I'm desperate -- PLEASE HELP

Discussion in 'privacy problems' started by Gab, Feb 1, 2005.

Thread Status:
Not open for further replies.
  1. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    I was being re-directed to porn sites -- pretty bad because my young son uses this machine. Disgusting links in Google. I ran Spybot and it picked up and destroyed a few things. Then Adaware found more things. It removed them but it hangs when it tries to delete Windupdates. I have spent the whole afternoon and early evening trying to get things clean, including downloading spyware killers -- they all hang.

    If you can help, I would be eternally grateful.
     
  2. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Try running your clean-up software after booting into Safe Mode.

    If you are unsure how:
    restart your computer
    press F8 before the windows splash screen appears
    select "boot to safe mode"


    This will allow you to run the scans with minimal services/programs running to interfere.

    Check this folder as well: Start | Programs | Startup
    If it's not needed, delete it.

    Do you know much about the registry? If so, let us know and we can guide you through deleting stuff from the Run key.

    Good luck.
     
  3. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    I know very little about the Registry, but I know how to get a HijackThis log.

    I'm on Windows 98 SE. There is no Start Up in the Programs list. The last time I tried to boot in safe mode, the mouse didn't work. But I'll try it again now.

    Thanks a million for such a rapid response.

    Gab
     
  4. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Glad to help.

    Keep us posted as to the results :)
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas
    Gab

    Wilders no longer does hijack logs. Try the link for those that do.

    http://a-sap.org/

    I'll move this thread to Privacy Problems.
     
  7. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States

    Since you are using Win98 do this:

    Start | Programs | Accessories | System Tools | System Information

    Once it opens up go to Tools | System Configuration Utility

    Click the "Startup" Tab
    This lists a lot of programs that start up for your system. Check/uncheck the ones you want/don't want and click OK. You'll then have to reboot, but it's a start.
     
  8. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    I have done that. Nothing there about windupdate. I have unchecked loadqm (on a forum I saw that you could do this).

    I managed to run Spy Doctor in safe mode. It removed lots of things, but windupdates still seems to be there. Oh blimey!

    Very appreciative of the comments and attempts to help.

    Gab
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Gab, and welcome.

    I do not usually point people to other people's log threads, but this thread at the Lavasoft forum (Ad-Aware SE) is fairly recent and the information given by the staff there might be helpful. It was mentioned by Mannen, one of the LavaXperts there, to look in the Add/Remove Program for a "Windows ControlAd" and if present, uninstall it, then do another full scan with Ad-Aware. In that member's case, they were successful in removing 'windupdate'.

    You may want to post an Ad-Aware scan log at the Lavasoft forum for further analysis and cleanup. Be sure you have the most recent definitions (at the time of typing this post, the last update should show SE1R26 25.01.2005), and that you've read their posting policy for posting logs and scans: Before Posting A Logfile.

    Please let us know how it turns out.

    Regards,

    snap
     
  10. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Check to see if it is in your registry.

    Be very careful doing this

    Start | Run --> Type "regedit"

    Expand HKEY_LOCAL_MACHINE
    Expand Software
    Expand Microsoft
    Expand Windows
    Expand CurrentVersion
    Click on Run

    If you see the windupdate listed...click it and delete it
     
  11. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    There's nothing at all in Regedit when I get to Run as you instructed, except empty folders.

    As you suggest, I'll go on to the Lavasoft site, but tomorrow. To tell you the truth, I've been at this since 2 pm our time (in the UK, where it is now 10.50 pm) and I'm stressed out from it. Once again, I really appreciate the help I'm getting. I'll keep you posted.

    One thing you may be interested in is that I use MSN to talk to a friend in the USA. That friend today received an email purporting to be from a friend of mine, with all kinds of details about me which could only have been got by spying on my MSN conversations. I know this for sure, because there are a couple of personal details which I've only ever mentioned on MSN (such as a new coat I got only yesterday, and the only person I told about it was my friend on MSN when we were chatting yesterday -- other little things too which could only have come from my MSN conversation with her). Today she received that email from a hotmail account, asking her for her bank details because the person claimed to want to send her money to buy airline tickets so I could fly out to see her, as a gift to me, but that it had to be kept secret. I was not supposed to know so that it would be a surprise. I can send you the email if you like.

    All this is very worrying, and I'm absolutely shattered from it.

    Once again, many, many thanks.

    Gab
     
  12. Capp

    Capp Registered Member

    Joined:
    Oct 16, 2004
    Posts:
    2,125
    Location:
    United States
    Check in "regedit" under HKEY_CURRENT_USER and expand the same directories listed above.

    Good luck with Ad-Aware
     
  13. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39
    I googled it and found manual removal instructions. There is a lot of stuff to delete; if you aren't comfortable editing the registry you might need to find a removal tool. I don't vouch for the following software, "Scanspyware." I don't have any experience with it either way; I am just providing the link for the free removal instructions.

    Manual Detection & Removal of WindUpdates


    http://www.scanspyware.net/info/WindUpdates.htm

    It is recommended to take a backup of Registry before following manual instructions. The best solution for taking backup is creating a System Restore Point before following the instructions below. Please note that ScanSpyware uses certain other rules for detection and removal of spyware from your PC, which results in 100% accuracy in removal process. Only use the below given information for spyware removal if you are sure about what you are doing.


    Delete the following directories:

    WindUpdates
    Windows AdControl
    Windows ControlAd
    Admilli Service
    Admanager Controller


    Delete the following files:

    WinAdCtl.exe
    WinCtlAd.exe
    WinUpdt.exe
    WinKA.exe
    comm.dll
    AdmilliComm.dll
    AdmilliKeep.exe
    AdmilliServ.exe
    Info.txt
    AdManCtl.exe
    AdManKeep.exe
    WinAdCtlX.dll
    Bridgex.dll
    Bridgex.inf
    WinAdCtlX.dll
    Bridgex.dll
    ide21201.vxd
    cdt_bbi8016.exe


    Delete the following Cookies:
    WindUpdates does not create any cookies


    Delete the following registry keys:

    BridgeX.Installer
    BridgeX.Installer
    {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
    WindUpdates
    Admilli Service
    Windows AdControl
    Windows ControlAd
    Wind Updates
    Admilli Service
    Windows AdControl
    Windows ControlAd
    %windir%/Downloaded Program Files/BridgeX.dll
    %windir%/Downloaded Program Files/WinAdCtlX.dll


    Delete the following registry values:

    Admilli Service
    Windows AdControl
    Windows ControlAd
    Admanager Controller
    WindUpdates
    %windir%\Downloaded Program Files\BridgeX.dll
    %windir%\Downloaded Program Files\WinAdCtlX.dll

    --------------------------------------------------------------


    Gab, I have found Ad-aware, as the name implies, to be useful for ADWARE, but not much more. If you want to get rid of tracking cookies it is okay, but there are better products to handle even that problem. It has become somewhat obsolete in my opinion, especially if you patch Windows and switch browsers. What you have is a lot nastier than anything that Adaware is designed to handle.

    SpyBot Search and Destroy is freeware as is Hijackthis, and both are very good. Giant Anti-spyware was bought by Microsoft and is being offered as freeware (http://www.snapfiles.com/get/msantispy.html). Pest Patrol used to offer a free scanner, you had to buy it to get the removal features enabled. I think it is strictly commercial now. It is still my preferred spyware scanner although I have several. No false positives, and it finds stuff that nothing else does. They used to publish great manual removal instructions. If you consider buying one you should look into it.

    When you get a pest like this it usually means you need to patch your OS. Once you get it cleaned go to windowsupdate.microsoft.com and download the critical patches or service packs if you haven't. Also, if you are using Internet Explorer, consider switching to Mozilla or Firefox.
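
The Run-key checks under HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER described in the posts above can also be done against a saved registry export rather than by eye. The following is an added example, not part of any post in this thread: it parses a REGEDIT4-format export and flags autostart entries whose value name or command matches names from the removal list quoted above. It goes beyond the thread by also covering the RunOnce and RunServices keys, and the sample export and its paths are constructed.

```python
import re

# Names copied from the removal list quoted in the thread (lower-cased).
VALUE_NAMES = {"admilli service", "windows adcontrol", "windows controlad",
               "admanager controller", "windupdates"}
FILE_NAMES = {"winadctl.exe", "winctlad.exe", "winupdt.exe", "winka.exe",
              "admillikeep.exe", "admilliserv.exe", "admanctl.exe",
              "admankeep.exe"}

# Autostart keys in both hives; RunOnce/RunServices go beyond the thread.
AUTOSTART = re.compile(
    r"^HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg files escape backslashes and quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def autostart_entries(reg_text):
    """Yield (key, value_name, command) for string values under autostart keys."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1] if AUTOSTART.match(line[1:-1]) else None
        elif key:
            m = VALUE_LINE.match(line)
            if m:
                yield key, unescape(m.group(1)), unescape(m.group(2))

def flag_entries(reg_text):
    """Return autostart entries matching a listed value name or file name."""
    hits = []
    for key, name, command in autostart_entries(reg_text):
        cmd = command.lower()
        if name.lower() in VALUE_NAMES or any(f in cmd for f in FILE_NAMES):
            hits.append((key, name, command))
    return hits

# Constructed sample export; keys, values and paths are illustrative only.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadQM"="loadqm.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Updater"="C:\\Program Files\\WindUpdates\\WinUpdt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows ControlAd"="C:\\PROGRA~1\\WINDOW~1\\WinCtlAd.exe"

[HKEY_LOCAL_MACHINE\Software\Example\Run]
"WindUpdates"="ignored.exe"
'''

if __name__ == "__main__":
    for key, name, command in flag_entries(SAMPLE):
        print(f"{key}\n    {name} = {command}")
```

An entry that matches only by file name, such as the constructed "Updater" value, would be missed by looking for "windupdate" among the value names alone.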
     
  14. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Just to make it known here, ScanSpyware is on the rogue list,

    http://www.spywarewarrior.com/rogue_anti-spyware.htm



    snowbound
     
  15. Butters

    Butters Registered Member

    Joined:
    Jan 30, 2005
    Posts:
    39
    Snowbound,

    I agree. I am not sure I trust this program, that is why I added the disclaimer. However, I would be willing to give their removal instructions a try (backing up the registry first). It would be worth searching for the processes and registry entries, if they are there it validates the instructions.

    My sister got infected with coolwebsearch and emailed me for help. It was a real mess, multiple processes, dozens of registry entries, if you don't find them all they are recreated. I finally found some instructions using google and identified the scope of the problem. (Now they have a removal tool). Without a map you simply cannot remove a problem like this.



    Gab,

    I would add the following about backing up the registry: do make a system restore point as they recommended, but back it up manually as well.
     
  16. Q Section

    Q Section Registered Member

    Joined:
    Feb 5, 2003
    Posts:
    771
    Location:
    Headquarters - London & Field Offices -Worldwide
    In addition a good programme that deserves mentioning is IM2. If one uses IM2 one can have a relatively good sense of security as conversations between different IM2 users are encrypted. IM2 is a multi-platform instant messaging client available here.
     
  17. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Yes, of course. I just wanted to alert everyone here in case someone was thinking of actually downloading this program.



    snowbound
     
  18. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    I am still infected. Still doing my nut.

    1. Under HKEY_CURRENT_USER expansion up to Run, no sign of Windupdates

    2. Giant AntiSpyware will not run under Windows 98; requires 2000 and above.

    3. Adaware picks up Windupdates but hangs when it tries to delete it.

    4. Adaware in safe mode does not pick it up.

    5. Neither Spybot nor Spyware Doctor picks it up, either in normal or safe mode.

    6. When I have used IE6 to go to my web mailbox, I then can't get to this site. I get a file download warning. I click Cancel and I'm returned to the Desktop.

    7. I am not very confident about doing a manual deletion of Registry entries. I don't know what I am doing. I will try it if you think it's OK, but given the comments above, is it safe?

    8. I will investigate encrypted messaging, but I want to concentrate on getting rid of Windupdates first.

    9. I am very sorry to be such a pain. I am not computer illiterate, but I am in uncharted territory. I am -- need I repeat it? -- very grateful to you.

    Gab
     
  19. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    One final thing. I have now tried the instructions in the Lavasoft thread, as suggested. I found an entry named AdStatus. I removed it. After the usual Are You Sure? thing (in this case telling you that if you do remove it, you may not be able to run some freeware), you get a message asking if you also want to keep certain elements listed. You click No and are immediately taken to windupdates.com. Clever people these swines!

    After removal of AdStatus, Adaware does indeed run and doesn't find any windupdate entries. But Spy Doctor now hangs as it reaches the second entry in its database (AdGoblin). Something must still be there, since Spy Doctor runs OK in safe mode.

    This is getting to be a minefield. But I am learning a lot in my despair.

    Gab
     
  20. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Hi, good to hear that you are learning, we can all learn new things every day :)

    Have you tried the Host file restore function in Adaware?

    Also if no one has suggested it, switch browsers and get Mozilla Firefox, it's a lot safer than IE.
     
  21. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    Can't find Host File Restore function in Adaware.

    I got a "private message from ...". Didn't dare open it! Is it normal?

    I am still getting offers to download files when I come on to this site.

    And still infected. I am considering giving up and installing Windows 2000 instead of 98. Then getting rid of IE.

    Gab
     
  22. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Yes private messages are normal.

    Have you tried HijackThis?
     
  23. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    I have copied and pasted all the exe and dll files into Search. Nothing found.

    Gab
     
  24. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    I have tried Hijack This.

    How do I get back to the private message I didn't read?
     
  25. Gab

    Gab Registered Member

    Joined:
    Jan 27, 2005
    Posts:
    25
    Got the private message now.

    Still desperate. Cups of tea no longer helping!

    Gab
     