I'm desperate -- PLEASE HELP

I was beingre-directed to porn sites -- pretty bad because my young son uses this machine. Disgusting links in Google. I ran Sypbot and it picked up and destroyed a few things. Then Adaware found more things. It removed them but it hangs when it tries to delete Windupdates. I have spent the whole afternoon and early evening trying to get things clean, including downloading spyware killers -- they all hang.

If you can help, I would be eternally grateful

 

Try running your clean-up software after booting into Safe Mode

If you are unsure how:
restart your computer
press F8 before the windows splash screen appears
select "boot to safe mode"


This will allow you to run the scans with minimal services/programs running to interfere.

Check this folder as well: Start | Programs | Startup
If it's not needed, delete it.

Do you know much about the registry? If so, let us know and we can guide you through deleting stuff from the Run key.

Good luck.

 

I know very little about the Registry, but I know how to get a HijackThis log.

I'm on Windows 98 SE. There is no Start Up in the Programs list. The last time I tried to boot in safe mode, the mouse didn't work. But I'll try it again now.

Thanks a million for such a rapid response.

Gab

 

Glad to help.

Keep us posted as to the results

 

http://www.spywareinfoforum.com/index.php?showtopic=227

 

Since you are using Win98 do this:

Start | Programs | Accessories | System Tools | System Information

Once it opens up go to Tools | System Configuration Utility

Click the "Startup" Tab
This lists a lot of programs that start up for your system. Check/unckeck the ones you want/don't want and click ok. You'll then have to reboot, but it's a start.

 

I have done that. NOthing there about windupdate. I have unchecked loadqm (on a forum saw that ou could do this).

I managed to run Spy Doctor in safe mode. It removed lots of things, but windupdates still seems to be there. Oh blimey!

Very appreciative of the comments and attempts to help.

Gab

 

Hi Gab, and welcome.

I do not usually point people to other people's log threads, but this thread at the Lavasoft forum (Ad-Aware SE) is fairly recent and the information given by the staff there might be helpful. It was mentioned by Mannen, one of the LavaXperts there, to look in the Add/Remove Program for a "Windows ControlAd" and if present, uninstall it, then do another full scan with Ad-Aware. In that member's case, they were successful in removing 'windupdate'.

You may want to post an Ad-Aware scan log at Lavasoft forum for further analysis and cleanup. Be sure you have the most recent definitions (at the time of typing this post, the last update should show SE1R26 25.01.2005 ), and that you've read their posting policy for posting logs and scans: Before Posting A Logfile.

Please let us know how it turns out.

Regards,

snap

 

Check to see if it is in your registry.

Be very careful doing this

Start | Run --> Type "regedit"

Expand HKEY_LOCAL_MACHINE
Expand Software
Expand Microsoft
Expand Windows
Expand CurrentVersion
Click on Run

If you see the windupdate listed...click it and delete it

 

There's nothing at all in Regedit when I get to Run as you instructed, except empty folders.

As you suggest, I'll go on to the Lavasoft site, but tomorrow. To tell you the truth, I've been at this since 2 pm our time (in the UK, where it is no 10.50 pm) and I'm stressed out from it. Once again, I really appreciate the help I'm getting. I'll keep you posted.

On thing you may be interested in is that I use MSN to talk to a friend in the USA. That friend today received an email purporting to be a friend of mine, with all kinds of details about me which could only have been got by spying on my MSN conversations. I know this for sure, because there are a couple of personal details which I've only ever mentioned on MSN (such as a new coat I got only yesterday, and the only person I told about it was my friend on MSN when we were chatting yesterday -- other little things too which could only have come from my MSN conversation with her). Today she received that email from a hotmail account, asking her for her bank details because the person claimed to want to send her money to buy airline tickets so I could fly out to see her, as a gift to me, but that it had to be kept secret. I was not supposed to know so that it would be a surprise. I can send you the email if you like.

All this is very worrying, and I'm absolutely shattered from it.

Once again, many, many thanks.

Gab

 

Check in "regedit" under HKEY_CURRENT_USER and expand the same directories listed above.

Good luck with Ad-Aware

 

I googled it and found manual removal instructions. There is a lot of stuff to delete, if you aren't comfortable editing the registry you might need to find a removal tool. I don't vouch for the following software "Scanspyware." I don't have any experience with it either way, I am just providing the link for the free removal instructions.

Manual Detection & Removal
of WindUpdates

http://www.scanspyware.net/info/WindUpdates.htm

It is recommended to take a backup of Registry before following manual instructions. The best solution for taking backup is creating a System Restore Point before following the instructions below. Please note that ScanSpyware uses certain other rules for detection and removal of spyware from your PC, which results in 100% accuracy in removal process. Only use the below given information for spyware removal if you are sure about what you are doing.


Delete the following directories:

WindUpdates
Windows AdControl
Windows ControlAd
Admilli Service
Admanager Controller


Delete the following files:

WinAdCtl.exe
WinCtlAd.exe
WinUpdt.exe
WinKA.exe
comm.dll
AdmilliComm.dll
AdmilliKeep.exe
AdmilliServ.exe
Info.txt
AdManCtl.exe
AdManKeep.exe
WinAdCtlX.dll
Bridgex.dll
Bridgex.inf
WinAdCtlX.dll
Bridgex.dll
ide21201.vxd
cdt_bbi8016.exe


Delete the following Cookies:
WindUpdates does not create any cookies


Delete the following registry keys:

BridgeX.Installer
BridgeX.Installer
{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
WindUpdates
Admilli Service
Windows AdControl
Windows ControlAd
Wind Updates
Admilli Service
Windows AdControl
Windows ControlAd
%windir%/Downloaded Program Files/BridgeX.dll
%windir%/Downloaded Program Files/WinAdCtlX.dll


Delete the following registry values:

Admilli Service
Windows AdControl
Windows ControlAd
Admanager Controller
WindUpdates
%windir%\Downloaded Program Files\BridgeX.dll
%windir%\Downloaded Program Files\WinAdCtlX.dll

--------------------------------------------------------------


Gab, I have found Ad-aware as the name implies be useful for ADWARE, but not much more. If you want to get rid of tracking cookies it is okay, but there are better products to handle even that problem. It has become somewhat obsolete in my opinion, especially if you patch Windows and switch browsers. What you have is a lot nastier than anything that Adaware is designed to handle.

SpyBot Search and Destroy is freeware as is Hijackthis, and both are very good. Giant Anti-spyware was bought by Microsoft and is being offered as freeware (http://www.snapfiles.com/get/msantispy.html). Pest Patrol used to offer a free scanner, you had to buy it to get the removal features enabled. I think it is strictly commercial now. It is still my preferred spyware scanner although I have several. No false positives, and it finds stuff that nothing else does. They used to publish great manual removal instructions. If you consider buying one you should look into it.

When you get a pest like this it usually means you need to patch your OS. Once you get it cleaned go to windowsupdate.microsoft.com and download the critical patches or service packs if you haven't. Also, if you are using Internet Explorer, consider switching to Mozilla or Firefox.

 

Just to make it known here, ScanSpyware is on the rogue list,

http://www.spywarewarrior.com/rogue_anti-spyware.htm



snowbound

 

Snowbound,

I agree. I am not sure I trust this program, that is why I added the disclaimer. However, I would be willing to give their removal instructions a try (backing up the registry first). It would be worth searching for the processes and registry entries, if they are there it validates the instructions.

My sister got infected with coolwebsearch and emailed me for help. It was a real mess, multiple processes, dozens of registry entries, if you don't find them all they are recreated. I finally found some instructions using google and identified the scope of the problem. (Now they have a removal tool). Without a map you simply cannot remove a problem like this.



Gab,

I would add the following about backing up the registry: do make a system restore point as they recommended, but back it up manually as well.

 

In addition a good programme that deserves mentioning is IM2. If one uses IM2 one can have a relatively good sense of security as conversations between different IM2 users are encrypted. IM2 is a multi-platform instant messaging client available here.

 

Yes, of course. I just wanted to alert everyone here in case someone was thinking of actually downloading this program.



snowbound

 

I am still infected. Still doing my nut.

1. Under HKEY_CURRENT_USER expansion up to Run, no sign of Windupdates

2. Giant AntiSpyware will not run under Windows 98; requires 2000 and above.

3. Adaware picks up Windupdates but hangs when it tries to delete it.

4. Adaware in safe mode does not pick it up.

5. Neither Spybot nor Spyware Doctor picks it up, either in normal or safe mode.

6. When I have used IE6 to go to my web mailbox, I then can't get to this site. I get a file download warning. I click Cancel and I'm returned to the Desktop.

7. I am not very confident about doing a manual deletion of Registry entries. I don't know what I am doing. I will try it if you think it's OK, but given the comments above, is it safe?

8. I will investigate encrypted messaging, but I want to concetrate on getting rid of Windupdates first.

9. I am very sorry to be such a pain. I am not computer illiterate, but I am in uncharted territory. I am -- need I repeat it? -- verygrateful to you.

Gab

 

One final thing. I have now tried the instructions in the Lavasoft thread, as suggested. I found an entry named AdStatus. I removed it. After the usual Are You Sure? thing (in this case telling you that if you do remove it, you may not be able to run some freeware), you get a message asking if you also want to keep certain elements listed. You clock No and are immediately taken to windupdates.com. Clever people these swines!

After removal of AdStatus, Adaware does indeed run and doesn't find any windupdate entries. But Spy Doctor now hangs as it reaches the second entry in its database (AdGoblin). Somethinng must still be there, since Spy Doctor runs OK in safe mode.

This is getting to be a minefield. BUt I am learning al ot in my despair.

Gab

 

Hi, good to hear that you are learing, we can all learn new things every day

Have you tried the Host file restore function in Adaware?

Also if no one has suggested it, switch browsers and get Mozilla firefox, it's alot safer than IE.

 

Can't find Host File Restore function in Adaware.

I got a "private message from ...". Didn't dare open it! Is it normal?

I am still getting offers to download files when I come on to this site.

And still infected. I am considering giving up and installing Windows 2000 instead of 98. Then getting rid of IE.

Gab

 

Yes private messages are normal.

have you tried HijackThis?

 

I have copied and pasted all the exe and dll files into Search. Nothing found

Gab

 

I have tried Hijack This.

How do I get back to the private message I didn't read?

 

Got the private message now.

Still desperate. Cups of tea no longer helping!

Gab