Something's throwing a monkey wrench into Adaware

Background:

Adaware’s been on my parents’ computer for years, but apparently they could never be bothered to use it (lost among all the crap they have on the desktop). This was not so much a problem while I was in college because I’d be home every two or three months to run it and keep infections from getting out of control. Last week I returned after an absence of 9 months to yield 917 hits with adaware (I suspect they fell, frequently, for those spyware warning popups and things went downhill from there).

The problems began when adaware kept crashing when I tried to rid it of all that. This had happened before, but I just ran it again, aborted the scan about halfway through, and deleted things in chunks. Inelegant, and uninformed, but it had worked before. Using this method, I managed to get rid of a little bit and reduce it to maybe 6 or 700 hits, but past advice and experience has shown me that adaware isn’t enough. I downloaded spybot, and it got rid of a bit more.

However, I can’t get rid of everything:

Adaware invariably freezes whenever I try to delete what it digs up.

When I change the parameters to, for example, exclude the processes, it gives me a list of things that it can’t remove due to open browser windows (there aren’t any (THERE F***ING AREN’T ANY, YOU DAMNABLE MACHINE), at least on my taskbar) and offers to remove them upon reboot. When it does that, it only gives me the same message.

Spybot has apparently done all it can do, only picking up the security hole in IE at this point.

CoolWebSearch was apparently among the things that Adaware could successfully remove, as it hasn’t shown up in any more scans and CWShredder doesn’t catch any versions of it.

Hijack this doesn’t turn up anything I don’t recognize; a bunch of AIM and MSN crap, but that’s not quite so virulent as what is yet to be eliminated, and is a task for another day.

At my friend’s suggestion, I tried starting the computer up in safe mode and running adaware there, but for some reason I can’t access any of the options when I hit ctrl+F8; the keyboard simply doesn’t work in that screen, and I suspect that whatever gremlins yet remain on the hard drive are responsible.

For the future, I’ve installed SpywareBlaster, the Firefox install file is awaiting a simple double-click to end the tyranny of IE, and the (infuriatingly undeletable) IE icon is going to be placed in a decidedly out-of-the-way place. As for getting my parents to actually USE what I’ve installed (and update it), only the Lisan al-Gaib himself can foresee how I would go about doing that.

Now, to the questions:

I’m familiar with the dangers of screwing with what gets uncovered in the registry, but my question is this: with the executable files it uncovers in the WINDOWS\SYSTEM directory for example, can I just delete those, or would that affect other aspects of the system? Would that even solve the problem completely? For example, it turns up “adbuddy.exe (hypothetical; the actual name of the file escapes me at the moment)” as a process and points to WINDOWS\SYSTEM\adbuddy.exe as the source. If I deleted that, would this solve the problem or would there be associated files to make the computer try to start the program and then go ape**** when it can’t find the executable?

But more generally, could I theoretically track down the files adaware picks up and delete them manually? On the one hand, I’ve tried to do that with cookies and there are just too damned many to filter through. Just to make absolutely sure that it’s safe, I can purge all my cookies with no adverse consequences, right?

Lastly, what could possibly be making adaware lock up during the deletion phase? I can still X out of the window without a “program not responding” box coming up. It’s just that the hard drive stops clicking and the program seems to just fall asleep. Would this be a matter of some malware interfering with the process or is the crap that’s on the machine just taking up too many resources? This computer is a p4 1.4GHz running WinME with adaware SE personal, FTR.

In the meantime, the program whose name escapes me at the moment continues to make popups appear even when no IE windows are open, Adaware continues in what will most likely prove to be another futile attempt to exorcise the computer, and I will continue to mull over writing a pit thread detailing what I’d like to do with the bastards who write spyware, preferably with some rough-hewn pine and a cinder block.

In short, for the wrath of Shai-hulud and for the water of your ancestors, HELP ME. :smack: :smack: :smack: :smack:

Are you using the absolute latest version of Ad-Aware? It’s called Ad-Aware SE.

Probably you have done this, seeing as you’ve tried so many other things, but as it’s something that I didn’t know about except by discovering it accidentally, I figured it is worth a try.

Well, as a last-ditch effort to get all of the spyware off your computer, format the hard drive. Of course this will get rid of every other file on your computer, but it would work. You could save all the files you want to save on to floppies or CDs.

I assume you know the dangers of messing with the registry, but for those who don’t, let’s stress that it’s the aspect of the operating system that tells the computer how to run what, and deleting the wrong things in it will permanently* disable the system and/or end the potential for using programs you want to use.

However, there is a way to fix the registry safely.

Assume you’ve run appropriate virus/spyware programs to determine that there are things which are definitely malware and not part of the system, but which cannot be deleted because “Windows is using spyworm.dll” or some similar message.

List off these problem files on a slip of paper.

Using Start/Run, load regedit. Then use Ctrl-F to activate the “find” option. Search for each of the bad files, and when found, delete in the registry. (Most will show up two or three times each, so continue the search. The system may be slow to find them owing to the size of the registry, so be patient.)

Then go back to Windows Explorer or whatever you’re using to delete malware, and delete them there.

Be very sure that you’re looking at a malware installation, not a part of the system or program software, first, before doing any delete, though.

Thanks, Polycarp. I would very much like to try what you’ve suggested, but this last bit has me concerned. Do you mean to say that it could be ambiguous as to whether a .dll associated with malware is also important to the system? Or just to be sure that the file I select to be deleted is the right one?

And, GuanoLad, yes I’m running Adaware SE. I found out only the hard way this summer that simply upgrading adaware 6 wasn’t enough. Replacing that with SE on this machine was the first thing I did after I got home and before getting Spybot.

Just to be explicit about what this computer has for protection now, I have the latest versions of the following:

Firefox
Adaware SE
Spybot
SpywareBlaster
HijackThis!
CWShredder

Completely wipe and reformat the hard disks. Complain to your parents the entire time, making it known in no uncertain terms that their apathy led to such drastic measures as being the only option. Once set up again, teach them to keep it clean, lest the complete wipe and reinstall be once again necessary. If they can’t do that, surreptitiously replace the computer with a cardboard prop.

I recently had to wipe my entire hard drive, for very similar reasons to the OP.

There was a registry entry in a number of places that was calling an executable called “fukerz.exe”. Every time I directly deleted the file, it reappeared.

In six months, I have not been able to find a direct reference to it on any of the major anti-virus websites, although I suppose I haven’t checked recently.

http://www.tasklist.org/task_fukerz_exe_5128.html

Khan, here’s a site that I found very useful when combatting scumware:

http://computercops.biz/

Specifically, these pages will help you identify what files are what:
The CLSID / BHO List / Toolbar Master List
Startup List

Khan, a couple of things:

  1. Back up all their data in case you have to go scorched earth and reformat the drive and do a complete reinstall.

  2. Since Adaware has been on your folks’ PC for a while, uninstall it, then go get the latest version of it (Adaware Personal SE 1.05, IIRC), install, update and clean. It picks up a lot more crap.

  3. Cookies - not really deadly in of themselves but you can delete them manually (they’re in the user profile, generally c:\documents and settings\[username]\cookies).

  4. The only spyware I’ve personally seen (and I deal with this stuff on a daily basis at work) that hosed Adaware and Spybot was the infamous “About:blank” parasite. CWShredder didn’t get rid of it and neither did anything else that I tried, including things that are supposed to specifically kill it. Had to reimage those PCs to remove it.

  5. If Spybot or Adaware identify something as nefarious you are probably safe to manually delete it, but be sure that you’ve got the right file & location; they sometimes have names or locations similar to legitimate system files.

  6. For most parasites manually deleting the files will get rid of them but some are very persistent - they use randomly named files that are reloaded each time, or there’s a hidden .DLL that goes out and downloads the damn things again each time you boot up. A good trick is to unplug your network connection before rebooting, then rescan and clean. If you find it hard to delete a file, try renaming it (I change names to “CRAP.TXT” or other suitable identifier). The next time you reboot, the application can’t be found and so it doesn’t launch.

  7. Yes be careful with the Registry. That said, one common place for stuff to be hanging out (this is for WinNT/2K/XP, not 100% sure of the location in ME) is under HKLM\Software\Microsoft\Windows\CurrentVersion\Run. That shows all the stuff that launches upon startup and you may find the nastiness in there. Be aware that there is a lot of stuff in there that is SUPPOSED to be there and you won’t recognize all the names (but if you see something like “c:\internethijacker.exe” it’s pretty obvious that it should go away).

Good luck!
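As an added illustration of point 7 above (not code from anyone in the thread), the script below enumerates the Run keys and flags the entries a cleanup should look at first: values whose executable no longer exists (orphaned entries, which fail harmlessly at boot), executables that carry no valid Authenticode signature, and executables living in user-writable locations such as Temp or AppData. It assumes a modern PowerShell on a Windows NT-family system; the WinME registry layout is not verified here.

```powershell
# Added example: audit autostart entries under the per-machine and per-user Run keys.
# Heuristics only: a flag means "inspect this", not "this is malware".
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a Run value such as
#   "C:\Program Files\Foo\foo.exe" /background    or    C:\WINDOWS\bar.exe -x
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }   # quoted path
    if ($command -match '^\s*(\S+)')     { return $Matches[1] }   # unquoted, no spaces
    return $command
}

# Folders an ordinary user can write to; legitimate autostart binaries are rarely there.
$userWritable = '\\(Temp|Local Settings|AppData|Downloads)\\'

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }     # skip the provider's own metadata properties
        $exe   = [Environment]::ExpandEnvironmentVariables((Get-ExePath $v.Value))
        $flags = @()

        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'file missing (orphaned entry)'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "no valid signature ($($sig.Status))" }
            if ($exe -match $userWritable) { $flags += 'runs from a user-writable folder' }
        }

        [pscustomobject]@{
            Key     = $key
            Name    = $v.Name
            Command = $v.Value
            Exe     = $exe
            Flags   = ($flags -join '; ')
        }
    }
}
```

Run it from an elevated prompt so the HKLM key is readable, and pipe the output to `Where-Object Flags` to see only the flagged entries.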

Try the new AVG 7. I have just cleaned up a couple of machines for a friend that were very badly infected; they had not bothered with any security downloads or anti-scumware updates. AVG cleaned out all the crap left untouched by Spybot, Adaware, CWShredder, Stinger etc.

Start running Firefox now, don’t wait for IE to collect more nasties.

Don’t see why you can’t get rid of the IE icon. None exist on my machines or any machines given over to me to clean up.

Install Zone Alarm ASAP - keep the buggers at bay.

That’s often because there are TWO copies of essentially the same program running, maybe under different names. Each one periodically checks for the existence of the other, and if it isn’t there, spawns a new thread.

Since most task-killer utility programs that I have seen only allow killing one program at a time, the malware can survive. The solution to this is to boot directly into DOS where those tasks aren’t running and exist only as files, so you can delete them and they won’t come back. You may have to deal with hidden and read-only attributes, but this is easy with the DOS ATTRIB command.

Even if the registry entry still exists, it can’t execute a file that isn’t there.

Clever little fuckers, ain’t they?

If you are dealing with totally computer-inept folks you might want to consider an install of a program like Deep Freeze. A repair is only a reboot away. Specific folders like “my documents” can be left thawed so basic downloads and documents can still be saved.

Yeah, I’ve already got that. Everything I’ve got has been installed within the last ten days, including Adaware. You see, I could barely walk my parents through even RUNNING the old version, much less downloading and installing the new one, so it had to wait until I could come home again.

In the meantime, I’m gonna go try AVG. It goes for viruses and spyware, right? I had it on my own computer, but I took it off after finding it superfluous and difficult to get through the broken English in some places.

Don’t wipe the hard drive. It’ll fix it, but it’s unlikely the step is necessary.

Download and run hijackthis. Save the log and post it at http://www.spywareinfo.com. They will tell you what the problem is and how to fix it.

You really should run in safe mode. If Ctrl-F8 does not work you might want to try just F8. If that doesn’t work you can use msconfig to set the next boot to /safeboot.

Thanks for the help, but it looks like I was premature in my evaluation of AVG. It seems to have fixed the problem, but I’ll keep advised as necessary.

At another board they have a “cheers” smiley, with two regular :)'s clinking glasses. They oughta get one of those here.