Adware.Winpup


Adam A. Wanderer

I'm having a problem with the Adware.Winpup. My Norton detected it, but
can't remove it. I've tried everything, manual removal, and other automatic
software. Does anyone know of a way to get rid of this problem, or any
software that will? Thanks!
 
Adam A. Wanderer said:
I'm having a problem with the Adware.Winpup. My Norton detected it, but
can't remove it. I've tried everything, manual removal, and other automatic
software. Does anyone know of a way to get rid of this problem, or any
software that will? Thanks!

Ad-aware and Spybot Search & Destroy are two tools that are effective
against various adware/spyware nuisances. Regular anti-virus products do
little or nothing with these.

http://www.lavasoft.de/
http://www.safer-networking.org/index.php?page=home

Gregg C.
 
Adam said:
I'm having a problem with the Adware.Winpup. My Norton detected it,
but can't remove it. I've tried everything, manual removal, and
other automatic software. Does anyone know of a way to get rid of
this problem, or any software that will? Thanks!


http://securityresponse.symantec.com/avcenter/venc/data/adware.winpup.html

HijackThis will show the offending entries:
Please download HijackThis into the C:\HJT folder you create and unzip it
there.
Run it and click on Scan.
Let it run to completion.
Click on Save log then copy-n-paste the log contents in this same topic.

http://www.merijn.org/files/hijackthis.zip

Do not remove anything in there yet as not all items are bad.
 
Logfile of HijackThis v1.97.7
Scan saved at 20:20:14 , on 2004/Jan/09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\System32\CTHELPER.EXE
G:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE
C:\Program Files\Symantec\DeepSight Extractor\ccExtractorService.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
H:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
H:\PROGRA~1\NORTON~3\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\[email protected]
C:\Program Files\FahCore_78.exe
F:\FAH4Console.exe
F:\FahCore_78.exe
C:\WINDOWS\System32\cidaemon.exe
F:\em2.exe
C:\Program Files\Outlook Express\msimn.exe
H:\Program Files\yProxy\yProxy.exe
G:\Program Files\shortkey\SHORTKEY.EXE
C:\Documents and Settings\William\My Documents\ontop10\OnTop.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
G:\Program Files\mIRC\backup\mirc.exe
C:\WINDOWS\msagent\AgentSvr.exe
G:\hijackthis[1]\HijackThis.exe
C:\WINDOWS\explorer.exe
G:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/channel/START
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file) (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (fc7850324464e4d19a24a03d882b5cc4, 54248 bytes)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (5827f118be2e058da19e9d8b3f17593d, 94262 bytes)
O2 - BHO: (no name) - {88C5C070-8C60-4f45-9345-3FFB96334CAD} - C:\Program Files\Openwares IE Security Patch\OpenwaresIEPatch.dll (2f0867539e11e74b551403cf17bda4b1, 53248 bytes)
O2 - BHO: WinZip IBS - {99A10100-66BB-11D4-A02A-00600818E7D8} - G:\PROGRA~1\WINZIP\wziebs.dll (bd47a3ca15127d48802d4730e3d200a2, 77824 bytes)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (724f1f9e4280d49b1fbccda27bb94f67, 753664 bytes)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (65c8a602dfa9d5860f1e328cb8575317, 103368 bytes)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx (71b4ec7ee27a6935d3c20b98f0d8ddf9, 844048 bytes)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (65c8a602dfa9d5860f1e328cb8575317, 103368 bytes)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (724f1f9e4280d49b1fbccda27bb94f67, 753664 bytes)
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe (ead5b3b15fa4f47a43552e87cd1ac076, 38592 bytes)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE (c419df63e0121d72411285780c2fc6cc, 90112 bytes)
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run (8335f092782f24788a937b7fabb73c4c, 49152 bytes)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup (0fb22dd37c17f80ad71316049f725170, 31744 bytes)
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE (62b992ae61e3b054f8efe65fd4ce9392, 74920 bytes)
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe" (f572c7aa83f7adfff6a6e10fea6bcc2f, 163840 bytes)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" (0b45a5b6c854cc6c68c891bdeabec035, 114688 bytes)
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE (15f71a562eb274baae347a7a224e3bf9, 24576 bytes)
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe (93cf2b93f02e52cd6fffa567249f3f73, 61440 bytes)
O4 - HKCU\..\Run: [CursorXP] G:\Program Files\CursorXP\CursorXP.exe (eb7232057799d26b2c37548cad04e95b, 125440 bytes)
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (631bd98882f6fc3e1191c8c7ef942638, 70816 bytes)
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html (file missing)
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html (file missing)
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html (file missing)
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html (file missing)
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html (file missing)
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html (file missing)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O9 - Extra button: Turbo Memory Charger (HKLM)
O9 - Extra 'Tools' menuitem: Turbo Memory Charger (HKLM)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 (HKLM)
O15 - Trusted Zone: .*.akamai.net
O15 - Trusted Zone: http://www.dslreports.com
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://*.java.com
O15 - Trusted Zone: http://sea2fd.sea2.hotmail.msn.com
O15 - Trusted Zone: http://folding.stanford.edu
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1069322077765
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\Documents and Settings\William\Local Settings\Temp\EI40_\msxml4.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37909.9666435185
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {C87A3AD5-DE8E-4a2e-BF7B-D6BCD419DED1} (EnvivioTV MPEG-4 Source Filter) - http://www.envivio.tv/downloads/EnvivioTV/EnvivioTVSilentInstaller.exe
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/odc/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/odc/ActiveData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/eng/check/qdiagh.cab?312
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A81AA3E-7D52-433E-BDFA-C09407FAD907}: NameServer = 207.69.188.187 207.69.188.186
 
Adam said:
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - (no file) (file missing)
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html (file missing)
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html (file missing)
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html (file missing)
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html (file missing)
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html (file missing)
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html (file missing)

Remove these with HijackThis.
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A81AA3E-7D52-433E-BDFA-C09407FAD907}: NameServer = 207.69.188.187 207.69.188.186

Remove this if it is not placed there by yourself or your ISP configuration.

I don't see any evidence of Adware.Winpup. If Norton complains about it
being in the Restore folder then disable System Restore and reboot. Then
enable System Restore.
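The triage the reply above does by eye can be scripted. The following is an added example, not part of the original thread and not HijackThis's own code: it parses the entry lines of a HijackThis 1.97-style log (joining entries that forum or mail wrapping split across lines), flags every entry whose target HijackThis reported as "(no file)" or "(file missing)", and flags O17 NameServer entries that point at a resolver outside a list the caller supplies. The expected-resolver list and the sample log are assumptions: the log is a constructed excerpt modelled on the one posted in this thread, and the resolver list is whatever your ISP publishes.

```python
"""Triage a HijackThis log: orphaned entries and unexpected DNS resolvers.

Added example, not HijackThis's own code. Functions return their findings
so they can be checked programmatically; __main__ just prints them.
"""
import re

# One entry per line, e.g. "O2 - BHO: name - {GUID} - path" or
# "R0 - HKCU\...\Main,Start Page = http://...". Section codes in the 1.97
# log format are R0-R3, F0-F3, N1-N4 and O1-O24.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) -\s*(?P<body>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MISSING_MARKERS = ("(no file)", "(file missing)")

# Constructed excerpt modelled on the log posted in the thread (not the full log).
# The O2 MyWay entry is deliberately wrapped across two lines, as it was when posted.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 20:20:14 , on 2004/Jan/09
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/channel/START
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: MyWay Search Assistant BHO -
{04079851-5845-4dea-848C-3ECD647AA554} - (no file) (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A81AA3E-7D52-433E-BDFA-C09407FAD907}: NameServer = 207.69.188.187 207.69.188.186
"""


def parse_entries(log_text):
    """Return (code, body) tuples for the entry lines of a HijackThis log.

    Header and 'Running processes' lines carry no section code and are
    skipped. Once entries have started, a non-empty line without a section
    code is treated as the continuation of the previous (wrapped) entry.
    """
    entries = []
    in_entries = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_entries = True
            entries.append([m.group("code"), m.group("body")])
        elif in_entries:
            entries[-1][1] = (entries[-1][1] + " " + line).strip()
    return [(code, body) for code, body in entries]


def orphaned_entries(entries):
    """Entries whose target HijackThis reported as missing.

    The registration survived but the DLL or resource it points at is gone,
    so removing the entry only cleans up; it cannot break a working component.
    """
    return [e for e in entries if any(mk in e[1] for mk in MISSING_MARKERS)]


def nameserver_findings(entries, expected_resolvers):
    """O17 NameServer entries using a resolver outside expected_resolvers.

    A resolver you or your ISP did not configure is the DNS-hijack case the
    reply warns about. Returns (entry body, [unexpected addresses]) pairs.
    """
    expected = set(expected_resolvers)
    findings = []
    for code, body in entries:
        if code != "O17" or "NameServer" not in body:
            continue
        unexpected = [ip for ip in IPV4_RE.findall(body) if ip not in expected]
        if unexpected:
            findings.append((body, unexpected))
    return findings


def triage(log_text, expected_resolvers):
    """Parse a log and return both finding lists in one dict."""
    entries = parse_entries(log_text)
    return {
        "orphans": orphaned_entries(entries),
        "dns": nameserver_findings(entries, expected_resolvers),
    }


if __name__ == "__main__":
    # Hypothetical expected-resolver list: substitute your ISP's published addresses.
    report = triage(SAMPLE_LOG, ["207.69.188.187", "207.69.188.186"])
    for code, body in report["orphans"]:
        print(f"orphan  {code} - {body}")
    for body, ips in report["dns"]:
        print(f"dns     unexpected resolver(s) {ips}: {body}")
```

The start page in the same log points at EarthLink, so the right reference list for the O17 check is the resolver addresses EarthLink publishes for its customers; if the addresses in the log match, the entry is the ISP configuration the reply mentions and should stay. Entries listed as orphans are the same ones the reply picks out by hand.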
 
Bazooka has been able to remove this since Dec 8th
http://www.kephyr.com/spywarescanner/

Taff............

I noticed some trolls on Download.com trying to say Bazooka
contains spyware. T'aint so.

InControl5 showed a very clean install:
1 Folder, 12 Files, 5 reg keys, 4 reg values

It found no spyware on my system but Adaware and SpybotSD
never do either. A couple prevention programs make a big
difference in what cleaners can find. Safehex helps too!

BoB
 