A Windows 98 & ME forum. Win98banter


need help with Ad Aware



 
 
  #21  
Old July 12th 05, 08:17 AM
PA Bear

I'd also run Trend Micro Sysclean, sf. See
http://aumha.net/viewtopic.php?t=10610
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security

sf wrote:
Thanks Gary... I haven't posted to the aumha website yet because I'm
using the Trend Micro AdWare Scanner and it's coming up with more than
I thought I had. Things don't look good, that's for sure.

What is a "rootkit"? I've never heard that term before!!

TIA
sf
``````````````

On Mon, 11 Jul 2005 15:12:04 -0700, Gary S. Terhune wrote:

Unfortunately, you may have a much worse problem than you think--this
is beginning to sound like the effects of a rootkit. If that's the
case, little you do is likely to fix it. There is a lot of research
going into how to detect and remove rootkits. But for now, the most
common solution given by the *experts* is to wipe the drive completely
and start over.

Before you do that, use MSCONFIG, Advanced button at lower right, to
enable the Startup Menu, so that you can *always* boot to the Startup
Menu, then do as much and as many different kinds of cleanup *ONLY* in
Safe Mode. (There are other ways to force Safe Mode always, if the
30-second countdown isn't sufficient protection against leaving the
default choice on Normal. Adding the line BOOTSAFE=1 to MSDOS.SYS, for
instance.)

You need to refer to online resources using a different machine. Things
like HijackThis logs need to be transferred using floppy, and you want
to make sure the system you are going online with (that, presumably,
you transfer the logs to) is well protected against viruses. You can
also transfer files *to* the target machine using CDs, assuming the
good, online machine has a CD burner.

If you spend more than another couple of days on this, and you simply
can't get it cleaned up--you can't boot to Normal Mode without all
kinds of sh*t hitting the fan, then it's probably time to consider the
rootkit possibility. We'll discuss this possibility if/when that time
comes.

Refer again to my Security! article. Use all of the tools mentioned
there. And then come back for more suggestions, s. Ad-Aware alone
isn't enough, but I usually find that combining it with Spybot S&D
catches most things. (Use Spybot, but no Immunization!) The forum at
Aumha.org might be a better place to go with this issue. Find the
general link(s) here:
http://aumha.org/secure.htm

Forums here:
http://forum.aumha.org/index.php?c=12

You may simply need slightly more complicated, manual removal
instructions for whatever it is that ails your sister's machine.


  #22  
Old July 12th 05, 12:06 PM
glee

"sf" wrote in message
...
snip
The common problem is ADW_ABETTERINTERNET_VX2... actually the VX2
part. It's small, but seems to be a BIG problem.
Also, BookedSpace keeps coming back... it's a lot larger.

Grrrr


Try adding the VX2 Cleaner plug-in to Ad-Aware:
http://www.lavasoftusa.com/software/...2cleaner.shtml
There are very difficult variants of VX2....now may be the time to post at the
aumha.net HijackThis forums and get the expert advice of the folks there, such as
Robear and Mow.

BookedSpace:
http://www.doxdesk.com/parasite/BookedSpace.html
http://sarc.com/avcenter/venc/data/a...okedspace.html
--
Glen Ventura, MS MVP Shell/User, A+
http://dts-l.org/goodpost.htm

  #23  
Old July 12th 05, 04:38 PM
sf

On Mon, 11 Jul 2005 22:20:45 -0700, Gary S. Terhune wrote:

PS -- If you download and run the RootKit Revealer detection app from
Sysinternals, please don't post logs here. There are other forums
dedicated to that purpose.



LOL... first you tell me about something I've never heard of before;
then you tell me there's a way to "root" them out. After that you
tell me not to post the "log" (which I didn't know it would produce
here). OK, buddy... of the three things you just told me, at least I
know enough not to post any logs here.


  #24  
Old July 12th 05, 06:04 PM
sf

On Tue, 12 Jul 2005 03:17:55 -0400, PA Bear wrote:

I'd also run Trend Micro Sysclean, sf. See
http://aumha.net/viewtopic.php?t=10610



WOW, thanks! I didn't know that site/service existed. I've
downloaded and am running it now. So far it has found TROJ_SMALL.AAL.

Unfortunately, it hangs on a certain music file. I stopped the
program, went to the specific file and waited way too long (10
minutes) after the TSC stopped running for a result, so I stopped the
program. A popup said words to the effect of "stopped by user" and
every line in the log began with "unable". Do you think I should just
delete the file and see if I can continue?

This computer uses Nero (something I don't allow on my computer)
primarily for burning purposes. Do you have another suggestion for a
free burner?


  #25  
Old July 12th 05, 07:00 PM
sf

On Tue, 12 Jul 2005 07:06:03 -0400, glee wrote:

"sf" wrote in message
...
snip
The common problem is ADW_ABETTERINTERNET_VX2... actually the VX2
part. It's small, but seems to be a BIG problem.
Also, BookedSpace keeps coming back... it's a lot larger.

Grrrr


Try adding the VX2 Cleaner plug-in to Ad-Aware:
http://www.lavasoftusa.com/software/...2cleaner.shtml
There are very difficult variants of VX2....now may be the time to post at the
aumha.net HijackThis forums and get the expert advice of the folks there, such as
Robear and Mow.

BookedSpace:
http://www.doxdesk.com/parasite/BookedSpace.html
http://sarc.com/avcenter/venc/data/a...okedspace.html



I don't know what I did, but the system seems to be clean now. I will
post my new log for confirmation. Many Thanks to all for bearing with
me!
  #26  
Old July 12th 05, 07:25 PM
Gary S. Terhune

"sf" wrote in message
...
On Mon, 11 Jul 2005 22:20:45 -0700, Gary S. Terhune wrote:

PS -- If you download and run the RootKit Revealer detection app
from
Sysinternals, please don't post logs here. There are other forums
dedicated to that purpose.



LOL... first you tell me about something I've never heard of before;
then you tell me there's a way to "root" them out. After that you
tell me not to post the "log" (which I didn't know it would produce
here). OK, buddy... of the three things you just told me, at least I
know enough not to post any logs here.



Heh, heh... I hadn't really looked into rootkits until recently. What
little I do know is mostly what I learned from Mark Russinovich, et al,
at http://www.sysinternals.com/utilitie...trevealer.html Good
explanation, and includes links to other rootkit info.

In *some* cases, there *may* be ways to root them out, but the overall
consensus is that most are as yet unfixable, leaving reformat as the
only option. The same page I referred you to offers what is essentially
an experimental program to find evidence of RootKits. If you run it, it
creates a log that can be saved. If you want someone to look at that log
and advise... Well, I'm fairly certain you can find people willing to
examine such logs at the Aumha forums.

I ran RootkitRevealer a week or two ago, and it definitely found
evidence of rootkit-like behavior. Further investigation showed that
these items were installed by Adobe when I upgraded to Creative Suite
CS. Far as I can tell, the reason for these items is to make their
licensing and anti-piracy measures more difficult (if not impossible) to
mess with. However, seeing as how that installation has been nothing but
a PITA since I did it, I have to wonder if the "rootkit" items were
deliberate or were they accidental, maybe even at the root of my
problems (pun intended this time, s.) I'll know when I get around to
rebuilding this system and reinstalling Adobe

--
Gary S. Terhune
MS MVP Shell/User
http://www.grystmill.com/articles/cleanboot.htm
http://www.grystmill.com/articles/security.htm
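Added example, not from this thread and not Sysinternals code: RootkitRevealer works by comparing what the normal Windows API reports against a raw scan of the file system and registry hive files, and it logs every object on which the two views disagree. The script below shows that cross-view idea on two constructed listings (the paths, sizes and the "hidden.sys" entry are made up for the demonstration), so a reader can see what kind of line such a log contains and why each line still needs a human to interpret it.

```python
# Added example: cross-view discrepancy check, the principle that
# RootkitRevealer-style detectors apply. All listings here are constructed
# sample data, not output from a real scan.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Entry:
    """One file (or registry object) as reported by a particular view."""
    path: str
    size: int


def constructed_api_view() -> List[Entry]:
    """What an ordinary directory listing through the Windows API reports.
    Constructed sample data."""
    return [
        Entry(r"C:\WINDOWS\SYSTEM\PSAPI.DLL", 24576),
        Entry(r"C:\WINDOWS\SYSTEM\notepad.exe", 53248),
        Entry(r"C:\WINDOWS\SYSTEM\driver.vxd", 4096),
    ]


def constructed_raw_view() -> List[Entry]:
    """What a raw on-disk scan reports. Constructed sample: one extra file the
    API view never showed, and one file whose on-disk size differs from the
    size the API reported (the hypothetical 'hidden.sys' is invented)."""
    return [
        Entry(r"C:\WINDOWS\SYSTEM\PSAPI.DLL", 24576),
        Entry(r"C:\WINDOWS\SYSTEM\notepad.exe", 53248),
        Entry(r"C:\WINDOWS\SYSTEM\driver.vxd", 8192),
        Entry(r"C:\WINDOWS\SYSTEM\hidden.sys", 1536),
    ]


def cross_view_diff(api_view: List[Entry], raw_view: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every object on which the two views disagree.
    Paths are compared case-insensitively because Windows file names are."""
    api = {e.path.lower(): e for e in api_view}
    raw = {e.path.lower(): e for e in raw_view}
    findings: List[Tuple[str, str]] = []
    for key in sorted(set(api) | set(raw)):
        a = api.get(key)
        r = raw.get(key)
        if a is None:
            # Present on disk, but the API never listed it: the classic
            # symptom of something filtering directory enumeration.
            findings.append((r.path, "hidden from Windows API"))
        elif r is None:
            # Listed by the API but not found by the raw scan: can be a file
            # deleted between the two passes, so it is a discrepancy, not proof.
            findings.append((a.path, "visible to Windows API but absent from raw scan"))
        elif a.size != r.size:
            findings.append((a.path, f"size mismatch: API {a.size} bytes, raw {r.size} bytes"))
    return findings


def format_log(findings: List[Tuple[str, str]]) -> List[str]:
    """Render findings as tab-separated log lines, one per discrepancy."""
    return [f"{path}\t{reason}" for path, reason in findings]


if __name__ == "__main__":
    for line in format_log(cross_view_diff(constructed_api_view(), constructed_raw_view())):
        print(line)
```

Two points follow from the design. A discrepancy is evidence, not a verdict: a file changed or removed between the two passes, or a legitimate product that deliberately hides its own licensing files (the Adobe case Gary describes above), produces exactly the same kind of line, which is why the thread steers such logs to a forum where people read them routinely. And the raw pass depends on reading NTFS structures and registry hives underneath the API, which only exists on the NT line, so a tool built this way cannot run on Windows 98 or ME at all.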


  #27  
Old July 12th 05, 07:53 PM
sf

On Tue, 12 Jul 2005 11:25:54 -0700, Gary S. Terhune wrote:

"sf" wrote in message
...
On Mon, 11 Jul 2005 22:20:45 -0700, Gary S. Terhune wrote:

PS -- If you download and run the RootKit Revealer detection app
from
Sysinternals, please don't post logs here. There are other forums
dedicated to that purpose.



LOL... first you tell me about something I've never heard of before;
then you tell me there's a way to "root" them out. After that you
tell me not to post the "log" (which I didn't know it would produce
here). OK, buddy... of the three things you just told me, at least I
know enough not to post any logs here.



Heh, heh... I hadn't really looked into rootkits until recently. What
little I do know is mostly what I learned from Mark Russinovich, et al,
at http://www.sysinternals.com/utilitie...trevealer.html Good
explanation, and includes links to other rootkit info.

In *some* cases, there *may* be ways to root them out, but the overall
consensus is that most are as yet unfixable, leaving reformat as the
only option. The same page I referred you to offers what is essentially
an experimental program to find evidence of RootKits. If you run it, it
creates a log that can be saved. If you want someone to look at that log
and advise... Well, I'm fairly certain you can find people willing to
examine such logs at the Aumha forums.

I just finished posting a rather "good looking" log file... I think I
beat BookedSpace and VX2 into submission.

I ran RootkitRevealer a week or two ago, and it definitely found
evidence of rootkit-like behavior.


I'd like to run it, but I'm getting an error message about a missing
DLL. PSAPI.DLL. Not sure what to do next. I'm pretty sure you're
right about a rootkit problem because the HijackThis log looked
clean, but something is still causing unwanted popups and seems to be
hijacking IE every now and then.

Further investigation showed that
these items were installed by Adobe when I upgraded to Creative Suite
CS. Far as I can tell, the reason for these items is to make their
licensing and anti-piracy measures more difficult (if not impossible) to
mess with. However, seeing as how that installation has been nothing but
a PITA since I did it, I have to wonder if the "rootkit" items were
deliberate or were they accidental, maybe even at the root of my
problems (pun intended this time, s.) I'll know when I get around to
rebuilding this system and reinstalling Adobe


At least you knew what you were looking at! LOL I'm not sure I will
if I can ever get it up and running.
  #28  
Old July 12th 05, 08:09 PM
Gary S. Terhune

My bad! RootkitRevealer doesn't run on Win9x systems. SORRY!

--
Gary S. Terhune
MS MVP Shell/User
http://www.grystmill.com/articles/cleanboot.htm
http://www.grystmill.com/articles/security.htm

"sf" wrote in message
...
On Tue, 12 Jul 2005 11:25:54 -0700, Gary S. Terhune wrote:
I'd like to run it, but I'm getting an error message about a missing
DLL. PSAPI.DLL. Not sure what to do next. I'm pretty sure you're
right about a rootkit problem because the HijackThis log looked
clean, but something is still causing unwanted popups and seems to be
hijacking IE every now and then.


  #29  
Old July 12th 05, 09:06 PM
PA Bear

Delete the problem file, download the latest Control Pattern Release file
and then run Sysclean.com again per the instructions.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE) & Security

sf wrote:
On Tue, 12 Jul 2005 03:17:55 -0400, PA Bear wrote:

I'd also run Trend Micro Sysclean, sf. See
http://aumha.net/viewtopic.php?t=10610



WOW, thanks! I didn't know that site/service existed. I've
downloaded and am running it now. So far it has found TROJ_SMALL.AAL.

Unfortunately, it hangs on a certain music file. I stopped the
program, went to the specific file and waited way too long (10
minutes) after the TSC stopped running for a result, so I stopped the
program. A popup said words to the effect of "stopped by user" and
every line in the log began with "unable". Do you think I should just
delete the file and see if I can continue?

This computer uses Nero (something I don't allow on my computer)
primarily for burning purposes. Do you have another suggestion for a
free burner?


  #30  
Old July 13th 05, 11:01 PM
sf

On Tue, 12 Jul 2005 12:09:16 -0700, Gary S. Terhune wrote:

My bad! RootkitRevealer doesn't run on Win9x systems. SORRY!


The one in question is an ME... that's why you recommended it, I
think.

 




Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 Win98banter.
The comments are property of their posters.