Some Adaware program has installed itself on my computer



paragone
30-12-2004, 03:26 PM
Then I installed adaware, it found something, I deleted it, but now all my desktop icons don't know what program they're associated with. And I can't seem to run any exe files. Please help... I can't even get the uninstall to run... or you could also email me at pod@celestialproductions.com

Speedy Gonzales
30-12-2004, 03:29 PM
What was the name of the program/file adaware found?? And u deleted?

paragone
30-12-2004, 03:36 PM
I don't know, because now I can't start some of my programs including adaware. I see this message in that folder...

Exception generated on : 12-29-2004 1:10:04 PM
Ad-aware 6 Professional, Build158
Message : Zugriffsverletzung bei Adresse 77F5033E in Modul 'ntdll.dll'. Lesen von Adresse FF19F67C
Object ClassName : TACimage
Object InstanceSize : 560
Object InstanceName : Nextbtn1
=================================================

Let me try to start it up... could we e-mail each other or do you have a chat name? that may not even work for me...

Speedy Gonzales
30-12-2004, 03:42 PM
Ah, you're using an out of date program. V6 of Adaware is no longer getting updated. Get Adaware SE 1.05 and updates then scan.

err ntdll.dll is a windows system file isn't it?? You're lucky windows loads at all. Well I'm usually on the Austnet server and I use Mirc. I'm in there at the mo.

Speedy Gonzales
30-12-2004, 03:51 PM
I would if u can restore that file thru Adaware 6 before u uninstall Adaware 6 and reinstall the later version 1.05 SE... I think there's an option in Adaware, where u can restore what u delete.

tweak'e
30-12-2004, 03:53 PM
what ver of windows etc are you using?

it's weird the error message is in german!

johnboy
30-12-2004, 03:54 PM
Try this: click Start, click Run, and type in sfc /scannow (there is a space after sfc). This will run the Windows File Checker and should replace any missing or corrupted system files.
hth

pheonix
30-12-2004, 04:01 PM
First try this file, as it will restore Windows associations for XP.

http://homepages.slingshot.co.nz/~t.hodder/xp_fileassoc.bat

paragone
30-12-2004, 04:20 PM
I ran this

http://homepages.slingshot.co.nz/~t...p_fileassoc.bat and now I actually see what programs my icons are associated with, but when I click on them i get this error... This file does not have a program associated with it for performing this action. Create an association in the folder options control panel? And I try to open other applications and I get the same error even if I go into the actual program folder and click on the .exe file. Then I tried to do the sfc /scannow and i get this error. windows cannot open this file: File:sfc.exe Windows needs to know what program created it. Then i have the options to select the program from a list, but i'm not sure which one it is.

Thanks for all the help in advance! I need my computer working I have some jobs to finish please help!!! thanks!

paragone
30-12-2004, 04:44 PM
Some of my programs are working now, but not all... I went into the computer management tool and was looking at the system logs and found this error today which don't look too good right?

The Nsynas32 service failed to start due to the following error: The system cannot find the file specified. What do I do?

Speedy Gonzales
30-12-2004, 04:48 PM
Show all files in My computer / windows explorer. Then search for this ntdll.dll file. See if it is somewhere else on your hdd. It should be in c:/windows/system32 folder.

It may also be in c:/windows/servicepackfiles/i386 folder. If ntdll.dll is in this folder BUT not in the system32 folder COPY it to system32 folder.

I think this ntdll.dll file has something to do with exe files. That's why no exes work.

paragone
30-12-2004, 04:59 PM
The file is there...

C:\WINDOWS\system32\ntdll.dll

Some of my applz work like photoshop, explorer, ad-aware, but i can't run uninstall

I just tried to start photoshop and it wouldn't work, but then when I right clicked on the .exe file I notice an extra menu option i never seen before called Run As? what is this? Then it says which user account do you want to use to run this program?

Current user is clicked on
then a box underneath that is checked saying protect my computer and data from unauthorized program activity. Under that it says this option can prevent computer viruses from harming your computer or personal data, but selecting it might cause the program to function improperly. What's up with all this?

Speedy Gonzales
30-12-2004, 05:07 PM
Don't know what Nsynas32 is. I don't think it's part of XP.

Do a search on your hdd. See if there's a file called Nsynas32.exe somewhere. See what folder it's in.

Speedy Gonzales
30-12-2004, 05:11 PM
Run as if u have more than 1 user, lets whoever run the program only. It's normal in XP. Have u got Cubase VST installed?? I think that's what that Nsynas32 belongs to.

paragone
30-12-2004, 05:14 PM
Yes I have cubase SX installed... but I was looking through the ad-aware program and look at this log i found. I remember now that it was asking me that these events want to run and I clicked on cancel the events. So I disabled everything from ad-ware and i'm going to restart and see if this helps... and try to un-install after that...

Ad-watch Logfile, exported on 12/29/2004
Total number of events:3
===============================================
12/29/2004 11:03:10 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.exe
Value:
Data:
New Data:exefile

Possible browser hijack attempt (Accepted)

===============================================
12/29/2004 11:03:13 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.lnk
Value:
Data:
New Data:lnkfile

Possible browser hijack attempt (Accepted)

===============================================
12/29/2004 11:03:13 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Key:SOFTWARE\Classes\.reg
Value:
Data:
New Data:regfile

Possible browser hijack attempt (Accepted)

===============================================

Speedy Gonzales
30-12-2004, 05:19 PM
Have u removed v6 of Adaware yet? By the looks of it u haven't. I would uninstall it and install 1.05 of Adaware SE to keep up to date.

paragone
30-12-2004, 05:32 PM
I uninstalled ad-aware... but I never seen that run as options how do I get rid of that? And I just ran a hijackthis.log file do you know what to take out by looking at the file? I have to post that somewhere else on this site right?

Speedy Gonzales
30-12-2004, 05:37 PM
You can't remove the run as option. It's part of XP. You can paste the hijackthis log here. Might as well keep it in the same post.

FoxyMX
30-12-2004, 05:38 PM
And I just ran a hijackthis.log file do you know what to take out by looking at the file? I have to post that somewhere else on this site right?

Leave HijackThis alone until everything is all fixed up or you will be in a right mess.

What version of Windows are you running? If it is Win ME or XP you could try a system restore back to before you first installed or ran Adaware.

paragone
30-12-2004, 05:39 PM
But I never seen that option before... I would right click on applications and never saw that option there. Something I did must have turned it on.


Logfile of HijackThis v1.99.0
Scan saved at 11:22:19 PM, on 12/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
O2 - BHO: (no name) - {1E0D6E98-21D5-45BD-ACC5-A3C4C5CFEDFB} - C:\WINDOWS\System32\msbc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FreshBar - {06ABAA2D-34AB-4902-A326-409BD9B9A7A5} - C:\WINDOWS\System32\iecust.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA6497B-B75D-4BCD-9CD9-946058C0E8BD}: NameServer = 69.50.166.94,69.31.80.244
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Hdinlddc.dll
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

pheonix
30-12-2004, 05:43 PM
A suggested next step would be to see if you can use your system restore to go back a day or two.

Failing that, then you will require the XP disk, and do what Johnboy suggested,
start-run and enter SFC /SCANNOW

pheonix
30-12-2004, 05:48 PM
Looks like you have also been Hijacked by about.blank

Download aboutBuster http://www.spyware911.net/downloads.htm

Restart in safe mode and run it.

paragone
30-12-2004, 05:50 PM
Ok, how do I do a system restore back?

thanks guys!

pheonix
30-12-2004, 06:02 PM
Start - run and paste this in the box...

%SystemRoot%\System32\restore\rstrui.exe

Easy to follow it from there.

Speedy Gonzales
30-12-2004, 06:02 PM
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe

Taskopen by the sounds of it is a backdoor trojan. Also look for hdut.exe/hdut.dll in C:/windows/system32 folder. If u find hdut.dll or hdut.exe delete them.

And also try this http://www.simplysup.com/tremover/ update it then scan. Also select utilities/reset internet explorer home/start/search page settings, and also the option under it (reset windows hosts file).

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain this is also spyware. See if Wildtangent is in Add/remove program, if it is uninstall it, then under start / run type regsvr32 /u cdaEngine0400.dll

Also go here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Look for CDA Wildtangent, taskopen.exe delete BOTH entries in the right window. Then reboot

paragone
31-12-2004, 05:13 AM
I can't do the system restore, because i get this error message...

Windows cannot open this file:
file: rstrui.exe

To open this file, windows needs to know what program created it. Windows can go online to look it up or you can manually select from a list of programs on your computer. what do you want to do?

paragone
31-12-2004, 05:33 AM
YESSS!!! I restarted my computer in safe mode and it asked me if I wanted to do a system restore. I did it and now everything seems to be fine!!! I run the hijackfile again and this is how my log looks now. Is there anything I could take out?

Logfile of HijackThis v1.99.0
Scan saved at 11:25:36 AM, on 12/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\DeltTray.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\HiJackThis\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA6497B-B75D-4BCD-9CD9-946058C0E8BD}: NameServer = 24.29.99.18,24.29.99.17
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Speedy Gonzales
31-12-2004, 09:12 AM
You still have spyware. istsvc.exe is istbar. Download this and run it

http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Also, Wildtangent is some kind of spyware. Follow the steps I gave previously to remove it. CDA / Wildtangent may also be under the following registry entries. Highlight it then delete it, then reboot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

and here

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
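
Added example, not part of any post in this thread: comparing the two HijackThis logs posted above mechanically shows which entries the System Restore removed, which appeared, and which changed value, so each can be reviewed. The log lines are excerpts copied from those two logs; the function names are this example's own.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (before and after the System Restore); the full logs are longer.
BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
O2 - BHO: (no name) - {1E0D6E98-21D5-45BD-ACC5-A3C4C5CFEDFB} - C:\WINDOWS\System32\msbc.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [taskopen.exe] taskopen.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA6497B-B75D-4BCD-9CD9-946058C0E8BD}: NameServer = 69.50.166.94,69.31.80.244
O21 - SSODL: Web Event Logger - {7CFEFEF1-ED03-1337-ABCD-526492F5D679} - C:\WINDOWS\System32\Hdinlddc.dll
"""

AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCA6497B-B75D-4BCD-9CD9-946058C0E8BD}: NameServer = 24.29.99.18,24.29.99.17
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN = re.compile(r"^(?P<hive>\S+\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")


def parse(log):
    """Map each entry's identity to its value.

    Identity is (section, key). Lines of the form 'key = value' (R0/R1,
    O17) and Run lines '[name] command' are split so that a changed value
    is reported as a change, not as one removal plus one addition.
    """
    entries = {}
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, running-process list, blank line
        section, body = m.groups()
        run = RUN.match(body) if section == "O4" else None
        if run:
            key, value = f"{run['hive']}: [{run['name']}]", run["cmd"]
        elif " = " in body:
            key, _, value = body.partition(" = ")
        else:
            key, value = body, ""
        entries[(section, key)] = value
    return entries


def diff(before, after):
    """Compare two parsed snapshots: (removed, added, changed)."""
    removed = {k: v for k, v in before.items() if k not in after}
    added = {k: v for k, v in after.items() if k not in before}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return removed, added, changed


def pathless_run_commands(entries):
    """Run values with no directory component. The log alone does not say
    which file on disk would start, so each one needs a manual look."""
    return sorted(key for (section, key), cmd in entries.items()
                  if section == "O4" and "\\" not in cmd and "/" not in cmd)


if __name__ == "__main__":
    removed, added, changed = diff(parse(BEFORE), parse(AFTER))
    for label, group in (("removed", removed), ("added", added)):
        for (section, key), value in sorted(group.items()):
            print(f"{label:8}{section:4}{key} {value}".rstrip())
    for (section, key), (old, new) in sorted(changed.items()):
        print(f"changed {section:4}{key}: {old} -> {new}")
    print("no path:", pathless_run_commands(parse(BEFORE)))
```

A diff only says what is different between two snapshots; whether an entry is wanted is still decided per entry, as the replies in this thread do.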

pheonix
31-12-2004, 10:51 AM
Do as Speedy recommends, then try another Hijackthis log.

Wild Tangent will try to introduce more spyware, so get rid of it.

It would pay to also download, UPDATE and use Spybot S&D, http://www.majorgeeks.com/download2471.html

Together with Ad-aware, they make a formidable cleaner of spyware, which is what you were filled up with.

FoxyMX
31-12-2004, 12:59 PM
See if Wild Tangent is in Add/Remove programs in Control Panel and if so, uninstall it from there then run Adaware, Spybot, etc.

Mycenius
31-12-2004, 01:54 PM
It would pay to also download, UPDATE and use Spybot S&D, http://www.majorgeeks.com/download2471.html

Yes Indeed. Make sure you activate Teatimer in Spybot and if you are using IE activate SD Helper as well (but better still toss IE and get Opera or Firefox).

tweak'e
31-12-2004, 02:09 PM
as much as i hate IE (and love opera) it's not really practical for a lot of uses to toss IE. IE is a requirement for a lot of programs :( therefore it's still wise to keep the patches up to date and run some sort of protection even tho you don't use IE.

the other thing is using non-IE browser won't save you from spyware but will cut down the odds of it installing via your browser. don't forget a lot sites trick users into downloading and running infected software/files rather than just exploiting the browser.

SurferJoe1946
02-01-2005, 07:32 AM
Wow! You guys in the southern hemisphere got the same problems we have here up north. The WILDTANGENT thing is a replicator virus. It is capable of totally filling your hard drives with garbage that won't let you clean/scandisk/defrag or anything but fdisk. It has been running wild here, especially on dial-up isp's. DSL's seem to not be so adversely affected, but you have to run GOOD anti-spy killers.
I had to drill down in HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run and then look for things like this:

WildTangent CDA

RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

It MAY not be in the programs add/delete area. It might be there, but in stealth as "white-on-white" .exe or .cmd prompts that generate the replication into the hard drives.

These "white-on-white" codes are left over from the days of SHIFT/F1 control devices in the 6-level keyboard accesses in the old PET 40-40 opsys. They were insidious in their day, but I thought that this would be so old fashioned, that it would not be used in modern times. Ah! Not so! Here it comes like deja vu all over again! lol! :badpc:

SurferJoe1946
02-01-2005, 07:37 AM
I forgot to add:

DO NOT FORGET TO CLOSE ALL THE FILES YOU OPENED IN THE DRILL DOWN!!!!

If you don't do that, the drill down will all be for naught. Close all files and collapse the tree when you are done, and then go to "FILE" on the toolbar, >File,>EXIT. Failure to do this will make the changes you just made NOT take effect!

Sorry for the omission.
SURFER JOE in Southern California. :thumbs:

Safari
02-01-2005, 08:03 AM
I forgot to add:

DO NOT FORGET TO CLOSE ALL THE FILES YOU OPENED IN THE DRILL DOWN!!!!

If you don't do that, the drill down will all be for naught. Close all files and collapse the tree when you are done, and then go to "FILE" on the toolbar, >File,>EXIT. Failure to do this will make the changes you just made NOT take effect!

Sorry for the omission.
SURFER JOE in Southern California. :thumbs:

Thanks Surfer Joe, useful information and I suspect not widely known.

SurferJoe1946
02-01-2005, 08:46 AM
Now comes the hard part!

To keep the WildTangent virus out, the following steps had to be done on my puter, and I do the same things on all the units I have to exorcise here too.

1) Turn off SYSTEM RESTORE (yup! viruses like to hide there, and a system restore will just bring the little virus back to life)

2) roll down the "Days to keep pages in history" in Internet Options to 0

3) clear history

4) delete files

5) delete cookies

6) get SPYBOT S&D 1.2 with the words "Kolla" and ".de" in the url (there are phonies out there!)

7) get AdAware, not ADWARE from Lavasoft The latter is more spyware.

8) get SPYWAREBLASTER

9) in INTERNET PROPERTIES >advanced tab, unclick Enable third-party browser extensions

10) disable third party cookies

11) get SP-2 ASAP! It will not be available forever! Actually, get the disc from Microsoft before it's too late. And I have received another 4 updates since I got SP-2 too!

12) update, update, update all and every time you go online. Remember that viruses get started when you re-boot or cold-boot your puter. They won't usually cause any problems 'till you restart. By that time you don't remember what you did last time that brought all this on your head.

13) get Firefox by Mozilla, and make it your default browser. You can always keep IE for those few times you might need it...just use discretion!

Now the maintenance part:

In Spybot, check the scanned exceptions area (advanced mode). Once in a while, I find and don't know how it happens, that some of the exceptions boxes which were all unchecked, are now checked. It might be spoofs or timebombs in the system, but it happens...so check it some times.

AdAware will not update itself unless you buy the commercial version which has no different scanning capabilities than the freebie. It just updates automatically. Update it all the time.

SpywareBlaster is a very special killer. It fills the voids left by the other killers. Use it and enable all protection...leave no stone unturned!

All these programs run silently and invisibly in the background in my equipment. The only strange thing is that Spybot will constantly find a "DSO EXPLOIT" in the results of the scan. It is Spywareblaster that it sees. I don't click the DSO exemption box; I just let the files get found over and over. It is a small price to pay just in case there is someday a new DSO exploit it finds that isn't Spywareblaster.

BTW: Wildtangent will not always call itself by that name. It generates some files with the prefix: "wt.......etc". It seems to randomise new file prefixes all the time, and therefore once it's in, it is very hard to remove. Take the above steps, and if you find that you run for a while with no more incidences of it raising up from the dead, go ahead and reinstate system restore if you absolutely have to. I never do.
Surfer Joe In Socal

FoxyMX
02-01-2005, 10:08 AM
The WILDTANGENT thing is a replicator virus. It is capable of totally filling your hard drives with garbage that won't let you clean/scandisk/defrag or anything but fdisk. It has been running wild here, especially on dial-up isp's.
I have found WildTangent games installed on certain new computers (Packard Bell was one, I think). Is that related to the WildTangent you are talking about?

Speedy Gonzales
02-01-2005, 10:23 AM
That's possible, Foxy. I would find out what those games are, and do a search on google or yahoo. If they are, remove them.

Safari
02-01-2005, 11:01 AM
I have found WildTangent games installed on certain new computers (Packard Bell was one, I think). Is that related to the WildTangent you are talking about?

http://support.wildgames.com/WT_spyware.html

WildTangent is an online video game software company with partnerships with many companies like HP, Dell, Compaq, Logitech, AOL, and others. We package our games with their products such as computers and computer peripherals. We do not install our software onto your computer without your knowledge and consent. *

If you have found WildTangent software on your computer, but didn't install it, it was installed onto your computer in the following ways:

Your computer manufacturer, such as HP, Dell, Compaq, or Gateway, preinstalled the software and games on your computer.

Playing any of our games, like Polar Bowler, Blasterball or Tradewinds, or any AIM Games, like Lexibox and WildCards, will install WildTangent on your computer. *In conjunction with AOL, we supply our games as a part of AIM Games.

Trying one of our games from our website partners like MSN Gaming Zone, Yahoo and Shockwave. *To view all our games, please go to our WildGames website.

Someone in your household has played or downloaded any one of our games.

SurferJoe1946
03-01-2005, 07:13 AM
My answer here is without prejudice:

Let me copy/paste your reply:

If you have found WildTangent software on your computer, but didn't install it, it was installed onto your computer in the following ways:

Your computer manufacturer, such as HP, Dell, Compaq, or Gateway, preinstalled the software and games on your computer.

Someone in your household has played or downloaded any one of our games.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sorry to burst your bubble there, person from WildTangent.

I have never played any games, never allowed anyone else to use this computer, never bought an out of the box puter, and this one is custom made with no...repeat NO previous input by anyone. I built it, gave it life and was there for the birth. I have never allowed any...and I mean ANY games to exist on it.

Now, the truth of the matter is this:

There is a virus running around...it is called WildTangent, and if it's yours, then I suggest you get to the bottom of the fact that somebody has either spoofed your games or disassembled your code and written in something else of which you are not aware.

There are great numbers of people here who hold WildTangent with utter contempt and on about the same level as the after effects of a tsunami. Get it?

While you are probably just an ivory-tower dweller, here in the real world there are a lot of hard drives being destroyed by your so called games. I will mail some of them to you if you like; you can open them up and find for yourself just what it is that you have defended as nothing more than a harmless little ol' game. Real world destruction is no funny thing....I thoroughly dislike the inference that I somehow installed or allowed to be installed any games or downloads from any of your sites.

The very existence of the virus, and the fact that even Spybot considers it as such and scans for it, are proof enough that there is some insidious reason why it should be removed. (I hold Mr. Patrick Kolla in the highest esteem, and as such feel that he has no contentious attitudes toward you/your company personally, he just thoroughly dislikes what is considered 0's and 1's being the cause root of spying, hacking, trojans and viruses and other malware. Read his licensing and reasons why he does what he does). And, it isn't just that these anti-spy killers don't want WildTangent reporting to the mother ship. These programs are destructive to...<let me look to my right here>...the 6 destroyed hard drives that I have piled up next to my chair.

There are websites and blogs just like this that are teeming with ways to remove something that you call "games" Do you wonder why? Is there some general hate for "games" or is it that there is truly flame at the base of all this smoke?

Since I have just spent another 11 hours trying to exorcise another friend's computer of your so called games and I have a splitting headache from being up all night doing so, I am in no mood for platitudes from any one who would so cheerfully indict me for failures I have as an end user. As it is, their hard drive too, was so junked with replicant data/files with the "wt" prefix, that today is another day that the local Staples Electronics will have their purses gilded. Donations will be gladly accepted.

Would you like to volunteer to pay for all the drives that are ruined so far? How about tomorrow? Will you and your company take responsibility for what you say is just games? As the vocal representative (and sole defender so far) of your company, will you pay for this? You have the bully pulpit for your company.

....a non-happy exorcist. :stare: :xmouth:

SurferJoe1946
03-01-2005, 07:53 AM
I have found WildTangent games installed on certain new computers (Packard Bell was one, I think). Is that related to the WildTangent you are talking about?

You know, Foxy, I don't really know for sure. I am positive that there are some things out there that come pre-installed in opsys's that are both good and bad. A blessing and a malediction, if you will.

It really has taken me by surprise that this virus has either attached itself to (coat-tailed) or was actually installed by the WildGames Company. (Maybe the WT virus just goes cruising by your ports peeking in and looking for the games, and invites itself in when it finds its own name there).

I suspect that even they (WildGames?) don't know the full ramifications of what is being done in their name, unless they planted it themselves.

I am not a game-r, nor do I use or buy commercial computers. I build my own from virgin motherboards, ecu's and cards. I run some serious hotrod processors with overclocking, high-end ram, RAIDs with 6 / 180gig 10,000 rpm drives. This is for my music and video files. I water cool my processors and boards, and run full temp sensors for all critical devices. 7 fans make the tower sound like a fleet of helicopters taking off until the drivers slow them down to a small scream.

I write code in Forth-69 and Pascal. My oldest daughter can read machine language like a cheap book, and my oldest sons are in the puter building and renovation business, with the older of the two as the hardware king, and the younger as the systems tech. We are very diversified and also volunteer a lot of time and trouble to/for people who get burned by these attacks.

Currently, our consolidated opinions are that computers are to be issued to only those who have had at least 4 years of computer sciences and lab time in an accredited university environment. Much less is tantamount to giving a child a small yield nuclear device. There are going to be more panic calls from more friends (outta the woodwork they come) who got their Christmas presents and plugged them in and got killed online in a few minutes. That is very sad...and not the way things should be.

So, I take my 'puters seriously.

What I also take seriously is someone trying to commandeer my systems. I see red, and as a Type-I personality, I get a little hostile as a father would if his child was being stalked by wolverines. Sorry....bad mental picture there.

I do not subscribe to P2P file swapping, bit torrenting, or booting illegal OS's.

Running a legal and sane motherboard is my primary concern. Do you see why I get a little miffed at those who like to cause damage to me and my friends?

So, to answer your question from my soapbox (sorry), I say get rid of the WT thing asap. If it is not the cause, then it is surely in my opinion, the harbinger of bad future news.
Surfer Joe ;)

augustus
03-01-2005, 07:56 AM
Try using system restore to go back to before you ran adaware. Start, all programs, accessories, system tools, system restore.

Chilling_Silence
03-01-2005, 08:35 AM
http://www.google.com/search?q=wildtangent+spyware&start=0&start=0&ie=utf-8&oe=utf-8&client=firefox&rls=org.mozilla:en-US:unofficial

Mycenius
05-01-2005, 09:20 AM
Try using system restore to go back to before you ran adaware. Start, all programs, accessories, system tools, system restore.

If the worm/virus/spyware was already there then this will only serve to restore it as well. You need to be very careful about using restores - personally I don't use them at all (I disable it totally), far better to do proper back-ups and/or disk images.