Help removing adserver.sharware popups



srobert11
Jan 27, 2005, 07:01 PM
http://adserver.sharewareonline.com/AdServerX/MemTurboLanding.aspx?Referrer=acpa


The above link is what keeps popping up when I open my homepage and try to type in a url and sometimes when I try to open a page from Google.

I'd just updated my Ad-Aware to their new program today and it helped with many popup problems I've had these past few days. I finally got rid of the DSO Exploit (5) errors that Spy Bot kept bringing up. I just cannot get rid of this irritating pop up from adserver.

Thanks in advance.

fredg
Jan 28, 2005, 04:14 AM
Hi,
This pop-up has probably already located itself in your Registry.
Here are steps to rid a computer with most Spyware/Malware/Advertising programs:

If you think you already have Spyware/Advertising Ware in your computer, run these as follows:

http://www.security-related.com/download2.htm
Download: SpyBot Search & Destroy; 1.3

AdAware at:
www.lavasoftusa.com
Download: AdAware_SE

CWShredder at:
http://www.download.com/CWShredder/3000-8022_4-10349879.html?tag=lst-0-1
(CWShredder is intended only for removal of CoolWebSearch files; placed as spyware on the harddrive). It is not a "stand alone" scan, but needs to be run.

All 3 of the above programs run better and much faster when run in SafeMode.
It's best to run the AdAware scan first; 3 times; then re-boot.
Then, run the AdAware scan again 3 times; then run the SpyBot. Then, run CWShredder.
Re-boot.
Reason for running so many times:
Some of these trojans' files can be deleted the first time; leaving some others; but on re-boot, they re-write the files that were deleted.
Running multiple times deletes most of it the first time.

If you wish to have a great program, after you clean out Spyware/Advertising Ware:
SpyWare Blaster 3.2
Great, free, program that STOPS spyware, trojans, home page hijacks, etc, BEFORE they get into your computer. Check it out at CNET at link:

http://www.download.com/SpywareBlaster/3000-8022_4-10305680.html?tag=lst-0-2

Two Tips:
If you notice the little green computer lights that show your dial-up connection to the internet staying on when they shouldn't be, located on the bottom right of the system tray, disconnect immediately and run AdAware. These lights staying on means that some URL is sending or receiving spyware/advertising ware to or from your computer, most of the time.

Other Tip: After being on the net, if you have visited any sites you don't really trust, then run AdAware BEFORE you shut down or re-start the computer. This will delete any Spyware easier, before the computer can configure it, set it up, spread it throughout the Registry, and make it more difficult to remove after re-booting.

If the above doesn't solve the issue, please post back for steps on how to edit the Registry; and find the URL that is causing this.

Have you cleared out all cookies, History, etc, from Internet Explorer temp files?
Best of luck,
fredg

srobert11
Jan 29, 2005, 09:29 AM
Thank you for all of your suggestions. I had each program installed except CW Shredder. I have installed it since your post.
I followed your instructions and ran each item 3 (sometimes 4) times.

I'm getting mixed messages. I have also installed VX2 add-on to Ad-Aware SE.
When I click it, it tells me system is clean, no VX2 files found. When I run Ad-Aware scan I keep getting 3 VX2 files. I have quarantined them, since they will not delete. One of them keeps coming back even though it has been put in quarantine. It is in my memory. The log reads: Warning! VX2 object found in memory (C:\WINDOWS\system32\0266lcjslfo6.dll). It asks if I want it to remove it when I reboot. I say yes, but it doesn't happen! :confused:

When I run Spy Bot it tells me Congratulations... no items found.
Talk about being confused. Each program tells you something else.

I have installed Webroot Spy Sweeper. That has helped with many pop-ups including Clkoptimizer. I have all of them in quarantine as well.

I'm still getting my browser hijacked when I run a search, but not as often.
Any further suggestions about the VX2 in my memory?

Sorry to have been so long replying. Yesterday I did not have the time to run all items and scans in order. I appreciate your help very much. :)
Shirley

SESaskDFC
Jan 29, 2005, 09:39 AM
Howdy:

Lavasoft’s new plug-in VX2 Cleaner detects the malware VX2 and offers you the ability to remove it from your computer. Some users have experienced a very difficult variant of VX2 which cannot be removed by Ad-Aware. For those users which have this variant, we have developed a plug-in to help you remove this VX2 variant.

This VX2 variant registers itself in a way, which gives it system privileges. It also prevents the user from viewing this information by removing the user’s rights to do so. Furthermore it constantly monitors the registry and prevents any attempts to remove its associated values. This makes it very difficult for the user to manually remove it.

VX2 Cleaner plug-in:
- Close Ad-Aware and Ad-Watch (if running)
- Download the free VX2 Cleaner here
- Install the VX2 Cleaner
- Start Ad-Aware
- Go to “Plug-ins”
- Select the VX2 Cleaner plug-in and click “Run Plugin”
- If your computer isn’t infected, click “Close”.

http://www.majorgeeks.com/download4283.html

Murray

srobert11
Jan 29, 2005, 12:08 PM
As outlined in my message previous to this reply, I have Ad-AwareSE add tool called VX2. It says I'm not infected, but the scan shows 4 VX2 objects. 3 I could quarantine when I couldn't remove them, but one will not quarantine or remove!

What now?
Thanks

SESaskDFC
Jan 29, 2005, 12:35 PM
Okay.. what operating system and where does it say this "malware" is located on your system?

Murray

srobert11
Jan 29, 2005, 12:54 PM
OS:Microsoft Windows XP Professional Service Pack 1 (Build 2600)
AdAware says the Malware is running in memory.
I'll attach the last scan I just did, if that will help.

My main two problems when trying to search or use I.E. are that my browser is being "hijacked", I guess, to one of these two items.
http://adserver.sharewareonline/adserver/memTurbo/Adm/ad080504.htm
Or/and as popovers and popunders
http://urllogic.com

I think I've got the clkoptimizer-aepesi.dll quarantined in spy sweeper. It has stopped coming up in Ad-Aware and SpyBot tells me my computer is clean.
Go figure.
Thanks again for the help

SESaskDFC
Jan 29, 2005, 01:12 PM
Thank you for the scan..

Go into Registry and navigate to the following..

HKEY_CURRENT_USER: software\microsoft\internet explorer\toolbar\webbrowser: {0E5CBF21-D15F-11D0-8301-00AA005B4383}

Highlight the area I put in bold and delete it.. (make sure System Restore is disabled)..

Reboot and re-enable System Restore..

Murray

srobert11
Jan 29, 2005, 01:26 PM
Thank you for your help.
Sorry to be so much trouble, but how do I get into the Registry?
That is something I've never done.

60 year old grandmothers shouldn't be allowed to have computers! :eek:
Shirley

SESaskDFC
Jan 29, 2005, 04:47 PM
:) Start>Run type in regedit and press "okay"..

Make sure you look for the EXACT area your "trojan" shows up in..

Murray

srobert11
Jan 29, 2005, 08:31 PM
Murray, I followed your directions and got rid of the problem I had. Thanks. ;)
I rebooted, ran Ad Aware and 5 new objects came up. Two marked as critical that could not be removed. :(

VX2
>>>>>>>>>>>>>>>>>>>>
obj[3]=process: C:\WINDOWS\system32\dnju0119e.dll

obj[4]=process: C:\WINDOWS\system32\KHDNO.DLL

I have attached my scan log again.

Also, when I reboot my computer now I also get this message as the desktop opens.
RUNDLL
An exception occurred while trying to run ""C
WINDOWS\system 32\KNDNO.DLL", UMonitor

Is that related to the VX2 by the same name found in Ad Aware?

I went into Google to see if I'd receive pop-ups after removing the first
VX2 and sure enough some spyware package ad took over my browser.

I appreciate your help so much. All of this is so above my head. Thank
heavens for sites like yours.

Shirley

fredg
Jan 30, 2005, 05:16 AM
Hi,
Murray has some very, very good suggestions... I sincerely hope they work to solve your issue.

You can also use the Edit Registry to search for words, etc;

Here are steps to do that, if you ever need these for the future:

To Edit the Registry:
First, back up your Registry. The simplest way to do it is to shut down the computer, wait a few seconds, then turn it back on. It will automatically back up the Registry when booting up.

BE CAREFUL when deleting things from the Registry; your computer might not re-boot.

Here are steps for deleting things that startup when you boot up the computer:

Go to Start/Run. Type in "regedit" without quotes, then click on OK.
At the top, Click on "Edit", then "Find".
In the space Find What: type in what you want to find, such as the spyware name.
Then, put a check mark by "Match whole string only". This will keep the search from stopping at every word it finds.
Then click "Find Next". It will search the registry for the first entry you typed in.
It will "open" a folder on the left hand side of the screen, showing what is in the folder on the right hand side. If you know that an entry on the right hand side is something you no longer have, or has just been added with a name you don't know, then right click on it, then left click "delete", tell it Yes or OK to remove it.
Then, press F3 on the top of the keypad to continue the search.
When finished, at the top, click on File, Exit.

Any StartUp programs, that start when the computer boots up will be listed in folders on the left hand side of the screen with names like:
RUN, RUNSERVICES, RUNONCE, RUN-, etc.
Click on the next folder down with the name RUN in it, to look at its startups on the right hand side.

You can also search for other words, rather than RUN, such as Hotsearchbar; or whatever; and delete values on the right hand side associated with it.

Best of luck,
fredg
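
An added example, not part of any post in this thread: the Run/RunOnce review described above can be done as a cross-check, matching the file paths from the Ad-Aware scan lines quoted earlier against an exported copy of the startup keys. The registry export and its value names are constructed sample data; the two flagged paths are the ones from the scan log above.

```python
import re

# Scan-log lines as quoted earlier in the thread.
SCAN_LOG = r"""
obj[3]=process: C:\WINDOWS\system32\dnju0119e.dll
obj[4]=process: C:\WINDOWS\system32\KHDNO.DLL
"""

# Constructed sample: regedit text export of startup keys (value names are made up).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /background"
"ExampleMonitor"="rundll32.exe \"C:\\WINDOWS\\system32\\khdno.dll\",UMonitor"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ExampleCleanup"="rundll32 C:\\WINDOWS\\system32\\dnju0119e.dll,Start"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r"\\(.)", r"\1", text)

def flagged_paths(log):
    """Lower-cased file paths taken from 'obj[n]=process: <path>' lines."""
    return {m.group(1).strip().lower()
            for m in re.finditer(r"^obj\[\d+\]=process:\s*(.+)$", log, re.M)}

def autoruns(reg_text):
    """Yield (key, value_name, command) for each string value in the export."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            yield key, unescape(m.group(1)), unescape(m.group(2))

def suspicious_autoruns(reg_text, log):
    """Startup values (Run, RunOnce, RunServices...) whose command names a flagged file."""
    bad = flagged_paths(log)
    return [(key, name, cmd) for key, name, cmd in autoruns(reg_text)
            if key.rsplit("\\", 1)[-1].lower().startswith("run")
            and any(path in cmd.lower() for path in bad)]

if __name__ == "__main__":
    for key, name, cmd in suspicious_autoruns(REG_EXPORT, SCAN_LOG):
        print(f"{key}\n  {name} = {cmd}")
```

A startup value that still names a flagged DLL is the kind of leftover entry that can produce a RUNDLL message at logon, so those are the values to review in regedit.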

SESaskDFC
Jan 30, 2005, 05:36 AM
Thanks for the registry backup reminder fred!

Shirley: Now, boot into Safe Mode.. Use Windows Explorer to navigate to the c:\windows\system32 folder.. Highlight those files and delete..

Murray

cremedies
Jan 30, 2005, 01:47 PM
Go to Microsoft.com and download MS AntiSpyware, formerly GIANT Company. Click on downloads, then AntiSpyware. This product may be used free for 6 months.

brobiche
Dec 23, 2005, 04:09 PM
Anyone know what this is, it won't stop, and the link is very long and has infinite similar pop-ups starting the same?

nymphetamine
Dec 23, 2005, 04:21 PM
I'm not sure what that is, but do you have a pop up blocker installed? If you have a pop up blocker installed it will stop this problem and it will only allow the popups that you tell it to. I have one that works just great.

brobiche
Dec 26, 2005, 07:51 AM
Yes, I have a pop-up blocker. I am unable to enter the site directly to block it because the name is so long and changes by a few characters each time. I recently loaded the Microsoft spyware, but it did not alleviate the problem. Any other ideas?

Curlyben
Dec 26, 2005, 08:32 AM
As fred has already posted, try all these.

SESaskDFC
Dec 26, 2005, 02:11 PM
Howdy brobiche:

I normally do NOT suggest to someone they visit a different Help Forum when they have a problem like a few others that I know do!!

However, in your case I feel I have to make an exception..

Malware Removal has become an art unto its own and anyone naive enough to think that Ad-Aware and Spybot will cure all that ails them, or even some of those other programs like SpywareBlaster will do the trick are simply hiding their head in the sand!

Most Computer Help Sites now offer a separate Malware Forum staffed by trained experts in malware removal.. Unfortunately, this site hasn't progressed to that extreme as of yet (may be something for the Admins to look at in the future)!

Because of this "lack" of malware expertise, I strongly suggest that you go to either http://www.geekstogo.com/forum/Malware-Removal-HiJackThis-Logs-Go-Here-f37.html or http://www.cybertechhelp.com/forums/forumdisplay.php?f=25

And post your problem in one of those.. The malware gurus there will be more than happy to take a look at your problem and will have you up and running in no time!

Murray

tadd
Jan 10, 2006, 12:28 PM
I've tried every adware removal I could find and none will even list where they are located in my registry. I've seen some hijack this logs before but have had no response. Can't even find these in the encyclopedias yet