

Unwanted Adware.



Guys, some help please......

I keep getting ADWARE.DELFIN come up after an AOL Spyware Protection check. It allows me to block it, but when I do the same test a few hours later, it comes back up again.

If I carry out a Norton Internet Security or Ad-Aware SE Personal check, the ADWARE.DELFIN does not show up :angry: .

How can I get rid of ADWARE.DELFIN once and for all? I take it it's potentially harmful to my personal security on my PC.....any advice would be a great help,

Bob.


Make sure your virus and adware programs are up to date to start off.

I disabled XP auto-restore and restarted in safe mode, then ran the ad-aware and anti-virus programs. Follow the instructions when it finds them; if it doesn't, then follow the manual removal instructions in the link in the previous post.

As long as you follow the instructions properly you should be able to remove the adware, most removals require removal of registry keys which can be daunting. Do a search on the net for your particular adware and there's bound to be some forums which can help, that's what I did. Them adware and virus writers need shooting, no trial just blammm!. :ph34r: Good luck Bob.


Hi

According to >> THIS LINK << you should be able to get rid of most of it via Add/Remove Programs!

Sounds too easy to me ?

Hmmmm...did take a look at this before posting up, but it scares the hell out of me :unsure: .

Two things to install.

1. Spybot S&D

http://www.safer-networking.org/en/download/

Download the latest version of this, get it to update itself using the update button.

Then click the search button, use this to search for everything: malware, spyware, keyloggers etc. and get rid of it. Then use the immunise button to protect against spyware/malware etc. in the future.

This should be fairly straightforward to use. If you need help ask, once you click the immunise button it should protect you against most further attacks. It's important to save the backup it creates when you press immunise, as it might disable something you actually want.

Once you have done this you are ready for the final.

Run hijack-this http://www.tomcoyote.org/hjt/

Follow these instructions on the web page. What hijack-this does is scan your registry. Then it displays the entries that are related to your browser etc.

You can identify from this what is good (i.e. your Google bar) and what is bad (i.e. ibis search bar).

Then using this program you can delete these entries, to stop the spyware from appearing again.

Some spyware is tricky to get rid of, which is why you need this multilevel approach.

Think of it as agent orange for spyware! When you have to kill every last mother :tsktsk: in the room, accept no substitutes.

If you need help understanding the hijack-this printout, take a copy of it and post it here.

I'll tell you which lines to delete.

Then once you're up and running - make sure you have zonealarm firewall or similar, and have the latest anti-virus software running at all times!

Be safe!

:mat:

Remember, if you need help with the registry log, print it out here and I'll dissect it for you.

J



Cheers J, it still scares the hell out of me......I'll have a go over the weekend :unsure: .

Honestly it's easy. Spybot is easy to use. Hijack this just displays your registry settings associated with browsing.

Just click Scan, then Save Log.

It's a 20 minute job max (you'll need to re-boot once you've run Hijack-this, and then run it again, to make sure those registry settings have really gone).

J

Here's my log. Looks ok to me!

Logfile of HijackThis v1.97.7

Scan saved at 20:45:43, on 06/05/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\Network Associates\VirusScan\Mcshield.exe

C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Launch Manager\QtDTAcer.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe

C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\Program Files\AOL 9.0\aoltray.exe

C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe

C:\PROGRA~1\INCRED~1\bin\IMApp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\AOL 9.0\waol.exe

C:\Program Files\Valve\Steam\Steam.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AOL 9.0\shellmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE

C:\Documents and Settings\Justin\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://global.acer.com/

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtDTAcer.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O4 - HKCU\..\Run: [incrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c

O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

O4 - HKCU\..\Run: [steam] C:\Program Files\Valve\Steam\\Steam.exe -silent

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html

O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Create Mobile Favorite (HKLM)

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)

O9 - Extra button: AOL Toolbar (HKLM)

O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)

O9 - Extra button: @btrez.dll,-4015 (HKLM)

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll

O15 - Trusted Zone: http://V5.Windowsupdate.microsoft.com and https

O15 - Trusted Zone: http://Download.Windowsupdate.com

O15 - Trusted Zone: www.yell.co.uk

O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwob.ops.placeware.com/etc/place/...quicksilver.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...ol_v1-0-3-9.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/19389e46b324f1...ip/RdxIE601.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab

O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab

O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab

O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{CD42ADD2-2AB2-4945-B56D-102927231056}: NameServer = 205.188.146.145

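As an added example (not part of the original posts and not HijackThis's own code), the sketch below parses the entry lines of the log format posted above and returns prompts for a manual look. The three heuristics and the section descriptions are this example's assumptions, and a hint is not a verdict that an entry is bad; the sample lines are copied from the log above.

```python
import re

# Section codes seen in the log above; the descriptions are this example's wording.
SECTIONS = {"R0": "IE start/search page", "R1": "IE start/search page",
            "R3": "URL search hook", "O2": "Browser Helper Object",
            "O3": "IE toolbar", "O4": "autostart entry",
            "O8": "IE context menu item", "O9": "IE button / Tools menu item",
            "O12": "IE plugin", "O15": "Trusted Zone site",
            "O16": "downloaded ActiveX control", "O17": "DNS / domain setting"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_CMD_RE = re.compile(r"\\Run: \[[^\]]*\] (.+)$")
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?=[/:]|$)")

# Lines copied from the log posted above (header and process lines included).
SAMPLE = r'''Logfile of HijackThis v1.97.7
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CD42ADD2-2AB2-4945-B56D-102927231056}: NameServer = 205.188.146.145
'''

def parse_log(text):
    """Return (code, detail) pairs; header and running-process lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), m.group(2)) for m in matches if m]

def review_hints(entries):
    """Return (code, reason, detail) prompts for a manual look, in log order."""
    hints = []
    for code, detail in entries:
        run = RUN_CMD_RE.search(detail)
        if code == "O4" and run and not FULL_PATH_RE.match(run.group(1)):
            hints.append((code, "autostart command has no full path", detail))
        elif code == "O16" and IP_URL_RE.search(detail):
            hints.append((code, "control fetched from a bare IP address", detail))
        elif code == "O17" and "NameServer" in detail:
            hints.append((code, "DNS server set in registry; confirm it is your ISP's", detail))
    return hints

if __name__ == "__main__":
    for code, reason, detail in review_hints(parse_log(SAMPLE)):
        print(f"{code} ({SECTIONS.get(code, 'unknown section')}): {reason}\n    {detail}")
```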

Look how much :tsktsk: I have installed lol.

The best way to also protect against malware etc. is to use Firefox web browser.

Using Internet Explorer is like displaying a big flashing neon sign saying please install :tsktsk: on my computer.


I had a similar hijack problem over Christmas and the hijack-this log and the guys at http://www.wilderssecurity.com/forumdisplay.php?f=26 did me proud.

As a non-computer person it all scared me witless but it really was simple to fix once I got into it all.

Ad-Aware / Spybot / AVG are now all installed and used regularly and all has been OK since :)
