Adssite


16 replies to this topic

#1 kjk20

kjk20

  • Members
  • 53 posts
  • OFFLINE
  •  
  • Location:USA
  • Local time:11:41 PM

Posted 17 February 2008 - 10:11 AM

I get popups from adssite. I read a different post and tried ATF-cleaner and Superantispyware in safe mode. I still get the same popups when going to my usual web sites. Does anyone know how to get rid of this? I use Windows Vista and Firefox for a browser. Thanks, Kurt

Edited by kjk20, 17 February 2008 - 10:14 AM.




#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,769 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:41 PM

Posted 17 February 2008 - 05:14 PM

Please uninstall the following program(s) from Add/Remove Programs. Go to Start > Settings > Control Panel and double-click on Add/Remove Programs. From within Add/Remove Programs highlight "Browser Optimizer Adssite" (if listed) and select Remove. Do the same for any other Optimizers you find which you did not install.

Search for and delete the following file(s)/folder(s) in bold if still present.

Files:
C:\WINDOWS\System32\adssite-remove.exe <- this file
C:\WINDOWS\System32\adssite_sidebar_uninstall.exe <- this file
C:\WINDOWS\System32\rightonadz-uninst.exe <- this file

You can use Windows Explorer to navigate to or use Windows Search feature > More advanced options to locate them. To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
-- If you're using Vista, see Windows Vista - Using the Search Function for how to perform an advanced search.

When found, right-click the file, choose delete and empty your recycle bin. If you get an error when deleting a file, right-click on it and check to see if the read only attribute is checked. If it is, uncheck it and try again. If that does not work, then open Task Manager, look for and kill the process if running, then delete the file. If you still have problems, then delete the file(s) in "Safe Mode".
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 kjk20


Posted 21 February 2008 - 10:34 PM

Hi, I went to control panel and then uninstall programs and there is no Browser Optimizer listed. Do I need to find this before deleting those other files? Thanks, Kurt

#4 quietman7


Posted 21 February 2008 - 10:40 PM

If it's not listed in Add/Remove Programs then just continue with the next steps.

#5 kjk20


Posted 23 February 2008 - 11:03 AM

Hi, I tried searching for those files via Vista advanced search, windows explorer, and also checked the task manager and found nothing. I also have a problem with Firefox crashing sometimes when I try to access your web site and other sites. I had to use IE just now. One other thing I get is a warning from my firewall that a program called aupd.exe is trying to start which I always cancel. I use Computer Associates Security center that comes free with my Time Warner Roadrunner internet provider. Thanks, Kurt

#6 quietman7


Posted 23 February 2008 - 11:53 AM

Where does your firewall say aupd.exe is located (full file path) on your system?

#7 kjk20


Posted 23 February 2008 - 03:50 PM

I did a search on my computer for aupd and came up with 2 paths. One is C:\users\dad&mom\AppData\Local\Temp. The other is C:\users\dad&mom\AppData\Local. This is a different problem than my original one with adssite. Adssite popup is a lot more frequent. Thanks, Kurt

#8 quietman7


Posted 23 February 2008 - 03:55 PM

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download and install SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.)
  • Under the "Configuration and Preferences", click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


#9 kjk20


Posted 24 February 2008 - 11:19 PM

Here are the scan results.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/24/2008 at 10:10 PM

Application Version : 3.9.1008

Core Rules Database Version : 3408
Trace Rules Database Version: 1400

Scan type : Complete Scan
Total Scan Time : 00:38:25

Memory items scanned : 217
Memory threats detected : 0
Registry items scanned : 6599
Registry threats detected : 32
File items scanned : 66760
File threats detected : 48

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{9C8A568E-4201-478a-8536-526CF371D2E2}
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\InprocServer32
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\InprocServer32#ThreadingModel
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\ProgID
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\Programmable
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\TypeLib
HKCR\CLSID\{9C8A568E-4201-478A-8536-526CF371D2E2}\VersionIndependentProgID
C:\WINDOWS\SYSTEM32\NSCAB42.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9C8A568E-4201-478a-8536-526CF371D2E2}

Keylogger.Actual Spy
HKLM\Software\ACSPMonitor
HKLM\Software\ACSPMonitor#path_app2
HKLM\Software\ACSPMonitor\Actual Spy_is1
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: Setup Version
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: App Path
HKLM\Software\ACSPMonitor\Actual Spy_is1#InstallLocation
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: Icon Group
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: No Icons
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: User
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: Selected Tasks
HKLM\Software\ACSPMonitor\Actual Spy_is1#Inno Setup: Deselected Tasks
HKLM\Software\ACSPMonitor\Actual Spy_is1#DisplayName
HKLM\Software\ACSPMonitor\Actual Spy_is1#DisplayIcon
HKLM\Software\ACSPMonitor\Actual Spy_is1#UninstallString
HKLM\Software\ACSPMonitor\Actual Spy_is1#QuietUninstallString
HKLM\Software\ACSPMonitor\Actual Spy_is1#URLInfoAbout
HKLM\Software\ACSPMonitor\Actual Spy_is1#HelpLink
HKLM\Software\ACSPMonitor\Actual Spy_is1#URLUpdateInfo
HKLM\Software\ACSPMonitor\Actual Spy_is1#NoModify
HKLM\Software\ACSPMonitor\Actual Spy_is1#NoRepair
HKLM\Software\ACSPMonitor\Actual Spy_is1#InstallDate
HKLM\Software\ACSPMonitor\Test
C:\Program Files\ACSPMonitor\ActualSpy.chm
C:\Program Files\ACSPMonitor\ASMonitor.exe
C:\Program Files\ACSPMonitor\asmonitor.exe.manifest
C:\Program Files\ACSPMonitor\f.bat
C:\Program Files\ACSPMonitor\FILE_ID.DIZ
C:\Program Files\ACSPMonitor\hk.dll
C:\Program Files\ACSPMonitor\hk2.dll
C:\Program Files\ACSPMonitor\hprog.dll
C:\Program Files\ACSPMonitor\libeay32.dll
C:\Program Files\ACSPMonitor\license.txt
C:\Program Files\ACSPMonitor\logs\app.dat
C:\Program Files\ACSPMonitor\logs\clipboard.dat
C:\Program Files\ACSPMonitor\logs\computer.dat
C:\Program Files\ACSPMonitor\logs\filedir.dat
C:\Program Files\ACSPMonitor\logs\inetcon.dat
C:\Program Files\ACSPMonitor\logs\key.dat
C:\Program Files\ACSPMonitor\logs\prnt.dat
C:\Program Files\ACSPMonitor\logs\screenshots.dat
C:\Program Files\ACSPMonitor\logs\url.dat
C:\Program Files\ACSPMonitor\logs
C:\Program Files\ACSPMonitor\readme.txt
C:\Program Files\ACSPMonitor\rights.bat
C:\Program Files\ACSPMonitor\settings.exe
C:\Program Files\ACSPMonitor\ssleay32.dll
C:\Program Files\ACSPMonitor\unins000.dat
C:\Program Files\ACSPMonitor\unins000.exe
C:\Program Files\ACSPMonitor
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActualSpy\ActualSpy.exe
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ActualSpy

Trojan.Downloader-AUPD
C:\USERS\DANNY\APPDATA\LOCAL\TEMP\AUPD.EXE
C:\USERS\DANNY\APPDATA\LOCAL\TEMP\LOW\AUPD.EXE

Adware.ZenoSearch-NVON
C:\USERS\DANNY\APPDATA\LOCAL\TEMP\TIP2D002.EXE

Adware.Tracking Cookie
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\danny@advertising[2].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\danny@ar.atwola[2].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\danny@atdmt[2].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\danny@atwola[1].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\danny@cdn.atwola[1].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\Low\danny@advertising[1].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\Low\danny@atdmt[2].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\Low\danny@bleeparoo[1].txt
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\Low\danny@www.bleeparoo[2].txt
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Cookies\emily@advertising[1].txt
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Cookies\emily@ar.atwola[2].txt
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Cookies\emily@atdmt[2].txt
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Cookies\emily@atwola[1].txt
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Cookies\emily@cdn.atwola[2].txt
C:\Users\Emily\AppData\Roaming\Microsoft\Windows\Cookies\Low\emily@hornymatches[2].txt
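
Added example, not part of the original posts and not SUPERAntiSpyware's own code: a short Python triage of a scan log in the layout pasted above. It groups entries by detection name, separates registry items from file items, and lists which Windows profiles hold the flagged files. The severity mapping by family prefix and all function names are assumptions of this example; the sample is an excerpt of the log above.

```python
import re

# Excerpt of the scan log posted above, same layout:
# header lines, then blank-line-separated sections (detection name, then items).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
Generated 02/24/2008 at 10:10 PM

Scan type : Complete Scan
Registry threats detected : 32
File threats detected : 48

Keylogger.Actual Spy
HKLM\Software\ACSPMonitor
HKLM\Software\ACSPMonitor\Actual Spy_is1#InstallDate
C:\Program Files\ACSPMonitor\hk.dll
C:\Program Files\ACSPMonitor\logs\key.dat

Trojan.Downloader-AUPD
C:\USERS\DANNY\APPDATA\LOCAL\TEMP\AUPD.EXE
C:\USERS\DANNY\APPDATA\LOCAL\TEMP\LOW\AUPD.EXE

Adware.Tracking Cookie
C:\Users\Danny\AppData\Roaming\Microsoft\Windows\Cookies\danny@atdmt[2].txt
"""

# An item is a registry key (HKLM\, HKCR\, ...) or a drive-letter path.
ITEM_RE = re.compile(r"^(?:HK[A-Z_]+\\|[A-Za-z]:\\)")
# Windows profile name embedded in a per-user path, any letter case.
PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)

# Assumed mapping for this example: family prefix of the detection name -> urgency.
SEVERITY = {"keylogger": "high", "trojan": "high", "adware": "low"}
RANK = {"high": 0, "review": 1, "low": 2}


def parse_scan_log(text):
    """Return {detection name: {"registry": [...], "files": [...]}} in log order."""
    lines = [ln.strip() for ln in text.splitlines()]
    detections, current = {}, None
    for i, line in enumerate(lines):
        if ITEM_RE.match(line):
            if current is not None:
                kind = "registry" if line.upper().startswith("HK") else "files"
                detections[current][kind].append(line)
            continue
        # A non-item line is a detection name only if an item follows directly;
        # header lines and blank lines close the current section.
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line and ITEM_RE.match(nxt):
            current = line
            detections.setdefault(current, {"registry": [], "files": []})
        else:
            current = None
    return detections


def triage(detections):
    """Rows of (severity, name, registry count, file count, profiles), worst first."""
    rows = []
    for name, items in detections.items():
        family = name.split(".", 1)[0].lower()
        profiles = sorted({m.group(1).lower() for p in items["files"]
                           if (m := PROFILE_RE.match(p))})
        rows.append((SEVERITY.get(family, "review"), name,
                     len(items["registry"]), len(items["files"]), profiles))
    return sorted(rows, key=lambda r: RANK[r[0]])


if __name__ == "__main__":
    for row in triage(parse_scan_log(SAMPLE_LOG)):
        print(row)
```

Detections whose family prefix is not in the mapping, such as "Unclassified.Unknown Origin" in the full log, come out as "review" rather than being dropped.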

#10 quietman7


Posted 25 February 2008 - 08:27 AM

Did you install the keylogger? Keylogging programs can be legitimate but their related files are often detected by anti-virus or anti-malware scans as a "RiskTool", "Hacking tool", "Potentially unwanted tool" or even a "Trojan". These types of programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed it. Potentially unwanted does not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus and anti-malware utilities cannot distinguish between "good" and "malicious" use of such programs.

If not, you should consider the computer compromised. If it was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums. They should be changed by using a different computer and not the one where the keylogger was installed.

Although the keylogger has been identified and removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the keylogger has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS. Please read "When should I re-format?".

#11 kjk20


Posted 25 February 2008 - 11:06 PM

I don't believe I installed any keylogger. What would I have installed that may have a keylogger? I would like to reformat but don't know if I have an installation disc. I bought this computer at Best Buy with preloaded software. I also have never installed Vista before. I have formatted before on other computers with XP but not this one. Did you see any reasons for the Adssite popups? I also still have a problem with Firefox crashing every time I try to go to bleepingcomputers.com. I have to use IE every time now.
Thanks, Kurt

#12 kjk20


Posted 25 February 2008 - 11:15 PM

I researched the keylogger program and see what you mean. Is there any way to see when it was installed on my computer and where the log files are kept or sent to? Thanks again.

#13 quietman7


Posted 26 February 2008 - 10:00 AM

I'm getting hits on this keylogging program at various crack and pirate sites. Have you used these types of sites?

Open Windows Explorer and navigate to Program Files. Look for a folder named Actual Spy or ACSPMonitor. If it's there you should see a creation date. There may also be a sub folder with logs but SAS could have removed them as well as other files it detected.

I don't use Vista so if you need help with reformatting your system you may want to start a new topic in that forum for assistance with doing that.

#14 kjk20


Posted 26 February 2008 - 10:35 PM

I'm not sure what crack sites are. I do use Limewire at times and I have kids that use the usual Myspace, Facebook, AIM, etc. I am assuming that Limewire is a pirate site but am not sure what a crack site is. I looked in program files and did an advanced search and found nothing on the Actual Spy or ACSPMonitor. I would love to find out if someone here installed it or if it came from a pirate site. If I knew that it would help to determine if I need to format which is something I would not like to do. It is always a pain in the rear to start over and lose everything. Thanks, Kurt

#15 quietman7


Posted 27 February 2008 - 09:02 AM

"I'm not sure what crack sites are"

Crack, keygen and pirate sites are places some folks go to look for keys and workarounds to illegally use products rather than buy them. In many cases, these sites are infested with a smörgåsbord of malware and an increasing source of system infection. They can lead to other sites containing more malware which you can inadvertently download without knowledge or consent. In some instances an infection may cause so much damage to your system that it cannot be successfully cleaned or repaired. In those cases, recovery is not possible and the only option is to reformat/reinstall the OS.

LimeWire is a popular P2P file sharing program with built in BitTorrent support. Using any P2P (peer-to-peer) file sharing program is a security risk which can make your system susceptible to malware infections, remote attacks, and exposure of personal information. Even the safest P2P file sharing programs that do not contain bundled spyware, still expose you to risks because of the very nature of the P2P file sharing process. By default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer.

The reason for this is that file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft. Even if you change those risky default settings to a safer configuration, the act of downloading files from an anonymous source greatly increases your exposure to infection. This is because the files you are downloading may actually contain a disguised threat. Many malicious worms and trojans, such as the Storm Worm, target and spread across P2P file sharing networks because of their known vulnerabilities. In some instances the infection may cause so much damage to your system that it cannot be successfully cleaned and recovery is not possible. In those cases, the only option is to reformat/reinstall the OS. Read P2P Software User Advisories and P2P file sharing: Anticipate the risks....



