Solved

Cannot get rid of "websearch" adware

Posted on 2004-10-28
Last Modified: 2013-11-16
Hello.  Got a good one for ya.

I recently began having trouble with adware - pop ups even when not on line - so I ran Norton and it found a ton of viruses (120) and adware but it couldn't delete most of the adware.  I already had Spybot on my computer, Windows XP Pro with its firewall and Norton Internet Security installed and updated so I'm not sure where this stuff came from.  In addition, I bought Spyware Doctor and it cleaned up some of the adware.  Norton still finds 62 +/- problems but it can only get rid of one or two, and Spyware Doctor finds two that it cannot remove.  I rebooted in Safe mode and ran Norton, Spybot and Spyware Doctor again but they still cannot delete most of the problems so I kept the list of the adware files in Norton, updated my permissions, and manually deleted most of the adware.  They were in the C drive under the 'System Volume Information' folder.  Rebooted in normal mode, ran another Norton sweep and the WebSearch adware (plus others) are found again but this time under the C drive in a folder I can't get to C:\RESTORE...  It's like it duplicated the files I deleted (yes I emptied the recycle bin), renamed them and put them in another folder I can't get to.  

Also, the two files Spyware Doctor cannot delete are under 'HKLM\SYSTEM\ControlSet001\Enum\Root\Legacy_WintoolSSVC' and 'HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_WintoolSSVC.'

I have also been denied access to an Excel sheet that was encrypted by me.  

I have no idea how to get rid of all this junk.  HELP???????????

Question by:bjansson4
    19 Comments
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    Hello bjansson4 =)

    First use msconfig to untick unwanted programs as described here >> http://netsquirrel.com/msconfig/
    Then Download these tools and install them:
    ========================================================
    AdAware ==> http://www.spychecker.com/program/adaware.html
    SpyBot  ==> http://www.spychecker.com/program/spybot.html
    CoolWebShredder ==> http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
    Stinger ==> http://vil.nai.com/vil/stinger
    ========================================================

    Turn off ur System Restore before cleaning the system if it's WinME\XP >> http://www.pchell.com/virus/systemrestore.shtml (Recommended in ur case)
    Then Run all of them one by one in safemode and delete everything they detect.
    Then delete the temporary internet files and history of IE
    and run Disk Cleanup on ur hard drive to delete those temp and junk files.
    Restart back in Normal Mode to check for the problems now ??
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    After coming back from safemode to normal mode, don't forget to turn ur System Restore back on, and create a new System Restore point !!
     

    Author Comment

    by:bjansson4
    I've downloaded everything but the coolwebshredder - When I try to download that one it closes the browser.  There is a disclaimer at the bottom explaining this and a tool to remove whatever is closing the browser but it goes to 'page cannot be found.'

    Now what?
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    wait, I will find another link for both products !! :)
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    ok this is for CWShredder 2.0 >> http://www.intermute.com/spysubtract/cwshredder_download.html
    and if this one also closes, then here is the working link for CWShredder.SmartKiller >> http://www.majorgeeks.com/download4113.html
     

    Author Comment

    by:bjansson4
    Cool, thanks!  :)
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    my pleasure =)
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    bjansson, any progress today :)
     

    Author Comment

    by:bjansson4
    Well, it took a while to do all of that and about 2.5 hours to run Norton again.  Here's what happened: everything malicious is gone (bravo) except the websearch stuff.  Norton is completely clean now.  AdAware found 35 bugs and removed them.  Spybot got rid of some.  Nothing was found with Coolwebshredder or Stinger.

    I had already gotten into Add/Remove Programs and uninstalled Websearch before I did any of these.

    It's just these two files now under 'HKLM\SYSTEM\ControlSet001\Enum\Root\Legacy_WintoolSSVC' and 'HKLM\SYSTEM\CurrentControlSet\Enum\Root\Legacy_WintoolSSVC' that are so stubborn.  I'm just afraid they are going to open the door to more junk.

    What do you think?
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    ok so when u try to delete those registry folders manually from regedit, do u get an error, or do they come back again after deleting ??
    coz if u get an error, then u have to boot into safemode, login with Administrator (if it's XP), and then open regedit, right click the Legacy_WintoolSSVC folder and click Permissions, check that u have Full permission on this folder and nothing shud be Deny !!
    do the same for the other folder and check if u can delete them now or not ?? :)
    0
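
An added example, not part of the original thread: a PowerShell script that runs the permission check described in the comment above (no Deny entries, Full Control for Administrators) against the Legacy_WintoolSSVC key in every control set and deletes it only when asked. The `-Remove` switch and the variable names are this example's own, and it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example (not from the thread): audit, and optionally delete, a leftover
# LEGACY_ device entry under every control set. Run from an elevated prompt.
param(
    [string]$Name = 'Legacy_WintoolSSVC',  # key name reported in the thread
    [switch]$Remove                        # hypothetical switch of this script
)

$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$full      = [Security.AccessControl.RegistryRights]::FullControl

# CurrentControlSet is a link to one ControlSetNNN, so the same entry normally
# shows up at least twice; enumerate all sets instead of hard-coding 001.
$sets = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }

$report = foreach ($set in $sets) {
    $path = "HKLM:\SYSTEM\$($set.PSChildName)\Enum\Root\$Name"
    if (-not (Test-Path -Path $path)) { continue }

    $acl   = Get-Acl -Path $path
    # Ask for SIDs rather than account names so the check works on localized systems.
    $rules = $acl.GetAccessRules($true, $true, [Security.Principal.SecurityIdentifier])

    [pscustomobject]@{
        Path       = $path
        Owner      = $acl.Owner
        DenyRules  = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
        AdminsFull = [bool]($rules | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $adminsSid -and
            ($_.RegistryRights -band $full) -eq $full })
    }
}

$report | Format-Table -AutoSize

if ($Remove) {
    foreach ($entry in $report) {
        if (-not (Test-Path -Path $entry.Path)) { continue }  # already gone via the link
        if ($entry.DenyRules -gt 0 -or -not $entry.AdminsFull) {
            Write-Warning "Fix permissions first (no Deny, Administrators Full Control): $($entry.Path)"
            continue
        }
        # -Recurse removes the whole key, as in the thread; -Confirm prompts per key.
        Remove-Item -Path $entry.Path -Recurse -Confirm
    }
}
```

Run it without arguments first to see which control sets still hold the key and what their ACLs allow.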
     

    Author Comment

    by:bjansson4
    Ah!  I didn't know how to do that.  OK, When I go to those directories I don't see anything that resembles 'websearch.'  How do I know what to delete?  Spyware Doctor cannot delete them and this is the total path.  Both directories look like they have the same content.
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    u have to delete the "Legacy_WintoolSSVC" folder from there :)
     

    Author Comment

    by:bjansson4
    The whole fooooollllllder!  I get it.  Let me do that real quick.
     
    LVL 65

    Accepted Solution

    by:
    :)
     

    Author Comment

    by:bjansson4
    That worked perfectly!  You're a GENIUS!!!!!!!!!!!
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    Excellent..... ^_^
     

    Author Comment

    by:bjansson4
    I really appreciate your help.  Thank you!
     
    LVL 65

    Expert Comment

    by:SheharyaarSaahil
    my pleasure bjansson.... it's always a good feeling to see a happy customer here =)
    Cheers ^_^
     

    Author Comment

    by:bjansson4
    I've got another question out about that encrypted file I can't open now - because of all this I think.  Can you help with that one too?