Sign in with
Sign up | Sign in
Your question

spyware removal problem

Last response: in Windows XP
Share
January 27, 2005 8:04:43 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I've been fighting a war with the SAHBundle/SAHAgent trying to remove it
from my system. My Ad-Aware SE Plus program identifies and removes it over
and over and over
.... and it still reappears. It keeps adding the startup command in msconfig
and I want
to remove it completely. I have tried every discussed method I could find to
remove the item from my msconfig startup but NOTHING has worked and it keeps
duplicating entrys after I manually uncheck them from msconfig. I am also
finding the SAME SITUATION with the Spy
Sweeper program which I uninstalled but the startup command keeps
reappearing in my msconfig startup file. I have gone through all the various
removal options and
deleted the key in my registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) but it
continues to reappear as soon as I close the view and reopen it. I have
already removed
the bundle.exe from the ...documents and settings\%user name%\local
settings\temp and it now only shows up on my msconfig startup list. I
uncheck the box (and Spy Sweeper which has been uninstalled from my system)
from my msconfig startup and they reappear again as duplicates with the box
checked. I have tried all the google search sites and yahoo. I have McAfee
Internet Suite 6 running and updated but it doesn't help. Is there a way to
delete and/or remove these entries from my msconfig so they don't show up
and the SAHAgent stops relacing itself in my registry (key shown above)??
Anonymous
January 27, 2005 9:12:07 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I would suggest you perform the following:

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?langid=i...

3 Simple Steps to Help Ensure the Protection of Your PC
http://www.microsoft.com/athome/security/protect/defaul...

Microsoft Windows AntiSpyware
http://www.microsoft.com/downloads/details.aspx?FamilyI...

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/defaul...

----------------------------------------------------------------------------

"Don" wrote:

| I've been fighting a war with the SAHBundle/SAHAgent trying to remove it
| from my system. My Ad-Aware SE Plus program identifies and removes it over
| and over and over
| ... and it still reappears. It keeps adding the startup command in msconfig
| and I want
| to remove it completely. I have tried every discussed method I could find to
| remove the item from my msconfig startup but NOTHING has worked and it keeps
| duplicating entrys after I manually uncheck them from msconfig. I am also
| finding the SAME SITUATION with the Spy
| Sweeper program which I uninstalled but the startup command keeps
| reappearing in my msconfig startup file. I have gone through all the various
| removal options and
| deleted the key in my registry
| (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) but it
| continues to reappear as soon as I close the view and reopen it. I have
| already removed
| the bundle.exe from the ...documents and settings\%user name%\local
| settings\temp and it now only shows up on my msconfig startup list. I
| uncheck the box (and Spy Sweeper which has been uninstalled from my system)
| from my msconfig startup and they reappear again as duplicates with the box
| checked. I have tried all the google search sites and yahoo. I have McAfee
| Internet Suite 6 running and updated but it doesn't help. Is there a way to
| delete and/or remove these entries from my msconfig so they don't show up
| and the SAHAgent stops relacing itself in my registry (key shown above)??
Anonymous
January 27, 2005 9:52:56 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Don wrote:
> I've been fighting a war with the SAHBundle/SAHAgent trying to remove it
> from my system. My Ad-Aware SE Plus program identifies and removes it over
> and over and over
> ... and it still reappears. It keeps adding the startup command in msconfig
> and I want
> to remove it completely. I have tried every discussed method I could find to
> remove the item from my msconfig startup but NOTHING has worked and it keeps
> duplicating entrys after I manually uncheck them from msconfig. I am also
> finding the SAME SITUATION with the Spy
> Sweeper program which I uninstalled but the startup command keeps
> reappearing in my msconfig startup file. I have gone through all the various
> removal options and
> deleted the key in my registry
> (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) but it
> continues to reappear as soon as I close the view and reopen it. I have
> already removed
> the bundle.exe from the ...documents and settings\%user name%\local
> settings\temp and it now only shows up on my msconfig startup list. I
> uncheck the box (and Spy Sweeper which has been uninstalled from my system)
> from my msconfig startup and they reappear again as duplicates with the box
> checked. I have tried all the google search sites and yahoo. I have McAfee
> Internet Suite 6 running and updated but it doesn't help. Is there a way to
> delete and/or remove these entries from my msconfig so they don't show up
> and the SAHAgent stops relacing itself in my registry (key shown above)??
>
>


Symantec Security Response - Adware.SAHAgent
http://sarc.com/avcenter/venc/data/adware.sahagent.html

--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
Related resources
January 27, 2005 10:36:24 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I'm still fighting and it's winning! I have tried all of your options and
the new beta spyware program from microsoft finds and SUPPOSEDLY removes the
detected spyware ... until you run the spyware tool again and then it's
found again and removed and found and removed etc etc ... The msconfig still
shows to start the "bundle" and "Spy Sweeper" programs. The Spy Sweeper is
not a problem because it does not show up as spyware but it is a question as
to why it also continues to reappear in the startup of msconfig?? So far no
one has been able to come up with the answer to this. It's maddening and
frustrating to say the least. I keep trying everything I can and it won't go
away. HELP !!! PLEASE!!!

"Bruce Chambers" <bruce_a_chambers@h0tmail.com> wrote in message
news:%23y3XXwNBFHA.3472@TK2MSFTNGP14.phx.gbl...
> Don wrote:
>> I've been fighting a war with the SAHBundle/SAHAgent trying to remove it
>> from my system. My Ad-Aware SE Plus program identifies and removes it
>> over and over and over
>> ... and it still reappears. It keeps adding the startup command in
>> msconfig and I want
>> to remove it completely. I have tried every discussed method I could find
>> to remove the item from my msconfig startup but NOTHING has worked and it
>> keeps duplicating entrys after I manually uncheck them from msconfig. I
>> am also finding the SAME SITUATION with the Spy
>> Sweeper program which I uninstalled but the startup command keeps
>> reappearing in my msconfig startup file. I have gone through all the
>> various removal options and
>> deleted the key in my registry
>> (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) but it
>> continues to reappear as soon as I close the view and reopen it. I have
>> already removed
>> the bundle.exe from the ...documents and settings\%user name%\local
>> settings\temp and it now only shows up on my msconfig startup list. I
>> uncheck the box (and Spy Sweeper which has been uninstalled from my
>> system) from my msconfig startup and they reappear again as duplicates
>> with the box checked. I have tried all the google search sites and yahoo.
>> I have McAfee Internet Suite 6 running and updated but it doesn't help.
>> Is there a way to delete and/or remove these entries from my msconfig so
>> they don't show up and the SAHAgent stops relacing itself in my registry
>> (key shown above)??
>
>
> Symantec Security Response - Adware.SAHAgent
> http://sarc.com/avcenter/venc/data/adware.sahagent.html
>
> --
>
> Bruce Chambers
>
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on having
> both at once. - RAH
Anonymous
January 27, 2005 11:47:03 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Clean Install Windows XP
http://www.michaelstevenstech.com/cleanxpinstall.html

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/defaul...

----------------------------------------------------------------------------

"Don" wrote:

| I'm still fighting and it's winning! I have tried all of your options and
| the new beta spyware program from microsoft finds and SUPPOSEDLY removes the
| detected spyware ... until you run the spyware tool again and then it's
| found again and removed and found and removed etc etc ... The msconfig still
| shows to start the "bundle" and "Spy Sweeper" programs. The Spy Sweeper is
| not a problem because it does not show up as spyware but it is a question as
| to why it also continues to reappear in the startup of msconfig?? So far no
| one has been able to come up with the answer to this. It's maddening and
| frustrating to say the least. I keep trying everything I can and it won't go
| away. HELP !!! PLEASE!!!
Anonymous
January 28, 2005 12:06:04 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

After performing a "Clean Install", consider purchasing and
installing a first-rate Internet Security program to help protect
your system from garbage internet web sites:

Norton Internet Security 2005
http://www.symantec.com/sabu/nis/nis_pe/features.html

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
January 28, 2005 12:06:05 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

In other words - you have no idea of how to fix the problem because it too
complicated for you and it's easier to tell me to start over. No thanks -
I'll try and find the right person who can correct the problem instead of
telling me to start over.
"Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
> After performing a "Clean Install", consider purchasing and
> installing a first-rate Internet Security program to help protect
> your system from garbage internet web sites:
>
> Norton Internet Security 2005
> http://www.symantec.com/sabu/nis/nis_pe/features.html
>
> --
> Carey Frisch
> Microsoft MVP
> Windows XP - Shell/User
>
>
Anonymous
January 28, 2005 12:06:06 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I have seen systems so infected that starting over was the only viable
option left. Carey could be right.

--
Colin Barnhorst [MVP Windows - Virtual Machine]
"Don" <harley4don@npgcable.com> wrote in message
news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
> In other words - you have no idea of how to fix the problem because it too
> complicated for you and it's easier to tell me to start over. No thanks -
> I'll try and find the right person who can correct the problem instead of
> telling me to start over.
> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
> news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
>> After performing a "Clean Install", consider purchasing and
>> installing a first-rate Internet Security program to help protect
>> your system from garbage internet web sites:
>>
>> Norton Internet Security 2005
>> http://www.symantec.com/sabu/nis/nis_pe/features.html
>>
>> --
>> Carey Frisch
>> Microsoft MVP
>> Windows XP - Shell/User
>>
>>
>
>
Anonymous
January 28, 2005 1:04:27 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

From your original description you seem to be removing it but it keeps
coming back. If that is correct, it begs the question, do you have a
firewall installed or, at the very least, do you have the XP firewall turned
on?

If you are running without a firewall, that might explain how it keeps
returning. If you do have a firewall and it's turned on, my guess is you
have downloaded some file that you and the spyware removal tools and
antivirus have not identified, something which is the source and keeps
infecting your system. Under such circumstances, Carey's response might be
the right course of action assuming you don't restore it from some backup
set. Carey was only trying to help, help which is free and contributed by
him and others who simply volunteer. There's no need to castigate him
because you don't like the response.

Whatever the case, msconfig is a symptom, not the cause.

You might try checking to see if something related appears to be listed in
the running processes. Hit ctrl-alt-delete, go to the processes tab, if you
see something that appears to be related, see if you can find it under
services. Go to Control Panel, open Administrative Tools, open Services,
check the list of running services for something similar to what you found
under processes. Double click the item, and select disable from the
dropdown list under startup type, then reboot and see if that resolves the
issue.

It really doesn't end there but trying to root this out by trying to find a
corresponding executable might be quite some work. Conversely, if you found
some registry key, there's no way of knowing if removing it might cause some
ripple effect on your system and that brings us back to clean install.

Not sure if you have done this, have you checked the startup folder on the
start menu to see if there are any shortcuts there that might be
responsible. I know that sounds rather simple but sometimes the simplest
and most obvious possibilities are overlooked.

--
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/

"Don" <harley4don@npgcable.com> wrote in message
news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
> In other words - you have no idea of how to fix the problem because it too
> complicated for you and it's easier to tell me to start over. No thanks -
> I'll try and find the right person who can correct the problem instead of
> telling me to start over.
> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
> news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
>> After performing a "Clean Install", consider purchasing and
>> installing a first-rate Internet Security program to help protect
>> your system from garbage internet web sites:
>>
>> Norton Internet Security 2005
>> http://www.symantec.com/sabu/nis/nis_pe/features.html
>>
>> --
>> Carey Frisch
>> Microsoft MVP
>> Windows XP - Shell/User
>>
>>
>
>
Anonymous
January 28, 2005 1:54:03 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

I don't know if you have already tried this, and since I did not see it in
your post I thought I would submit it:

1. Boot in to Windows XP normally and disable the System Restore feature:
a. Right click on the My Computer icon and choose 'Properties'.
b. Click on the System Restore tab and put a check mark in the "Turn off
System Restore" option.
c. Click on the 'Apply' button, then click the 'OK' button.

2. Reboot the computer, this time booting in to Safe Mode. Once you have
logged on to the computer using safe mode, follow the removal instructions
found at this web site:
http://sarc.com/avcenter/venc/data/adware.sahagent.html

3. Run your Ad-aware Plus Scan again to see if it detects the entries, and
also clean them off of the computer.
4. Reboot your computer once this is done and then re-enable the System
Restore feature.

I hope this helps!

"Don" <harley4don@npgcable.com> wrote in message
news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
> In other words - you have no idea of how to fix the problem because it too
> complicated for you and it's easier to tell me to start over. No thanks -
> I'll try and find the right person who can correct the problem instead of
> telling me to start over.
> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
> news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
>> After performing a "Clean Install", consider purchasing and
>> installing a first-rate Internet Security program to help protect
>> your system from garbage internet web sites:
>>
>> Norton Internet Security 2005
>> http://www.symantec.com/sabu/nis/nis_pe/features.html
>>
>> --
>> Carey Frisch
>> Microsoft MVP
>> Windows XP - Shell/User
>>
>>
>
>
Anonymous
January 28, 2005 9:23:26 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Hi,

Michael has the right idea - if it keeps coming back, then it's not being
properly removed. This is not all that unusual, but it sure is a pain in the
butt. Boot to Safe mode, scan the registry for mention of it. Delete strings
that refer to it. You may also want to download and run Doug Knox's startup
tracker to assist you (in the utilities section at www.dougknox.com). You
may also find that it is loading from different user hives, so may have to
logon as each user to properly locate and remove the starting points. This
is a fairly tedious task, but it's the only way.

The MS spyware tool is a BETA - so it isn't going to work right all the
time, do not rely on this to remove the stubborn ones.

--
Best of Luck,

Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org

"Don" <harley4don@npgcable.com> wrote in message
news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
> In other words - you have no idea of how to fix the problem because it too
> complicated for you and it's easier to tell me to start over. No thanks -
> I'll try and find the right person who can correct the problem instead of
> telling me to start over.
> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
> news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
>> After performing a "Clean Install", consider purchasing and
>> installing a first-rate Internet Security program to help protect
>> your system from garbage internet web sites:
>>
>> Norton Internet Security 2005
>> http://www.symantec.com/sabu/nis/nis_pe/features.html
>>
>> --
>> Carey Frisch
>> Microsoft MVP
>> Windows XP - Shell/User
>>
>>
>
>
Anonymous
January 28, 2005 6:41:17 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Rick

What about an entry in the Hosts file? Might that help?


~~~~~~

Regards.

Gerry

~~~~~~~~~~~~~~~~~~~~~~~~
FCA

Stourport, Worcs, England
Enquire, plan and execute.
~~~~~~~~~~~~~~~~~~~~~~~~



"Rick "Nutcase" Rogers" <rick@mvps.org> wrote in message
news:o hJZLvSBFHA.3924@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> Michael has the right idea - if it keeps coming back, then it's not
> being properly removed. This is not all that unusual, but it sure is a
> pain in the butt. Boot to Safe mode, scan the registry for mention of
> it. Delete strings that refer to it. You may also want to download and
> run Doug Knox's startup tracker to assist you (in the utilities
> section at www.dougknox.com). You may also find that it is loading
> from different user hives, so may have to logon as each user to
> properly locate and remove the starting points. This is a fairly
> tedious task, but it's the only way.
>
> The MS spyware tool is a BETA - so it isn't going to work right all
> the time, do not rely on this to remove the stubborn ones.
>
> --
> Best of Luck,
>
> Rick Rogers, aka "Nutcase" - Microsoft MVP
> http://mvp.support.microsoft.com/
> Associate Expert - WindowsXP Expert Zone
> www.microsoft.com/windowsxp/expertzone
> Windows help - www.rickrogers.org
>
> "Don" <harley4don@npgcable.com> wrote in message
> news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
>> In other words - you have no idea of how to fix the problem because
>> it too complicated for you and it's easier to tell me to start over.
>> No thanks - I'll try and find the right person who can correct the
>> problem instead of telling me to start over.
>> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
>> news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
>>> After performing a "Clean Install", consider purchasing and
>>> installing a first-rate Internet Security program to help protect
>>> your system from garbage internet web sites:
>>>
>>> Norton Internet Security 2005
>>> http://www.symantec.com/sabu/nis/nis_pe/features.html
>>>
>>> --
>>> Carey Frisch
>>> Microsoft MVP
>>> Windows XP - Shell/User
>>>
>>>
>>
>>
>
>
January 28, 2005 6:41:18 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Well. I'll just have say thanks for all your thoughts & efforts because
nothing has worked and I have investigated and tried them ALL (with the
exception of the clean install). I do have and have had McAfee Internet
Suite 6 with the firewall and antivirus continually up and running since I
did a "clean install" with auto updates for all programs (including Win XP
with SP2). I also have (but not yet installed) Norton anti virus 2004, which
I bought at the same time as the McAfee Internet Suite 6. I had previously
used Norton but had heard some stories of it missing some problems which
McAfee would find. So I tried McAfee this time (for the past 9 months) to
see if it was better. Regardless, the software has been in service and yet
the problem is still present and apparently unbeatable.
"Gerry Cornell" <gcjc@btinternet.com> wrote in message
news:uarIU$UBFHA.1992@TK2MSFTNGP10.phx.gbl...
> Rick
>
> What about an entry in the Hosts file? Might that help?
>
>
> ~~~~~~
>
> Regards.
>
> Gerry
>
> ~~~~~~~~~~~~~~~~~~~~~~~~
> FCA
>
> Stourport, Worcs, England
> Enquire, plan and execute.
> ~~~~~~~~~~~~~~~~~~~~~~~~
>
>
>
> "Rick "Nutcase" Rogers" <rick@mvps.org> wrote in message
> news:o hJZLvSBFHA.3924@TK2MSFTNGP10.phx.gbl...
>> Hi,
>>
>> Michael has the right idea - if it keeps coming back, then it's not being
>> properly removed. This is not all that unusual, but it sure is a pain in
>> the butt. Boot to Safe mode, scan the registry for mention of it. Delete
>> strings that refer to it. You may also want to download and run Doug
>> Knox's startup tracker to assist you (in the utilities section at
>> www.dougknox.com). You may also find that it is loading from different
>> user hives, so may have to logon as each user to properly locate and
>> remove the starting points. This is a fairly tedious task, but it's the
>> only way.
>>
>> The MS spyware tool is a BETA - so it isn't going to work right all the
>> time, do not rely on this to remove the stubborn ones.
>>
>> --
>> Best of Luck,
>>
>> Rick Rogers, aka "Nutcase" - Microsoft MVP
>> http://mvp.support.microsoft.com/
>> Associate Expert - WindowsXP Expert Zone
>> www.microsoft.com/windowsxp/expertzone
>> Windows help - www.rickrogers.org
>>
>> "Don" <harley4don@npgcable.com> wrote in message
>> news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
>>> In other words - you have no idea of how to fix the problem because it
>>> too complicated for you and it's easier to tell me to start over. No
>>> thanks - I'll try and find the right person who can correct the problem
>>> instead of telling me to start over.
>>> "Carey Frisch [MVP]" <cnfrisch@nospamgmail.com> wrote in message
>>> news:unZ8QZOBFHA.1200@tk2msftngp13.phx.gbl...
>>>> After performing a "Clean Install", consider purchasing and
>>>> installing a first-rate Internet Security program to help protect
>>>> your system from garbage internet web sites:
>>>>
>>>> Norton Internet Security 2005
>>>> http://www.symantec.com/sabu/nis/nis_pe/features.html
>>>>
>>>> --
>>>> Carey Frisch
>>>> Microsoft MVP
>>>> Windows XP - Shell/User
>>>>
>>>>
>>>
>>>
>>
>>
>
Anonymous
January 28, 2005 6:41:19 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Salut/Hi Don,

First of all, my heartiest sympathy.

Having once had quite a nasty attack of spyware, I know how stubborn they
can be. I've also read most of the suggestions and comments and your
replies.

le/on Fri, 28 Jan 2005 15:01:35 -0700, tu disais/you said:-

>Well. I'll just have say thanks for all your thoughts & efforts because
>nothing has worked and I have investigated and tried them ALL (with the
>exception of the clean install). I do have and have had McAfee Internet
>Suite 6 with the firewall and antivirus continually up and running since I
>did a "clean install" with auto updates for all programs (including Win XP
>with SP2). I also have (but not yet installed) Norton anti virus 2004, which
>I bought at the same time as the McAfee Internet Suite 6. I had previously
>used Norton but had heard some stories of it missing some problems which
>McAfee would find. So I tried McAfee this time (for the past 9 months) to
>see if it was better. Regardless, the software has been in service and yet
>the problem is still present and apparently unbeatable.

Nope, it's probably not unbeatable. you just haven't found out how to do it
yet!!!!

I suspect that some process is infected, and that your firewall is letting
it through because it thinks the infected process is legit. This might be
able then to re-install itself.

So if you have access to another online computer, then this might be a
helpful way forward.

Your various anti-spyware programs all seem to be finding the program. So
what I'd suggest you do is, using your NON infected on-line computer, go to
google and do a search on the adware name. Print all the instructions,
because you might just find that part of the removal process involves
editing the registry.

Secondly, I think it's likely that you will want to do at least part of the
removal process in safe mode. There's little point in continuing to get your
installed programs to try to remove the files, they're either ineffectual or
infected themselves. Try it once from safe mode by all means, but disconnect
yourself physically from the internet while you're doing so. See if
rebooting has solved the problem, if it has, so much the better. I'm
assuming it won't.

Reboot once more in safe mode and go through the procedure suggested to do
it by hand. You might also like to note every process running in Safe mode,
and then after rebooting in normal mode, check to see if the adware is still
there. If it is, then see what _other_ processes are now running and do a
search to see if anything turns up under their names. I had one nasty little
process called !sass.exe. which was pretending to be lsass.exe, and took
quite a bit of finding. for example. In other words, make sure you are
pretty confident that you know what ALL your processes are.

Best of luck. But you know.... if you have installation disks of all your
applications, or their installation files, and have backed up your data
properly (and of course, run anti-spyware checks on these back ups), then it
might just be easier to re-install. That takes a couple of hours, while
really grovelling through the machine can easily take a day or two!


--
All the Best
Ian Hoare
http://www.souvigne.com
mailbox full to avoid spam. try me at website
Anonymous
January 29, 2005 1:41:41 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

"Don" <harley4don@npgcable.com> wrote in message
news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
> In other words - you have no idea of how to fix the problem because it too
> complicated for you and it's easier to tell me to start over. No thanks -

It took me 4 days solid work to remove some adware from my wifes PC.

In the end I found that although the leading removal programs (Spybot,
adaware, PestPatrol etc) were identifying the infection but leaving some
suspect processes running. These processes were repairing the adware and
causing it to return on the next reboot.

The solution for me was to:

a) Physically disconnect from the web just to be sure.
a) Run each removal program in turn, one after the other _without_ rebooting
between
b) Identify all the suspect processes left behind and manually kill them
using the task manager.
c) Edit msconfig to remove any nasties there.
d) Reboot.

Sometimes I found it better to run the rmoval programs in a different order.

At one point there were 60 suspect processes left running. They typically
had names that appeared to be random letters - like "gxzypqf" - and which
didn't look like an abrieviation for something. They also had matching .exe
files in the windows folder that were all the same length. This site helped
idfentify candidates..

http://www.sysinfo.org/startuplist.php

Good luck, You may need it.

Colin
January 31, 2005 4:43:46 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Through a VERY LONG process over the past 4 days I have found and fixed the
problem. Apparently the Ad Aware SE Plus had been infected somewhere/somehow
and the problem was in the "Ad Watch" part of the software. I went through
every process I could find/attempt and finally, in safe mode, I went through
the registry AGAIN and found and removed all instances and references of
SAHBundle. I had my modem disconnected and rebooted. The difference this
time was that I had disabled Ad Watch so that it did not restart with the
boot process. After booting I ran the Ad Aware scan and it found no spyware
or mention of the SAHBundle as previously found. I then started Ad Watch and
right away it showed the modification to the registry with the addition of
the Sahbundle. Needless to say, I no longer have the "Ad Watch" part of the
Ad Aware SE Plus on my system. What a battle !! But I always feel better
know why and understanding the reason and therefore the battle was worth the
effort. Thanks to all for their efforts and suggestions.

"CWatters" <colin.watters@pandoraBOX.be> wrote in message
news:FczKd.7681$WQ4.775294@phobos.telenet-ops.be...
>
> "Don" <harley4don@npgcable.com> wrote in message
> news:o of8zrOBFHA.2112@TK2MSFTNGP09.phx.gbl...
>> In other words - you have no idea of how to fix the problem because it
>> too
>> complicated for you and it's easier to tell me to start over. No thanks -
>
> It took me 4 days solid work to remove some adware from my wifes PC.
>
> In the end I found that although the leading removal programs (Spybot,
> adaware, PestPatrol etc) were identifying the infection but leaving some
> suspect processes running. These processes were repairing the adware and
> causing it to return on the next reboot.
>
> The solution for me was to:
>
> a) Physically disconnect from the web just to be sure.
> a) Run each removal program in turn, one after the other _without_
> rebooting
> between
> b) Identify all the suspect processes left behind and manually kill them
> using the task manager.
> c) Edit msconfig to remove any nasties there.
> d) Reboot.
>
> Sometimes I found it better to run the rmoval programs in a different
> order.
>
> At one point there were 60 suspect processes left running. They typically
> had names that appeared to be random letters - like "gxzypqf" - and which
> didn't look like an abrieviation for something. They also had matching
> .exe
> files in the windows folder that were all the same length. This site
> helped
> idfentify candidates..
>
> http://www.sysinfo.org/startuplist.php
>
> Good luck, You may need it.
>
> Colin
>
>
>
Anonymous
February 4, 2005 1:30:58 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

"Don" <harley4don@npgcable.com> wrote in message
news:o BEJKW9BFHA.1296@TK2MSFTNGP10.phx.gbl...
> Through a VERY LONG process over the past 4 days I have found and fixed
the
> problem. Apparently the Ad Aware SE Plus had been infected
somewhere/somehow
> and the problem was in the "Ad Watch" part of the software.

Did you get your copy direct from Lavasoft? I heard that there were fake (or
modified?) copies of some adware removal programs around that actually
contain this stuff! If you got it from a freeware server go back to the
lavasoft site for a new copy.
!