My scans keep finding "Windows SyncroAd" and Spyware Doctor says that it can repair it. I tell it to repair and it says that it has done so successfully. But then I do another scan and it is there again.

Windows XP Pro (SP2)
Spyware Doctor 5.0.0.184

Why can't Spyware Doctor fix this?

Hi
This may be a new variation of this infection so SD may only remove some traces. Please submit a Malware Detective log to support@pctools.com with your problem as the subject.

OK, I have sent it.

Hi
I wouldnt expect definitions for this in the next smartupdate (Monday)...perhaps Tuesday. If you are still having issues with this, please feel free to post a Hijack This log for me to look over.
Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe

Thank you for contacting PC Tools.

With regards to your query could you please perform a scan for Spyware Doctor in safe mode and let me know about the outcomes.

Restart the Computer in Safe Mode:

1. Click on the Start button. The Start menu will appear.
2. Select ''Shut Down'' from the menu (''Turn off Computer'' in XP).
The 'Shut Down Windows' dialog box will appear.
3. Select ''Shut down'' (or, ''Turn Off'' in XP) and click the Yes (or OK) button.
4. When the computer starts back up, begin immediately by pressing the F8 key repeatedly until the Windows Startup menu appears with various options.
5. By using the up and down arrow keys on the keyboard, select 'Safe Mode'.
Do not select 'Safe Mode with networking' or any other modes.
6. Login to your account (if asked).
7. Wait and eventually Windows will start in Safe Mode.
8. Run Spyware Doctor

Please reboot your computer after you have completed these instructions.


p.s The Online Support Site at http://www.pctools.com/contact/support/ offers answers to many customer questions and is a great source of knowledge for future questions.

i would like to see the log from the scan.. i can't tell what is being flagged when you just say that "xyz" ("Windows SyncroAd") is being flagged..

Thank you for contacting PC Tools.

With regards to your query could you please perform a scan for Spyware Doctor in safe mode and let me know about the outcomes.

Restart the Computer in Safe Mode:

1. Click on the Start button. The Start menu will appear.
2. Select ''Shut Down'' from the menu (''Turn off Computer'' in XP).
The 'Shut Down Windows' dialog box will appear.
3. Select ''Shut down'' (or, ''Turn Off'' in XP) and click the Yes (or OK) button.
4. When the computer starts back up, begin immediately by pressing the F8 key repeatedly until the Windows Startup menu appears with various options.
5. By using the up and down arrow keys on the keyboard, select 'Safe Mode'.
Do not select 'Safe Mode with networking' or any other modes.
6. Login to your account (if asked).
7. Wait and eventually Windows will start in Safe Mode.
8. Run Spyware Doctor

Please reboot your computer after you have completed these instructions.


p.s The Online Support Site at http://www.pctools.com/contact/support/ offers answers to many customer questions and is a great source of knowledge for future questions.

I booted into safe mode and ran the scan twice. Each time it found the infection, each time I told it to fix it, each time it claimed it had fixed it but then another scan showed it was still there.

Dave

i would like to see the log from the scan.. i can't tell what is being flagged when you just say that "xyz" ("Windows SyncroAd") is being flagged..

It's weird, but my history is empty. I ran another scan and the history was still empty even though that new scan found the SyncroAd and claimed that it fixed it.

Dave

It's weird, but my history is empty. I ran another scan and the history was still empty even though that new scan found the SyncroAd and claimed that it fixed it.

Dave


There is a known issue with the history file system. Mine comes and goes, jumps some dates at random, only register one boot-up a day etc. If You are lucky, it'll be fixed some day. Some say to 'clear history file', but does not work too well for me. Problems seems to be comming back.

Interesting... My history wasn't empty. It was so big that it took so long to display that I thought it was empty. But eventually it displayed.

I then cleared it and re-ran the scan so I would have a history with just the pertinent information. This log file shows two subsequent scans (including fixing, but not really fixing, the infection).

Dave

Interesting... My history wasn't empty. It was so big that it took so long to display that I thought it was empty. But eventually it displayed.

I then cleared it and re-ran the scan so I would have a history with just the pertinent information. This log file shows two subsequent scans (including fixing, but not really fixing, the infection).

Dave

You have two folders: History and Log. My reference goes for the History.
Normally I do not suggest 'competitors', but it is a known factor that no one takes everything. Sometimes it pays off to try a different 'approach'.

Sometimes it seems that the Superantispyware (SAS) manage to kill some nasty ones that SD leaves behind, sometimes the other way. Use the Free version as alternate scanner/remover only and remember to close on-guards in SD when running scan.

Hi
Can you please post a Hijack This log using the download in my previous post?

Hi
Can you please post a Hijack This log using the download in my previous post?

Here it is.

thanks

My scans keep finding "Windows SyncroAd" and Spyware Doctor says that it can repair it. I tell it to repair and it says that it has done so successfully. But then I do another scan and it is there again.

Windows XP Pro (SP2)
Spyware Doctor 5.0.0.184

Why can't Spyware Doctor fix this?

This program is manually installed, meaning that you will probably have to uninstall it to have a good chance of cleaning it. Did you uninstall this first from add/remove programs and delete any remaining associated program files and reboot, first, before running a scan a safe mode? If not do that first and try rescanning in safe mode.

Also the fact that it appears to remove, and then reappear, means that it is reinstalling itself, many of these programs are designed to do this and the related registry keys and .exe need to taken out to prevent this.

Here is some info. from Symantec on removal instructions, it will give you an idea of what to look for in your add/remove list.

http://www.symantec.com/security_response/writeup.jsp?docid=2004-100912-5037-99&tabid=3

I did check before and I have checked again now. I do not have SyncroAd (or any of the variants listed in that Symantec link) showing in the "Add or Remove Programs" tool. In fact, I don't see anything in that list that looks suspicious (to my untrained eye).

Dave

I did check before and I have checked again now. I do not have SyncroAd (or any of the variants listed in that Symantec link) showing in the "Add or Remove Programs" tool. In fact, I don't see anything in that list that looks suspicious (to my untrained eye).

Dave

Have you any 'codecs' or 'web site viewers', or something along those lines in your add/remove list? Some information from sunbelt. You could try a windows search on some of the mentioned associated files, just to see if they exist.

http://research.sunbelt-software.com/threatdisplay.aspx?name=Windows%20SyncroAd&threatid=14950

Have you had any luck with a scan today? Have you tried what reodor suggested in post no.11?

PS. What are the symptoms of this adware that you are experiencing on your PC?

I loaded both SuperAntiSpyware and SpywareSweeper and ran full scans with both. Neither found any issues.

Just now I have run a Smart Update and an Intelli-Scan and Spyware Doctor still finds the SyncroAd infection and still can't remove it (even though it claims it succeeds).

I can't say I'm seeing any symptoms. (Yes, my computer runs slow, but that could be due to Spyware Doctor itself instead of any malware.) All I really know is that SD claims there is a high priority threat and that it is removing it. But it doesn't go away.

Dave

OK, I have sent it.

Dave,

Could you send me the ticket number? I'll analyze the info and get back to you.

I loaded both SuperAntiSpyware and SpywareSweeper and ran full scans with both. Neither found any issues.

Just now I have run a Smart Update and an Intelli-Scan and Spyware Doctor still finds the SyncroAd infection and still can't remove it (even though it claims it succeeds).

I can't say I'm seeing any symptoms. (Yes, my computer runs slow, but that could be due to Spyware Doctor itself instead of any malware.) All I really know is that SD claims there is a high priority threat and that it is removing it. But it doesn't go away.

Dave

I couldn't see any evidence of it being installed on your HiJackThis Log, and anywhere I have searched for manual removal instructions states, like Symantec, to uninstall from add remove first??? But maybe mjg424 can come along and confirm that.

Where are the files that SD is detecting located on your computer? Can you post a log or send one to support?

Dave,

Could you send me the ticket number? I'll analyze the info and get back to you.

Sorry, I don't mean to be dense, but where would I find the ticket number. I ran the Malware Detective and provided all the information it requested, and then it seemed to send off a whole lot of information. But it didn't give me a ticket number.

Dave

Not to worry Dave, can you send me a private message with the email address you have used when you sent the log file.

I couldn't see any evidence of it being installed on your HiJackThis Log, and anywhere I have searched for manual removal instructions states, like Symantec, to uninstall from add remove first??? But maybe mjg424 can come along and confirm that.

Where are the files that SD is detecting located on your computer? Can you post a log or send one to support?

It is finding a registry key. The exact details are in the log I posted in post #10 of this thread.

Thanks

Dave

It is finding a registry key. The exact details are in the log I posted in post #10 of this thread.

Thanks

Dave

Hi Dave, sorry totally missed that Duhh!. It's in the Internet Zone Map. Have you ever downloaded anything from freeemotes or do you use the site often?

You don't have the actual Windows SyncroAd program installed, if you did you would be experiencing a pop-up nightmare, so at least that is ruled out.

Let AChen follow this up for you to get to the bottom of it.

Hi Dave, sorry totally missed that Duhh!. It's in the Internet Zone Map. Have you ever downloaded anything from freeemotes or do you use the site often?

You don't have the actual Windows SyncroAd program installed, if you did you would be experiencing a pop-up nightmare, so at least that is ruled out.

Let AChen follow this up for you to get to the bottom of it.

Thanks. I have no idea what freeemotes.com is, and I definitely don't use it. I don't use IE so I wasn't sure if that was why I don't see the effects of SyncroAd or if I really don't have it. I wasn't sure if SyncroAd would effect firefox.

Dave

Thanks. I have no idea what freeemotes.com is, and I definitely don't use it. I don't use IE so I wasn't sure if that was why I don't see the effects of SyncroAd or if I really don't have it. I wasn't sure if SyncroAd would effect firefox.

Dave

It's a 'strange' site for free downloads, gives lots of links to other sites, some like Smiley Central are known for downloading spyware.

From your HiJackThis log I can't see that you have SyncroAd installed, but I'm looking for the obvious. I also did a google search on the registry key detected and it returned nothing, so I can honestly say I am at as much of a loss as you are now. Sorry that's not a big help. See what support suggest and let us know how it turns out.

Thanks for the malware log Dave.

We analyzed the log file and it is clean. We were unable to locate Windows SyncroAd. Could we get a screenshot to see where SD is detecting this?

Freeemotes lists a bunch of sponsor links on it's site. Heaven help anyone who downloads anything from sites such as this one. Places like that are about as safe from malware as walking down dark alleys and shouting I have a wallet full of twenty dollar bills!!!:eek:

Thanks for the malware log Dave.

We analyzed the log file and it is clean. We were unable to locate Windows SyncroAd. Could we get a screenshot to see where SD is detecting this?

I've attached three screen shots, one during the scan, one after the scan and one after SD thinks it has removed the threat. If you want to see the exact key, then take a look at the log file in post #10.

Dave

I've attached three screen shots, one during the scan, one after the scan and one after SD thinks it has removed the threat. If you want to see the exact key, then take a look at the log file in post #10.

Dave

It looks like your registry has some permission issues.

BTW, the screenshot is very small and difficult to see.

c_edge :)

Hi
Looking at your screenshots it seems you have webroot spysweeper installed. It has an immunization feature similar to SD. Could it be possible that SD is detecting the regstry immunization of spysweeper as a false positive?

Hi
Looking at your screenshots it seems you have webroot spysweeper installed. It has an immunization feature similar to SD. Could it be possible that SD is detecting the regstry immunization of spysweeper as a false positive?

I only installed spysweeper AFTER this situation arose. And I have it set to NOT enable itself at boot. I just used it once to do a scan and see if it could find/fix this issue.

I do have Registry Mechanic and Desktop Mechanic installed, but neither does active monitoring.

Dave

Hi
Do you have its immunization feature active though? Even if Spysweeper is not running it still tries to protect IE ActiveX downloads.

hi
from the scan results screen add SyncroAd to the global action list then go into settings->global actions list and set syncroad's action to block

hope that helps;)

Hi
Do you have its immunization feature active though? Even if Spysweeper is not running it still tries to protect IE ActiveX downloads.

OK, In the name of removing variables, I removed SpywareSweeper and ALL other anti-spyware and anti-virus products. SD is now the only one. I then rebooted and re-ran my scans. It still finds the threat, still claims it has removed it, and it still remains.

Dave

hi
from the scan results screen add SyncroAd to the global action list then go into settings->global actions list and set syncroad's action to block

hope that helps;)

I did exactly what you wrote. It has absolutely NO effect. I also don't see why it would. Clearly SD already blocks SyncroAd by default. All this did was to tell it to explicitly do what it already does by default. Or am I missing something??

Dave

it should automatically remove it without telling you:confused:

OK, In the name of removing variables, I removed SpywareSweeper and ALL other anti-spyware and anti-virus products. SD is now the only one. I then rebooted and re-ran my scans. It still finds the threat, still claims it has removed it, and it still remains.

Dave

I too thought mjg424 had knocked the 'nail on the head', about the false positive of an immunised key. Hang in there, I am sure you will hear from support with a logical explanation.

BUMP

Hmmm, no response from support and this issue is still there.

Hello....

BUMP

Hmmm, no response from support and this issue is still there.

Hello....

Hi Dave,

I had been wondering if you had heard anything about this. I am curious myself as to what the cause may be. Do you have a Ticket No. for your enquiry? You could send a PM to AChen with the number and see if he can find anything out about it, or chase it up, for you.

I too have the same issue and see freeemotes but I go to my registry under zonemaps and nothing is there... Does anyone know if Dave ever got his isue resolved ?

Hi Peter666,

I have sent you a Private Message in regards to the issue.

Hello I found this topic today and even though its old I was wondering how to get rid of SyncroAd. I get it appearing in my registry when I run SD. I have tried other anti spyware programs and they never seem to find it or report it. I have done a hyjack on my system and none of the suspects are loaded. Nothing in my startup files either. SD says it has cleaned it up but the warning infection still pops up when I run SD. I get no popups from SyncroAD, but I do remember getting a blank window ad now and then but its not constant.

Symantec has quite a good description on how to get rid of it here:
http://www.symantec.com/security_response/writeup.jsp?docid=2004-100912-5037-99&tabid=1

Might be worth giving it a try.