View Full Version : Spyware/Adware problem (help please)


bhxtyrant
January 27th, 2005, 00:43 AM
Hello,

Recently I've been having a ton of problems with spyware/adware and I can't seem to get rid of it. It gets detected in Norton Antivirus 2005 and the latest version of Ad-Aware, but neither program can seem to delete it. When I check my processes by using Ctrl+Alt+Del I see a few that just recently started showing up, such as packager.exe and wbniweui.exe. Now I believe that packager.exe may be a Windows program, but the second I am not too sure about. I hope someone here can help me out. Also, what would be a good program to help prevent these things from infecting my PC again? I have Norton Systemworks 2005, Ad-Aware latest version, System Mechanic, and BulletproofSoft Spyware Remover. Thank you for your time.

SupaStar
January 27th, 2005, 00:50 AM
Have you tried SpyBot (http://www.safer-networking.org/en/mirrors/index.html)? I often find this works when Ad-Aware fails (which it IMO rarely does).

bhxtyrant
January 27th, 2005, 00:55 AM
Nope, I haven't tried it but I will take a look. Thanks for the quick reply. To be honest I think I got most of this crap when downloading a new program. Perhaps you heard of it. I was watching G4Tech TV channel and saw an advertisement for some adware/spyware/antivirus program called stopsign. I figured I'd give it a test and after that is when most of this started. I already scanned through my HDDs manually and removed all the files I found that were obviously spyware and such, but a few just won't remove as it says access is denied etc.

phishhead
January 27th, 2005, 01:42 AM
eggheads (http://techzonez.com/forums/showthread.php?t=9739) spy remover guide.

SupaStar
January 27th, 2005, 01:42 AM
I see this a lot at work. Many so-called anti-spyware apps actually install spy/ad-ware. SpyBot and Ad-Aware are 2 of the great ones that don't.

bhxtyrant
January 27th, 2005, 02:02 AM
Trying out the above guide. Thanks a lot for the help guys. I am really glad I found this forum. It's so hard to find help on these things.

rik
January 27th, 2005, 02:30 AM
You might also try either the Tea Timer from Spy Bot or Spyware Blaster which is another free app. Both seem to do a good job at keeping out new spyware apps as long as you keep them updated...

bhxtyrant
January 27th, 2005, 03:32 AM
After using all the above suggestions I think I got rid of all spyware and adware. I only have one question, and that is: can anyone tell me what the Windows XP process named "wbniweui.exe" is exactly? I do not remember ever seeing this process until recently and I cannot close it. When I choose "end task", as soon as it closes it auto-restarts again. Since I do not know if it is a normal file or spyware it's driving me a little insane.

Reverend
January 27th, 2005, 18:40 PM
windows Xp process named "wbniweui.exe" is exactly

Have you spelled it correctly? I can't find any info on it

Curio
January 27th, 2005, 20:06 PM
Many worms and some adwares generate a random 8 letter filename to help to stealth them - notably some variants of CoolWebSearch trojan. You may be able to delete it using KillBox ( www.bleepingcomputer.com/files/killbox.php ) or you may be able to terminate the process using Process Explorer ( www.sysinternals.com/ntw2k/freeware/procexp.shtml ). Try 'suspend' then 'kill process tree'. You could also try Advanced Process Termination ( www.diamondcs.com.au/index.php?page=apt ) and TaskMan+ ( www.diamondcs.com.au/index.php?page=taskman ) from Diamond CS.

bhxtyrant
January 27th, 2005, 23:21 PM
Yes, I am positive I spelled it correctly. I thought I misread it as well because I also tried a Google search.

Thanks Curio, I will try those and post my progress :)

bhxtyrant
January 28th, 2005, 04:43 AM
Sorry about the double post. Just wanted to thank Curio. I tried the programs you mentioned and killed the "wbniweui.exe". It seems that this was an exe file in my C:/WINDOWS/system32 folder and according to Process Explorer that file was running, oddly enough, the calculator tool in the background. Very weird.

Also wanted to ask: does the name "Cypress USB Mass Storage Driver Notification Icon Application" or the filename "SM1nint.exe" look familiar? It's in my PC and also wasn't on my PC before until recently. According to the properties tab it's created by "Cypress Semiconductor".

ilyail3
January 28th, 2005, 15:14 PM
congrats

Curio
January 28th, 2005, 21:27 PM
Do you have an mp3 player or USB memory stick? It looks very much like your USB MASS stor.......blah is likely something to do with that.

bhxtyrant
January 28th, 2005, 22:18 PM
I have found the root of my problem. There are two files in the Windows directory called Farmmext.exe and ernikw.exe. Now I have searched on Google and many people have had problems with these, but here's my problem. I tried all the suggested removal tips and deleted these files and all traces of them, but then 5-10 minutes later they are suddenly back again :mad: Any idea how to get rid of them for good?

Curio
January 30th, 2005, 22:01 PM
You are going to have to post a HJT log b4 anyone can take it further. One is a trojan of some sort but don't know other one.

bhxtyrant
January 31st, 2005, 02:34 AM
Just wanted to post an update. I think I got the problem solved. It seemed it was a problem from the internet. Every time I cleaned my registry, ran all types of spyware/adware programs and deleted the pests they would be gone, but the moment I go online they pop back up. I decided to purchase Zone Alarm Security Suite and installed it and now I see no more problems with those files. Thank god. This can be closed.

Fenalaar
January 31st, 2005, 21:58 PM
You have to disable the system recovery in XP before trying to delete them.

After that, you can turn it on again.

However, a lot of the spyware is self-healing, so unless you get it all, you'll have everything back again, same as it was...

Do you, by any chance, have Coolwebsearch on the machine, or does typing about:blank in the address line in Exploder and then hitting enter turn up with anything but a blank page ? Those two are difficult to get rid of...


Update all your antispyware and antivirus software, restart the computer in safe mode and then do a scan, and see what turns up.


Edit: Ok - I see you got rid of the crap - good for you :D

Johan-Kr

Curio
February 6th, 2005, 10:39 AM
If the CLSID remains in the registry any html calling that CLSID will mean the crap automatically downloads and re-installs without any user prompts - a quirk of Windows. That's why we use SpywareBlaster, X-Cleaner et al - they mark the CLSID as being incompatible by changing the registry entry for it so it cannot install - woohoo!!
However it looks more like you had no or a useless firewall previously.
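
Added example (not part of the original thread, and not taken from any of the tools named in it): the standard Internet Explorer mechanism for blocking a control by CLSID is the ActiveX "kill bit", the 0x400 bit of the `Compatibility Flags` value under the `ActiveX Compatibility` key. The sketch below audits a regedit export for that bit; the export text and the CLSIDs are constructed placeholders, and the function names are hypothetical.

```python
import re

# Key under which Internet Explorer keeps per-control compatibility flags.
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # "Compatibility Flags" bit: never instantiate this control in IE

# Constructed sample in regedit export format; the CLSIDs are made-up placeholders.
# (A real export is UTF-16; this assumes the text has already been decoded.)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{33333333-3333-3333-3333-333333333333}]
"Compatibility Flags"=dword:00800400
'''

SECTION = re.compile(r"^\[(.+)\]\s*$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})\s*$', re.IGNORECASE)

def parse_compat_flags(reg_text):
    """Return {CLSID: flags} for each subkey of ActiveX Compatibility."""
    prefix = COMPAT_KEY.lower() + "\\"
    flags, current = {}, None
    for line in reg_text.splitlines():
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            # Track the CLSID only while inside the compatibility key.
            current = key[len(prefix):].upper() if key.lower().startswith(prefix) else None
            continue
        value = FLAGS.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags

def kill_bit_status(reg_text, clsids):
    """True = blocked, False = entry present but bit clear, None = no entry at all."""
    flags = parse_compat_flags(reg_text)
    status = {}
    for clsid in clsids:
        value = flags.get(clsid.upper())
        status[clsid] = None if value is None else bool(value & KILL_BIT)
    return status

if __name__ == "__main__":
    wanted = ["{%s}" % "-".join(str(n) * w for w in (8, 4, 4, 4, 12)) for n in (1, 2, 3, 4)]
    for clsid, blocked in kill_bit_status(SAMPLE_REG, wanted).items():
        print(clsid, {True: "blocked", False: "NOT blocked", None: "no entry"}[blocked])
```

The check masks the bit rather than comparing for equality, because other compatibility flags can be set on the same value.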

bhxtyrant
February 6th, 2005, 10:48 AM
Yeah, I used to just use XP's built-in firewall along with Norton's internet worm protection but somehow the spyware got through. Then I tried everything mentioned above (disabling system restore, starting in safe mode, scanning, deleting, registry cleaning) but they still came back. Now that I have a new firewall installed I don't see that much crap anymore. I think I still got some sort of adware though, because I get these popups once in a while, but they are blank because the firewall is set to block them out.

Also, nope, I don't have CoolWebSearch or any of that crap. Already know all about the various types of those things.

The ones I mentioned above are some sort of popup with the following address -

http://xadsj-o.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.prowrestling.com%2Fnews.php%3Fid%3D12579%2Farticles%2Fnews&domainContext=prowrestling.com

but the site changes, for example if I'm on www.bestbuy.com the address of the popup will be -

http://xadsj-o.offeroptimizer.com/imp/servlet/ImpServe?urlContext=http%3A%2F%2Fwww.prowrestling.com%2Fnews.php%3Fid%3D12579%2Farticles%2Fnews&domainContext=bestbuy.com

Anyone know if this is adware/spyware? Or is it just popups generated by the sites?

Curio
February 6th, 2005, 12:43 PM
If pop-ups only come up when you are on certain sites it may be those sites - check in your trusted sites list to see if you have any entries, or do a HJT log and post it up. Incidentally the HJT log analyser on www.hijackthis.de is pretty good, it doesn't replace an expert but it's a start.