Jump to content


Photo

Shopping Wizard / Pop ups


  • Please log in to reply
37 replies to this topic

#1 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 19 July 2004 - 09:40 PM

I've been wrestling with this for a week now and I'm still getting it from time to time... anyone available to help?

Old Logfile deleted to save space... I'm running windows 2000.

Edited by Soundguy, 27 July 2004 - 06:02 PM.


#2 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 05:57 PM

Is anyone available to help with this problem, I've spend the last week or so on here trying to get it myself but it always seems to come back. :(

#3 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 05:59 PM

This is an updated Hijack this log

Logfile of HijackThis v1.98.0
Scan saved at 6:15:27 PM, on 7/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\sdkdh32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\netow32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zvwat.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvwat.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zvwat.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\zvwat.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\zvwat.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zvwat.dll/index.html#26980
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netow32.exe] C:\WINNT\netow32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"

#4 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 06:05 PM

I keep having my homepage reset to res://zvwat.dll/index.html#26980

Once I run adaware and Spybot it goes away but only for a minute then it changes back.

#5 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 06:34 PM

...but I'm really in need of some help, I posted here about it first on the 19th and now I have to go out of town and this spyware is driving my wife crazy. She works from home on the web and she's been after me non-stop to get this fixed. I've read the FAQ and everything I can find on this problem but I can't figure it out myself. Can someone please help me, I would be willing and very happy to send someone a few bucks for their time. I know you guys get tons of people with a "fix my computer for me" attitude and I don't know how you guys put up with it but I know I wouldn't mind someone paying me for some help. :D

Edited by Soundguy, 27 July 2004 - 06:38 PM.


#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 27 July 2004 - 06:58 PM

Donations to spywareinfo are always nice but don't affect how soon you get help.

Your threads merged to here, please stick to just this one.

Please do what it says here: About:Buster directions

After that, reboot and post the report results along with a fresh HijackThis log.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#7 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 07:07 PM

Thanks a million for the reply...

About:Buster results

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINNT\zvwat.dat
Removed! : C:\WINNT\zvwat.dll
Removed! : C:\WINNT\windv.exe
Removed! : C:\WINNT\sxvdmf.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

Fresh Hijackthis log

Logfile of HijackThis v1.98.0
Scan saved at 7:23:08 PM, on 7/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\sdkdh32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

#8 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 27 July 2004 - 07:52 PM

Looks better - good work. :)

There are obvious remaining ones to fix in HijackThis but it may not be that easy.

First thing, bring up Task Manager - I think Ctrl-Alt-Del will bring it up in Win 2000.
End this process: C:\WINNT\sdkdh32.exe

Now run HijackThis.
Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll


After fix and reboot, delete C:\WINNT\mfcpn32.dll if it is possibly still there.
Make sure you are set to show hidden files and folders:
Show Hidden Files and Folders

Then post another log.

(Incidentally, is there a report for scan 2 of About:Buster? if so post that as well.)

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#9 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 07:56 PM

I tried to end that process and it tells me...

"The operation could not be completed, Access is denied."

#10 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 07:59 PM

Should I reboot in safe mode to do this stuff?

#11 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 27 July 2004 - 08:05 PM

Fix the ones noted above in HijackThis, if you haven't already.

Reboot in safe mode - hit the F8 key several times while booting, until you get a menu.
I'm not absolutely sure C:\WINNT\sdkdh32.exe is bad, so just move it to the recycle bin.
Edit: Also move any C:\WINNT\sdkdh32..dll to the recycle bin.

Then let's see a HijackThis log from Safe Mode.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#12 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 27 July 2004 - 08:32 PM

Ok that file is in the rec. bin and here's a fresh log file from safe mode

Logfile of HijackThis v1.98.0
Scan saved at 8:42:11 PM, on 7/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tqerl.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqerl.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://tqerl.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\tqerl.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\tqerl.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://tqerl.dll/index.html#26980
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netvi32.exe] C:\WINNT\system32\netvi32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

#13 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 27 July 2004 - 10:05 PM

To remove this I need a HiJackThis log NOT in safe mode.

Please post a new one.,

Thanks, lpp.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#14 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,317 posts

Posted 27 July 2004 - 10:09 PM

LoPhatPhuud has kindly agreed to step in.. See post above this one..

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#15 drluvnnv

drluvnnv

    Member

  • New Member
  • Pip
  • 2 posts

Posted 27 July 2004 - 10:32 PM

Hello Everybody!!

I struggled with search extender, search assistant and the other bas&^%$rd for a week. I read many of the forums which has some great ideas. In a nutshell, I ended up downloading Hijack this and about buster, ran Hijack this first and deleted all of the bad stuff, ran about buster immediately after (without opening a browser), wrote down all of the files that it would not delete on it own, shutting down and rebooting into safe mode and then deleting each and every file. This process took me 3 times!!!!! but it did work....it deleted the most malicious exe files that would not delete in other than safe mode. Good luck! If I knew where these guys are, I would send my friends Guido and Tony for a visit.

#16 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 01 August 2004 - 09:22 PM

This is a new HiJack this log not running in safe mode.

Logfile of HijackThis v1.98.0
Scan saved at 9:38:02 PM, on 8/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\sdkdh32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\netvi32.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\AIM95\aim.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zefxe.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zefxe.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zefxe.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zefxe.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zefxe.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zefxe.dll/index.html#26980
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netvi32.exe] C:\WINNT\system32\netvi32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

#17 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 01 August 2004 - 09:55 PM

=== Remove CWS sp.html/#nnnnn exploit XP/2K ===
This is a new variant of CWS which requires special treatment to remove.

Please take the following steps:

First, please enable viewing of hidden/system files per the instructions here: http://www.xtra.co.n...1916458,00.html

IMPORTANT Be sure all browser and explorer windows are closed.

Using the Task Manager end the task on the following processes:
sdkdh32.exe
netvi32.exe

Next, go to Start->Run and type "Services.msc" (without quotes) then hit OK.
Scroll down and find the service called "Network Security Service". It may also be called "Remote Procedure Vall (RPC) Helper" or "Workstation NetLogon Service".
When you find it, double-click on it.
In the next window that opens, click the Stop button, then change the Startup Type to Disabled.
Now hit Apply and then OK and close any open windows.


Run HijackThis and place a check mark next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zefxe.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://zefxe.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://zefxe.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\zefxe.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\zefxe.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://zefxe.dll/index.html#26980
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll

O4 - HKLM\..\Run: [netvi32.exe] C:\WINNT\system32\netvi32.exe
Press 'Fix Checked'.

Exit HiJackThis.

Reboot into Safe Mode* and delete the following files:
(also deleted any *.dat files with the same name as one of these *.exe files)
C:\WINNT\sdkdh32.exe
C:\WINNT\system32\netvi32.exe
C:\WINNT\system32\zefxe.dll
C:\WINNT\mfcpn32.dll

While still in Safe Mode* finish the cleanup process, please run through the rest of these steps:

Go to Start --> Run and type Regedit then click Ok.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
and highlight Root in the Left Pane. In the right pane, look for these entries:

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key. Then click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritable permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.

Exit regedit, boot in Normal Mode.

To remove the remainder of the files this exploit deposits, run this Online AntiVirus scan, removing all it finds:

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com


=== Check ActiveX Settings ===
Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.


=== Replace Deleted Files ===
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywarein...es.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.c...dbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywarein...s.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended.


Download the latest version of Adaware (get the free edition)
http://www.lavasoft....ftware/adaware/
(choose download from the left hand menu)

Go to: Select Full Install and choose the download location of your choice (1.7mb)
Choose Download from http://fileforum.bet...3?fid=965718306 <--(I found FileForum easiest)

Be sure to UPDATE BEFORE SCANNING FIRST!! That is a very important step and I have included easy directions.

After download and installing first, please update the program. Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen. You should now see Reference File # :01R325 22.06.2004 or higher listed.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:
Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make this green also:
Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

HiJackThis version 198.1 is now available.
If you do already have it installed, download it from here:
http://209.133.47.12.../HijackThis.exe
http://downloads.net.../HijackThis.exe
http://www.computerc...s-file-328.html

Run HiJackThis and post a new log in this thread.



* How to Boot into Safe Mode:
http://service1.syma...001052409420406
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#18 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 01 August 2004 - 09:59 PM

Thanks, printing instructions and starting now

#19 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 01 August 2004 - 10:12 PM

I tried to end the two tasks (sdkdh32.exe & netvi32.exe) but it won't allow me to end the first one and neither of them show up in safe mode... what should I do?

#20 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 01 August 2004 - 11:33 PM

Still getting pop ups... :(

Logfile of HijackThis v1.98.1
Scan saved at 11:49:16 PM, on 8/1/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\sdkdh32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\system32\netvi32.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\aesak.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://aesak.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://aesak.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\aesak.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\aesak.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://aesak.dll/index.html#26980
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [netvi32.exe] C:\WINNT\system32\netvi32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#21 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 01 August 2004 - 11:41 PM

I'm still not able to end the task sdkdh32.exe, if I delete it in safe mode my machine won't reboot until I restore it.

#22 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 01 August 2004 - 11:52 PM

THis is beginnig to get annoying, It is strange that you cannot end that process, even if it is the service, which I expect. Let's try the latest version of About:Buster.

Be sure to boot into Safe Mode before running About Buster.

=== Download and Install About:Buster ===
Please download About:Buster from one of the following locations:
http://www.atribune....AboutBuster.zip or
http://tools.zerosre...AboutBuster.zip

Unzip about:buster to it's own folder.


Open the about:buster folder.
Double click on the program.
Update it.

Next click 'OK'and allow the program to run. (it may take a few minutes)

Make a copy of the log it creates for posting later.

Then run the About:Buster a second time just to be sure it got everything.

Make a copy of the log it creates again.

Reboot.

Post both of the about:buster logs in this thread.

Run HiJackThis again, and post the log in this thread.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#23 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:04 AM

These are both from safemode...

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINNT\sxvdmf.dat
Removed! : C:\WINNT\elsugz.dat
Removed! : C:\WINNT\zvwat.dat
Removed! : C:\WINNT\sgroa.dat
Removed! : C:\WINNT\dcsmsl.dat
Removed! : C:\WINNT\bguvvc.dat
Removed! : C:\WINNT\winlr.exe
Removed! : C:\WINNT\bqytrs.dat
Removed! : C:\WINNT\xhmall.dat
Removed! : C:\WINNT\javakz32.exe
Removed! : C:\WINNT\aesak.dat
Removed! : C:\WINNT\mfcpn32.exe
Removed! : C:\WINNT\system32\netvi32.exe
Removed! : C:\WINNT\system32\fjhyg.dat
Removed! : C:\WINNT\system32\zefxe.dat
Removed! : C:\WINNT\system32\apirc32.exe
Removed! : C:\WINNT\system32\zleyi.dat
Removed! : C:\WINNT\system32\javacw32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
______________________________________________________

Logfile of HijackThis v1.98.1
Scan saved at 12:17:53 AM, on 8/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#24 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:06 AM

And this was just a second about buster in normal mode

-- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINNT\aesak.dat
Removed! : C:\WINNT\sxvdmf.dat
Removed! : C:\WINNT\system32\zleyi.dat
Removed! : C:\WINNT\system32\winrq.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

#25 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 August 2004 - 12:19 AM

I am going to hold off having a party just yet.

Check the following items in HiJackThis:
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll


Close all open windows and press 'Fix Checked'

Now, lets get some protection in there. The most important one is IE/Spyads. After you have it in, and others if you choose (I do recommend them all), Then reboot afew times and see if anything comes back, Then run HJT again and post a new log inthis thread.


At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future.

1. Visit Windows Update: <-- YOU NEED TO DO THIS!!
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v4.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:]
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt; set the
second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and Script ActiveX controls not marked as safe" to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download

5. Install 'Spoofstick" from here: http//www.corestreet.com/spoofstick/. Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.


For more information about Spyware, the tools available, and other informative material, including information on how you may have been infected in the first place, please check out this link: http://forum.gladiat...?showtopic=9857


Good luck, and thanks for coming to our forums for help with your security and malware issues.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#26 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:25 AM

I'm running the update now and I did the hijack this fix as well. I already run S&D and Adaware, neither of them helped with this problem though...

#27 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:28 AM

New log

Logfile of HijackThis v1.98.1
Scan saved at 12:45:50 AM, on 8/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\sdkdh32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#28 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:29 AM

-- Scan 1 --------
About:Buster Version 1.31
Attempted Clean Of Temp folder.
Pages Reset... Done!

#29 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:36 AM

After doing all that I tried to download one of the programs you listed and I began to get popups again, I also checked my Internet tools and my homepage has been hijacked again. :(

#30 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:38 AM

The new hijack this log shows it all back just like before...

Logfile of HijackThis v1.98.1
Scan saved at 12:55:10 AM, on 8/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\sdkdh32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\apigc32.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jjbzr.dll/sp.html#26980
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jjbzr.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jjbzr.dll/index.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jjbzr.dll/sp.html#26980
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jjbzr.dll/sp.html#26980
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jjbzr.dll/index.html#26980
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {EF287315-4D6D-CEBA-3A14-D24D30D992A7} - C:\WINNT\mfcpn32.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [apigc32.exe] C:\WINNT\system32\apigc32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#31 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 August 2004 - 12:40 AM

It is our friend C:\WINNT\sdkdh32.exe again. That file must go!!!

Check your processes, I have a hunch that is running as a service. If it is stop it, or at least disable or manual it.

It will talk to some others about this too and see what they have to say. I believe the boot issue can be solved.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#32 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:43 AM

When I try to end it I get an access denied message, should I boot in safemode and delete it? Is there another way to kill it so that I don't have to reboot?

#33 LoPhatPhuud

LoPhatPhuud

    Master of Disaster Recovery

  • Emeritus
  • PipPipPipPip
  • 432 posts

Posted 02 August 2004 - 12:48 AM

Too late tonite for any more help so hang on. I need to check with a couple of people first.
IPB Image Microsoft MVP Windows-Security 2005

Posted Image


When angry count four; when very angry, swear

#34 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:50 AM

This Spywareguard software you had me download is going crazy now, I'm getting non stop prompts that my current IE search page (google) has been changed and it shows me the hijack page address that normally comes up... seems like the currupt file is constantly trying to hijack IE in the background.

#35 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 12:59 AM

I think I got it, I went into safe mode and killed that file and it did reboot just fine.

Here's a new log

Logfile of HijackThis v1.98.1
Scan saved at 1:16:02 AM, on 8/2/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINNT\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab

#36 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 01:00 AM

:) Opened IE about 20 times and no homepage hijack or popups...

#37 Soundguy

Soundguy

    Member

  • Full Member
  • Pip
  • 26 posts

Posted 02 August 2004 - 01:05 AM

looks like sdkdh32.exe was the badguy. Thanks a ton for helping me guys, now my wife won't call me daily to get this figured out. :)

#38 momesso_sergio

momesso_sergio

    Member

  • New Member
  • Pip
  • 1 posts

Posted 20 August 2004 - 08:24 AM

Search Extender, Home Search Assistant, and Shopping Assistant is a pain in the a#$! Found a program @ www.hsremove.com. Worked on my first run!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button