Pesky little spyware


12 replies to this topic

#1 smelt

smelt

    Member

  • Full Member
  • Pip
  • 11 posts

Posted 24 June 2004 - 09:36 PM

Hello. First, thank you for this site!
I have read the FAQ section, and have followed procedure.

My browser keeps getting jacked to:
res://whtdm.dll/index.html#27859
Also, since my PopupStopper Pro seems to have disappeared,
I'm getting popups, pop-unders also.

-------------------------

So I used the most current Adaware6, and I'm getting
CoolWebSearch entries in Adaware. I clean it, and re-run
Adaware, and at least one entry of CoolWebSearch is back on there.

---------------------------

So then I tried Spybot. It said it couldn't delete everything, because
something was in use or in memory, so I rebooted in SafeMode, ran
it (same problem), then ran in normal WinXP, and the same problem.

---------------------------

I was not able to find comparable BHO's and 04 startup items in HijackThis.
I had a bunch of .tmp files in my search, but I could not delete all of them.

---------------------------------------------------------------------------
Hijack Log (the crdi32 and ieij.exe both sound unfamiliar to me)
--------------------------------------------------------------------------

Logfile of HijackThis v1.97.7
Scan saved at 9:33:20 PM, on 6/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\System32\DeltTray.exe
C:\WINDOWS\crdi32.exe
C:\WINDOWS\system32\ieij.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Scott J. Breaud\Start Menu\Programs\Accessories\Xtra\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whtdm.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://whtdm.dll/index.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whtdm.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whtdm.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://whtdm.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\whtdm.dll/sp.html#27859
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {9B52DB7D-8D7B-4564-958F-49D99A6430FB} - C:\WINDOWS\appux32.dll
O3 - Toolbar: (no name) - {8E718888-423F-11D2-876E-00A0C9082467} - (no file)
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [crdi32.exe] C:\WINDOWS\crdi32.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://activex.micro...ce/outlctlx.CAB
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.micros...tes/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\wodurhsy.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://ash/alc/Porta...rces/msddsc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7823A620-9DD9-11CF-A662-00AA00C066D2} (PopupMenu Object) - https://athenanet.at...audm/iemenu.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
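
The following is an added example, not part of the original post and not code from HijackThis: a small Python parser that reads the R0/R1 lines of a HijackThis log and groups the Internet Explorer settings that point at a `res://` resource by the DLL hosting it. The function names are hypothetical; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in the post above: the six R entries
# plus two non-R lines to show that other sections are skipped.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whtdm.dll/sp.html#27859
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://whtdm.dll/index.html#27859
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://whtdm.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\whtdm.dll/sp.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://whtdm.dll/index.html#27859
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\whtdm.dll/sp.html#27859
O2 - BHO: (no name) - {9B52DB7D-8D7B-4564-958F-49D99A6430FB} - C:\WINDOWS\appux32.dll
O4 - HKLM\..\Run: [crdi32.exe] C:\WINDOWS\crdi32.exe
"""

# "R0 - HIVE\key path,value name = data"
R_LINE = re.compile(r"^(R[0-3]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
# res://<module, with or without a path>/<resource>
RES_URL = re.compile(r"^res://([^/]+)/(.*)$", re.IGNORECASE)


def parse_r_entries(log_text):
    """Return one dict per R-section line (IE start/search page settings)."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, hive, key, value, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key,
                            "value": value, "data": data})
    return entries


def res_hijacks(log_text):
    """Map each res:// module file name to the (hive, value) pairs using it."""
    by_module = defaultdict(list)
    for e in parse_r_entries(log_text):
        m = RES_URL.match(e["data"])
        if m:
            # Same DLL may appear bare or with a full path; compare by file name.
            module = m.group(1).split("\\")[-1].lower()
            by_module[module].append((e["hive"], e["value"]))
    return dict(by_module)


if __name__ == "__main__":
    for module, settings in res_hijacks(SAMPLE_LOG).items():
        print(f"{module}: {len(settings)} IE settings")
        for hive, value in settings:
            print(f"  {hive}  {value}")
```
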

#2 smelt


Posted 28 June 2004 - 08:23 AM

Well, I used my AVG virus program to scan the system, and it found some kind of trojan. With that fixed, I used Adaware6 again, as well as Spybot and HijackThis!.

Now my browser's back, and everything seems to behave appropriately (I had to reinstall a few programs, like my cd drivers, windows media player, etc.).

However, when I run Spybot, it states I have 3 things:
1) c2.lop
2) Cydoor
3) an IE exploit

It fixes the IE exploit, and says it can't fix the other 2 cause they're in use.
If I re-run Spybot, the IE exploit pops up again.

I updated WinXP and IE from Microsoft's website (in hopes to update the security stuff), and that didn't help.

I read up on c2.lop, and the only thing I read was that Spybot hangs up on this one, but that's not my problem. It's still in memory.

I don't see any "LOP" program in ADD/REMOVE programs, which I read sometimes works.

Any ideas?

#3 smelt


Posted 06 July 2004 - 07:57 AM

:wtf:

#4 smelt


Posted 08 July 2004 - 06:58 PM

:zipped:

#5 smelt


Posted 14 July 2004 - 08:59 AM

:bounce:
Any ideas gang?

#6 smelt


Posted 20 July 2004 - 07:31 AM

:techsupport:

Hey guys. Please help!
Can't remove LOP & IE exploit!

Been about a month now....

#7 zakpzazz

zakpzazz

    Member

  • New Member
  • Pip
  • 2 posts

Posted 20 July 2004 - 10:04 AM

I don't know much about this; I'm having real problems just trying to get rid of a redirection of my homepage, but I found CWShredder got rid of the trojan that was adding new adware. Maybe this would help.. :(

#8 smelt


Posted 20 July 2004 - 08:44 PM

zakpzazz,

Thank you for your response. I didn't think that CoolWebSearch was
my issue, but I downloaded CWShredder & tried it out anyway.
It found nothing on my system. Oh well, it was worth a try.

thanks anyway...


------------------------------------------
Done!
Your system was completely clean.

Windows XP (5.01.2600 SP1)
CWShredder v1.59.1
------------------------------------------

#9 smelt


Posted 27 July 2004 - 11:00 AM

Help!

Cannot remove c2lop, and something that says Alexa.
Tried out SpySweeper, and it does the same thing as Spybot.

#10 Guest_Joey1_*

Guest_Joey1_*
  • Guests

Posted 27 July 2004 - 11:03 AM

Try Task Manager>Processes and find the process. Then Click "end process"

#11 smelt


Posted 27 July 2004 - 09:31 PM

When I do a "CTRL-ALT-DEL", this is what's listed....

1) SpoolSV.exe
2) taskmgr.exe
3) EXPLORER.exe
4) SVCHOST.exe (Local Service)
5) SVCHOST.exe (Network Service)
6) SVCHOST.exe (Service)
7) SVCHOST.exe
8) iexplore.exe
9) LSASS.exe
10) SERVICES.exe
11) WINLOGON.exe
12) CRSS.exe
13) SMSS.exe
14) System
15) System Idle Process

I turned off the stuff that was not required to keep Windows running,
re-ran Spybot & SpySweeper, but I ran across the same problem. Darn.

#12 smelt


Posted 01 August 2004 - 10:19 PM

I downloaded a trial of SpySweeper, and it basically worked just like
Spybot. It couldn't delete lop because it was "in use." I emailed the
SpySweeper guys, and they recommended
1) update SpySweeper
2) update windows
3) re-run program in Safe Mode

I did that, and when I was in Safe Mode, the program would freeze
when it got to the point of deleting LOP.

By the way, during the SpySweeper scan, it detected Cydoor and Alexa
as well.

Arggh!

#13 smelt


Posted 12 August 2004 - 09:38 PM

Still no luck. Same memory-resident stuff on my computer.
Help!
