Tech Talk Discuss PC Hardware, Software, Internet and Other Technology

Serious Spyware Problem

Old 05-30-04, 12:11 AM
  #1  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Serious Spyware Problem

I'm having a serious spyware problem.

I'm getting a tremendous amount of pop-ups that won't stop even though I've tried everything I know how to do.

These pop-ups are accompanied by the tool bar and "start" button flickering on and off. Sometimes the tool bar disappears completely and will not return until I restart.

I have Spy Killer and I ran it and it detected 63 pieces of spyware. It cleaned them all. I used the Bazooka Adware Scanner. It told me I have the /scvhost.worm. I followed the directions for removal and located the files and deleted them.

I did a HouseCall scan and it found nothing. My McAffee found nothing.

The problem is still happening.

What else can I do?
Pants is offline  
Old 05-30-04, 12:18 AM
  #2  
Mod Emeritus
 
Join Date: Aug 1999
Posts: 15,325
Adaware and Spybot with the most recent updates.
Gallant Pig is offline  
Old 05-30-04, 12:23 AM
  #3  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Thanks for the reply.

Are Adaware and Spybot really that superior to Spy Killer?

Are they free?

I paid $20 for Spy Killer. I'd hate to have to pay again.
Pants is offline  
Old 05-30-04, 12:29 AM
  #4  
Mod Emeritus
 
Join Date: Aug 1999
Posts: 15,325
Yes to both questions.
Gallant Pig is offline  
Old 05-30-04, 01:11 AM
  #5  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Downloaded Adaware. No change.

I'll try Spybot next and report back.

One thing I've noticed is that the pop-ups start popping (50 or 60 at a time!) when I visit hotmail.
Pants is offline  
Old 05-30-04, 03:49 AM
  #6  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Tried Spybot. Still having the same problem.

Chronic pop-ups cause the tool bar to disappear.

WHAT ELSE CAN I DO? I'm dying over here.

HELP!
Pants is offline  
Old 05-30-04, 04:42 AM
  #7  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
All right here's what I know:

1. I ran a scan that indicated I have the scvhost.worm

2. I followed the directions to remove, but the files that were to be deleted were not where the directions indicated

3. Through trial and error (and much scanning) I found files called svchost.exe (read that closely: the "c" and the "v" are the other way around). A Google search revealed that there is indeed an svchost worm.

4. This svchost.exe appears to be running because when I open my Task Manager I can see not one but several things called svchost.exe under my "Processes" tab.

5. When I try to "End Process" and remove these things from my Task Manager my system tells me it will shut down in 60 seconds...and then it does!

How can I remove these things?
Pants is offline  
Old 05-30-04, 04:48 AM
  #8  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
i'll help... relax... go delete that thread in other before it gets locked.
Trigger is offline  
Old 05-30-04, 04:50 AM
  #9  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
go here - http://www.spywareinfo.com/~merijn/downloads.html

download hijack this and cwshredder.

put hijack this into a folder on your c drive C:\HJT\

Run hijack this and save a log - open the log with notepad and copy and paste the results here.
Trigger is offline  
Old 05-30-04, 04:52 AM
  #10  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
some (perhaps all) of the svchost things running are legit.
Trigger is offline  
Old 05-30-04, 04:56 AM
  #11  
DVD Talk Special Edition
 
Join Date: Jul 2002
Location: North Bay Area, CA
Posts: 1,076
Svchost.exe is a file that Windows needs, thus you do not delete it. It's an executable call file that runs other processes when they are needed by the system. The worm that was made for this (about 2 years ago, and should have been long dead) attaches and makes calls for this file. If you have already run the cleaner from Norton, it's gone already. Any remaining problems that you have are the leftovers from what has been modified from all of that spyware and that worm you had.

Best I can recommend from a distance diagnosis is to format and reinstall. Then make sure you always have a firewall, fully updated AV, and pop-up blocker. And don't be installing any "toolbar" applications for IE. Oh, and before you do this I assume you have a backup of all your data files, jes? Good practice is to always store your data on another drive or partition, never the main OS drive.
Tazwolff is offline  
Old 05-30-04, 04:57 AM
  #12  
DVD Talk Godfather
 
Join Date: Jan 2002
Posts: 52,192
Start your computer in safe mode (press F8 on your keyboard before the OS boots and, for simplified purposes, just keep on pressing it until the safe mode comes up).

Start the registry editor. This is done by clicking Start then Run. (The Run dialog will appear.) Type regedit and click OK. (The registry editor will open.)

Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run'

In the right pane, delete the value called 'Config Loader', if it exists.

Browse to the key:
'HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunServices'

In the right pane, delete the value called 'Config Loader', if it exists.
Exit the registry editor.

Restart your computer.

Start Windows Explorer and delete:

C:\WINNT\System32\scvhost.exe (Windows NT/2000), or C:\Windows\System32\scvhost.exe (Windows XP)

You should be able to get into the system32 area without shutdown problems so be sure this is the right name.

Last edited by DVD Polizei; 05-30-04 at 05:00 AM.
DVD Polizei is offline  
Old 05-30-04, 05:17 AM
  #13  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
Still there, or has Skynet become self-aware?
Trigger is offline  
Old 05-30-04, 06:05 AM
  #14  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
I'm here.

I did a system recover to 7:00pm yesterday so the things I deleted are back (i.e. I'm starting over).

DVD Polizei's directions are identical to what I already found at kephyr.com. They don't work because when I go to those places those things aren't there.

I'll try it one more time and make double sure that I'm in safe mode.

Thanks
Pants is offline  
Old 05-30-04, 06:10 AM
  #15  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
All right then - guess you got it taken care of.
Trigger is offline  
Old 05-30-04, 06:20 AM
  #16  
DVD Talk Godfather
 
Join Date: Jan 2002
Posts: 52,192
Do you see scvhost.exe in your Task Manager? If not, then it could be an lsass.exe variant problem. Have you updated Windows recently?
DVD Polizei is offline  
Old 05-30-04, 06:26 AM
  #17  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Originally posted by Pants
I'll try it one more time and make double sure that I'm in safe mode.

All right I tried again and realized that I WAS NOT in safe mode. Unfortunately it made no difference now that I was in Safe Mode.

The problem that occurs is that when I follow those above directions there is no "Config Loader" in the registry.

And there is no "scvhost.exe" in Windows Explorer.

Mysteriously THERE IS scvhost.exe in the registry at HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run and RunServices

What could that mean?
Pants is offline  
Old 05-30-04, 06:28 AM
  #18  
DVD Talk Limited Edition
 
Join Date: Sep 2000
Location: outside Toronto, Canada
Posts: 6,917
Originally posted by Trigger
Still there, or has Skynet become self-aware?
Preacher is offline  
Old 05-30-04, 06:29 AM
  #19  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Originally posted by DVD Polizei
Do you see scvhost.exe in your Task Manager?
No I don't.

But I see svchost.exe all over my Task Manager (it appears there at least 6 times).

Also, when I observe the Task Manager during my pop-up attack and tool bar disappearance the CPU jumps to 100% use. One of the many svchost.exe is using 97% and the Task Manager itself is using 3%.

Does any of that help?

P.S. I updated Windows today after the problem occurred
Pants is offline  
Old 05-30-04, 06:30 AM
  #20  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Originally posted by Trigger
Still there, or has Skynet become self-aware?
I too appreciate the humor. It's needed because I'm having a tough time tonight.
Pants is offline  
Old 05-30-04, 06:36 AM
  #21  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Originally posted by Trigger
go here - http://www.spywareinfo.com/~merijn/downloads.html

download hijack this and cwshredder.

put hijack this into a folder on your c drive C:\HJT\

Run hijack this and save a log - open the log with notepad and copy and paste the results here.
Logfile of HijackThis v1.97.7
Scan saved at 4:36:34 AM, on 5/30/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\SBC\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\PROGRA~1\BROADJ~1\CLIENT~1\CFD.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\J. Ebright\Local Settings\Temporary Internet Files\Content.IE5\S18XYZW9\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dnn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dnn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dnn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\dnn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\dnn.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\dnn.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {913F6EB7-8DEB-4197-9782-1023B8DEC628} - C:\WINDOWS\System32\dnn.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Yahoo! Login (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Login (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} (RegConfig Class) - http://download.yahoo.com/dl/install...od/yregcfg.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...136.7270601852
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/installs/yab_af.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CBBE79C0-537C-4D44-9325-A89415E2099F}: NameServer = 206.13.29.12 206.13.30.12
Pants is offline  
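The two useful threads of advice above are the same check from two angles: post #12 says to look in the HKLM Run and RunServices keys for an autorun value, and the HijackThis log in post #21 shows exactly that in its O4 lines, where [scvhost.exe] scvhost.exe appears under both keys with no path, one letter swap away from the genuine svchost.exe. The script below is an added example, not code from this thread or from HijackThis: it parses O4 lines and flags three things a practitioner looks for, a name one edit away from a Windows system binary, a system binary name registered in an autorun key at all, and a bare filename with no directory. The list of system binary names, the sample log (O4 lines copied from the log above plus one constructed "Windows Update" line), and the function names are assumptions made for this example.

```python
import re
from typing import Dict, List

# Windows binaries that malware likes to imitate by name. Assumption for this
# example: a short illustrative list; none of these is legitimately launched
# from a Run/RunServices key (the service control manager or Winlogon starts them).
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
    "services.exe", "spoolsv.exe", "explorer.exe",
}

# HijackThis O4 line:  O4 - HKLM\..\Run: [ValueName] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)

# Constructed sample: O4 lines copied from the log posted above, plus one
# made-up "Windows Update" line to exercise the exact-name check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [scvhost.exe] scvhost.exe
O4 - HKLM\..\RunServices: [scvhost.exe] scvhost.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\svchost.exe
O2 - BHO: (no name) - {913F6EB7-8DEB-4197-9782-1023B8DEC628} - C:\WINDOWS\System32\dnn.dll
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each cost 1, so scvhost vs svchost is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[len(a)][len(b)]


def executable_of(cmd: str) -> str:
    """Program part of a Run value: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def classify(cmd: str) -> List[str]:
    """Reasons an autorun command deserves a look; empty list if unremarkable."""
    exe = executable_of(cmd)
    base = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if base in KNOWN_SYSTEM_BINARIES:
        reasons.append(f"{base} is a system binary name, but the genuine one is not started from an autorun key")
    else:
        near = sorted(k for k in KNOWN_SYSTEM_BINARIES if osa_distance(base, k) == 1)
        if near:
            reasons.append(f"lookalike of {near[0]}: one swap, typo or substitution away")
    if "\\" not in exe and "/" not in exe:
        reasons.append("bare filename: resolved through the PATH search, so it can sit anywhere, not only in System32")
    return reasons


def triage(log_text: str) -> List[Dict[str, object]]:
    """Return every O4 entry in a HijackThis log that trips one of the checks."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["cmd"])
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "exe": executable_of(m["cmd"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['exe']}")
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, it reports the two scvhost.exe values (lookalike and bare name), the constructed svchost.exe-under-Run line, and BCMSMMSG.exe for its bare name only. That last one is the point of the bare-name check: it is a prompt to go and find where the file actually lives (with hidden and system files shown in Explorer), not a verdict, which is also why the fixed System32 path in post #12 can come up empty while the registry value is plainly there.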
Old 05-30-04, 06:43 AM
  #22  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Originally posted by Trigger

put hijack this into a folder on your c drive C:\HJT\

BTW, I didn't understand this part. What exactly do you want me to do? Or do you simply mean download the program? I just opened it. Should I really save it?
Pants is offline  
Old 05-30-04, 06:49 AM
  #23  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
I'm working on your hijackthis log... while we're waiting, I'd like to suggest (for later) that you remove all that yahoo crap. Unless you're married to it.
Trigger is offline  
Old 05-30-04, 06:51 AM
  #24  
DVD Talk Legend
 
Join Date: Jul 2000
Location: Arizona, USA
Posts: 23,460
Originally posted by Pants
BTW, I didn't understand this part. What exactly do you want me to do? Or do you simply mean download the program? I just opened it. Should I really save it?
I meant that you should make a folder in your C drive called "HTJ" and download the Hijackthis program off that site I linked and place it in the HTJ folder before running it. No biggie, but if you save it to your desktop or just run it somewhere, you'll get a bunch of garbage files cluttering up wherever it is.
Trigger is offline  
Old 05-30-04, 06:53 AM
  #25  
Banned
Thread Starter
 
Join Date: Apr 2000
Location: "Sitting on a beach, earning 20%"
Posts: 6,154
Originally posted by Trigger
while we're waiting, I'd like to suggest (for later) that you remove all that yahoo crap. Unless you're married to it.
Why what is it?

While we're waiting I'll tell you straight out that this is my Mom's computer and I'm not supposed to be using it (as pathetic as that sounds from a 25 year old). I want to do everything to get rid of this pop-up spy shit and yet leave relatively little trace that would show I was using it.

On the plus side my mom's a computer idiot who only uses it for ebay and doesn't have a single file saved on the whole damn thing. Small changes and new files that are created will not be noticed by her.
Pants is offline  


Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.