Help with pesky pest...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Lorde Hellig, Oct 26, 2004.

  1. Lorde Hellig

    Lorde Hellig Private E-2

    I'm at my wits' end!

    I've had a spyware infestation for a week now, just by clicking on a website with a picture of Bill Lumbergh (Office Space). Go figure... :rolleyes:

    Here's a synopsis of what has happened:

    - Main bugs: 2ndThought, Freecasino, various offending registry keys.

    - I have run Spybot, Ad-Aware, and Pest Patrol, including in Safe Mode, which has gotten rid of most of it. HOWEVER, I'm still having trouble erasing (even detecting!) serverlogic3. Also, every time I go to Yahoo!, I can see it linking to red.clientapps, which I don't think it did before. All this despite running all of the above spyware killers both on regular and safe mode...

    - And one more: I get a pop-up with a title bar that reads 'invalid syntax error'. Properties read 'res://C:\WINNT\system32\shdoclc.dll/syntax.htm#http://sponsored%20by:%20wowbb.com/' - The variant comes after the 'sponsored by' part, and it can be a variety of websites, all crapware.

    Please let me know what I can do. I have HijackThis and will be happy to send a .txt file with the results.

    Thanks!!!!!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow all the steps in this Sticky thread < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >

    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.
     
  3. Lorde Hellig

    Lorde Hellig Private E-2

    I was in the process of following the instructions on that link when you posted it. As soon as I'm done, I'll post the results here. Thanks for your prompt reply!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! If you have any questions, just ask.
     
  5. Lorde Hellig

    Lorde Hellig Private E-2

    Followed all the steps. Still getting a pop-up window with the title 'invalid syntax error', with the same properties described on my first post...

    This is my computer at work too...it's getting aggravating.

    Thank you for your help so far.
     
  6. Lorde Hellig

    Lorde Hellig Private E-2

    This is freaky...not only do I get these pop-ups, but if I'm in Google, the screen flickers as if there was something running stealth.

    And certain words, even in MajorGeeks, are underlined, and when you place your mouse pointer over them, you get 'sponsored links' to a bunch of junk related to the word you're pointing to!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should read the tutorial in this Sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Please make sure you have HijackThis version 1.98.2.
     
  8. Lorde Hellig

    Lorde Hellig Private E-2

    Here they are. I also uploaded a .doc file showing a screenshot of the pop-up containing the 'invalid syntax error' title, as well as an example of a pop-up with its properties. Sorry it took so long. I was running into a runtime error every time I clicked on 'manage attachments'. It's been taken care of now.

    Let me know if this helps.

    Thanks!
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is your expected home page?

    Do you recognize the below? Is Nibco your ISP?
    http://mynibco/


    Do you know who added this proxy server setting:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.8.254.55:80

    Why are you running this stuff? Are you doing some debugging of your computer with Dell?
    C:\DMI\bin\dmisrv.exe
    C:\DMI\bin\delldmi.exe
    C:\DMI\bin\win32sl.exe
    C:\DMI\bin\nic.exe
    C:\DMI\bin\coo.exe
    C:\DMI\bin\dnar.exe
    C:\DMI\bin\nodemngr.exe
     
  10. Lorde Hellig

    Lorde Hellig Private E-2

    To answer your questions:

    - NIBCO is the company I work for. The expected homepage is mynibco.

    - I do not know who added the proxy server HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.8.254.55:80

    - I am not working with Dell to debug anything.

    I hope this helps.

    Thanks.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmm! I wonder why all the Dell Remote debug stuff is running.

    Are you sure the proxy setting (10.8.254.55:80) is not used by your internal network?
     
  12. Lorde Hellig

    Lorde Hellig Private E-2

    I would have to ask if that's the proxy setting we use.

    I'll check into it tomorrow. I gotta leave for the day.

    Thanks!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, I'll ignore that line for now, but here are some things to fix.

    Make sure you have system restore disabled and viewing of hidden files enabled.
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Find the below processes and End them:
    C:\WINNT\Rgvoov.exe
    C:\WINNT\system32\winvdeps.exe
    C:\WINNT\pgtaff.exe
    C:\WINNT\system32\wlnstr10.exe

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R3 - URLSearchHook: {A4A58A2C-B039-432B-8BC1-DCA7AC0757DC} - - (no file)
    O2 - BHO: SDWin32 Class - {1DAEAE08-FB89-4B52-B4D6-24E53B5620BC} - C:\WINNT\system32\budgo.dll
    O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINNT\system32\lmf32.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [budgoc] C:\WINNT\system32\budgoc.exe
    O4 - HKLM\..\Run: [ehanq] C:\WINNT\Rgvoov.exe
    O4 - HKLM\..\Run: [o39V32S] winvdeps.exe
    O4 - HKLM\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
    O4 - HKCU\..\Run: [Z0q9RSeEj] wlnstr10.exe
    O4 - HKCU\..\Run: [pgtaff] C:\WINNT\pgtaff.exe
    O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/286be158a22555397405/netzip/RdxIE601.cab
    O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINNT\system32\lmf32.dll

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINNT\system32\budgo.dll
    C:\WINNT\system32\lmf32.dll <---- This is LinkReplacer keyword hijacker
    C:\WINNT\system32\winvdeps.exe
    C:\WINNT\system32\wlnstr10.exe

    I want to delete the following too but not just yet. Let's wait until later. I want to make sure these are not valid files. I seriously doubt they are valid.
    C:\WINNT\system32\budgoc.exe
    C:\WINNT\Rgvoov.exe
    C:\WINNT\pgtaff.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
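As an added example, not code from this thread or from HijackThis itself, here is a small Python parser for the HJT log entry format used in the post above. It pulls out the entry type, CLSID and local file path of each line and flags the same kinds of entries chaslang singled out (orphaned "(no file)" hooks, BHOs and ActiveX downloads, Run entries with a bare file name, the O18 text/html filter, and the unexplained proxy). The sample lines are the ones quoted in this thread; the flagging rules are this example's own, not HijackThis's.

```python
import re

# Sample input: HJT entries quoted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.8.254.55:80
R3 - URLSearchHook: {A4A58A2C-B039-432B-8BC1-DCA7AC0757DC} - - (no file)
O2 - BHO: SDWin32 Class - {1DAEAE08-FB89-4B52-B4D6-24E53B5620BC} - C:\WINNT\system32\budgo.dll
O2 - BHO: LinkTracker Class - {6A6E50DC-BFA8-4B40-AB1B-159E03E829FD} - C:\WINNT\system32\lmf32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ehanq] C:\WINNT\Rgvoov.exe
O4 - HKLM\..\Run: [o39V32S] winvdeps.exe
O4 - HKCU\..\Run: [Z0q9RSeEj] wlnstr10.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O18 - Filter: text/html - {E64E4E60-EF13-4C79-A159-119762E18181} - C:\WINNT\system32\lmf32.dll
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")   # "O2 - rest of line"
CLSID_RE = re.compile(r"\{[0-9A-F-]{36}\}", re.I)                # {8-4-4-4-12 hex}
PATH_RE = re.compile(r"[A-Z]:\\\S+", re.I)                       # drive-letter path

def parse_hjt(text):
    """Split an HJT log into dicts: type (R1, O2, ...), CLSID, local path, (no file) flag."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank lines and non-entry text
        body = m.group("body")
        clsid, path = CLSID_RE.search(body), PATH_RE.search(body)
        entries.append({"type": m.group("type"), "body": body, "no_file": "(no file)" in body,
                        "clsid": clsid.group(0) if clsid else None,
                        "path": path.group(0) if path else None})
    return entries

def triage(entries):
    """(type, reason) pairs for entry kinds worth a closer look; these rules are this example's own."""
    findings = []
    for e in entries:
        t = e["type"]
        if e["no_file"]:
            findings.append((t, "orphaned entry, no file on disk"))
        elif t == "O18":  # a text/html MIME filter sees every page the browser renders
            findings.append((t, "text/html MIME filter loads " + e["path"]))
        elif t == "O4" and e["path"] is None:  # no directory: resolved via the search path
            findings.append((t, "Run entry with bare file name"))
        elif t in ("O2", "O16"):
            findings.append((t, "browser add-on or ActiveX download"))
        elif t == "R1" and "ProxyServer" in e["body"]:
            findings.append((t, "proxy setting, confirm with network admin"))
    return findings
```

The O4 entry for Rgvoov.exe is the only sample line left unflagged, since it names a full path; it is still on the "delete later" list in the post above, so the output is a starting point for review, not a verdict.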
     
  14. Lorde Hellig

    Lorde Hellig Private E-2

    Followed every step. So far, so good! MajorGeeks was the website that generated the most 'invalid syntax error' pop-ups and so far, nothing (knock on wood).

    I have not deleted the following files yet, per your advice:

    C:\WINNT\system32\budgoc.exe
    C:\WINNT\Rgvoov.exe
    C:\WINNT\pgtaff.exe

    So far, it looks good. Haven't seen any sponsored links attached to keywords yet.

    Thank you so much for all your help!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If everything looks good and you have no problems running any program after a few days, I would then delete those 3 other files.

    Please for future protection also refer to: How to Protect yourself from malware!
     
  16. Lorde Hellig

    Lorde Hellig Private E-2

    I will do that.

    Thanks.
     