SG, continuous loop, to accept or deny

Discussion in 'SpywareBlaster & Other Forum' started by TeMerc, Aug 27, 2004.

Thread Status:
Not open for further replies.
  1. TeMerc

    TeMerc Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    127
    Location:
    PHX. AZ.
    Hi folks, I'm a HJT analyst over at Spyware Warrior Forums, and I have a question about a particular problem.

    We have a user who gets a warning of a BHO install, gets asked by Spyware Guard to either deny or accept the install, chooses deny, and then it continues to go round and around, the same thing happening. I'm currently waiting for an updated HJT log, as we had cleaned up one of her machines previously.

    But I have seen this once or twice before.

    Anyone have any ideas?

    Here is the first log I did for her:
    http://spywarewarrior.com/viewtopic.php?p=25409&highlight=#25409
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi TeMerc,

    I just looked through the thread, and there's still a few items there that need to be removed.

    When this BHO was fixed with HJT, it was then replaced with another BHO, 'midaddle.dll', in the next log (they have the same CLSIDs).

    1st log:
    O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Darlene Kay Anderson\Local Settings\Temp\EY.dll

    2nd log:
    O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll

    She will have to delete the entire midaddle folder as it probably contains other malware files (I thought that was in AdAware's detection now though).

    This one can be fixed also, but you knew that. ;)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    She is saying she can't delete this one? She may have to go into Safe Mode and delete it, though it would be best to have her empty the contents of all the Temp folders.
    O4 - HKLM\..\Run: [y] C:\Documents and Settings\Darlene Kay Anderson\Local Settings\Temp\y.exe

    Once she's posted a new log you can check to see if the above are still there, have her fix them in HijackThis, boot into safe mode and delete the 'midaddle' folder and empty the Temp folders, then run another scan with AdAware & Spybot S&D while still in safe mode, then hopefully she won't get any more alerts from SpywareGuard from nasty BHOs wanting to install. :)

    Regards,

    snap
     
    Last edited: Aug 27, 2004
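    The "same CLSID, different DLL" pattern snap picked out above is easy to miss by eye when a user posts a second log. The following is an added example, not code from the thread or from HijackThis: a small Python comparison of the O2 (BHO) lines in two logs that flags a CLSID that survived the fix but now points at a different file, plus orphaned "(no file)" entries. The log excerpts are constructed from the lines quoted above, and the O2 line format is assumed from those lines.

```python
import re

# HijackThis O2 line shape (assumed from the quoted logs):
# "O2 - BHO: <name> - {<CLSID>} - <dll path or (no file)>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# Constructed excerpts reusing the two logs quoted above (only O2 lines are parsed).
FIRST_LOG = r"""
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\Darlene Kay Anderson\Local Settings\Temp\EY.dll
O4 - HKLM\..\Run: [y] C:\Documents and Settings\Darlene Kay Anderson\Local Settings\Temp\y.exe
"""
SECOND_LOG = r"""
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
"""

def parse_o2(log_text):
    """Map each BHO CLSID (upper-cased) to its (name, path) from an HJT log."""
    entries = {}
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries[m.group("clsid").upper()] = (m.group("name"), m.group("path"))
    return entries

def compare_bhos(first_log, second_log):
    """Return (clsid, verdict, detail) tuples for the BHOs in the second log.

    'replaced': same CLSID as in the first log but a different DLL, i.e. the BHO
                was re-registered under a new file after the first fix.
    'orphaned': the registry entry survives but its DLL is gone; still worth fixing.
    """
    before, after = parse_o2(first_log), parse_o2(second_log)
    findings = []
    for clsid, (name, path) in after.items():
        if path == "(no file)":
            findings.append((clsid, "orphaned", name))
        elif clsid in before and before[clsid][1] != path:
            findings.append((clsid, "replaced", f"{before[clsid][1]} -> {path}"))
    return findings

if __name__ == "__main__":
    for clsid, verdict, detail in compare_bhos(FIRST_LOG, SECOND_LOG):
        print(f"{verdict:9s} {{{clsid}}} {detail}")
```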
  3. TeMerc

    TeMerc Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    127
    Location:
    PHX. AZ.
    Well, look at that, there I go posting a log I deemed as clean, and I missed that midaddle BHO, shame on me.

    What the user is now saying is she keeps getting an alert from Spyware Guard to either accept or deny an attempt at installing a BHO, and she clicks 'deny', and the circle just keeps repeating itself. But, of course, it would help more if the analyst in question (ME :doubt: ) fixed the thing properly the first time, now wouldn't it? LOL

    Well, I'm waiting on her reply, and she even had yet another machine, which I had her fix, which she has not responded to yet, so there are a few machines needing cleaning.

    Thanks for your reply, I guess I need to have her fix the one, and work from there.
     
  4. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    ROFL! Don't feel bad TeMerc, after a mere 1,000 logs or so you're bound to miss a few midaddles or two. ;)

    This is where two pairs of eyes being better comes into play....especially mine since they've taken a break from HJT logs. :D

    Good luck, and it's good to see you!

    Regards,

    snap
     