hijack software reloads after cleanup...

Discussion in 'adware, spyware & hijack cleaning' started by dige, Mar 24, 2004.

Thread Status:
Not open for further replies.
  1. dige

    dige, Registered Member (Joined: Mar 24, 2004; Posts: 1)

    I have two unwanted pieces of software that reinstall themselves after I clean them up. In my program folder they have folders called WebSiteViewer and Dumb ball lite.

    After I run SpyBot-Search&Destroy, it finds Websiteviewer and its associated registry entries and I "fix" it. However, about 5 minutes later, the program reinstalls itself. SBSD does not find the Dumb ball lite program.

    I have deleted all files and registry entries manually. Here are the steps I follow but to no avail.

    1. WebSiteViewer
    a) Kill process 122956.dlr
    b) Delete the WebSiteViewer folder found in my Program Files folder and its contents which are:
    122956.dd
    122956.dlr
    122956.exe
    122956.ico
    lFR.txt
    c) Delete shortcut on desktop and in Start folder called "sexshow". Here is the path for the shortcut: "C:\Program Files\WebSiteViewer\122956.exe" /ac:122956 /sk:sk009 /lc: /ul
    d) Delete the registry key called:
    HKEY_CURRENT_USER\Software\WebSiteViewer
    e) Delete the registry value called "System Backup" found in the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Containing the following data: msystem.exe

    2. Dumb ball lite
    a) Delete the Dumb ball lite folder found in my Program Files folder and its contents which is:
    Refmfcd.exe
    b) Delete the registry key called:
    HKEY_CURRENT_USER\Software\Option Great 2boob
    c) Delete the registry value called "sectbias" found in the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Containing the following data: C:\PROGRA~1\DUMBBA~1\Refmfcd.exe

    After I do all this work, 5 minutes later it's all back. How are they accomplishing this? Here is my Hijack log:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:41:56 PM, on 24 Mar 2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\PROGRA~1\DUMBBA~1\Refmfcd.exe
    C:\WINDOWS\System32\msystem.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Spyware Programs\Hijack This\HijackThis.exe

    O4 - HKLM\..\Run: [sectbias] C:\PROGRA~1\DUMBBA~1\Refmfcd.exe
    O4 - HKLM\..\Run: [System Backup] msystem.exe

    Thank you in advance for any help you can provide.
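
An added example, not part of the original post or thread: a Python parser for the HijackThis log format quoted above that pairs each O4 Run value with the running processes of the same image name. `SAMPLE_LOG` is a trimmed copy of that log, and the function names are this example's own.

```python
import ntpath
import re

# Trimmed excerpt of the HijackThis v1.97.7 log quoted in the post above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\DUMBBA~1\Refmfcd.exe
C:\WINDOWS\System32\msystem.exe
C:\WINDOWS\System32\ctfmon.exe

O4 - HKLM\..\Run: [sectbias] C:\PROGRA~1\DUMBBA~1\Refmfcd.exe
O4 - HKLM\..\Run: [System Backup] msystem.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.IGNORECASE)

def parse_log(text):
    """Return (running process paths, O4 autorun entries) from a log."""
    running, autoruns, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and not line:
            in_procs = False  # a blank line ends the process list
        elif in_procs:
            running.append(line)
        elif (m := O4_RUN.match(line)):
            autoruns.append(m.groupdict())
    return running, autoruns

def live_autoruns(text):
    """Pair each O4 Run value with the running image(s) of the same name."""
    running, autoruns = parse_log(text)
    findings = []
    for entry in autoruns:
        m = EXE.match(entry["cmd"])  # executable only, arguments dropped
        target = (m.group(1) or m.group(2)) if m else entry["cmd"]
        image = ntpath.basename(target).lower()
        findings.append({
            "name": entry["name"],
            "target": target,
            "bare_name": ntpath.dirname(target) == "",  # no folder given
            "running": [p for p in running
                        if ntpath.basename(p).lower() == image],
        })
    return findings

if __name__ == "__main__":
    for f in live_autoruns(SAMPLE_LOG):
        print(f)
```

On the log above, both Run values map to a process that is still running, and `System Backup` names `msystem.exe` without a folder while the running copy is in `C:\WINDOWS\System32`.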
     
  2. puff-m-d

    puff-m-d, Registered Member (Joined: Feb 13, 2002; Posts: 4,451; Location: North Carolina, USA)

    Hi dige,

    Welcome to Wilders,

    Please post your entire HJT log if you have not done so. Some info appears missing.

    Regards,
    Kent
     
  3. dvk01

    dvk01, Global Moderator (Joined: Oct 9, 2003; Posts: 3,131; Location: Loughton, Essex. UK)

    It's a new LOP hijack, amongst others. We do need a full log to be able to deal with it, though.
     