Comments on NetScanTools® Inside Out: A run-in with Defender-Review browser hijack malware
(13 comments, newest first; feed last updated 2023-09-23; times are UTC-8)

poppaculture, 2009-02-05 01:19
Kirk, thank you! Thank you! Thank you! I've been working since Sunday on trying to get rid of this annoyance. (Shouldn't this be illegal? Can't ICANN or 3W or someone shut these bandits down? "Hey, dat's a nice computer you got... be a shame if anyt'ing happened to it... so buy my software.")

Your step-by-step was great.
My exe file was vgwsn871850.
I never found a 2Mb tmp file on my "infected" days.
And xerks.exe and rasim.exe were in different folders (same file size, however).

My initial "find/search on vgwsn871850" in regedit gave three instances (so folks should use Find Next... or whatever continues the search of your registry).

PS - searching "drivers\svchost.exe" was great advice. I deleted all of them (that listed driver before the svchost.exe).

Thank you again.
And thank you (plural) for the comments left here.

(I'm glad I finally searched AVG+defender-review... wish I'd done it days ago)

Anonymous, 2009-02-04 22:58
Thanks for the post. Got this earlier this evening from my first (and last) visit to Piratebay.org (a BitTorrent tracker). Thanks for the detail. I'm running an AdAware scan and will run HijackThis afterwards to make sure nothing else is lurking...
I have some choice words for those who write these things, but I've already yelled them out loud several times. :-\

Again, thanks for your post.

Anonymous, 2009-02-02 21:13
Thanks for your post. The symptoms you described (sudden reboot, the popup, SVChost) were the same as what I ran into. Ultimately I used Malwarebytes in Safe Mode to get rid of this.

Your hunch about the PDF file is interesting. The computer I was working on has Adobe version 8, and did not have the latest security patches for it installed. It may have been the way this laptop picked it up also.

Anonymous, 2009-02-02 05:01
Thanks for taking the time and trouble to post this helpful warning and method. We picked up this hijack last night and by following your guidance I have got it off our PC.
Thanks again.

Anonymous, 2009-01-30 03:18
Thank you. I also wasted 3 hours disabling their piece of work... Very clever group of criminals... I kept a copy of the popup (a picture)... After spending an hour looking for the Win32.Zafi.B virus and cursing at my antivirus I followed the popup to its process and saw the 'xpsdg640222.exe' name... that's when flags went up and I quickly realized Zafi was a diversion...

Thank you very much for posting detailed instructions.

Anonymous, 2009-01-29 23:04
In the registry, I also found these:

HKLM/System/ControlSet004/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List %windir%/system32/drivers/svchost.exe:*:Enabled:svchost

and in this folder: HKCU/Software/Microsoft/Windows/Shell/Noroam/MUICache

I found this entry:

"C:\Documents and Settings\%username%\Application Data\Google\xpsdg6420222.exe

You didn't mention it in your post but based on all the advice before I assume these should be deleted too!

Here goes.

Anonymous, 2009-01-29 21:25
I love you. Yes, I do. I love you. This just happened to me about an hour ago. Did a quick Google search and came across your post with very, very helpful detailed directions. I'm still cleaning it up.

Anonymous (signed Oldcommguy), 2009-01-29 16:50
Kirk - This is a GREAT review of how simple things can cause us such pain.
Great review - Thanks...
Oldcommguy

Anonymous, 2009-01-29 14:17
Thank you for this post. The virus arrived at 7.18am (local Melbourne time) yesterday morning, 29th of Jan. I spent most of the evening last night tracking down the problem.

It completely disabled my Firefox to the point that I had to uninstall it, and I had to resort to IE *ugh* for a while, until it began to not let me download any files. Then the power went out (due to the heat here in Melbourne).

Loaded up Opera this morning and found your post and managed to disable it all. AVG found and disabled the trojan (the dll file - kpldlpl.dll) but didn't do anything to the exe file. I had to follow the MSConfig instructions in safe mode to get rid of it.

Once again thank you for your post. It saved my ass.

Hot and Bothered in Melbourne (three days of 43 degrees Celsius straight and counting)

Kirk Thomas, 2009-01-29 13:33
svchost.exe (14kb) is only supposed to be in windows/system32. There are references to it all throughout the registry. Do not delete those. Only delete svchost.exe (note the larger file size) from windows/system32/drivers and ONLY delete references to it from the registry, i.e. delete references to c:\windows\system32\drivers\svchost.exe from the registry. There are a few.

Anonymous, 2009-01-29 13:26
I had the same problem this morning, and Trend Micro did not catch it. But I was able to delete almost all of the exe and dll files. In my case, sinashi.exe also showed up. All the bad apps and dll's were located in C:\Documents and Settings\%username%\Application Data, and were in various software folders, two of which (\Yahoo and \Google) were newly created. I have a duplicate copy of svchost.exe in C:\WINDOWS\system32\drivers, but there is still a copy in \system32 as well. I also have the same registry keys that you listed in HKCU, with duplicates in HK_Users, as well as the keys you listed in HKLM, with duplicates in HKLM/System/CurrentControlSet and HKLM/System/ControlSet003. One question though: did you delete C:\WINDOWS\System32\drivers\svchost.exe and all the registry instances of it?

Anonymous, 2009-01-29 13:13
I also got this problem just now. Coincidence? Probably, probably not. Either way, I was able to get rid of them with AVG; it managed to pick up the files and all of the drops as well. I hope no one else gets this; it was quite scary at first.

Anonymous, 2009-01-29 12:29
This same exact thing happened to me. I'm on a Mac but I'm running Windows so it was harder to get into safe mode, but I went through everything you did, step by step, before finding this page, including the msconfig BS. Even found the same file first. Searched for it in Google, and this post was the only thing that showed up. Thanks for everything to look for.
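The thread above names four concrete indicators: Kirk Thomas's rule that the only legitimate svchost.exe lives in windows\system32 (the copy in system32\drivers, and the registry references to it, are the malware's), the firewall AuthorizedApplications entry for %windir%\system32\drivers\svchost.exe that one commenter found under ControlSet004, the MUICache entry pointing at an .exe under Application Data, and the newly created \Yahoo and \Google folders holding .exe and .dll files. The PowerShell below is an added, read-only audit that reports on those indicators; it is not code from the post, from any commenter, or from NetScanTools, and it deletes nothing. Assumptions: the MUICache key name ShellNoRoam (the XP spelling of what the comment writes as Shell/Noroam), the second MuiCache path for Vista and later, $env:APPDATA as the modern name for Application Data, and the 7-day creation window.

```powershell
# Added example (not from the blog post, its comments or NetScanTools).
# Read-only audit of the Defender-Review indicators described in the thread.
# It prints findings and removes nothing; run it in Windows PowerShell.

$windir = $env:windir

# --- 1. Kirk's rule: the only legitimate svchost.exe is %windir%\system32\svchost.exe ---
# The malware drops a larger copy in system32\drivers. (On 64-bit or newer Windows,
# copies in SysWOW64 and WinSxS are normal and are deliberately not flagged here.)
$legit   = Join-Path $windir 'system32\svchost.exe'
$suspect = Join-Path $windir 'system32\drivers\svchost.exe'
if (Test-Path $suspect) {
    $f   = Get-Item $suspect -Force
    $sig = Get-AuthenticodeSignature -FilePath $suspect
    "SUSPECT FILE  $suspect  size=$($f.Length) bytes  signature=$($sig.Status)"
    "  (compare: $legit size=$((Get-Item $legit).Length) bytes)"
} else {
    "ok: no $suspect"
}

# --- 2. Firewall exception for drivers\svchost.exe, checked in every ControlSet ---
# One commenter found it under ControlSet004; another saw duplicates in
# CurrentControlSet and ControlSet003, so all ControlSet* keys are walked.
$profiles = 'StandardProfile', 'DomainProfile'
$controlSets = Get-ChildItem 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
foreach ($cs in $controlSets) {
    foreach ($p in $profiles) {
        $key = "HKLM:\SYSTEM\$($cs.PSChildName)\Services\SharedAccess\Parameters\FirewallPolicy\$p\AuthorizedApplications\List"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # -match is a case-insensitive regex; the doubled backslash is the regex escape
            if ("$name $data" -match 'drivers\\svchost\.exe') {
                "FIREWALL EXCEPTION  $key"
                "  $name = $data"
            }
        }
    }
}

# --- 3. MUICache entries whose path is an .exe under the user's Application Data ---
# Assumption: XP keeps MUICache under ShellNoRoam; Vista and later use the second key,
# where value names may carry a suffix such as ".FriendlyAppName", hence the optional tail.
$muiKeys = @(
    'HKCU:\Software\Microsoft\Windows\ShellNoRoam\MUICache',
    'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache'
)
foreach ($key in $muiKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -match '\\(Application Data|AppData)\\.*\.exe(\.\w+)?$') {
            "MUICACHE  $key"
            "  $name = $($item.GetValue($name))"
        }
    }
}

# --- 4. Recently created .exe/.dll files under Application Data ---
# The thread reports the binaries in freshly created \Yahoo and \Google folders there.
# Assumption: $env:APPDATA stands in for Application Data; the 7-day window is arbitrary.
$since = (Get-Date).AddDays(-7)
Get-ChildItem -Path $env:APPDATA -Recurse -Include '*.exe', '*.dll' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $since } |
    ForEach-Object { "RECENT BINARY  created=$($_.CreationTime.ToString('yyyy-MM-dd HH:mm'))  $($_.FullName)" }
```

Everything this prints is a triage list, not a verdict: on a current Windows build, legitimately installed programs often live under AppData, so a hit in sections 3 or 4 needs the cross-checks the thread itself uses (file size against the real svchost.exe, a signature status, the process behind the popup) before anything is removed. Section 2 is the one that should be empty on a clean machine, since nothing legitimate registers a firewall exception for an svchost.exe in the drivers folder.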