Has anyone heard of sidtware or sdhansi.exe?

Guest

Whenever I start MS Internet Explorer, after a while a new process appears in
the "Security Task Manager" process list with the following details:
Name: ProcessID 2012 (or another number)
Path: C:\Program Files\Sidtware\sdhansi.exe

The program seems to be listening and/or sending on a port, and neither the
listed path nor the file name can be found on my hard disk.

I have used AdAware, Spybot, Ms AntiSpyware, Norton AntiVirus, and Solo
Antivirus. None of these packages seems to detect anything suspicious on my
system, but the process keeps on appearing.
I have tried to kill it, checked all startup/services/etc. lists, removed
all unknown browser and ActiveX objects, but without success.

Has anyone seen this item before and, if so, any advice on getting rid of it?

Daniel
 
Guest

Hi Daniel

One way to get further information is to find sdhansi.exe and the other file
on your system, and submit the file at one or more of the following sites:

http://www.virustotal.com

http://virusscan.jotti.org

Each has a browse window in the upper right to do the submission, and will
check out your file with 10 or so antivirus vendors with one submission.

A clean reading at these sites is not proof that a file is safe, but I'd say
in this case that it is likely to be a good indicator that, in fact, the
file is safe, and you are seeing a false positive.

Engel
 
Guest

Thanks for the tip, but didn't help. Actually, I already tried most of what's
mentioned in that guide:
- HijackThis doesn't show any unknown or suspicious process
- Ad-aware does not find anything
- Spybot doesn't find anything
- Ms AntiSpyware doesn't find anything
- Norton antivirus doesn't find anything
- Solo antivirus doesn't find anything
- Ewido security suite doesn't find anything

Still, it is not a false positive. Whenever my Internet Explorer is open the
sdhansi.exe process is spawned. I can kill it, but after a while it will
reappear. If I leave it for some time it will install various other (known)
spyware, and either this process or the additionally installed spyware will
open browser windows with advertisements (despite the fact that I have
various blockers active).

And to answer your suggestions in the other post: the file sdhansi.exe is
nowhere to be found on my hard disk. The only tool that has been able to
detect the process is the Neuber "Security Task Manager".

I guess I will also post a message in the castlecops forum...

Daniel
 
Dave M

Hi Daniel,
I'd recommend you do exactly that (post on CastleCops). The few Google hits on
Sidtware make it look like a scam, a mix of anti-spyware products, drugs, and
trucking(?) software. I got one page that wanted to hijack my browser home
page... with an option to opt out, which I didn't fall for with either a No
thanks, or a close window. I pulled the plug LOL
 
Guest

In case others run into the same problem, I solved it myself and here is the
solution:
Please note that none of the antivirus/trojan/adware/spyware tools seems to
detect this at this time. The wrongdoer is an organisation behind the
following website: http://adchannel.contextplus.net, or at least that is the
URL listed somewhere in their registry keys. Symptoms have been described in
previous posts. The solution is the following:

1. Start windows in safe mode
2. Double check on any suspicious processes, like the sdhansi.exe, using the
Neuber security task manager (this seems the only tool to list the process)
and kill it. Do NOT open internet explorer.
3. Use regedit to edit the registry and search for sdhansi. You are likely
to find some more or less harmless references in e.g. the security task
manager cache keys. You may ignore or remove these entries. The important
entries you should find and remove are the following:
a. HKEY_LOCAL_MACHINE/Software/C1glmAzoYUts or some other weird sequence of
characters in the Software section. This entry has a whole list of keys that
point to various hidden drivers and (un)installers on your computer. Before
you remove this entry, you may want to print or write down this list, because
you can use it as a reference to find and remove the remaining traces.
Especially write down the reference to the InstallationId.
b. HKEY_LOCAL_MACHINE/System/Controlset001/Services/AFDrVdm - remove this
entry
c. HKEY_LOCAL_MACHINE/System/Controlset003/Services/AFDrVdm - remove this
entry
d. HKEY_CURRENT_USER/Microsoft/Windows/Shell NoRoam/MUI Cache: [key]
C:\Program files\Sidtware\sdhansi.exe
4. While still in regedit, find references to the key listed under
InstallationId as noted above. You will likely find some uninstaller key or
something similar and should remove this key.
5. Just to be sure search the registry for any other file names you found
under the keys of the entry discussed under 3a. above. After that you can
exit regedit.
6. Remove the following folders and files from your hard disk (note: these
are only visible in safe mode):
a. Windows\System32\LPQNTBBU.EXE (file)
b. Program Files\Sidtware (folder)
c. Windows\System32\Drivers\Poriodrv.sys

The above may be a bit cryptic, but if you are a bit familiar with regedit,
it should not pose a problem.
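As an added example (not from the thread or any of its posters), a small Python script that scans a regedit export (File > Export in regedit, saved as a .reg file) for the file, folder, service and URL names the post above lists, so the leftovers can be located and noted before anything is deleted. The sample export embedded in the script is constructed for illustration: the key names follow the post, the GUID is a placeholder, and the real MUICache path is used where the post abbreviated it.

```python
# Indicators taken from the thread: file names, folder, service name and the URL found in the registry.
INDICATORS = (
    "sdhansi.exe",
    "sidtware",
    "afdrvdm",
    "lpqntbbu.exe",
    "poriodrv.sys",
    "adchannel.contextplus.net",
)
# Constructed sample export (not a real capture): the GUID is a placeholder, the last key is clean and must not match.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\C1glmAzoYUts]
"InstallationId"="{PLACEHOLDER-GUID}"
"Driver"="C:\\WINDOWS\\System32\\Drivers\\Poriodrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AFDrVdm]
"ImagePath"="System32\\Drivers\\Poriodrv.sys"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Program Files\\Sidtware\\sdhansi.exe"="sdhansi"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Notepad"="notepad.exe"
"""

def parse_reg_export(text):
    """Yield (key_path, [(value_name, value_data), ...]) for each [key] block of a .reg export."""
    key, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):  # a new key block starts
            if key is not None:
                yield key, values
            key, values = line[1:-1], []
        elif key is not None and "=" in line and not line.startswith(";"):
            name, data = line.split("=", 1)  # value names are quoted; "@" is the default value
            values.append((name.strip().strip('"'), data.strip()))
    if key is not None:
        yield key, values

def find_hits(text):
    """Map each key whose path or values mention an indicator to the list of indicators matched."""
    hits = {}
    for key, values in parse_reg_export(text):
        haystack = "\n".join([key] + [n + "=" + d for n, d in values]).lower()
        matched = [ind for ind in INDICATORS if ind in haystack]
        if matched:
            hits[key] = matched
    return hits
```

Run `find_hits(open("export.reg", encoding="utf-16").read())` on a real export (regedit writes UTF-16) and the clean Run key in the sample shows that unrelated keys produce no hit.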