Can't get rid of strange virus/spyware :-(

Cleaning a friend's system, but there is something left I can't get rid
of. Both Ad-Aware and Spybot S&D find it. It is in the "Startup"
list, but when they try to remove it, it just reinstalls itself. Even
tried removing the entries in the registry. But they keep coming back.

Microsoft Anti Spyware and Malicious Software removal don't find it.
Neither do the anti-virus programs. But when installed it launches
IE with a window with commercials (stopped that by blocking "Winlogon"
in the firewall :-)  So something is very very wrong. But what do I do?

Details:

In "startup" (actually it subscribes to "Logon" and "logoff" events, but
it shows as "system.ini" in Spybot S&D under the "Startup items")
there are two DLLs that are launched:

"tdcyw.dll" always has the same name, the other DLL changes name (and
description) all the time:  dnp0018me.dll, r0p8la7u1d.dll,
mv6ul9j91.dll  are only some of the names..

Tried to delete those DLLs, but of course they are in use. But I can't
see any processes that should not be there...

I forgot to note the names of the spyware "Ad-Aware" found :-(
But it finds 12 entries each time (even after I delete them).

Thought I could boot to "command prompt only" but that is not in the
boot menu (it's XP Home), the only choice with "command prompt" boots
XP first (to GUI) then launches a "cmd" (and then the spyware has
already reinstalled itself and run). Is there a way to get a "cmd"
window without launching XP first with XP Home (works on XP Pro)?
--
 Lars-Erik  -  http://home.chello.no/~larse/ -  ICQ 7297605
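
Added example, not part of the original post: assuming the "Logon"/"logoff" subscription described above is registered as Winlogon notification packages under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify`, this Python script parses a regedit export of that key and lists every package whose DLL is not in an allowlist taken from a known-clean machine. The export text, the subkey names `ExampleA`/`ExampleB` and the one-entry allowlist are constructed; only the two DLL names come from the post.

```python
import re
NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Constructed sample of a regedit export (real exports are UTF-16: read them with
# encoding="utf-16"). Only the two DLL names come from the post; the rest is made up.
SAMPLE_REG = rf'''Windows Registry Editor Version 5.00

[{NOTIFY}\crypt32chain]
"DllName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[{NOTIFY}\ExampleA]
"DllName"="C:\\WINDOWS\\system32\\tdcyw.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"

[{NOTIFY}\ExampleB]
"DllName"="C:\\WINDOWS\\system32\\dnp0018me.dll"
"Logon"="WinLogon"
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"="(.*)"$')

def notify_packages(reg_text):
    """Return {subkey: {value_name: data}} for keys below Winlogon\\Notify."""
    packages, current, prefix = {}, None, (NOTIFY + "\\").lower()
    for line in map(str.strip, reg_text.splitlines()):
        if m := SECTION.match(line):
            key = m.group(1)
            inside = key.lower().startswith(prefix)
            current = packages.setdefault(key[len(prefix):], {}) if inside else None
        elif current is not None and (m := VALUE.match(line)):
            current[m.group(1)] = m.group(2).replace("\\\\", "\\")  # undo .reg escaping
    return packages

def unknown_packages(packages, known_dlls):
    """List (subkey, dll basename, events) for DLLs absent from the allowlist.
    known_dlls is an assumption: lowercase names collected from a clean machine."""
    hits = []
    for name, vals in sorted(packages.items()):
        base = vals.get("DllName", "").rsplit("\\", 1)[-1].lower()
        if base not in known_dlls:
            hits.append((name, base, [e for e in ("Logon", "Logoff") if e in vals]))
    return hits

if __name__ == "__main__":
    for hit in unknown_packages(notify_packages(SAMPLE_REG), {"crypt32.dll"}):
        print(hit)
```

Notification DLLs are loaded inside winlogon.exe, so a listing like this can show entries even when no unfamiliar process is running.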

Re: Can't get rid of strange virus/spyware :-(

Boot into Safe Mode and run the scans there.

--
Frank Saunders, MS-MVP OE
"Anyone who prefers security over freedom deserves neither."



Re: Can't get rid of strange virus/spyware :-(

Tried that too. Same problem. Can't delete the files. And they
reinstall anyway. Also tried holding Ctrl-Alt-Shift at start (that
usually stops most autostarting programs from launching).
--
 Lars-Erik  -  http://home.chello.no/~larse/ -  ICQ 7297605

Re: Can't get rid of strange virus/spyware :-(

run HijackThis; http://aumha.org/downloads/hijackthis.zip
HijackThis - Tutorial & FAQ;
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Register here: http://aumha.net/profile.php?mode=register
Once you have received your registration confirmation, post your HJT
log here:  *(for expert analysis)*
http://aumha.net/viewforum.php?f=30

Please see http://aumha.net/viewtopic.php?t=4075 and
http://aumha.org/a/quickfix.htm before posting to the forum.

HijackThis tutorial:
http://aumha.org/a/hjttutor.htm

--
Frank Saunders, MS-MVP OE
"Anyone who prefers security over freedom deserves neither."



Re: Can't get rid of strange virus/spyware :-(

In Windows Control Panel Add/Remove Programs, uninstall surfsidekick,
newnet or newdotnet and WebNexus if they are listed; restart the PC if
prompted.

Download and run Look2Me-Destroyer: http://www.atribune.org/content/view/28/
or
Symantec tool -
http://www.symantec.com/avcenter/venc/data/spyware.look2me.html
or
F-secure tool - http://www.f-secure.com/sw-desc/look2me.shtml

Good luck
Martin





Re: Can't get rid of strange virus/spyware :-(

On Mon, 22 May 2006 12:39:51 +0200, in alt.comp.anti-virus, Lars-Erik Østerud
arranged some electrons, so they looked like this:

 ... Cleaning a friend's system, but there is something left I can't get rid
 ... of. Both Ad-Aware and Spybot S&D find it. It is in the "Startup"
 ... list, but when they try to remove it, it just reinstalls itself. Even
 ... tried removing the entries in the registry. But they keep coming back.
 ...
 ... Microsoft Anti Spyware and Malicious Software removal don't find it.
 ... Neither do the anti-virus programs. But when installed it launches
 ... IE with a window with commercials (stopped that by blocking "Winlogon"
 ... in the firewall :-)  So something is very very wrong. But what do I do?
 ...
 ... Details:
 ...
 ... In "startup" (actually it subscribes to "Logon" and "logoff" events, but
 ... it shows as "system.ini" in Spybot S&D under the "Startup items")
 ... there are two DLLs that are launched:
 ...
 ... "tdcyw.dll" always has the same name, the other DLL changes name (and
 ... description) all the time:  dnp0018me.dll, r0p8la7u1d.dll,
 ... mv6ul9j91.dll  are only some of the names..
 ...
 ... Tried to delete those DLLs, but of course they are in use. But I can't
 ... see any processes that should not be there...
 ...
 ... I forgot to note the names of the spyware "Ad-Aware" found :-(
 ... But it finds 12 entries each time (even after I delete them).
 ...
 ... Thought I could boot to "command prompt only" but that is not in the
 ... boot menu (it's XP Home), the only choice with "command prompt" boots
 ... XP first (to GUI) then launches a "cmd" (and then the spyware has
 ... already reinstalled itself and run). Is there a way to get a "cmd"
 ... window without launching XP first with XP Home (works on XP Pro)?

Delete the dll extension. It always works for me.


Re: Can't get rid of strange virus/spyware :-(


| Cleaning a friend's system, but there is something left I can't get rid
| of. Both Ad-Aware and Spybot S&D find it. It is in the "Startup"
| list, but when they try to remove it, it just reinstalls itself. Even
| tried removing the entries in the registry. But they keep coming back.
|
| Microsoft Anti Spyware and Malicious Software removal don't find it.
| Neither do the anti-virus programs. But when installed it launches
| IE with a window with commercials (stopped that by blocking "Winlogon"
| in the firewall :-)  So something is very very wrong. But what do I do?
|
| Details:
|
| In "startup" (actually it subscribes to "Logon" and "logoff" events, but
| it shows as "system.ini" in Spybot S&D under the "Startup items")
| there are two DLLs that are launched:
|
| "tdcyw.dll" always has the same name, the other DLL changes name (and
| description) all the time:  dnp0018me.dll, r0p8la7u1d.dll,
| mv6ul9j91.dll  are only some of the names..
|
| Tried to delete those DLLs, but of course they are in use. But I can't
| see any processes that should not be there...
|
| I forgot to note the names of the spyware "Ad-Aware" found :-(
| But it finds 12 entries each time (even after I delete them).
|
| Thought I could boot to "command prompt only" but that is not in the
| boot menu (it's XP Home), the only choice with "command prompt" boots
| XP first (to GUI) then launches a "cmd" (and then the spyware has
| already reinstalled itself and run). Is there a way to get a "cmd"
| window without launching XP first with XP Home (works on XP Pro)?

Please submit samples to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition,
unless told otherwise, Virus Total will provide the sample to all
participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

Then we will know what exactly you are dealing with.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


