Malware



QuietWind
Saturday, August 27th, 2005, 01:31 AM
Help?

I have a malware that I cannot get rid of. I will tell you everything I know about it and all that I have tried to get rid of it.

I first noticed it when I was browsing Skadi one day and my browser began to automatically go to another site. I ran Ad aware and it located it. The bad news: it cannot get rid of it. I ran Norton and it did not detect it. I ran AVG and it did not detect it. I ran "Windows Malicious Software Removal Tool" and it did not detect it. I downloaded and tried some Browser hijacker retaliator thingy, and it did not work.

The browser I primarily use is Mozilla Firefox. I have used, but rarely ever use IE. I have a problem with this thing on both of them. It will automatically start going to a new website. It also will reset my browser home page so that when I open my browser it goes to something odd and I have to rechange my browser page. I have no problems with this on my AOL. This also lags down my speed and will cause my computer to restart itself with a protection error message if I use something on my computer that uses windows explorer.

This is what Ad aware says about this malware:

Description: "Browser hijacker. No uninstaller. May cause system instability. Auto updates. Operates in stealth."

http://www.lavasoftnews.com/ms/display_main.php?tac=Lop

The identifying process path is:

c:\docume~1\compaq~1\locals~1\temp\ymdllvtl.exe

BUT...... the last part "ymdllvtl.exe" changes. I have 10 other endings for this same one. It keeps changing. I think this is why my Ad aware cannot quarantine it, because it quarantines one and it changes. Every time I run the Ad aware, it has a different ending, I quarantine it, run Ad aware again, and already it is back with a new ending.

I have tried following the path under "explore" in the "start" and I cannot locate it.

So......anyone know what to do?

itsallaroundyou
Saturday, August 27th, 2005, 04:43 AM
format c:

Zyklop
Saturday, August 27th, 2005, 06:37 AM
Spybot (http://www.safer-networking.org/en/download/index.html)

AVG Free Edition (http://free.grisoft.com/doc/2/lng/us/tpl/v5)

Frans_Jozef
Saturday, August 27th, 2005, 09:16 AM
EMCO Malware Destroyer (http://www.emco.is/malwarebouncer/features.html)


Ewido (http://www.ewido.net/en/)


Removing Spyware (http://www.michaelhorowitz.com/removespyware.html)


BleepingComputer.com Tutorial Center (http://www.bleepingcomputer.com/forums/tutorials.html)

Schutzstaffelor
Saturday, August 27th, 2005, 09:08 PM
very good guide is found here: www.greyknight17.com/spyware.htm (http://www.greyknight17.com/spyware.htm)

also, visit www.techsupportforums.com (http://www.techsupportforums.com) or tech guy forums for questions.


other than that, i'd recommend you download ad aware, hijack-this (do a scan and paste the log in one of the forums above, or PM me and i can tell you what to do), spybot S&D, and run all of them in your computer's safe mode (VERY IMPORTANT, i cannot stress this enough, as there are malicious processes that can interfere with these programs, and escape deletion, or worse, detection)

here's where to download the necessary programs:

hijackthis:

http://www.majorgeeks.com/download3155.html (very important you scan your comp with this, as it detects all running processes, so you can paste the logfile and show it to a more knowledgeable person)

spybot S&D

http://www.safer-networking.org/en/index.html

ewido anti-virus and trojan

http://www.ewido.net/en/

and finally, ad-aware SE

http://www.lavasoftusa.com/software/adaware/

QuietWind
Sunday, August 28th, 2005, 01:26 AM
Just to give you an update.....

I have tried all of your new suggestions, including downloading all the ones I had not previously tried, and it doesn't show up on any of them. Just like I mentioned in the first post, none of them detect it except for Ad-aware, but it cannot delete it because it just changes the ending and returns. The "hijack this" product and "ewido" are really cool and I am keeping them in addition to all my other security features that I already have. The thing I have doesn't even show up in the hijack this log file. I searched it line by line by line and about 90% of my currently running processes are things that I can easily identify as being legit things that I KNOW what they are and KNOW they are running. It's neat-o, even Skadi.net shows up in there :P (I had skadi up while I ran the scan.) Of the other 10% that I wasn't sure about, they had totally different paths than the one I want to get rid of...which doesn't necessarily mean they are not somehow connected to it.... but for now I decided to leave them alone.

On a good note, I actually FOUND my malware I have been looking for. I searched through the path again (previously, I couldn't locate it this way), and finally I tracked it down. So, now I have it staring at me, isolated in a little window minimized on my screen, while I contemplate my next move against it. It's pretty cool, because although it will not let me manually delete it, I can run ad aware, cross check that it is the same one, quarantine it using ad aware which deletes it from my little box, and then I can watch as it re-installs itself using a new end code. :) So, I am at a stalemate with it, staring at it, occasionally deleting it with ad aware for fun, and watching it return. Okay, so now I sound like I have spent all day on this, when in fact I have really been plastering my living room floor with copious amounts of papers like the guy in A Beautiful Mind. (I'm writing a paper for school.) My husband walked in after work and remarked that now he is just waiting for me to start drawing diagrams all over the papers to find codes within the text. ;)

My next plan of action against my little malware? I am going to put my computer into safemode, and try to manually delete it in safe mode. I know...I should have done this hours ago, but I hate safe mode-- it annoys me. I already tried disconnecting my computer from the internet in hopes of cutting this thing off, and yet I still couldn't delete it.

If anyone has any more suggestions, I'm all ears. I will try almost anything.

Schutzstaffelor just wants me to paste my log file so you can all see what I have running. :D I'm kidding, of course. Maybe if I have time later or tomorrow, or if safe mode doesn't work.....then I will paste that 10% of things I am not sure of so you can all take a look at what I have running that I do not know what it is. Do you realize how many security features I currently have running on this computer? Mmm, about 4 including my firewall. Previously I only had two when this malware got in. Plus, I now have about 3-4 other new "toys" that are not running since you all have given me so many free links. :)

This malware is bad. :( Nothing detects it and I can't get rid of it.

QuietWind
Sunday, August 28th, 2005, 01:59 AM
Safe mode allowed me to delete it....BUT, not really. It came back, of course, with a new ending as soon as I brought my computer back up. :(

Patria
Sunday, August 28th, 2005, 02:26 AM
Safe mode allowed me to delete it....BUT, not really. It came back, of course, with a new ending as soon as I brought my computer back up. :(

Start Windows again in Safe mode and then only start Spybot and Adware. You said one tool found your malware, did the malware have a specific name?

QuietWind
Sunday, August 28th, 2005, 03:30 AM
Start Windows again in Safe mode and then only start Spybot and Adware. You said one tool found your malware, did the malware have a specific name?


Nope, no name. Only the path given above in my first post.

Ad aware doesn't find it in safe mode, only in regular mode. So, basically, I still got it. :lol

My husband just checked and he has it too. We do share the same IP and our computers are connected through a router. We are not connected on a network though. Our computers are not networked together at all, and the only thing that we do share is the IP/internet connection.

Don't know if any of that helps or matters?

Schutzstaffelor
Sunday, August 28th, 2005, 05:03 AM
then how did you delete the malware originally (manually or w/ software)? if it was with a software, the name must have come up somehow. it must have been a dll or whatnot you deleted. do you remember anything?

QuietWind
Sunday, August 28th, 2005, 04:13 PM
then how did you delete the malware originally (manually or w/ software)? if it was with a software, the name must have come up somehow. it must have been a dll or whatnot you deleted. do you remember anything?

I deleted it manually by its path:

c:\docume~1\compaq~1\locals~1\temp\ymdllvtl.exe

That is what shows up in Ad Aware. No name, just the path with the odd combinations of letters at the end, that change every time it is deleted and reinstalls itself.

c:\docume~1\compaq~1\locals~1\temp\qnaxjkvz.exe
c:\docume~1\compaq~1\locals~1\temp\tfulcjdq.exe
c:\docume~1\compaq~1\locals~1\temp\sta56e.exe
c:\docume~1\compaq~1\locals~1\temp\vgshhoq.exe
c:\docume~1\compaq~1\locals~1\temp\cvtwmjoi.exe
c:\docume~1\compaq~1\locals~1\temp\tplwaqyp.exe
c:\docume~1\compaq~1\locals~1\temp\jhpebqwz.exe

Those are just to show a few of the endings. I have many more listed from all my attempts to get rid of it. When I follow the path, it is listed in the final destination as whatever the letters are in the thing at that time. I'll take some screen shots and post them in a minute.
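The pattern QuietWind describes (a fresh random-looking .exe in the temp folder after every deletion, with the same two files always sitting next to it) is easier to spot from a few directory listings than by name. The Python script below is an added example, not code from the thread or from any of the tools linked in it; it runs a churn check over snapshots constructed from the paths quoted above and lists the files that persist alongside the churn, which is where the re-installer is worth investigating.

```python
import math
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed snapshots of the poster's temp folder, one per Ad-Aware run, built from
# the executable names quoted in the thread plus the two files reported as persisting.
TEMP = r"c:\docume~1\compaq~1\locals~1\temp"
CHURN = ["ymdllvtl", "qnaxjkvz", "tfulcjdq", "sta56e", "vgshhoq"]
SNAPSHOTS = [[rf"{TEMP}\{n}.exe", rf"{TEMP}\IadHide5.dll", rf"{TEMP}\~DFC41D.tmp"] for n in CHURN]

def entropy(s):
    """Shannon entropy of a string in bits per character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_random(stem, min_len=6):
    """Heuristic: flag a filename stem when two or more 'random name' signals fire.
    Tuned to the names in this thread; ordinary names like update or setup64 score one."""
    s = stem.lower()
    if len(s) < min_len or not s.isalnum():
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in s) / len(s)
    longest_run = max(len(m) for m in re.findall(r"[^aeiou]+", s) or [""])
    interior_digits = re.search(r"[a-z]\d+[a-z]", s) is not None
    signals = [vowel_ratio < 0.25, longest_run >= 4, entropy(s) >= 2.5, interior_digits]
    return sum(signals) >= 2

def churn_report(snapshots, exts=(".exe",)):
    """Per directory: random-named executables seen in exactly one snapshot (the
    respawn-under-a-new-name pattern) and the files present in every snapshot beside them."""
    seen = Counter()
    for snap in snapshots:
        for p in set(snap):
            pw = PureWindowsPath(p)
            seen[(str(pw.parent).lower(), pw.name.lower())] += 1
    report = {}
    for (d, name), count in seen.items():
        pw = PureWindowsPath(name)
        if pw.suffix in exts and count == 1 and looks_random(pw.stem):
            report.setdefault(d, {"churning": [], "constant": []})["churning"].append(name)
    for (d, name), count in seen.items():
        if d in report and count == len(snapshots):
            report[d]["constant"].append(name)
    for r in report.values():
        r["churning"].sort()
        r["constant"].sort()
    return report

if __name__ == "__main__":
    for d, r in churn_report(SNAPSHOTS).items():
        print(d, "churning:", r["churning"], "constant neighbours:", r["constant"])
```

The churn criterion is the strong signal; the name heuristic only trims ordinary installer droppings from the list.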

QuietWind
Sunday, August 28th, 2005, 04:36 PM
First, I search through the known path to find the malware and find it. You can see it listed as: czdwtwbp

(See first attachment below)

Then I run Ad Aware, and you can see that czdwtwbp is in there. (See second attachment below)

I get rid of it using ad aware.

Then I check through the path again and look, a new one! You can see it says: xtdllqfu (see third attachment below)

If I were to run ad aware again, xtdllqfu would show up just as the other one did, and then a new one would appear. This thing simply keeps changing the last letters. I delete it, it returns.

You can also see there are two other things in there:

IadHide5.dll and ~DFC41D.tmp

These are two other things that I also cannot delete. Ad aware nor any other program picks them up as a problem, but I am pretty sure that at least the DFC41D is associated with the malware. I am sure of this because after I delete the malware, I can also delete the DFC41D manually, but it returns when the malware returns. IadHide5 only allows me to delete it in safe mode, but it also returns as soon as I bring my computer back up.

Schutzstaffelor
Sunday, August 28th, 2005, 10:36 PM
delete these two using delete doctor:

http://www.theabsolute.net/sware/#deletedr


guaranteed to delete anything and it's freeware

QuietWind
Sunday, August 28th, 2005, 10:59 PM
delete these two using delete doctor:

http://www.theabsolute.net/sware/#deletedr


guaranteed to delete anything and it's freeware


:( Didn't work.

Schutzstaffelor
Monday, August 29th, 2005, 12:30 AM
even in safe mode ?!


edit: have you tried hijack this?

scan your computer with hijack this and post the log here or on a professional tech support forum (www.techsupportforums.com)

QuietWind
Monday, November 14th, 2005, 04:22 AM
I just wanted to update an old thread......

It's gone! :smilies


I decided to just live with it and ignore it, but at the same time, every time I ran my adaware I went ahead and deleted it knowing it would return. I just kept on wondering exactly how many times it would return. You know....because everything has a limit. So, there had to be an end in new coding for it popping back up. It worked! Finally, one of the times I deleted it, it was gone for good! I reached the end and won! It has been gone over a month now and not returned. :)