Community Newsletter: Q&A: 4/1/05 Removing malware that just won't die!

by Lee Koo (ADMIN) Moderator - 3/31/05 5:06 PM
Post 241 of 270

Pop-up problems

by flinton31 - 4/1/05 5:08 PM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

Yes, I would reformat your drive. Reinstall XP using the setup program. Once reinstalled, install SP2. A great program I found is called Microsoft AntiSpyware Beta 1. It works very well and is easy to configure. Here is the link: http://www.microsoft.com/athome/security/spyware/software/default.mspx
Hope this helps.

Matt

Post 242 of 270

Always has to be someone who trashes it for the rest

by busted_badgurl - 4/1/05 11:19 PM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

Unless I totally miss the point, I thought the reason why these forums were created was to help those who genuinely have a problem/s with their computers. Strange as it may seem, the concept was pretty simple. If you have something constructive to add to the subject, then by all means do so.

So, like more than just a few on here, I thought it was cool that so many took the time to criticize "phardstaff" for his less than helpful comments. There's also one other type of attitude that seems all too frequent on these forums these days, and those are the people who seem to want to provoke conflict, and I cite "appsman" as an example.

Rough posted a comment, which to me seemed perfectly valid. In response "appsman" posted this as a reply: "Not sure why you posted your response here instead of one level up". What did "appsman" expect to be gained from that reply? At the worst, "rough" mistakenly posted his response in the wrong place, and I'm not saying he did. What did "appsman" expect "rough" to do? Obviously he can't move it, so it seems to me that the motive was to provoke a response from "rough" because "appsman" is looking to cause a conflict. What other motive can there be? Let's be honest, the vast majority would have let it slide and moved on without making any comment.

Rough didn't respond, and as a result it seems clear to me that "appsman" went on to see who else he could stir up. So he sights "sidey" and makes the following comment to him: "Still not sure who your response was directed at. If your post is directed at my reply then you truly did not read or understand its content. If thats the case then maybe you are the, as you so eloquently put it, "wannabe IT gurus who claim to know it all but in reality know zip". If not just let it die."

Now even a fool on his worst day would know that "sidey's" post had absolutely no bearing on anything "appsman" had said in the previous posts. Obviously "sidey's" comment was in response to "rough", and thread and timing support that. Appsman was looking to cause trouble, and he must have known that the clear and totally uncalled-for insult would force a response, which is exactly what he wanted.

I think "sidey" was well within his rights to respond, and I applaud him for presenting his argument as a mature adult. In my opinion "sidey" made "appsman" look the fool he clearly is. I also wonder why it is "appsman" seemed to take such exception to "sidey's" comment "wannabe IT gurus who claim to know it all but in reality know zip"; perhaps it's because that comment, although not originally aimed at "appsman", fits him like a glove all the same.

Can I just ask that in future, those who cannot contribute anything positive to those who need it the most, please refrain from making any comment at all, because it serves no valuable purpose. Also, to those who seek to create conflict like some schoolyard bully, take it elsewhere and grow up.

Post 243 of 270

Killing spyware

by cchuahy - 4/2/05 6:07 AM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

I had the same problem with my notebook running Windows XP. Even with Spybot, Microsoft Spyware, Norton and a firewall, the spyware seemed to be impossible to kill. Then I tried the last thing I could think of: I used the system recovery utility from Windows XP and turned back my computer to some days before the date the spyware showed up for the first time. It worked. Therefore, if I were Tom, I would try this before formatting the hard disk.

Post 244 of 270

Buy a Mac

by Mark Tucker - 4/2/05 7:20 AM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

Don't want spyware, viruses or other pesky invaders? Buy a Mac! I did. They really are miles better, and you can do everything you used to do on a PC, better. Except gaming. Oh yeah, they come with a built-in firewall.

Post 245 of 270

All due respect BUT

by IT_Ministry - 4/2/05 8:31 AM In reply to: Buy a Mac by Mark Tucker

Your suggestion is hardly a practical solution to the guy's problem with his daughter's computer. Believe it or not, most people don't have the resources to just drop into the local Mac store and replace a PC just because their current one has a problem, a fixable one I might add. Constructive comments are helpful to those who need it, don't you think?

PS: Oh yeah, if you think the Mac's built-in firewall is all you need, all I can say is good luck, dude.

Post 246 of 270

You can't be serious

by Stride - 4/2/05 9:34 AM In reply to: Buy a Mac by Mark Tucker

Are you really saying that a Mac is immune to "spyware, viruses or other pesky invaders"!!!!????

Boy, what have you been smoking, 'cause I want some, so long as the total idiot factor doesn't last forever. Oh, and the firewall ... wait while I pick myself off the floor in fits of laughter ... I have to agree with the other guy. If you think that's gonna save you, boy, are you in trouble. Give me a break ... go back to the Mac forum.

Post 247 of 270

I'll refer you to the FACTS...

by Jamie314 - 4/8/05 4:39 AM In reply to: Buy a Mac by Mark Tucker

As sidey's excellent comment showed, Mac and Linux platforms are NOT as secure or immune as you may think:

http://reviews.cnet.com/5208-10149-0.html?forumID=7&threadID=95901&messageID=1099868

In case you decide to describe me as biased in any way or agreeing with sidey because I 'like' Windows, I have a dual booting WinXP/Linux machine and I use Linux on a daily basis for software development.

** I have to exercise the same caution and install equivalent protection programs in Linux, just as I do in Windows, and just as you should for your Mac. **

If the Macs were completely invulnerable, why would Apple release security updates? I rest my case.

Jamie

Post 248 of 270

Spyware/Adware issues

by shadowslaer - 4/2/05 11:15 AM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

I use Webroot Spysweeper for my adware/spyware/virii removals. It is a pretty thorough program but not all spyware/adware/virii can be removed using removal programs.

Spysweeper can identify most spyware and such but there are some that it cannot remove because the programs are still running in the background (You can find these by depressing CTRL+ALT+Delete and then look in the list--For XP you want to look in the "Processes" tab).

Nowadays, it is a good habit to do CTRL+ALT+Delete and see what is "normal" for your processes tab (You may write down the processes that are running in the background so you know what SHOULD be running, and what shouldn't, pay attention to new programs you install and add them to your list as they run on your PC).

Some adware/spyware/trojans have resilient connections. When you "End Task" them, they immediately reconnect. To eradicate this requires some manual manipulation. Spysweeper (and all other spyware utilities, I believe) provides a directory path to identified viruses/spyware/adware. Using Windows Explorer, you can go to the directory and find the master folder which contains the program in question. Next I cut it (right-click, then select "Cut" from the drop-down menu) and paste it to the desktop.

This will let you know if the program can be manipulated. If it does get moved to the desktop, rename the folder (I usually just rename it to "garbadge"). If the process is running, it may not let you delete the file until after you restart your PC. After you restart your PC, the file should not be able to connect since it can no longer be found (You have moved it and renamed it, so any registry entries that cause it to run can't find the target program). Then you should be able to delete it.

If the process is running and will not allow you to rename it and/or delete it, you will have to go into the START menu, RUN, then type in "msconfig" and try to stop the program from initiating each time you start up Windows (This is done in the Startup tab in the menu box that appears).

If that still doesn't stop it (Some are VERY resilient!) then you will have to go into the registry (START, RUN, type in "regedit") and look for the actual registry entry that targets the pesky program and delete it. If you think doing the Windows Explorer search manually is a chore, the registry search can be even worse, since registry keys can be installed into several folders. With a little diligence you can find the registry keys and delete them.

THEN go to the program in question and delete it asap. Usually by deleting the registry key, you end the process so it should not be running. You may receive an error message indicating as such. If so, you know for sure that you have killed the program's brain. Most of the time, you will receive no error messages so try to delete the program or have your adware stopper remove it for you once you delete the registry item that was running it.
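The post above recommends writing down which processes normally run and which programs normally start with Windows, so that a new name stands out. The script below is an added example, not code from shadowslaer's post or from any of the tools it names: it parses the output of `tasklist /FO CSV` and of `reg query` against a Run key and reports whatever is not on the baseline you wrote down. The two sample outputs are constructed; the file names `dwlbr.exe` and `C:\WINNT\Downloaded Program Files\update.exe` are taken from the downloader log posted later in this thread, and the baseline sets, function names and the `BASELINE_*` constants are this example's own. Because a dropped file can reuse a stock name, the startup check compares the full command path, not just the value name.

```python
import csv
import io
import re

# Constructed sample of `tasklist /FO CSV` output on a Windows XP machine.
# dwlbr.exe is the renamed downloader from the log posted later in this
# thread; every other image name is a stock XP process.
SAMPLE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"System","4","Console","0","236 K"
"smss.exe","528","Console","0","388 K"
"csrss.exe","592","Console","0","3,884 K"
"winlogon.exe","616","Console","0","4,236 K"
"services.exe","660","Console","0","3,540 K"
"lsass.exe","672","Console","0","1,328 K"
"svchost.exe","836","Console","0","4,944 K"
"explorer.exe","1544","Console","0","18,212 K"
"dwlbr.exe","1788","Console","0","2,104 K"
'''

# Constructed sample of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# output in the reg.exe 3.0 layout (value name, type, data separated by runs of spaces).
SAMPLE_RUN_KEY = r'''
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe
    update    REG_SZ    C:\WINNT\Downloaded Program Files\update.exe
'''

# The "written down on a clean day" lists the post recommends (hypothetical).
BASELINE_PROCESSES = {
    "system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe", "explorer.exe",
}
# Startup baseline keyed on the full command, so a new path under a known name is flagged too.
BASELINE_STARTUP = {r"C:\WINNT\system32\ctfmon.exe"}

RUN_VALUE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")


def parse_tasklist(text):
    """Return (image name, pid) pairs from `tasklist /FO CSV` output."""
    rows = csv.DictReader(io.StringIO(text))
    return [(row["Image Name"], int(row["PID"])) for row in rows]


def parse_run_key(text):
    """Return (value name, command) pairs from `reg query` output for a Run key."""
    entries = []
    for line in text.splitlines():
        m = RUN_VALUE.match(line)
        if m:
            entries.append((m.group(1), m.group(3).strip()))
    return entries


def unknown_processes(text, baseline):
    """Image names present in the tasklist output but absent from the baseline."""
    seen = {name.lower() for name, _ in parse_tasklist(text)}
    return sorted(seen - {b.lower() for b in baseline})


def unknown_startup(text, baseline):
    """Run-key entries whose command is not one of the baselined commands."""
    known = {b.lower() for b in baseline}
    return [(name, cmd) for name, cmd in parse_run_key(text) if cmd.lower() not in known]


if __name__ == "__main__":
    # On a real machine, feed in the captured command output instead of the samples.
    for name in unknown_processes(SAMPLE_TASKLIST, BASELINE_PROCESSES):
        print("process not in baseline:", name)
    for name, cmd in unknown_startup(SAMPLE_RUN_KEY, BASELINE_STARTUP):
        print("startup entry not in baseline:", name, "->", cmd)
```

Run it after capturing `tasklist /FO CSV > procs.csv` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > run.txt` and reading those files in place of the samples; the HKLM Run key and the RunOnce keys parse the same way.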

Post 249 of 270

YES!YES!YES!FINALLY!!!

by funkid7 - 4/3/05 1:28 AM In reply to: Spyware/Adware issues by shadowslaer

That is exactly how I was killing those spies! I wasn't too sure what I was really doing, but I realized early on that cut to desktop and rename/reboot was doing the trick! I know my Run/pros by heart and can recognize a bad BHO in a flash. I have none of that RunDll32 garbage in processes either.

Post 250 of 270

I'm not sure that terminating the rundll32 is best

by iloveya2 - 4/3/05 3:52 AM In reply to: YES!YES!YES!FINALLY!!! by funkid7

Rundll32.exe is actually a normal function of windows, and it's not generally recommended that it be terminated. I see that it might be effective in helping prevent malware, but often at the expense of system stability.

Some informative links:
A decent description of what the executable does:
http://www.liutilities.com/products/wintaskspro/processlibrary/rundll32/
And to actually see the dlls that it loads:
http://windowsxp.mvps.org/rundll32.htm

Post 251 of 270

let him dream on

by sidey - 4/3/05 3:58 AM In reply to: I'm not sure that terminating the rundll32 is best by iloveya2

This is a kid who thinks anti-virus is pointless and Yahoo anti-spyware will protect him on its own.

Personally I like it ... keeps my fellow techs in a job, do guys like this.

Post 252 of 270

Use Safemode first, before regedit

by ust1268 - 4/8/05 7:40 AM In reply to: Spyware/Adware issues by shadowslaer

I've found that I can delete those pesky files by using Safe Mode - press F8 while rebooting and select it from the menu. Then find the guilty file.

You should only use regedit if you are ABSOLUTELY sure of what you are doing, and if you have backed up the registry first.

Post 253 of 270

Malware....

by CPapoulias - 4/2/05 5:17 PM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

Hi Tom,

There is no real fix to this problem; as long as you're on the net you are going to contract these spy bots.
In saying that, all you can do at most is to minimise, as previous people said, and run anti-spy software...

Also, your browser has a lot to do with it. Microsoft Internet Explorer is not very secure at all, as it does leak information, and if hacked can explore your files through there.

I'm currently using the Firefox 1.02 browser & Thunderbird email client, and since the switch the spy bots I contract are minimal, between 1 & 5, as before more than 50.

A proper firewall is also recommended, but as I said before, the browser has a lot to do with it.

I used to have lots of problems before and now none whatsoever.

Another tip: have & run multiple anti-spy bot searches. They all work differently, just like anti-virus software does, and that way you can detect more and delete. A good one that I use is from Lavasoft - Ad-Aware SE, which is free for personal use.

You must run anti-spy bot searches regularly.

Good luck & I hope I have been helpful to you.

Post 254 of 270

I got him.. it infects through the MS Media Player.

by gcanavaggio - 4/3/05 8:46 AM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

I have been working on killing the malware which would not die: re-infecting, cleaning up, re-infecting. Doing impossibles.

I GOT IT….
Finally, after tracking logs and time stamps, I got the answer. I hope this helps others avoid the infection.

It enters the computer through the MS Media Player. I got a sound clip in an e-mail which then triggered the media player's licensed music program and the acquire license program, which is then directed to a server with the MALWARE, and infects the PC.

Enclosed is the log left behind by the MS Media Player. THE XXXXX IS SUBSTITUTED FOR THE HTTP:// by me to stop the link from being posted as active.

I hope this helps others who can use this information.

Procedure: start with the time stamps of files detected by Panda or others. Look at all the .txt files.
Once we know their names, the killing is easier.

Good day.
Guy
Log ……
module 0 0
Old name C:\WINNT\Downloaded Program Files\update.exe New name C:\WINNT\system32\dwlbr.exe
RemoveFromHider -> C:\WINNT\Downloaded Program Files\update.exe
AddToHider -> C:\WINNT\system32\dwlbr.exe
UpdateHider
module 7a0000 1b
Work in C:\Program Files\Internet Explorer\iexplore.exe
LockFile C:\WINNT\system32\dwlbr.exe -> 6c
WorkExplorer
InternetOpenUrl cc000c
InternetReadFile 374
InternetReadFile 374
Downloading file XXXX//69.50.166.98/users/alberto/web/lodctrpd.exe
InternetOpenUrl cc000c
InternetReadFile 33792
InternetReadFile 33792
Executing file C:\WINNT\system32\lodctrpd.exe
Downloading file XXXX//69.50.166.98/users/alberto/web/diantzpt.exe
InternetOpenUrl cc000c
InternetReadFile 11264
InternetReadFile 11264
Executing file C:\WINNT\system32\diantzpt.exe
Downloading file XXXXX//69.50.166.98/users/alberto/web/dosxpd.exe
InternetOpenUrl cc000c
InternetReadFile 47077
InternetReadFile 47077
Executing file C:\WINNT\system32\dosxpd.exe
Downloading file XXXXht//69.50.166.98/users/alberto/web/audissrp.exe
InternetOpenUrl cc000c
InternetReadFile 10752
InternetReadFile 10752
Executing file C:\WINNT\system32\audissrp.exe
Downloading file XXXht//69.50.166.98/users/alberto/web/fixmapirs.exe
InternetOpenUrl cc000c
InternetReadFile 3733
InternetReadFile 3733
Executing file C:\WINNT\system32\fixmapirs.exe
Downloading file XXXX//69.50.166.98/users/alberto/web/autodmfp.exe
InternetOpenUrl cc000c
InternetReadFile 46592
InternetReadFile 46592
Executing file C:\WINNT\system32\autodmfp.exe
Downloading file XXXX//69.50.166.98/users/alberto/web/chkntfsfat.exe
InternetOpenUrl cc000c
InternetReadFile 19456
InternetReadFile 19456
Executing file C:\WINNT\system32\chkntfsfat.exe
All files downloaded successfully...
Removing downloader...
RemoveFromHider -> C:\WINNT\system32\dwlbr.exe
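The log above is the downloader's own record of what it fetched and ran, which is exactly what a responder needs to clean the machine and check others: the file it renamed itself to, the host it pulled from, and every path it executed. The parser below is an added example, not code from gcanavaggio's post; it walks an excerpt of that log (values exactly as posted, including the XXXX the poster put in place of the URL scheme, trimmed to three of the eight downloads) and pairs each "Downloading file" line with the byte count and "Executing file" path that follow it. The function names, the summary layout and the `indicators` helper are this example's own.

```python
import re

# Excerpt of the downloader log quoted in the post above, values as posted.
# Trimmed to three of the eight downloads so the example stays short.
SAMPLE_LOG = r"""module 0 0
Old name C:\WINNT\Downloaded Program Files\update.exe New name C:\WINNT\system32\dwlbr.exe
RemoveFromHider -> C:\WINNT\Downloaded Program Files\update.exe
AddToHider -> C:\WINNT\system32\dwlbr.exe
UpdateHider
module 7a0000 1b
Work in C:\Program Files\Internet Explorer\iexplore.exe
LockFile C:\WINNT\system32\dwlbr.exe -> 6c
WorkExplorer
InternetOpenUrl cc000c
InternetReadFile 374
InternetReadFile 374
Downloading file XXXX//69.50.166.98/users/alberto/web/lodctrpd.exe
InternetOpenUrl cc000c
InternetReadFile 33792
InternetReadFile 33792
Executing file C:\WINNT\system32\lodctrpd.exe
Downloading file XXXX//69.50.166.98/users/alberto/web/diantzpt.exe
InternetOpenUrl cc000c
InternetReadFile 11264
InternetReadFile 11264
Executing file C:\WINNT\system32\diantzpt.exe
Downloading file XXXXht//69.50.166.98/users/alberto/web/audissrp.exe
InternetOpenUrl cc000c
InternetReadFile 10752
InternetReadFile 10752
Executing file C:\WINNT\system32\audissrp.exe
All files downloaded successfully...
Removing downloader...
RemoveFromHider -> C:\WINNT\system32\dwlbr.exe
"""

RENAME = re.compile(r"^Old name (.+?) New name (.+)$")
# The poster replaced the scheme with a run of X's, so match anything up to "//".
DOWNLOAD = re.compile(r"^Downloading file \S*?//([^/\s]+)(/\S+)$")
READ = re.compile(r"^InternetReadFile (\d+)$")
EXECUTE = re.compile(r"^Executing file (.+)$")


def parse_downloader_log(text):
    """Walk the log once and summarise what the downloader did.

    A 'Downloading file' line opens a record; the 'InternetReadFile' count that
    follows is the payload size; 'Executing file' closes the record with the
    path the payload was written to and run from. Reads that happen before any
    download (the 374-byte fetch here) are kept separately rather than guessed at.
    """
    summary = {"renamed": None, "hosts": set(), "drops": [], "unattributed_reads": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if m := RENAME.match(line):
            summary["renamed"] = (m.group(1), m.group(2))
        elif m := DOWNLOAD.match(line):
            current = {"host": m.group(1), "remote_path": m.group(2),
                       "bytes": None, "local_path": None}
            summary["hosts"].add(m.group(1))
        elif m := READ.match(line):
            if current is not None:
                current["bytes"] = int(m.group(1))   # logged twice; both values agree
            else:
                summary["unattributed_reads"].append(int(m.group(1)))
        elif m := EXECUTE.match(line):
            if current is not None:
                current["local_path"] = m.group(1)
                summary["drops"].append(current)
                current = None
    return summary


def indicators(summary):
    """Flatten the summary into the hosts and file paths to search for on other machines."""
    paths = set()
    if summary["renamed"]:
        paths.update(summary["renamed"])
    paths.update(d["local_path"] for d in summary["drops"])
    return {"hosts": sorted(summary["hosts"]), "files": sorted(paths)}


if __name__ == "__main__":
    s = parse_downloader_log(SAMPLE_LOG)
    print("downloader renamed:", s["renamed"])
    for d in s["drops"]:
        print(f'{d["bytes"]:>6} bytes  {d["remote_path"]} -> {d["local_path"]}')
    print("indicators:", indicators(s))
```

The byte counts matter as a cross-check: a file on disk whose size does not match the logged read is not the payload this run fetched, and the time stamps the post suggests starting from can be lined up against the order of the "Executing file" lines.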

Post 255 of 270

Perfect Solution for Spyware, Nasty Viruses, etc...

by MaestroMurcielago - 4/3/05 4:13 PM In reply to: 4/1/05 Removing malware that just won't die! by Lee Koo (ADMIN) Moderator

Buy a Mac :)
