Can't get rid of strange virus/spyware :-(

  • Thread starter Thread starter Lars-Erik Østerud
  • Start date Start date
L

Lars-Erik Østerud

Clean a friends system, but there are something left I can't get rid
of. Both Ad-Aware and Spybit S&D finds it. It is in the "Startup"
list, but when they try to remove it it just reinstalls itself. Even
tried removing the entries in the registry. But they keep coming back.

Microsoft Anto Spyware and Malisious Software removal doesn't find it.
Neither does the anti-virus programs. But when installed it launches
IE with a window with commercials (stopped that by blocking "Winlogon"
in the firwall :-) So somthing is very very wrong. But what do I do?

Details:

In "startup" (actuall it suncribes to "Lgon" and "logoff" events, but
it show as "system.ini" in Spybot S&D" under the "Startup items")
there are two DLLs that are launched:

"tdcyw.dll" always has the same name, the other DLL changes name (and
description) all the time: dnp0018me.dll, r0p8la7u1d.dll,
mv6ul9j91.dll are only some of the names..

Tried to delete those DLLs, but of course they are in use. But I can't
see any processes that should not be there...

I forgot to note the names on the spyware "Ad-Aware" found :-(
But it finds 12 entries each time (even after I delete them).

Thought I could boot to "command prompt only" but that is not in the
boot meny (it's XP home), the obly choice with "command prompt" boots
XP first (to GUI) then launches a "cmd" (and then the spyware has
allready reinstalled itself and run). Is there a way to get a "cmd"
windows without launching XP first with XP home (works on XP Pro)?
 
Frank Saunders, MS-MVP OE:
Boot into Safe Mode and run the scans there.
Click to expand...

Tried that too. Same problem. Can't delete the files. And they
reinstall anyway. Also tried holding Ctrl-Alt-Shift at start (that
usually stops most autostarting programs from launching).
 
run HijackThis; http://aumha.org/downloads/hijackthis.zip
HijackThis - Tutorial & FAQ;
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42

Register here: http://aumha.net/profile.php?mode=register
Once you have received your registration confirmation, post your HJT
log here: *(for expert analysis)*
http://aumha.net/viewforum.php?f=30

Please see http://aumha.net/viewtopic.php?t=4075 and
http://aumha.org/a/quickfix.htm before posting to the forum.

HijackThis tutorial:
http://aumha.org/a/hjttutor.htm
 
... Clean a friends system, but there are something left I can't get rid
... of. Both Ad-Aware and Spybit S&D finds it. It is in the "Startup"
... list, but when they try to remove it it just reinstalls itself. Even
... tried removing the entries in the registry. But they keep coming back.
...
... Microsoft Anto Spyware and Malisious Software removal doesn't find it.
... Neither does the anti-virus programs. But when installed it launches
... IE with a window with commercials (stopped that by blocking "Winlogon"
... in the firwall :-) So somthing is very very wrong. But what do I do?
...
... Details:
...
... In "startup" (actuall it suncribes to "Lgon" and "logoff" events, but
... it show as "system.ini" in Spybot S&D" under the "Startup items")
... there are two DLLs that are launched:
...
... "tdcyw.dll" always has the same name, the other DLL changes name (and
... description) all the time: dnp0018me.dll, r0p8la7u1d.dll,
... mv6ul9j91.dll are only some of the names..
...
... Tried to delete those DLLs, but of course they are in use. But I can't
... see any processes that should not be there...
...
... I forgot to note the names on the spyware "Ad-Aware" found :-(
... But it finds 12 entries each time (even after I delete them).
...
... Thought I could boot to "command prompt only" but that is not in the
... boot meny (it's XP home), the obly choice with "command prompt" boots
... XP first (to GUI) then launches a "cmd" (and then the spyware has
... allready reinstalled itself and run). Is there a way to get a "cmd"
... windows without launching XP first with XP home (works on XP Pro)?

Delete the dll extension. It always works for me.
 
Unregister the mentioned DLL files first.

At the command prompt, navigate to the directory where the DLL files reside.
Type "regsvr32 /u tdcyw.dll"
Type "regsvr32 /u <random DLL name>.dll"

Now delete the DLL files.
 
From: "Lars-Erik Østerud" <.@.>

| Clean a friends system, but there are something left I can't get rid
| of. Both Ad-Aware and Spybit S&D finds it. It is in the "Startup"
| list, but when they try to remove it it just reinstalls itself. Even
| tried removing the entries in the registry. But they keep coming back.
|
| Microsoft Anto Spyware and Malisious Software removal doesn't find it.
| Neither does the anti-virus programs. But when installed it launches
| IE with a window with commercials (stopped that by blocking "Winlogon"
| in the firwall :-) So somthing is very very wrong. But what do I do?
|
| Details:
|
| In "startup" (actuall it suncribes to "Lgon" and "logoff" events, but
| it show as "system.ini" in Spybot S&D" under the "Startup items")
| there are two DLLs that are launched:
|
| "tdcyw.dll" always has the same name, the other DLL changes name (and
| description) all the time: dnp0018me.dll, r0p8la7u1d.dll,
| mv6ul9j91.dll are only some of the names..
|
| Tried to delete those DLLs, but of course they are in use. But I can't
| see any processes that should not be there...
|
| I forgot to note the names on the spyware "Ad-Aware" found :-(
| But it finds 12 entries each time (even after I delete them).
|
| Thought I could boot to "command prompt only" but that is not in the
| boot meny (it's XP home), the obly choice with "command prompt" boots
| XP first (to GUI) then launches a "cmd" (and then the spyware has
| allready reinstalled itself and run). Is there a way to get a "cmd"
| windows without launching XP first with XP home (works on XP Pro)?

Please submit samples to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

Then we will know what exactly you are dealing with.
 
Back
Top