Need help about this SPyware/Adware - Hewlett Packard


Thread: Need help about this SPyware/Adware

  1. Need help about this SPyware/Adware


    I just picked up a PC from one of my customers and it has this very
    bizarre problem:

    After the system came up in normal mode, there are four boxes of about 3" X 4"
    on the Desktop ---- Gambling, Dating, Pharmacy, XXX, Spyware, &
    Insurance. When the mouse is moved over a box, it says loading and
    then puts up an extra box of text/links for whatever the subject title of
    that box is about. For example, moving the mouse over Dating will list
    links for local girls, X Rated things, etc.

    I've checked the system with Spybot Search & Destroy, AVG. I've also checked
    the system with "Hijack this" and have gone into the Registry and tried to
    see what is going on. When I booted the system up in Safe Mode, the
    boxes DID NOT show.

    Has anyone seen this before?? All help is welcome.

    Dewaine



  2. Re: Need help about this SPyware/Adware

    I've seen similar stuff before. Install Ad-Aware, update its definitions and
    run. Also make sure the latest Spybot definitions are installed before running.

    If Ad-Aware and Spybot don't nail the problem, look at each entry shown by
    HiJackThis. It helps to have internet access alongside the infected computer,
    so you can access NAV and other anti-virus/spyware/adware info.

    Finally, ask your client when this behavior started. It may sound a bit risky,
    but often a careful deletion of strangely named files from the WINDOWS and
    WINDOWS/SYSTEM32 folders is the answer. The date when all this started is the
    key, because the strangely named files will have file dates/times coinciding with
    the start of the nasties. Of course, some of the nastyware installs itself with
    equally bizarre file dates like Dec 31 1979, which is before the creation of the
    world, according to Gates... Ben Myers

    On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
    PLZZZnc.rr.com> wrote:




  3. Re: Need help about this SPyware/Adware

    Dewaine:

    If you really want to remove the malware I suggest taking
    the following steps:

    1) Get latest Ad-Aware spyware definition file from:
    http://www.lavasoft.de/support/download/
    I suggest that you download this defs.zip file on an uninfected computer;
    then copy it to a 1.44M floppy diskette or a CD-R.

    2) Reboot your infected computer and tap F8 once per second during restart
    and when the menu appears select: Safe Mode without networking.

    3) Unzip and insert the downloaded file, defs.ref, in file location:

    c:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
    This ensures that a subsequent scan for malware will use the latest
    spyware definition files.

    4) Launch Start/Program/Files/Lavasoft Ad-Aware SE Personal/Ad-Aware SE Personal
    and click the initial bullet to do a Full System Scan.
    When done, right click the list of malware found and choose: Select All
    Then click Next, and finally click OK.

    This will remove the malware that you are experiencing.

    5) Restart the system in normal mode.


    Skip Knoble, Penn State


    On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
    wrote:



  4. Re: Need help about this SPyware/Adware

    "Dewaine Chan" <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com> wrote in message
    news:%Wtlf.2040$7b4.763945@twister.southeast.rr.com...

    It would appear to me, that a malware web page has been set up as the
    desktop.

    Right-click the desktop outside of the boxes and select Properties.

    Does the Display Properties window pop-up?

    (If no, go to Control Panel and select Display.)

    Click the Desktop tab and click the "Customize Desktop..." button.

    Select the Web tab, if anything is selected there, unselect it.
    And delete anything but "My Current Home Page", but make sure it too is
    unselected.

    If Lock Desktop Items is selected, unselect it.

    Click OK till all windows are closed.


    JaF
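    A read-only check of the Active Desktop settings JaF walks through above, as an added example that is not from the thread or any of its posters. It reads the registry data behind the Web tab (the numbered Components subkeys and the Active Desktop wallpaper) and the Explorer policies that would lock those items; the key paths and policy names are ones I know Windows uses, not values taken from the thread, and the script assumes Windows PowerShell on XP through Windows 7, where these keys exist.

```powershell
# Added example: report what Active Desktop is rendering for one user profile.
# Nothing is modified; removal is done through the Customize Desktop dialog as
# described in the post above.
function Get-ActiveDesktopReport {
    [CmdletBinding()]
    param(
        # HKCU: is the logged-on user; pass 'Registry::HKEY_USERS\<SID>' for another
        # loaded profile (each user has their own Active Desktop settings).
        [string]$Root = 'HKCU:'
    )

    $desktop  = Join-Path $Root 'Software\Microsoft\Internet Explorer\Desktop'
    $policies = Join-Path $Root 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $report   = [ordered]@{ Components = @(); Wallpaper = $null; Policies = @{} }

    # 1. Components: one numbered subkey per item shown on the desktop. Source is
    #    the HTML file or URL that Explorer renders there.
    $compKey = Join-Path $desktop 'Components'
    if (Test-Path $compKey) {
        foreach ($sub in Get-ChildItem -Path $compKey) {
            $p   = Get-ItemProperty -Path $sub.PSPath
            $src = [string]$p.Source
            $report.Components += [pscustomobject]@{
                Key          = $sub.PSChildName
                FriendlyName = [string]$p.FriendlyName
                Source       = $src
                # A component that is not the stock home-page item and points at a
                # local HTML file or a web URL is the pattern described in the post.
                Suspicious   = ($p.FriendlyName -ne 'My Current Home Page') -and
                               ($src -match '^(https?://|file:|[a-z]:\\)')
            }
        }
    }

    # 2. Wallpaper: an HTML wallpaper is also rendered through Active Desktop.
    $general = Join-Path $desktop 'General'
    if (Test-Path $general) {
        $report.Wallpaper = (Get-ItemProperty -Path $general).Wallpaper
    }

    # 3. Policies that would stop the user undoing the change through the UI.
    if (Test-Path $policies) {
        $pol = Get-ItemProperty -Path $policies
        foreach ($name in 'NoActiveDesktopChanges', 'ForceActiveDesktopOn', 'NoActiveDesktop') {
            if ($null -ne $pol.$name) { $report.Policies[$name] = $pol.$name }
        }
    }
    [pscustomobject]$report
}

# Usage: print the components table, then anything else that was set.
$r = Get-ActiveDesktopReport
$r.Components | Format-Table Key, FriendlyName, Source, Suspicious -AutoSize
if ($r.Wallpaper) { "Active Desktop wallpaper: $($r.Wallpaper)" }
if ($r.Policies.Count -gt 0) {
    'Explorer policies set: ' + (($r.Policies.GetEnumerator() |
        ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', ')
}
```

    Any component flagged Suspicious, or any policy listed, is worth comparing against what the Web tab shows, since a locked or forced Active Desktop is what keeps the boxes coming back after the user closes them.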



  5. Re: Need help about this SPyware/Adware

    Well:

    Spent a bit more time on this and here is what I found:

    It created the following files in the C:\Windows\system32 folder:

    C:\WINDOWS\system32\insurance.bmp
    C:\WINDOWS\system32\close.bmp
    C:\WINDOWS\system32\spyware.bmp
    C:\WINDOWS\system32\xxx.bmp
    C:\WINDOWS\system32\pharmacy.bmp
    C:\WINDOWS\system32\gambling.bmp
    C:\WINDOWS\system32\dating.bmp
    C:\WINDOWS\system32\idesk.conf

    It also created a file rdt.ini in the C:\WINDOWS directory.
    Renaming the rdt.ini did not do anything. I removed the above files from the
    C:\WINDOWS\SYSTEM32 directory from Safe Mode and rebooted the PC. It came up without
    the Popup Boxes but after rebooting again, all the above files got recreated and
    appeared in the C:\WINDOWS\SYSTEM32 directory.

    I did a google search and a couple places suggested to look for:
    ie2cltr.dll
    rdt.ini

    or
    C:\WINDOWS\system32\favset.exe --> Trojan.Favadd
    C:\WINDOWS\system32\howiper.exe --> Win32/Qhosts


    I couldn't find the files except the rdt.ini file.

    I have removed basically everything that shows in Hijack This and the system registry's
    Run area. I suspect the spyware is loaded as a system service; I just need to
    find the dll file.

    BTW, Adaware SE doesn't detect it either.

    Thanks for all the help.

    Dewaine

    Ben Myers wrote:




  6. Re: Need help about this SPyware/Adware



    Checked that already. It wasn't it. Please see the update I posted under Ben
    Myers' posting for follow up info. It is weird. I'm going out to get a copy
    of Spysweeper tomorrow and check the system later.

    Thanks.

    Dewaine

    Just a Friend wrote:




  7. Re: Need help about this SPyware/Adware

    Herman:

    Thanks. Still no go. Back in the hunt again.

    Dewaine

    "Herman D. Knoble" wrote:



  8. Re: Need help about this SPyware/Adware

    Dewaine,

    You're right. This varmint starts up as a system service and/or a program NOT
    in the startup folder. It could also be a visual basic script or a CMD file.
    That's how it keeps replenishing itself, even after repeated attempts to delete
    the files.

    To find some of these files, you need to change some of the options in the Files
    icon of the control panel. Allow the system to display known file extensions,
    which is the "old way" of doing things. The "new" way, obscures useful info.
    Also, enable the display of hidden files AND system files.

    Other areas to look for these files include the %TEMP% folder and other areas in
    the primary user's Documents and Settings.

    I usually find hijackthis to be an indispensable tool for removing rogue
    software not removed somewhat automatically by other software.

    Doesn't all this make you want to shoot the bastards who perpetrate this stuff?

    .... Ben Myers

    On Thu, 08 Dec 2005 05:09:17 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
    PLZZZnc.rr.com> wrote:




  9. Re: Need help about this SPyware/Adware

    Dewaine: Did you do an up-to-date scan while in SAFE MODE?
    Did you do a Full System Scan with Ad-Aware?

    When starting in Safe Mode only basic services are started,
    and startup modules (e.g.,
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
    are not started.

    Skip

    On Thu, 08 Dec 2005 05:10:44 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
    wrote:



  10. Re: Need help about this SPyware/Adware

    Doing a Google search on rdt.ini shows
    that you may have the TR/Dldr.Agent.tc.4 - Trojan
    See: http://www.avira.com/en/threats/TR_D...4_details.html
    and http://www3.ca.com/securityadvisor/p...x?id=453096275

    Skip

    On Thu, 08 Dec 2005 05:09:17 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
    wrote:

    -|rdt.ini


  11. Re: Need help about this SPyware/Adware

    Running Ad-Aware and Spybot in safe mode will do a good job of removing FILES
    which are causing the damage, but parts of the registry are definitely left
    untouched in safe mode. Whether the system is booted in safe mode or not, the
    result is sort of a "working" registry. I do not know what else to call it.
    Windows boots up and builds a different working registry every time, merging in
    the HKCU entries for whoever logged on to the system.

    I have had to de-louse infected systems by repeatedly logging off and logging on
    as a different user of a computer used by five different family members. With
    each login, I ran Spybot and Ad-Aware to remove the infected registry entries
    for each HKCU... Ben Myers

    On Thu, 08 Dec 2005 11:20:24 -0500, Herman D. Knoble
    wrote:




  12. Re: Need help about this SPyware/Adware

    Ben: thanks.

    It is my understanding that if Ad-Aware SE Personal is run in Safe Mode
    and the type of scan is: Full System Scan
    it will remove spyware in registry entries (it will report "deep scanning
    registry"). Also Ad-Aware has a setting (under Tweak Settings)
    Scan Registry for all users which, if checked, will scan the registry
    for all users (from a user with Admin privileges). Likewise under
    Scan Settings there are two options, Scan Registry and Deep Scan
    Registry. These should be set on.

    Finally, there are settings for Ad-Aware SE Plus (and above) which
    (by setting Ad-Watch on and configuring it properly) will prevent
    registry modifications in the first place.
    The cost for Ad-Aware SE Plus is modest ($27).

    Skip


    On Thu, 08 Dec 2005 18:49:00 GMT, ben_myers_spam_me_not @ charter.net (Ben Myers) wrote:



  13. Re: Need help about this SPyware/Adware

    Ooooh! Those are interesting options. Thank YOU for the info... Ben Myers

    On Thu, 08 Dec 2005 14:46:04 -0500, Herman D. Knoble
    wrote:




  14. Re: Need help about this SPyware/Adware

    Ben & Skip:

    Yes. I suspect it is a service being loaded or hooked into the Windows Explorer. As for
    all these Virus & Malware writers, to a degree we the computer geeks should actually
    thank them and Microsoft for creating job opportunities for us. My customer has decided
    to replace this PC because it was sold to him with a bootlegged copy of XP Pro & Office
    loaded on it. I've already backed up and transferred the data to his new computer. It is
    now more personal. I just don't like being beaten by a PC. I got busy today fixing a
    couple of laptops that have bad power connectors and a few Laser printers.

    Skip, I have already checked out the first link; the second link I have not seen yet.
    I'll try it out when I have a chance. Will keep you guys updated on this thing.

    Thanks.
    Dewaine

    "Herman D. Knoble" wrote:




  15. Re: Need help about this SPyware/Adware

    Until the usual adware programs are updated to deal with it (I can't
    get rid of it either) you can, as a temporary measure, edit idesk.conf
    (C:\windows\system32) to make it empty, then make it read-only (you can
    then do the same with the .bmp files). That stops it displaying.


  16. Re: Need help about this SPyware/Adware

    You got the latest and greatest in malware, courtesy of an
    exploitation in explorer. The files are hidden via Rootkit.
    Clicking on show all hidden files will NOT show the files. You have
    to get a program that will show the rootkit hidden files. Spysweeper,
    as someone mentioned, has under options a check for these files, but
    I haven't tried it.

    I cleaned them off from mine by using Autodad's suggestion (which is
    free).

    Go here - http://forums.subratam.org/index.php?showtopic=6121 , and
    scroll halfway down to Autodad, where he gives links to download
    blacklight, and then rootkill. You will need one program to find
    and the other to eliminate. Then use spysweeper to clean up the
    remnants, if you wish. (I don't know how well spysweeper's version
    works for initial, I bought it and used it after doing above). You
    will find between 5 and 8 hidden files on your computer, and most
    likely idesk (idemlog.exe) adware crap as well. I had to use
    spysweeper to get the idesk crap off.

    good luck


  17. Re: Need help about this SPyware/Adware


    wrote in message
    news:439852ca.314661@nntp.charter.net...


    Also, look for dll's that have a file date/time that is more or less the
    last time you rebooted. Some nasties have a two-program approach where each
    program generates the other at system start, using random names.



  18. Re: Need help about this SPyware/Adware

    I'm calling this the iDesk Trojan. When I had a few clients with these
    issues, I couldn't find any good info on how to get rid of it, as
    Adaware, Spybot and the others couldn't get rid of it. Had to figure
    this one out on my own...

    Forget trying to install this and that in hopes of removing the
    virus/trojan/etc. It's MUCH easier than that...

    c:\windows\system32\taskkill.exe /IM idemlog.exe

    Then delete all files that the program put in the system32 folder. Check
    the dates (sort by date); all the dates/times are likely the same.
    Some of the files I had to deal with were named:

    idesk.conf
    howiper.exe
    sphlp32.exe
    close.bmp
    favset.exe
    spyware.bmp
    insurance.bmp
    xxx.bmp
    dating.bmp
    pharmacy.bmp
    gambling.bmp
    hgqhp.exe
    pppcgm.exe
    idemlog.exe
    fran-hot.exe
    qurrv.dll
    filesafer23.exe


    Afterwards, reboot. Should be all set now...

    Regards,
    TJ Tryon, President
    Lighthouse Consulting Group
    http://www.lhc-group.com
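    The file-timestamp triage that Ben (look for files written around the last reboot), the earlier post (show hidden and system files) and TJ (the dropped files all share a date/time) describe, as an added PowerShell example that is not from the thread or its posters: it lists the files in system32 including hidden and system ones, groups them by LastWriteTime window, and reports windows that contain a name from TJ's list or several files written since the last boot. It is read-only and deletes nothing; it assumes Windows PowerShell 3 or later, and the known-name list is just the names TJ gives above, so it is specific to this one infection.

```powershell
# Added example: group system32 files by write time and flag suspicious windows.
function Get-SuspectFileClusters {
    [CmdletBinding()]
    param(
        [string]$Path = "$env:SystemRoot\System32",
        # File names TJ's post attributes to this infection; they seed the clustering.
        [string[]]$KnownNames = @('idesk.conf', 'idemlog.exe', 'howiper.exe', 'favset.exe',
                                  'sphlp32.exe', 'hgqhp.exe', 'pppcgm.exe', 'fran-hot.exe',
                                  'qurrv.dll', 'filesafer23.exe'),
        # Files written within the same window are treated as one drop.
        [int]$WindowMinutes = 2
    )

    # -Force lists hidden and system files, which Explorer hides by default.
    # A file hidden by a kernel-mode rootkit (post 16) still will not show up here.
    $files = @(Get-ChildItem -Path $Path -File -Force -ErrorAction SilentlyContinue)

    # Files (re)written at roughly the last boot time are worth a look (post 17).
    $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

    # Bucket files by LastWriteTime truncated to the window size.
    $windowTicks = [timespan]::FromMinutes($WindowMinutes).Ticks
    $buckets = $files | Group-Object -Property {
        [long][math]::Floor($_.LastWriteTime.Ticks / $windowTicks)
    }

    foreach ($bucket in $buckets) {
        $names     = @($bucket.Group | ForEach-Object { $_.Name })
        $knownHits = @($names | Where-Object { $KnownNames -contains $_ })
        $sinceBoot = @($bucket.Group | Where-Object { $_.LastWriteTime -ge $lastBoot })

        # Report a window when it holds a known name ("the dates/times are likely
        # the same") or when two or more files landed in it since the last boot.
        if ($knownHits.Count -gt 0 -or $sinceBoot.Count -ge 2) {
            [pscustomobject]@{
                WindowStart = [datetime]([long]$bucket.Name * $windowTicks)
                FileCount   = $bucket.Count
                KnownHits   = ($knownHits -join ', ')
                SinceBoot   = $sinceBoot.Count
                Files       = (($names | Sort-Object) -join ' ')
            }
        }
    }
}

# Usage: newest windows first; review each window before deleting anything,
# since a Windows Update run also writes many system32 files at one time.
Get-SuspectFileClusters | Sort-Object WindowStart -Descending | Format-Table -AutoSize
```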

