Old 07-11-2007, 11:09 PM   #11
VanguardLH
Guest
Re: Need help removing malware

"Fruit2O" wrote in message
news:1eaki3l7ek0l15e4uqvrmdhbn09k6d298e@4ax.com...
>
> "VanguardLH" wrote:
>>
>>"Fruit2O" wrote ...
>>> I use BitDefender (it will not run in Safe Mode). During my last scan,
>>> it found the following which it cannot delete or quarantine because
>>> they are embedded:
>>>
>>> 1. Adware.Dogpile.l
>>>
>>> C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE=]wise0080
>>>
>>> I cannot find CONFLICT.1
>>>
>>> 2. Adware.Dogpile.l
>>>
>>> C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE=](Embedded EXE r)=]wise0080
>>>
>>> 3. Backdoor.Dssdoor.C
>>>
>>> D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR Sfx o)=]RunSequence.exe
>>>
>>> 4. Backdoor.Dssdoor.C
>>>
>>> D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR Sfx o)=]_aps activator.exe
>>>
>>> Can someone tell me how to get rid of them? Thanks............

>>
>>So what does "embedded" mean to you so that we know what you mean? I
>>don't use BitDefender. The free version is only an on-demand scanner.
>>If "embedded" means a packed file then the scanner should still be
>>able to point to the file containing the program. If "embedded" means
>>rootkit, those can be nasty to remove so you might want to consider
>>backing up all your data files and plan for a partition reformat and
>>fresh OS install. You might want to try other anti-malware programs
>>specifically aimed at detecting rootkits. SysInternals has their
>>Rootkit Revealer but you need to know how it works and it doesn't do
>>any cleanup but just lets you know of a possible rootkit (some drivers
>>act like them; e.g., Daemon-Tools). Grisoft has their AVG AntiRootkit
>>scanner plus you might want to use their AVG AntiSpyware (which used
>>to be called ewido). a-squared has low coverage (compared to ewido)
>>but you could use it as another on-demand scanner (it is v-e-r-y slow
>>to scan). You never mention WHAT you use as your primary anti-virus
>>program that includes on-access scanning. Other products to try are
>>Spybot S&D, Lavasoft Ad-Aware, and HijackThis. Some folks have used
>>PC Tools "Spyware Doctor" (I only remember trialing it in a VM under
>>VMWare Server and decided to discard it but don't remember why).
>>Unless you buy it, the OnGuard protection is only trialware. F-Secure
>>has their Blacklight rootkit scanner but I haven't used it in over a
>>year, maybe two years.
>>
>>Some files, whether goodware or malware, do not exist until the parent
>>program is executed. That is, the program generates a new file and
>>that is the one it runs or uses as an ancillary/helper program. So
>>it is possible you won't find those files unless the parent program is
>>running.
>>
>>The output you show from BitDefender is not very explanatory. Are the
>>"files" that it (you) mentions the actual files or are they shortcuts
>>or favorites stored somewhere else that reference these file names?
>>Are they remnant registry entries (so the file may not even exist
>>anymore although pointers to them still exist in the registry)? That
>>a path and filename are output doesn't say if a file is being
>>identified, a shortcut to that file, a registry pointer to that file,
>>a favorite, or what.
>>
>>If the path appears that it does exist and that is what BitDefender is
>>pointing to (a path and file), did you check if you enabled Explorer
>>to see hidden folders/files? Did you open a DOS shell and use the
>>'cd' command to navigate there?
>>
>>The pests in the restore points are easily eliminated by turning off
>>System Restore which clears out all old restore point files, then turn
>>it back on.
>>
>>They have their own forum at http://forum.bitdefender.com/ where you
>>can ask other users familiar with the same program about the alerts
>>you are getting.

>
> Please refer to my original post on this subject: Item nos. 1 and 2
> show a file called CONFLICT.1. I can't find it in Windows XP Pro even
> though I should be able to see all hidden files. However, when I
> looked in DOS mode, there they were. Please explain how this can
> happen. It will help me a great deal in the future.
> Thanks.........



When you say you could not "find" the folder, and assuming Explorer is
configured to show both hidden AND *system* files, did you manually
dig through Explorer to navigate through the folders or did you use
the Search function in Windows XP?

The search function in Windows XP is really fucked up. Under Windows
NT and 2000, the search simply did a pattern match against the
criteria to find the filenames. Under Windows XP, search will only
show files for which it has a viewer; that is, if their search can
look inside the file then it will find it. You can be in a DOS shell
and a 'dir' will show the file but a search, even when specifying that
folder only, won't list it. This sucks and has been a stupid mistake
by Microsoft. The file search included in Windows XP is unreliable
which means it is worthless. Instead I use a product called Agent
Ransack (yeah, not a good product name) which is the free version of
FileLocator Pro. Besides going back to a real file search tool, it
will let you specify regular expressions to more accurately identify
what you are searching for, or you can revert to using just the inane
wildcarding that Microsoft supports. Just because the Search included
in Windows XP doesn't find a file doesn't mean that it doesn't exist.
It just means the stupidly malcoded search tool can't read that file's
content so it decides not to show it to you. Yeah, stupid.

http://www.mythicsoft.com/agentransack/

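The kind of name-only search the post contrasts with Windows XP Search (what 'dir' in a command shell does, but with regular expressions instead of wildcards), written here as an added Python example; it is not part of the original post and not code from Agent Ransack or any other tool mentioned above. It walks a directory tree and matches a regex against each full path without ever opening a file, so whether Windows has a viewer for the file's content plays no part. On Windows it also reports whether an entry carries the Hidden or System attribute (read from st_file_attributes); on other platforms it falls back to treating dot-files as hidden. The sample tree it builds in a temporary directory (a WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE path modelled on the poster's output, plus one unrelated .inf file) is constructed for the demonstration and contains no real executable.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# Win32 attribute bits. The values are fixed by Windows; the fallbacks cover
# POSIX builds of Python where the stat module may not define the names.
_HIDDEN = getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2)
_SYSTEM = getattr(stat, "FILE_ATTRIBUTE_SYSTEM", 0x4)


def is_hidden_or_system(path: str) -> bool:
    """True if the entry carries the Hidden or System attribute (Windows) or is
    a dot-file (POSIX). The entry is only stat'ed, never opened."""
    st = os.lstat(path)
    attrs = getattr(st, "st_file_attributes", 0)  # attribute exists on Windows only
    if attrs & (_HIDDEN | _SYSTEM):
        return True
    return os.path.basename(path).startswith(".")


def find_by_name(root: str, pattern: str) -> List[Tuple[str, bool]]:
    """Recursively list every file and folder under `root` whose full path
    matches the regular expression `pattern` (case-insensitive, as NTFS names
    are). This is a pure directory-entry search: file contents are never read,
    so a file with no registered content viewer is found just the same."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits: List[Tuple[str, bool]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if rx.search(full):
                hits.append((full, is_hidden_or_system(full)))
    return sorted(hits)


def build_sample_tree(base: str) -> None:
    """Constructed sample data modelled on the paths in the post: a
    'Downloaded Program Files' folder with a CONFLICT.1 subfolder holding a
    fake executable, plus one unrelated file. Nothing here is real malware."""
    dpf = os.path.join(base, "WINDOWS", "Downloaded Program Files")
    conflict = os.path.join(dpf, "CONFLICT.1")
    os.makedirs(conflict)
    with open(os.path.join(conflict, "Toolbar_cobrand.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)  # two-byte PE magic and padding, nothing more
    with open(os.path.join(dpf, "harmless.inf"), "w") as f:
        f.write("[version]\nsignature=$CHICAGO$\n")


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir and run three searches. Results are
    returned relative to the temp dir so they are stable across runs."""
    base = tempfile.mkdtemp(prefix="dpf_search_demo_")
    build_sample_tree(base)

    def rel(hits: List[Tuple[str, bool]]) -> List[str]:
        return [os.path.relpath(p, base) for p, _ in hits]

    return {
        # the folder the original poster could not find, and its contents
        "conflict": rel(find_by_name(base, r"CONFLICT\.\d+")),
        # one specific executable, anchored to the end of the path
        "exe": rel(find_by_name(base, r"Toolbar_cobrand\.exe$")),
        # a wildcard-style "*.inf" query expressed as a regex
        "inf": rel(find_by_name(base, r"\.inf$")),
    }


if __name__ == "__main__":
    for query, paths in demo().items():
        print(f"{query}:")
        for p in paths:
            print("   ", p)
```

Point find_by_name at a real root such as C:\WINDOWS to search a live system; because it walks directory entries rather than an index, a folder that Explorer's shell view hides but that 'dir' lists will show up in the results.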