Old 07-11-2007, 11:09 PM   #12
Fruit2O
Guest
 
Re: Need help removing malware

On Thu, 1 Nov 2007 19:11:11 -0500, "VanguardLH"
<VanguardLH@mail.invalid> wrote:

>"Fruit2O" wrote in message
>news:1eaki3l7ek0l15e4uqvrmdhbn09k6d298e@4ax.com...
>>
>> "VanguardLH" wrote:
>>>
>>>"Fruit2O" wrote ...
>>>> I use BitDefender (it will not run in Safe Mode). During my last
>>>> scan, it found the following which it cannot delete or quarantine
>>>> because they are embedded:
>>>>
>>>> 1. Adware.Dogpile.l
>>>>
>>>> C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE=]wise0080
>>>>
>>>> I cannot find CONFLICT.1
>>>>
>>>> 2. Adware.Dogpile.l
>>>>
>>>> C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE=](Embedded EXE r)=]wise0080
>>>>
>>>> 3. Backdoor.Dssdoor.C
>>>>
>>>> D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR Sfx o)=]RunSequence.exe
>>>>
>>>> 4. Backdoor.Dssdoor.C
>>>>
>>>> D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR Sfx o)=]_aps activator.exe
>>>>
>>>> Can someone tell me how to get rid of them? Thanks............
>>>
>>>So what does "embedded" mean to you so that we know what you mean?
>>>I don't use BitDefender. The free version is only an on-demand
>>>scanner. If "embedded" means a packed file then the scanner should
>>>still be able to point to the file containing the program. If
>>>"embedded" means rootkit, those can be nasty to remove so you might
>>>want to consider backing up all your data files and plan for a
>>>partition reformat and fresh OS install. You might want to try other
>>>anti-malware programs specifically aimed at detecting rootkits.
>>>SysInternals has their Rootkit Revealer but you need to know how it
>>>works and it doesn't do any cleanup but just lets you know of a
>>>possible rootkit (some drivers act like them; e.g., Daemon-Tools).
>>>Grisoft has their AVG AntiRootkit scanner plus you might want to use
>>>their AVG AntiSpyware (which used to be called ewido). a-squared has
>>>low coverage (compared to ewido) but you could use it as another
>>>on-demand scanner (it is v-e-r-y slow to scan). You never mention
>>>WHAT you use as your primary anti-virus program that includes
>>>on-access scanning. Other products to try are Spybot S&D, Lavasoft
>>>Ad-Aware, and HijackThis. Some folks have used PC Tools "Spyware
>>>Doctor" (I only remember trialing it in a VM under VMWare Server and
>>>decided to discard it but don't remember why). Unless you buy it, the
>>>OnGuard protection is only trialware. F-Secure has their Blacklight
>>>rootkit scanner but I haven't used it in over a year, maybe two years.
>>>
>>>Some files, whether goodware or malware, do not exist until the parent
>>>program is executed. That is, the program generates a new file and
>>>that is the one it runs or uses as an ancillary/helper program. So it
>>>is possible you won't find those files unless the parent program is
>>>running.
>>>
>>>The output you show from BitDefender is not very explanatory. Are the
>>>"files" that it (you) mentions the actual files or are they shortcuts
>>>or favorites stored somewhere else that reference these file names?
>>>Are they remnant registry entries (so the file may not even exist
>>>anymore although pointers to them still exist in the registry)? That
>>>a path and filename are outputted doesn't say if a file is being
>>>identified, a shortcut to that file, a registry pointer to that file,
>>>a favorite, or what.
>>>
>>>If the path appears that it does exist and that is what BitDefender is
>>>pointing to (a path and file), did you check if you enabled Explorer
>>>to see hidden folders/files? Did you open a DOS shell and use the
>>>'cd' command to navigate there?
>>>
>>>The pests in the restore points are easily eliminated by turning off
>>>System Restore which clears out all old restore point files, then
>>>turn it back on.
>>>
>>>They have their own forum at http://forum.bitdefender.com/ where you
>>>can ask other users familiar with the same program about the alerts
>>>you are getting.

>>
>> Please refer to my original post on this subject: Item nos. 1 and 2
>> show a file called CONFLICT.1. I can't find it in Windows XP Pro even
>> though I should be able to see all hidden files. However, when I
>> looked in DOS mode, there they were. Please explain how this can
>> happen. It will help me a great deal in the future.
>> Thanks.........

>
>
>When you say you could not "find" the folder, and assuming Explorer is
>configured to show both hidden AND *system* files, did you manually
>dig through Explorer to navigate through the folders or did you use
>the Search function in Windows XP?
>
>The search function in Windows XP is really fucked up. Under Windows
>NT and 2000, the search simply did a pattern match against the
>criteria to find the filenames. Under Windows XP, search will only
>show files for which it has a viewer; that is, if their search can
>look inside the file then it will find it. You can be in a DOS shell
>and a 'dir' will show the file but a search, even when specifying that
>folder only, won't list it. This sucks and has been a stupid mistake
>by Microsoft. The file search included in Windows XP is unreliable
>which means it is worthless. Instead I use a product called Agent
>Ransack (yeah, not a good product name) which is the free version of
>FileLocator Pro. Besides going back to a real file search tool, it
>will let you specify regular expressions to more accurately identify
>what you are searching for, or you can revert to using just the inane
>wildcarding that Microsoft supports. Just because the Search included
>in Windows XP doesn't find a file doesn't mean that it doesn't exist.
>It just means the stupidly malcoded search tool can't read that file's
>content so it decides not to show it to you. Yeah, stupid.
>
>http://www.mythicsoft.com/agentransack/


Thanks for the good advice. BTW, I drilled down manually for the file
(folder) - but still couldn't find it in Windows. I'm going to get
Agent Ransack. Thanks again........
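The BitDefender alerts quoted in this thread use a nested notation: the file on disk, then the components found inside it. The script below is an added example, not code from the thread or from BitDefender; it parses that notation to separate the one container file that actually exists (the thing to look for with `dir` or Agent Ransack) from the embedded pieces, groups the four alerts by container, and attaches the cleanup route the thread discusses for each location. The `=]` separator is inferred from the quoted report lines, and the advice strings are an assumption summarising the replies above.

```python
import re
from dataclasses import dataclass

# Constructed sample, copied in shape from the BitDefender report quoted in the thread.
SAMPLE_REPORT = [
    ("Adware.Dogpile.l",
     r"C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE=]wise0080"),
    ("Adware.Dogpile.l",
     r"C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE=](Embedded EXE r)=]wise0080"),
    ("Backdoor.Dssdoor.C",
     r"D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR Sfx o)=]RunSequence.exe"),
    ("Backdoor.Dssdoor.C",
     r"D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR Sfx o)=]_aps activator.exe"),
]
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\(", re.IGNORECASE)
DPF_RE = re.compile(r"\\Downloaded Program Files\\", re.IGNORECASE)

# Cleanup route per location; wording summarises the thread (assumption, not a product rule).
ADVICE = {
    "restore_point": "Toggle System Restore off (purges old restore points) and back on.",
    "downloaded_program_files": "Explorer/XP Search may not list it; check with 'dir /a' from a cmd prompt.",
    "other": "Enable hidden and system files in Explorer, or navigate with 'cd' in a DOS shell.",
}

@dataclass
class Detection:
    name: str
    container: str   # the one file that actually exists on disk
    inner: list      # components nested inside it (archive member, embedded EXE, ...)
    location: str    # key into ADVICE

def parse_detection(name, raw):
    # Assumption: "=]" separates the on-disk container from each nested component, outermost first.
    parts = raw.split("=]")
    container, inner = parts[0].strip(), [p.strip() for p in parts[1:]]
    if RESTORE_RE.search(container):
        location = "restore_point"
    elif DPF_RE.search(container):
        location = "downloaded_program_files"
    else:
        location = "other"
    return Detection(name, container, inner, location)

def triage(report):
    # Group alerts by on-disk container: the four alerts above collapse to two files to act on.
    plan = {}
    for name, raw in report:
        d = parse_detection(name, raw)
        entry = plan.setdefault(d.container, {"names": set(), "advice": ADVICE[d.location]})
        entry["names"].add(d.name)
    return plan
```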