Re: backdoor.afcore.bb HELL

From: Sandi - Microsoft MVP (sandi_hardmeier_at_mvps.org)
Date: 01/31/04 

Date: Sat, 31 Jan 2004 19:04:20 +0800

The problem with some malware,is it will recreate itself (with new *.dll
names) as soon as it detects that one of its processes have been shut down
or files
have been deleted. There are two programmes, not just one.. one of which is
the classic malware, the other is a monitoring service that restarts the
malware as soon as it detects the other is deleted, complete with new file
names.

I would use MSCONFIG and select 'diagnostic startup' to run only basic
services. Then track down and nuke the malware and all associated files that
I could find, using registry entries and MSCONFIG itself to track down as
many associated files as I could find.

I note that your friend is a long way away. I really don't think this is
something that can be done remotely. If the reinfector is missed, you're
back to square one. 

-- 
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer
"Shewman" <shewman@sympatico.ca> wrote in message
news:_cDSb.44891$mf4.1596318@news20.bellglobal.com...
> Hi,
>
> I've got a friend who has this trojan. I can't get rid of it. Found it in
> the registry and deleted the entries. Rebooted but the entries get added
> again. Tried uninstalling the dll, ftdpwmk.dll, but I get access denied.
> Everytime, I try another i.e. view processes, her PC reboots. Went into
> safe
> mode but I can't find the source file(s).
>
> I've tried searching google but didn't find anything. Also tried searching
> Norton and sophos
>
> Anyone have any ideas??? It's an XP PC. Unfortunately, she's a couple of
> hundred miles away. But I can remote into the PC.
>
> Thanks
>
>
>

Relevant Pages

  • Re: backdoor.afcore.bb HELL
    ... free Firewall.With secure dll authentication enabled,by ... >the classic malware, the other is a monitoring service ... using registry entries and MSCONFIG itself ...
    (microsoft.public.security)
  • Re: my besieged by ie pop-up ads post 01/10/2008 16:21
    ... restoring the aforementioned Norton BU and then restoring the ... | Which is why I recommended Autoruns in the first place since it allows ... and would become part of a DLL load chain. ... The name of malware DLL would ...
    (microsoft.public.security.virus)
  • Re: Sharing Data in DLLs
    ... 1- Use event log instead of a file. ... sync queue to store the log entries that need to be written. ... We are tyring to build a DLL which will write the log data to a text file. ... Multiple executables should use this dll to write data to same text file. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: New Worm or Worm Variant?
    ... be a way to start, but most malware is configurable, ... > non-interactive FTP session to download an exploit ... The DLL is just an FTP script file. ...
    (Incidents)
  • Technical details on the Stuxnet virus / malware
    ... Stuxnet malware was a rootkit it seems), and lived only in memory. ... Windows functions are loaded as needed from a DLL ...
    (alt.comp.anti-virus)