Re: backdoor.afcore.bb HELL

From: Mike Burgess (winhelp2002_at_spamthis.com)
Date: 02/01/04


Date: Sun, 1 Feb 2004 06:20:38 -0500

Very Agoboted,
>"There is no fix on the net that I can discern"
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm
Note: be *sure* to follow up with HijackThis
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 01-31-04]
Please post replies to this Newsgroup, email address is invalid

--
"Very Agoboted" <anonymous@discussions.microsoft.com> wrote in message
news:742801c3e7f3$d1bb2d40$a101280a@phx.gbl...
> I am in the same boat. These things are a true nightmare
> for a non-I.T. expert to deal with. There is no fix on the
> net that I can discern.
>
> Far from being incensed, I am intrigued by the method in
> which the Trojan was slipped onto my machine.
>
> If a computer in which the messenger service has been
> deleted, Windows Messenger also vanquished, running no
> third party chat software, dangerous services
> disabled, firewalled and patched to the gills, etc. can be
> compromised, then what hope is there for home users?
> The average Joe who just wants to e-mail his mates in Oz?
>
> I would suggest that a future issue of XP lists its own
> legitimate entries in the registry in blue or
> something. Furthermore, all dlls belonging to genuine
> Microsoft components should be coded in some way to make
> it easier to spot rogue ones.
>
> It may be asking the impossible, but it is in the
> interests of vast corporate entities to sponsor the
> development of free, good quality A.V. programmes and
> Firewalls for home users.
>
> Trojans are insidious, by their very nature almost
> impossible to spot. I was alerted initially by the Sygate
> free Firewall. With secure dll authentication enabled, by
> observation, you can ascertain which particular app
> is "rogue".
>
> This is by no means an adequate method of eradication,
> rather more one of containment. But are we expected to
> perform reformats and clean reinstalls every time one of
> these ghastly things trespasses?
> >-----Original Message-----
> >The problem with some malware, is it will recreate itself (with new *.dll
> >names) as soon as it detects that one of its processes has been shut down
> >or files have been deleted.  There are two programmes, not just one.. one
> >of which is the classic malware, the other is a monitoring service that
> >restarts the malware as soon as it detects the other is deleted, complete
> >with new file names.
> >
> >I would use MSCONFIG and select 'diagnostic startup' to run only basic
> >services. Then track down and nuke the malware and all associated files
> >that I could find, using registry entries and MSCONFIG itself to track
> >down as many associated files as I could find.
> >
> >I note that your friend is a long way away. I really don't think this is
> >something that can be done remotely. If the reinfector is missed, you're
> >back to square one.
> >
> >--
> >_______________________________________
> >Sandi - Microsoft MVP since 1999 (IE/OE)
> >http://www.mvps.org/inetexplorer
> >
> >"Shewman" <shewman@sympatico.ca> wrote in message
> >news:_cDSb.44891$mf4.1596318@news20.bellglobal.com...
> >> Hi,
> >>
> >> I've got a friend who has this trojan. I can't get rid of it. Found it
> >> in the registry and deleted the entries. Rebooted but the entries get
> >> added again. Tried uninstalling the dll, ftdpwmk.dll, but I get access
> >> denied. Every time I try another, i.e. view processes, her PC reboots.
> >> Went into safe mode but I can't find the source file(s).
> >>
> >> I've tried searching Google but didn't find anything. Also tried
> >> searching Norton and Sophos.
> >>
> >> Anyone have any ideas??? It's an XP PC. Unfortunately, she's a couple of
> >> hundred miles away. But I can remote into the PC.
> >>
> >> Thanks
> >

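Added example (editor's code, not from anyone in the thread). Sandi's quoted advice describes the pattern that makes this infection hard to clean by hand: a second, watchdog component that re-creates the deleted startup entry and DLL under a fresh name, and a loaded DLL that reports "access denied" when Shewman tries to remove it. The script below makes both visible on a modern Windows box: it snapshots the standard autostart registry locations and every DLL loaded in every process it can open, waits while the operator deletes the suspect entry or file, snapshots again, and diffs. A value that reappears with a different file name is the watchdog's work, and the process that loaded the new DLL is the one holding the lock. It also runs an Authenticode check on each new file, which is the practical answer to Very Agoboted's wish for a way to tell genuine Microsoft components from rogue ones. Assumptions: Windows PowerShell 5.1 or later run from an elevated prompt; the 60-second wait is arbitrary; the list of keys covers only the common Run/RunOnce/Winlogon/SSODL locations (HijackThis or Autoruns covers the rest); and on Windows older than 8, catalog-signed system files may show as NotSigned rather than Valid.

```powershell
# Added example, not code from the thread. Diff autostart entries and loaded
# modules before/after a manual deletion to expose a watchdog that re-creates
# the malware under a new name. Run elevated on Windows PowerShell 5.1+.

$AutostartKeys = @(                                  # assumption: common locations only
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)

function Get-AutostartEntries {
    # One object per registry value under each autostart key.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... are not values
            [pscustomobject]@{
                Location = $key
                Name     = $prop.Name
                Value    = [string]$prop.Value
            }
        }
    }
}

function Get-LoadedModules {
    # "PID<TAB>Path" strings for every module in every process we can open;
    # protected or other-bitness processes throw and are skipped silently.
    foreach ($proc in Get-Process) {
        try {
            foreach ($m in $proc.Modules) { "$($proc.Id)`t$($m.FileName)" }
        } catch { }
    }
}

function Get-TargetPath {
    # Pull the binary out of a Run-style value such as
    #   "C:\Program Files\x\y.exe" /arg    or    rundll32.exe c:\windows\foo.dll,Entry
    param([string]$Value)
    if ($Value -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Value -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $Matches[2] }
    return ($Value -split '\s+')[0]
}

function Get-SignatureStatus {
    # Authenticode status of a file: Valid, NotSigned, HashMismatch, ... or FileMissing.
    param([string]$Path)
    if (-not ($Path -and (Test-Path -LiteralPath $Path))) { return 'FileMissing' }
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

$before = @{ Autostart = @(Get-AutostartEntries); Modules = @(Get-LoadedModules) }
Write-Host "Snapshot 1 taken. Delete the suspect entry/file now; re-checking in 60 s..."
Start-Sleep -Seconds 60                              # assumption: long enough for the watchdog to react
$after  = @{ Autostart = @(Get-AutostartEntries); Modules = @(Get-LoadedModules) }

# Startup values that appeared or changed after the deletion attempt.
$newEntries = Compare-Object -ReferenceObject $before.Autostart -DifferenceObject $after.Autostart `
    -Property Location, Name, Value | Where-Object SideIndicator -eq '=>'
foreach ($e in $newEntries) {
    $target = Get-TargetPath -Value $e.Value
    "{0,-16} {1}\{2} = {3}" -f "[$(Get-SignatureStatus $target)]", $e.Location, $e.Name, $e.Value
}

# DLLs loaded now that were not loaded before. An unsigned one that appeared
# right after a deletion is the re-created component; its host PID is the
# process to investigate (and the reason the file is "access denied").
$newModules = Compare-Object -ReferenceObject $before.Modules -DifferenceObject $after.Modules |
    Where-Object SideIndicator -eq '=>' | ForEach-Object InputObject
foreach ($line in $newModules) {
    $procId, $path = $line -split "`t", 2
    if ((Get-SignatureStatus $path) -ne 'Valid') {
        $owner = (Get-Process -Id $procId -ErrorAction SilentlyContinue).ProcessName
        "unsigned module $path loaded in PID $procId ($owner)"
    }
}
```

Run it, delete the entry or file the HijackThis log points at while it sleeps, and read the two reports: the first shows what the watchdog wrote back and under which name, the second shows which process loaded the new DLL. Kill that process (or boot to Safe Mode with networking off, where the watchdog is not started) before deleting both files, otherwise, as Sandi says, the reinfector puts you back at square one.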
