Re: Need help removing malware



On Thu, 1 Nov 2007 12:42:52 -0500, "VanguardLH"
<VanguardLH@xxxxxxxxxxxx> wrote:

"Fruit2O" wrote in message
news:jtaii3h07qf3rj6ih3j44fbbk3l4v09ma9@xxxxxxxxxx
I use BitDefender (it will not run in Safe Mode). During my last
scan,
it found the following which it cannot delete or quarantine because
they are embedded:

1. Adware.Dogpile.l

C:\WINDOWS\Downloaded Program
Files\CONFLICT.1\Toolbar_cobrand.EXE=]wise0080

I cannot find CONFLICT.1

2. Adware.Dogpile.l

C:\WINDOWS\Downloaded Program
Files\CONFLICT.1\Toolbar_cobrand.EXE=](Embedded EXE r)=]wise0080

3. Backdoor.Dssdoor.C

D:\System Volume
Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR
Sfx o)=]RunSequence.exe

4. Backdoor.Dssdoor.C

D:\System Volume
Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe=]RAR
Sfx o)=]_aps activator.exe

Can someone tell me how to get rid of them? Thanks............


So what does "embedded" mean to you so that we know what you mean? I
don't use BitDefender. The free version is only an on-demand scanner.
If "embedded" means a packed file then the scanner should still be
able to point to the file containing the program. If "embedded" means
rootkit, those can be nasty to remove so you might want to consider
backing up all your data files and plan for a partition reformat and
fresh OS install. You might want to try other anti-malware programs
specifically aimed at detecting rootkits. SysInternals has their
Rootkit Revealer but you need to know how it works and it doesn't do
any cleanup but just lets you know of a possible rootkit (some drivers
act like them; e.g., Daemon-Tools). Grisoft has their AVG AntiRootkit
scanner plus you might want to use their AVG AntiSpyware (which used
to be called ewido). a-squared has low coverage (compared to ewido)
but you could use it as another on-demand scanner (it is v-e-r-y slow
to scan). You never mention WHAT you use as your primary anti-virus
program that includes on-access scanning. Other products to try are
Spybot S&D, Lavasoft Ad-Aware, and HijackThis. Some folks have used
PC Tools "Spyware Doctor" (I only remember trialing it in a VM under
VMWare Server and decided to discard it but don't remember why).
Unless you buy it, the OnGuard protection is only trialware. F-Secure
has their Blacklight rootkit scanner but I haven't used it in over a
year, maybe two years.

Some files, whether goodware or malware, do not exist until the parent
program is executed. That is, the program generates a new file and
that is the one it runs or uses as an ancillary/helper program. So
it is possible you won't find those files unless the parent program is
running.

The output you show from BitDefender is not very explanatory. Are the
"files" that it (you) mentions the actual files or are they shortcuts
or favorites stored somewhere else that reference these file names?
Are they remnant registry entries (so the file may not even exist
anymore although pointers to them still exist in the registry)? That
a path and filename are output doesn't say if a file is being
identified, a shortcut to that file, a registry pointer to that file,
a favorite, or what.

If the path appears that it does exist and that is what BitDefender is
pointing to (a path and file), did you check if you enabled Explorer
to see hidden folders/files? Did you open a DOS shell and use the
'cd' command to navigate there?

The pests in the restore points are easily eliminated by turning off
System Restore which clears out all old restore point files, then turn
it back on.

They have their own forum at http://forum.bitdefender.com/ where you
can ask other users familiar with the same program about the alerts
you are getting.
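The checks suggested above (does the reported path really exist once hidden and system objects are shown, is there only a registry pointer left behind, and purging the copies inside the restore points) can be scripted. The following is an added PowerShell example and is not code from the thread or from BitDefender. It assumes an elevated prompt, takes the two file paths verbatim from the scanner report quoted above, and assumes the autostart keys and the ActiveX cache inventory key listed in $regRoots are the places worth searching for a leftover pointer; Disable-/Enable-ComputerRestore exist on client editions of Windows only.

```powershell
# Added example (not from the thread): verify what a scanner's "embedded" hit
# actually points at, look for registry remnants, then purge restore-point
# copies. Run from an elevated PowerShell prompt.
# $hits holds the two paths quoted in the scanner report in the post above.
$hits = @(
    'C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Toolbar_cobrand.EXE',
    'D:\System Volume Information\_restore(AB4B39B1-ECCC-40C6-B62403F7E55B5A)\RP850\Ao467860.exe'
)

foreach ($path in $hits) {
    Write-Host "== $path"
    # -LiteralPath: the brackets and braces in a restore-point path are not wildcards.
    # -Force: include hidden and system objects that Explorer hides by default.
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        '{0,12} bytes  attrs={1}  modified={2}' -f $item.Length, $item.Attributes, $item.LastWriteTime
        # A hash lets you look the sample up with a second engine without copying it around.
        (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } else {
        Write-Host '   file not present on disk'
        # If the file is gone, see whether its parent folder is there at all
        # ("CONFLICT.1" is a folder the ActiveX cache creates when two controls collide).
        $parent = Split-Path -Parent $path
        if (Test-Path -LiteralPath $parent) {
            Get-ChildItem -LiteralPath $parent -Force | Select-Object Name, Attributes, Length
        } else {
            Write-Host "   parent folder missing too: $parent"
        }
    }
}

# Remnant pointers: search common autostart keys and the Downloaded Program
# Files inventory (assumed set of locations) for the reported file names.
$names = $hits | ForEach-Object { Split-Path -Leaf $_ }
$regRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'
)
foreach ($root in $regRoots) {
    # Include the root key itself: Run keys carry their values directly, with no subkeys.
    $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $value = [string]$key.GetValue($valueName)
            foreach ($n in $names) {
                if ($value -like "*$n*") { "$($key.Name) : $valueName = $value" }
            }
        }
    }
}

# Restore-point copies: turning System Restore off deletes every restore point
# on that drive; turning it back on starts a clean set. -WhatIf only previews;
# drop it to actually run, and do so after the live copy has been dealt with.
Disable-ComputerRestore -Drive 'D:\' -WhatIf
Enable-ComputerRestore  -Drive 'D:\' -WhatIf
```

One caveat when running this: the System Volume Information folder is normally ACLed to SYSTEM only, so even an elevated administrator may get "access denied" on the second path until an ACL entry is added; that is expected and does not by itself mean the file is missing.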

You went to the trouble of replying in detail - so I will reply also.

What I sent in my original post is all I have. I use BitDefender as my
AV. It found the problems when I ran an independent deep scan. I have
and use the other programs you refer to except HijackThis. I know I
can eliminate the problems in Restore - but when I turn on Restore
again, they will probably just show up again. By embedded, I believe
the problems are in 'packed' files. However, I can't find some of them
even though I have 'Show Hidden Files' turned on. I haven't tried to
find these files in a DOS shell yet.