Early Christmas Flu :S (PC)

Started by Tuomas, Tue 18/12/2007 10:06:41


Tuomas

Hi hello.

I'm not quite sure how, but my computer has been severely infected by a lot of annoying viruses, well, trojans actually. Some guys at #AGS know the situation, but I thought I'd ask for help here. You see, the problem is this: I've got Avira AntiVir installed as the primary virus protection. Every now and then it pops up warning me that some program has tried to access certain files that it finds dangerous. These include files such as jkkkkif.dll and ddcca.dll, both in the windows/system32 folder. I tried googling for them, but learned nothing new.

Now when it comes to removing these files, I tried Spybot S&D, which didn't find any of them. I tried AdAware, which also doesn't recognise them. I downloaded AVG and Windows Defender, yet neither of these react in any way. However, every time they go through files and try to access these certain files plus some more that I have, AntiVir alerts. I'm currently running Luke Filewalker, the AntiVir scanner which in several hours looks through my whole HD. Last night it did in fact find 4 copies of these two harmful files. So on getting a detection it asks if I want to either quarantine, rename, ignore or delete them. Basically I move them all to quarantine for the program to delete them afterwards. However, the deleting mission is more tricky than supposed. It appears all these files are in use somehow, and thusly cannot be deleted manually or through the program. You know how it goes. So AntiVir suggests deleting them on the next startup, which I thought would solve everything. Well, as far as I know, it didn't. Nothing happened, and they're still here.

I was wondering if actually starting Windows in safe mode would let me delete them, as most of the programs aren't running, and perhaps the files wouldn't be either. I don't know if there's something wrong with my boot sequence, but I hammered F8 to get to the selection menu. However, the arrow keys aren't working there, so I can't access safe mode, and I really don't know any other way of starting Windows in it. I thought I'd ask for advice here first and then go to resource control and end every possible program and after that try to remove them manually. We'll see, but I really need your help!

Cino

If you happen to get your hands on a standalone bootable disk or CD (most operating systems including DOS, Linux and Windows are fine for this), you can probably mount your HD and delete the files. You can also try Start -> Run -> regedit [ENTER]
Look for HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
and you'll see what programs are run when windows loads up. Look for suspicious entries in there.
Also check HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
for the same reason.

R4L

Maybe it isn't safe to delete them. Believe me, I deleted a quarantined file one time, and I couldn't even boot my computer after.  ;D

Have you tried HijackThis? I hear it works great, if you haven't tried. Also, you can "buy" PC Tools' Spyware Doctor and download AVG Anti-Rootkit to see if they fix anything.

Quote from: Cino on Tue 18/12/2007 11:52:08
If you happen to get your hands on a standalone bootable disk or CD (most operating systems including DOS, Linux and Windows are fine for this), you can probably mount your HD and delete the files. You can also try Start -> Run -> regedit [ENTER]
Look for HKEY_CURRENT_USER -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
and you'll see what programs are run when windows loads up. Look for suspicious entries in there.
Also check HKEY_LOCAL_MACHINE -> Software -> Microsoft -> Windows -> CurrentVersion -> Run
for the same reason.

Or you can run msconfig if you need simplicity, although the registry works better.

Tuomas

Hi. HijackThis actually removed all except one of the .dlls. The one that stays is the one linked. Or actually I think it's a copy of it, as there were two in the end.

Also, local machine gives me the run of the default, Adobe Reader Speed Launcher, ANIWZCS2Service, Cmaudio, D-Link Airplus G, MBM 5, Registry Mechanic, SunJavaUpdateScheduler and Zonealarm client. Nothing especially weird, the Current User runs default, ctfmon.exe, MsnMsgr, nothing special there.

Process Explorer finds this ddcca.dll to be under explorer.exe

Is there any other way of accessing safe mode than pressing F8 during startup?

dasjoe

see PM.

edit your boot.ini (found in the root directory of your system drive), add "/SAFEBOOT:MINIMAL" to the line that's referred to as the default entry.

Quote from: boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\windows
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\windows="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /SAFEBOOT:MINIMAL

do not copy the whole line unless you're booting from multi(0)disk(0)rdisk(0)partition(1)\windows, too
... it's quite easy being the best.
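An added example (not from this thread, nor dasjoe's own tool) that applies the boot.ini edit above the careful way: it reads the default= ARC path from [boot loader] and appends /SAFEBOOT:MINIMAL only to the matching [operating systems] entry, refusing to touch the file when nothing matches. The sample boot.ini is constructed to mirror the quoted one; point it at a copy of your own file before writing anything back.

```python
import re

SAFEBOOT_SWITCH = "/SAFEBOOT:MINIMAL"
# Matches an existing /SAFEBOOT switch (any flavour) so we replace, not duplicate, it.
_SAFEBOOT_RE = re.compile(r"/safeboot(?::\S*)?", re.IGNORECASE)

# Constructed sample resembling a default Windows XP boot.ini (raw string keeps backslashes).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Second install" /fastdetect
"""


def _section_name(line):
    """Return the lower-cased section name for a '[section]' line, else None."""
    s = line.strip()
    return s[1:-1].strip().lower() if s.startswith("[") and s.endswith("]") else None


def default_entry_path(boot_ini):
    """Return the ARC path named by default= under [boot loader], or None."""
    section = None
    for line in boot_ini.splitlines():
        name = _section_name(line)
        if name is not None:
            section = name
        elif section == "boot loader" and line.strip().lower().startswith("default="):
            return line.strip().split("=", 1)[1].strip()
    return None


def add_safeboot(boot_ini, switch=SAFEBOOT_SWITCH):
    """Return boot_ini with `switch` on the default entry only; idempotent."""
    default_path = default_entry_path(boot_ini)
    if default_path is None:
        raise ValueError("boot.ini has no default= entry under [boot loader]")
    out, section, matched = [], None, False
    for line in boot_ini.splitlines():
        name = _section_name(line)
        if name is not None:
            section = name
        elif section == "operating systems" and "=" in line:
            # ARC paths never contain '=', so the text before the first '=' is the path.
            if line.split("=", 1)[0].strip().lower() == default_path.lower():
                matched = True
                line = (_SAFEBOOT_RE.sub(switch, line) if _SAFEBOOT_RE.search(line)
                        else line.rstrip() + " " + switch)
        out.append(line)
    if not matched:
        raise ValueError(f"no [operating systems] entry matches default {default_path}")
    return "\n".join(out) + ("\n" if boot_ini.endswith("\n") else "")


if __name__ == "__main__":
    print(add_safeboot(SAMPLE_BOOT_INI))
```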

Tuomas

Yeah, k. Safe mode doesn't help... ummm... Thanks anyway, I'll keep that trick in mind... Heh, it appears I've caught the virus too, fever is rising :(
