Tuesday, December 9, 2008

Easiest way to fight malware: vendo example

I was running an old image of Windows XP and got something I hadn't seen in a while: one of those pop-ups that send you to the wrong site. The unusual thing was I had never seen one for Firefox before, which is one of the reasons Firefox is so popular. I'm posting this because the only thing that stopped it is useful for any of these morphing type programs.

First, here are the usual steps. Update and run the virus program. It finds something, but the program is still there after a restart. I try Ad-Aware and Spybot, which both show something, but the remove doesn't work. Next I try the Microsoft Windows Malicious Software Removal Tool, all to no avail. Once you get all the updates to the programs you usually boot into safe mode with no network and try again. This sometimes works because the infected file will not be loaded.

Next step is to get rid of the entry where it's getting loaded. Here's a list of programs for that: Msconfig, Autoruns, Startup Manager, HijackThis. Startup Manager is probably the easiest to use and Autoruns shows the most of what's being loaded. All of these programs are free. If you use these programs a few times you'll notice new or odd entries right away. On the average machine about half the things being loaded are unneeded.

But back to the point. I notice an entry for yaywxUNG.dll. I've never seen it before and of course the name stands out. Oddly, you would think they would pick names that don't stand out as much. I remove the entries and reboot; still no good. Next I go to safe mode to delete the file. Even in safe mode the file is locked. I sort by date and notice a few other names created around the same time, so I make a batch file to delete them that runs at startup:
@echo off
rem delete the DLLs that were dropped around the same time as yaywxUNG.dll
del c:\WINDOWS\system32\yaywxUNG.dll
del c:\WINDOWS\system32\iifdeEWP.dll
del c:\WINDOWS\system32\~.exe
del c:\WINDOWS\system32\xjbqytax.dll
del c:\WINDOWS\system32\tyegkine.dll
del c:\WINDOWS\system32\spwwfy.dll
del c:\WINDOWS\system32\tmqsav.dll
del c:\WINDOWS\system32\jyvbqogl.dll
del c:\WINDOWS\system32\eduufddg.dll
del c:\WINDOWS\system32\jpewyevf.dll
del c:\WINDOWS\system32\zllzir.dll
del c:\WINDOWS\system32\vfblefwn.dll
del c:\WINDOWS\system32\hnjtpadi.dll
rem note: deploytk.dll is also the name of the legitimate Java Deployment Toolkit library; check its version/signature before deleting
del c:\WINDOWS\system32\deploytk.dll
del c:\WINDOWS\system32\iifdeEWP.dll
And still it's running.

The how and why. There are 3 reasons the above steps were ineffective. The program is loaded as a DLL file and is locked. The program also creates new names. The other reason is that when you remove the registry entry that starts it, the key is either locked or the program is just putting it back in.

The solution is to boot with something else and just delete the files. That can be anything without the virus. I used a Windows Vista PE CD for a specific reason, but anything you can boot to will work: a multiboot setup, another hard drive that you can switch to in the BIOS, a CD, a USB drive. In most cases I just run a CD or USB with BartPE that has explorer.exe on it. Just go to Run and type in explorer, find the bad file and delete it.

This machine was using RAID. This is one of the problems with RAID. Most of the Windows versions that run from a USB drive or CD will not see the disk, and neither will most other utility boot disks. But Microsoft has a free tool that is useful for this and a wide range of other problems: Vista PE, which is a version of Vista that boots from the CD or USB. I first used it to run programs like ghost32.exe. I only hacked it a little. There is no Explorer, so I added a few free file managers. I later found out the one from Windows 4, winfile.exe, works fine if you get all the files it needs to run. I guess I should just try every portable utility I have to see which ones work, but so far I have had good luck. This disk is pretty much a must-have because there is pretty much no other easy way to get into a RAID disk without opening up the machine. I doubt there is any live Linux that reads it, but I really didn't look into it.
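As an added example (not code from the original post), here is a small Python script that does the "sort by date and pick out the files created around the same time" step by code and writes the result as a batch file to run from the offline boot; the temp directory and file names are constructed for the demo and stand in for system32.

```python
import os
import tempfile
import time

def find_files_near(seed_path, window_seconds=300):
    """Return files in the seed's directory whose modification time lies within
    window_seconds of the seed's. mtime is used so this runs on any OS; on
    Windows os.path.getctime would give the creation time the post sorts on."""
    d = os.path.dirname(seed_path)
    seed_mtime = os.path.getmtime(seed_path)
    hits = []
    for name in sorted(os.listdir(d)):
        p = os.path.join(d, name)
        if os.path.isfile(p) and abs(os.path.getmtime(p) - seed_mtime) <= window_seconds:
            hits.append(p)
    return hits

def make_delete_script(paths):
    """Batch file text to run from a WinPE/BartPE boot, where the DLLs are not locked."""
    lines = ["@echo off", "rem generated from timestamp clustering; review each line first"]
    lines += ["del " + p for p in paths]
    return "\n".join(lines) + "\n"

def demo():
    """Constructed sample (assumption): a temp directory standing in for system32."""
    d = tempfile.mkdtemp()
    base = time.time() - 86400               # pretend the infection happened yesterday
    samples = [("yaywxUNG.dll", 0),          # the entry spotted in Autoruns
               ("iifdeEWP.dll", 40),         # dropped 40 s later
               ("~.exe", 90),                # dropped 90 s later
               ("kernel32.dll", -200 * 86400)]  # legitimate file, months older
    for name, offset in samples:
        p = os.path.join(d, name)
        open(p, "wb").close()
        os.utime(p, (base + offset, base + offset))
    hits = find_files_near(os.path.join(d, "yaywxUNG.dll"))
    script = make_delete_script(hits)
    return [os.path.basename(h) for h in hits], script

if __name__ == "__main__":
    names, script = demo()
    print(names)
    print(script)
```

The old, unrelated kernel32.dll stays out of the list because it is outside the time window.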

In conclusion, it seems the virus got in through a hole in an old version of Java. They say the best bet with Java is to remove all the old versions and get the newest one at http://java.com. Hopefully in the near future someone will put together a Vista PE disk that is loaded with lots of utilities like that Hiren's or BartPE disk.

Wednesday, December 12, 2007

FEBE backups windows vista

I ran into a problem with FEBE not saving backups after adding Firefox and FEBE to a new Windows Vista machine. It might have been caused by the order in which I did things, but it seems the problem was caused by Microsoft moving where the temp directory is again. Just click on Debug in the FEBE options and reset to the new temp directory:

Windows 2000
C:\DOCUME~1\username\LOCALS~1\Temp\febe.tmp

Windows Vista
C:\Users\username\AppData\Local\temp\febe.tmp

Wednesday, November 21, 2007

Musicmatch Yahoo And Splash screens

After Yahoo's purchase of Musicmatch, the upgrade is more like a downgrade. It adds lots of junk to what was one of the best stand-alone music players. Even worse, they added a splash screen to older versions asking you to downgrade, even if you paid for lifetime updates. I looked around and there doesn't seem to be a way to remove the splash screen once it gets added. Here's a slight workaround if you don't need to connect to them to download music: use a firewall program like ZoneAlarm and block Musicmatch from updating. If you already have it, remove it and then reinstall. You might need your key to use some of the features.

Maybe someone can make a better workaround. Or maybe Yahoo can put it back the way it was to regain some goodwill.

Wednesday, October 31, 2007

mobsync.exe another unneeded startup program for HiJack This

mobsync.exe is only needed if you use Internet Explorer and use the read web pages offline feature. It shows up in HijackThis; I'm not sure if Autoruns or msconfig shows it.

Wednesday, August 22, 2007

last dll portable program apps rant

I think about 90% of programs easily could or should be portable apps.

Just include the 1 or 2 DLLs needed.
Also this is my idea and I have no idea why I haven't seen it yet:
add a menu item that adds the file extension and anything else to the registry that adds to its functionality,
and can also take out what it added to the registry.

More dll rants

msvbvm60.dll
This one is needed for HijackThis.

msvcr80.dll
MSVCRT10.DLL

These 2 are needed for some other programs which I forget at the moment.

Acrobat goes portable

I love programs that only need 1 or 2 DLLs to work on their own. These 2 work for Acrobat:

msvcp71.dll msvcr71.dll

Monday, July 30, 2007

ssv.dll

I'm always finding things to remove with HijackThis. Unless you use the Java Console in Microsoft Internet Explorer, which can be found by clicking on Tools in the menu, you can remove this feature.