I've done everything but the RIGHT thing...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by axtogrind, Nov 21, 2004.

  1. axtogrind

    axtogrind Private E-2

    Yet another weepy frustrated plea for help.

    I've done everything in the sticky threads, in some cases several times (many before coming here and finding this forum) but I've gone back and done everything in the DO NOT POST UNTIL... thread (by the numbers) in the hopes that I'd missed something on my own. I had not.

    AdAware gives me six occurrences of Virtumundo that won't stay deleted, but otherwise my problem acts more like StopGuard: I have a process that gets rerun automatically, and manual deletion of references to it via regedit doesn't work: the references appear again. So whatever the culprit, I just can't find it and kill it for good.

    My manifestation is the process "dvdplay.exe" - and "yalpdvd" files that show up in c:\windows\system (hidden INI, and bak, and tmp). No combination of Adaware / SpyBot / HJT (including the Delete a file on Reboot, just not the right file) AND file and registry entry deletion has yet found the source that keeps spitting this hairball back up. I've read several (hundred?) of the similar threads, and tried to apply the steps and advice given to what HJT etc. was showing me on my screen, but I haven't had any success.

    I've never ever seen anything like this, and I've repaired lots and lots and lots of sick and broken computers...

    Please help.

    Thank you,
    Keith
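    The symptom Keith describes (references that come back after manual deletion) can be made visible rather than guessed at. The script below is an added example, not something posted in this thread: it snapshots the Run/RunOnce keys, hidden yalpdvd* files in the system folder and any dvdplay process, waits, and reports what was re-created. It assumes a modern Windows host with PowerShell; the 60-second interval is an assumed value.

```powershell
# Added example (not from the thread). Names dvdplay / yalpdvd* and the
# c:\windows\system location come from Keith's post; the wait is assumed.
$Suspect = 'dvdplay'                          # process / registry value text reported
$IniGlob = 'yalpdvd*'                         # hidden INI/bak/tmp names reported
$SysDir  = Join-Path $env:SystemRoot 'system'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-SuspectState {
    # Returns one string per finding so two snapshots can be compared.
    $found = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider metadata, not a value
            if ("$($p.Value)" -match $Suspect) {
                $found += "REG  $key\$($p.Name) = $($p.Value)"
            }
        }
    }
    if (Test-Path $SysDir) {
        # -Force includes hidden files, which is how the INI/bak/tmp were hiding
        Get-ChildItem -Path $SysDir -Filter $IniGlob -Force -ErrorAction SilentlyContinue |
            ForEach-Object { $found += "FILE $($_.FullName) [$($_.Attributes)]" }
    }
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match $Suspect } |
        ForEach-Object { $found += "PROC $($_.ProcessName) pid=$($_.Id)" }
    return $found
}

$before = Get-SuspectState
"Baseline ($($before.Count) findings):"; $before
Start-Sleep -Seconds 60                        # assumed interval; lengthen if needed
$after = Get-SuspectState
$recreated = @($after | Where-Object { $before -notcontains $_ })
"New since baseline ($($recreated.Count)):"; $recreated
```

    Run it, delete the entries by hand as Keith did, then run it again: anything listed under "New since baseline" has a watchdog writing it back, which is the thing to hunt rather than the entries themselves.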
     
  2. cjbeers

    cjbeers Private E-2

    axtogrind......

    I'm a relative newbie to the spyware battle, and most of my knowledge has come from doing what people suggest in these threads. My most recent problem involved a .exe running constantly and utilizing 85%-90% of my CPU, which may be similar to the problem you are encountering.

    All I can tell you is what worked for me the best was completing a Trend-Micro Scan in safe mode with all hidden files and extensions enabled (not-hidden). Then installing and running a trial version of Giant Antispyware (smart scan), which got most of the items that were non-cleanable from the Trend-Micro Scan. The BitDefender scan also helped to pick out more hidden trojans. I used the scan first, determined where most of the spyware was located (in my case, c:\winnt), and then did another scan on those specific folders with the "autoclean" function clicked on. The items remaining which could not be removed by BitDefender were cleaned out by a-squared free edition. I followed all the directions in the "Read me first..." thread, so you may have done this all, except for maybe the Giant Anti-spy part. Sorry if this doesn't help.
     
  3. PhilliePhan

    PhilliePhan Guest

    Hi Keith,

    Please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there. I'll try to check back when I get a chance. Be patient - I have a number of threads ahead of yours, and only so much free time ;)

    Best,
    PP
     
  4. axtogrind

    axtogrind Private E-2

    Thank you. At 2:30am, I thought I had it: on a lark, while still in Safe Mode, I ran msconfig and identified two suspect exe's, had HJT kill them on reboot, and with some more AA and SB that seemed to be the end of it (this time when they found things and reported them cleaned, the items STAYED cleaned - and the evil process didn't come back, nor did any other hogs appear). Then, after two reboots into Safe Mode with nothing turning up in Ad Aware or Spybot, when I booted back to normal old Windows, and after 45 minutes of repeated Ad Aware and Spybot (all a-ok) runs, McAfee now finds several (10) BackDoor BDD and a Virtumundo - just when I thought I had it all, for real... (maybe, fingers crossed, these are really the final inactive remnants...) [BTW, none of the previous McAfee or Symantec scans turned these up. ?]

    Anyway, here is the HJT log. If McAfee won't clean these things it has found (and I can't manually remove them) then my next recommendation to the owner will be to let me save her docs, and wipe the disk and start over.

    Thank you in advance for any assistance you can provide, when and if you can get to it.

    Keith
     

    Attached Files: hjt.txt (2.1 KB)
  5. PhilliePhan

    PhilliePhan Guest

    Hi Keith,

    That log is clean! Though, for further reference, it's a good idea to put HJT in its own safe folder - C:\Program Files\HijackThis.

    There may be remnants, but they are not in your log. Regarding wiping the disk - While effective, what's to stop you from getting reinfected the next time you surf the net? ;) This baddie seems to get by a lot of Anti-spyware tools!

    Best,
    PP
     
  6. axtogrind

    axtogrind Private E-2

    Thanks, PP: a subsequent McAfee is still ongoing, but clean so far. I suppose those were the last of the last remnants. And just in time for a Monday pickup! ;)

    And as to reinfection, aside from current immunization, I'm going to educate the client regarding safe (safer?) surfing.

    Is "c:\program files\hijack this" a more safe folder for the program than "C:\Documents and Settings\Shawn\Desktop\Keith's Stuff\hijackthis\HijackThis.exe"?

    Thanks again for the look at the log, the hours of posts helping others, and your time.

    Keith
     
  7. PhilliePhan

    PhilliePhan Guest

    I suggest that you put some of Chaslang's suggestions in play: How to Protect yourself from malware!
    Yes - The backups saved by HJT are less likely to be inadvertently deleted if you place it where I suggested.
    You're welcome :)
    PP
     
  8. axtogrind

    axtogrind Private E-2

    Backups? :D
     
  9. PhilliePhan

    PhilliePhan Guest

    YUP ;) Backups. You'd be surprised how many people run this powerful tool without understanding it fully. Or. . . Maybe you wouldn't :D

    PP
     
  10. axtogrind

    axtogrind Private E-2

    I was, for anyone else reading this, just kidding: all of HJT's backups are appropriately tucked away in their subfolder... though not as safely as if I had run HJT from a more proper locale, such as c:\program files\Hijack This

    All latest scans have turned up nothing bad: thank you again.
    K
     
