Alan Posted November 18, 2004

Hi,

Me back with questions for you computer and security experts.

Ok, here is the thing: a while back I started having problems with my browser. It seemed to be a browser hijacker (as I have scanned and found a lot of them), and when I set my homepage to, like, TCH Forums, it always sends me to 'about:blank' and it ALWAYS sends me to some search engine. When I use my Yahoo! Messenger and open a messaging window, it always pops up two windows: one is the search engine and another is an advertisement about spyware.

After scanning with Norton and finding a dabafall.dll file which was an at-risk file, and trying to have Norton delete it, and it failing, I rebooted in safe mode and tried to have Norton delete it then, without success.

Is there any way to delete .dll files from the System32 folder by hand? Without a destructive reformat?

Thanks,
Alan

TCH-Andy Posted November 18, 2004

Hi Alan,

Yes, that's a nasty little trojan you have there. I would use Firefox as a browser and also have a look at http://www.spywareinfo.com/~merijn/ for a few tools to get rid of it.

TCH-Andy Posted November 18, 2004

I'd also have a look at Bob's excellent suggestions in the thread at http://www.totalchoicehosting.com/forums/i...?showtopic=9310

Alan Posted November 19, 2004

Thanks, I also use Firefox for my browsing, but I am also a Member Plus on the MSN Gaming Zone. There is also the problem that the MSN Gaming Zone does not support Firefox (therefore you have to have Internet Explorer to be able to use the gaming network).

Thanks for your help, I am reading those links now.

-Alan

Alan Posted November 19, 2004

Results:

Done! Removed from your system:
- CWS.HiddenDll
- 6 infected IE registry values

Thanks Andy, looks like it is all cleaned up now.

Alan Posted November 19, 2004

Just in case anyone has the same problems: once you run the program you will still get popups in Yahoo! Messenger (or I did). To fix those, update your definitions of Spybot S&D / Ad-Aware SE if you have them and then run both of those. Once finished, you will not have any problems.

ThumpAZ Posted November 19, 2004 (Edited November 19, 2004 by TCH-Glenn)

Alan,

Glad to hear of your success story. But I must give a word of caution to others experiencing similar nightmares...

CWShredder, SpyBot, Ad-Aware and most all AntiVirus programs will sometimes fail to find many of today's more obscure browser hijackers and associated trojans. Sometimes even WinPatrol and HijackThis cannot see any problems... especially with shell programs.

Your best defense is a skeptical browsing technique, and keeping track of when something starts happening. If you are fortunate enough to know when the infection began, you can do a search of the computer for *.* with a modified date of that day, or a couple of days surrounding it (if unsure of exactly what day). Then start searching the web as best you can with the names of any DLL and EXE files found that were modified in that time frame. Most often these are going to end up being the culprit files.

I recently (this morning, in fact) just got through cleaning up an infection on my laptop that was due to my own stupidity... I turned off the WinXP_SP2 firewall and ZoneAlarm the other day while testing something out, and forgot to turn them back on. Then I was searching for something and clicked on a result... BAM! Nearly 8 hours later, that machine is clean and not simply reinstalled.

Even though TCH is not a support site for operating systems and such type items, we will try to help you as best we can... so post up with your questions.

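The date-window search described in the post above, as an added example that is not part of the original thread: it walks a folder, keeps DLL and EXE files modified within a few days of a chosen date, and hashes each one so it can be looked up by content as well as by name. The function names and the two-day default window are assumptions made for this sketch.

```python
import hashlib
import os
from datetime import datetime, timedelta

SUSPECT_EXTENSIONS = {".dll", ".exe"}  # the file types the post says to research


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def modified_near(root, infection_day, days_around=2):
    """Return (mtime, path, sha256) for DLL/EXE files under root that were
    modified within days_around days of infection_day, oldest first."""
    start = infection_day - timedelta(days=days_around)
    end = infection_day + timedelta(days=days_around + 1)  # whole last day
    hits = []
    for folder, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime)
            except OSError:
                continue  # file vanished or cannot be examined
            if not (start <= mtime < end):
                continue
            try:
                digest = sha256_of(path)
            except OSError:
                digest = None  # locked file: still report it, without a hash
            hits.append((mtime, path, digest))
    return sorted(hits, key=lambda hit: (hit[0], hit[1]))


if __name__ == "__main__":
    import sys
    # Usage: script.py <folder> <YYYY-MM-DD>
    day = datetime.strptime(sys.argv[2], "%Y-%m-%d")
    for mtime, path, digest in modified_near(sys.argv[1], day):
        print(mtime.isoformat(sep=" ", timespec="seconds"), digest, path)
```

A modification time can be rewritten by whatever created the file, so an empty result narrows the search without clearing the machine.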
Alan Posted November 19, 2004

Hi Glenn,

Yes, this problem was caused by my own stupidity as well. I have been disabling my firewall to play certain games that I enjoy and not just going into the firewall options and allowing the ports to be used.

I have never thought about doing a search for the .dll files, and will surely try that from now on. I always thought that the only files which could contain viruses / trojans were .zip, .tar, .exe? And other application programs, is that just a misunderstanding on my part?

TCH-Rob Posted November 19, 2004

You know Alan, if you didn't visit "THOSE" sites this would not happen. Besides, you aren't old enough for that yet.

ThumpAZ Posted November 19, 2004

The initial file is contained, typically, within a portable executable (exe, tar, zip, etc.). However, programs most always have friends along for the ride. They create dynamic link library (dll) files so the same snippets of code can be called from within the executables without having to retype it every time. This keeps the files smaller.

Another interesting thing that can happen is that they place a notifier in the registry so they can realize, at startup, if an attempt has been made to uninstall the program and silently reinstall it. This is almost always found in the registry, as a call to the dll file (most often in the %root%\system32 folder, for XP) and a reg_cz code that exists somewhere else in the registry. This is most often at (XP example) HKLM\Software\Microsoft\WindowsNT\Current Version\Winlogon\Notify.

Also, normally, the executables are set to start up at HKLM\Software\Microsoft\Windows\Current Version\Run.

*NOTE* DO NOT GO ALL WILLY-NILLY EDITING YOUR REGISTRY AND ALWAYS EXPORT THE ENTIRE REGISTRY BEFORE MAKING ANY CHANGES

Spammers are getting more and more nefarious these days, and making it harder and harder to get rid of the programs they get you with. Another *cute* thing they like to do, to stay in good standing with their hosts when not running their own servers, is to provide you with an "uninstaller" that is available over the web. However, these uninstallers quite often do not work or leave files behind that make it easier for you to become reinfected later.

Now, don't I just love knowing this stuff?

[Yosemite_Sam]OOOOOHH!!! I HATE Spammers[/Yosemite_Sam]

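A read-only way to review the two startup locations named in the post above, working from the registry export the post says to make first. This is an added example, not part of the original thread: the function name, the sample export and its entries are constructed, the key paths are written as Windows XP stores them, and only plain string values are read (hex-encoded values are skipped).

```python
import re

# The two locations from the post, lower-cased for case-insensitive matching.
WATCHED_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run": "Run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify": "Notify",
}
# A .reg string value: "name"="data", with \\ and \" escaped inside the quotes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def startup_entries(reg_text):
    """Return (location, subkey, value_name, data) for values that launch code."""
    entries, location, subkey = [], None, ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            location, subkey = None, ""
            for prefix, label in WATCHED_KEYS.items():
                if key.lower() == prefix or key.lower().startswith(prefix + "\\"):
                    location, subkey = label, key[len(prefix) + 1:]
            continue
        match = VALUE_LINE.match(line)
        if location and match:
            name, data = (re.sub(r"\\(.)", r"\1", part) for part in match.groups())
            # Every Run value is a command; under Notify only DllName names code.
            if location == "Run" or name.lower() == "dllname":
                entries.append((location, subkey, name, data))
    return entries


# Constructed sample export; a real one is UTF-16 (open with encoding="utf-16").
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplehook]
"DllName"="C:\\WINDOWS\\system32\\examplehook.dll"
"Startup"="OnStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Ignored"="C:\\not\\watched.exe"
'''

if __name__ == "__main__":
    for entry in startup_entries(SAMPLE_EXPORT):
        print(*entry, sep=" | ")
```

Because it only reads the exported file, it can be run against a copy of the export on another machine and compared with a later export to see which entries came back after a cleanup.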