I just finished cleaning (as in laboriously manually
tracking down and terminating) a very nasty new breed
of ad/spyware.

This one was so nasty it could even protect itself in
safe mode.

I didn't keep extensive notes, but it put this folder
in Program Files\wwxtvxsr which contained the files
fogDGwBM.exe fogDGwBM.dll and some others, all of
were tagged as "in use" in normal and safe mode.
Another file named ikwin.sys was in system32\drivers
and also always "in use".

In the registry were keys named IKwin which had
"errors" that made them un-editable and un-deletable.
Some of them would vanish in safe mode.

I finally got it all by booting with ERD Commander and
searching the Registry for fogDGwBM and wwxtvxsr.
Curiously, it "couldn't find" anything named ikwin in
the Registry but I ran across a key named that
(and deleted it!) while searching for the other two.
The ikwin.sys was similarily "invisible" to the ERD
Commander file search. I finally rooted it out from
path data in the Registry.

One clue to where this came from might be the name of
the Run key that would launch fogDGwBM.exe. dQpHY5Ex
(Which is likely a randomly generated name.)

AdAware SE 6.0 with the latest update can find part
of this, but it's beyond that software's ability to
completely remove. Spybot Search & Destroy 1.4 with
the latest updates didn't see any of it. (1.4 was just
released May 31st.) 1.4 now has the ability to scan
other 2000/XP installs and their Registries on the
same PC. No other spyware/adware remover can do that,
and Spybot is freeware. :)

One potential "BOFH" tactic that may help in this and
similar cases is to boot up completely then either
turn off the input power switch on the power supply
or pull the power cord if you don't have a switch.
Then restore power and boot up using F8 to go into
Safe Mode. That should prevent the program from
restoring the Run command in the Registry during
shutdown, along with stopping it from removing the
"bad" Registry data that can't be edited or removed
in normal mode.

I sent my notes on this to the guy who does Spybot.
Hopefully he can figure out a way to remove this
and others like it. Winternals ERD Commander isn't
cheap software, but its bootable CD is the ultimate
utility for "doctoring" a problem system that won't
boot at all or is infected with junk that can protect
itself from being removed while the Windows install
on the box is running.

It will be total Fandemonium!
August (Fri) 5th, (Sat) 6th & (Sun) 7th, 2005

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

Mac-N-DOS is sponsored by <http://lowendmac.com/> and...

    /      Buy books, CDs, videos, and more from Amazon.com     \
   / <http://www.amazon.com/exec/obidos/redirect-home/lowendmac> \

      Support Low End Mac <http://lowendmac.com/lists/support.html>

Mac-N-DOS list info:    <http://lowendmac.com/lists/macndos.shtml>
  --> AOL users, remove "mailto:";
Send list messages to:  <mailto:mac-n-dos@mail.maclaunch.com>
To unsubscribe, email:  <mailto:[EMAIL PROTECTED]>
For digest mode, email: <mailto:[EMAIL PROTECTED]>
Subscription questions: <mailto:[EMAIL PROTECTED]>
Archive: <http://www.mail-archive.com/mac-n-dos%40mail.maclaunch.com/>

iPod Accessories for Less
at 1-800-iPOD.COM
Fast Delivery, Low Price, Good Deal

Reply via email to