I just finished cleaning (as in laboriously manually
tracking down and terminating) a very nasty new breed
of ad/spyware.

This one was so nasty it could even protect itself in
safe mode.

I didn't keep extensive notes, but it put this folder
in Program Files\wwxtvxsr which contained the files
fogDGwBM.exe, fogDGwBM.dll and some others, all of
which were tagged as "in use" in normal and safe mode.
Another file named ikwin.sys was in system32\drivers
and also always "in use".

In the registry were keys named IKwin which had
"errors" that made them un-editable and un-deletable.
Some of them would vanish in safe mode.

I finally got it all by booting with ERD Commander and
searching the Registry for fogDGwBM and wwxtvxsr.
Curiously, it "couldn't find" anything named ikwin in
the Registry, but I ran across a key named that
(and deleted it!) while searching for the other two.
The ikwin.sys was similarly "invisible" to the ERD
Commander file search. I finally rooted it out from
the path data in the Registry.

One clue to where this came from might be the name of
the Run key that would launch fogDGwBM.exe: dQpHY5Ex
(which is likely a randomly generated name).

AdAware SE 6.0 with the latest update can find part
of this, but it's beyond that software's ability to
completely remove. Spybot Search & Destroy 1.4 with
the latest updates didn't see any of it. (1.4 was just
released May 31st.) 1.4 now has the ability to scan
other 2000/XP installs and their Registries on the
same PC. No other spyware/adware remover can do that,
and Spybot is freeware. :)

One potential "BOFH" tactic that may help in this and
similar cases is to boot up completely, then either
turn off the input power switch on the power supply
or pull the power cord if you don't have a switch.
Then restore power and boot up using F8 to go into
Safe Mode. That should prevent the program from
restoring the Run command in the Registry during
shutdown, along with stopping it from removing the
"bad" Registry data that can't be edited or removed
in normal mode.

I sent my notes on this to the guy who does Spybot.
Hopefully he can figure out a way to remove this
and others like it. Winternals ERD Commander isn't
cheap software, but its bootable CD is the ultimate
utility for "doctoring" a problem system that won't
boot at all or is infected with junk that can protect
itself from being removed while the Windows install
on the box is running.


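As an added example that is not part of the original post (and not a Spybot or Winternals tool), here is the same triage the poster did by hand, written as a PowerShell script: list the Run/RunOnce entries and flag random-looking names like dQpHY5Ex, search the hives for the indicator strings the way the ERD Commander registry search does, and locate every kernel driver from its Services entry and ImagePath instead of from a file search, so a driver whose file the running system hides (as ikwin.sys was) still shows up. The indicator names are the ones the post reports; the function names, the random-name regex, the hive-path parameters and the "run it against hives loaded from the offline disk" setup are my assumptions, and the script expects PowerShell 3 or later on the host it runs on.

```powershell
<#
  Added example (not from the original post). Defaults point at the live hives; to
  work the way the poster did, attach the suspect disk to a clean host and load its
  hives first (assumed layout: the infected install is D:\WINDOWS):
      reg load HKLM\OffSoft D:\WINDOWS\system32\config\software
      reg load HKLM\OffSys  D:\WINDOWS\system32\config\system
  then run with -SoftwareHive HKLM:\OffSoft -SystemHive HKLM:\OffSys -WindowsDir D:\WINDOWS
#>
param(
    [string[]]$Indicators   = @('fogDGwBM', 'wwxtvxsr', 'ikwin', 'dQpHY5Ex'),  # from the post
    [string]  $SoftwareHive = 'HKLM:\SOFTWARE',
    [string]  $SystemHive   = 'HKLM:\SYSTEM',
    [string]  $WindowsDir   = $env:SystemRoot
)

function Test-RandomLookingName {
    # Heuristic (our assumption, not a rule): 6-12 alphanumerics mixing lower case with
    # upper case or digits and no word-like vowel pair, e.g. "dQpHY5Ex" or "fogDGwBM".
    param([string]$Name)
    return ($Name -cmatch '^(?=.*[a-z])(?=.*[A-Z0-9])[A-Za-z0-9]{6,12}$') -and
           ($Name -notmatch '[aeiou]{2}')
}

function Search-RegistryForString {
    # Walk a hive and report every key name, value name or value data containing a needle.
    param([string]$Root, [string[]]$Needles)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($n in $Needles) {
            if ($key.PSChildName -like "*$n*") {
                [PSCustomObject]@{ Path = $key.Name; Match = "key name contains '$n'" }
            }
            foreach ($vn in $key.GetValueNames()) {
                $data = "$($key.GetValue($vn, $null, 'DoNotExpandEnvironmentNames'))"
                if ($vn -like "*$n*" -or $data -like "*$n*") {
                    [PSCustomObject]@{ Path = $key.Name; Match = "value '$vn' = $data" }
                }
            }
        }
    }
}

function Get-AutostartEntries {
    # Run/RunOnce/RunServices values, flagged when they reference an indicator or
    # carry a random-looking name. Nothing is deleted; this only reports.
    param([string]$SoftwareHive, [string[]]$Needles)
    foreach ($sub in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        $k = Join-Path $SoftwareHive "Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $key = Get-Item -LiteralPath $k
        foreach ($vn in $key.GetValueNames()) {
            $cmd  = "$($key.GetValue($vn, $null, 'DoNotExpandEnvironmentNames'))"
            $hit  = @($Needles | Where-Object { $vn -like "*$_*" -or $cmd -like "*$_*" })
            $flag = ''
            if ($hit.Count) { $flag = "indicator: $($hit -join ',')" }
            elseif (Test-RandomLookingName $vn) { $flag = 'random-looking name' }
            [PSCustomObject]@{ Key = $k; Name = $vn; Command = $cmd; Flag = $flag }
        }
    }
}

function Get-KernelDriverEntries {
    # Every kernel or file-system driver registered under Services, with ImagePath
    # resolved to a file. A registered driver whose file the file-system API cannot
    # see comes back with OnDisk = False: either a stale entry or a hidden file.
    param([string]$SystemHive, [string]$WindowsDir, [string[]]$Needles)
    # CurrentControlSet is a link that exists only on the live system; read Select\Current
    # so the same code works against a hive loaded from an offline install.
    $current  = (Get-ItemProperty -LiteralPath (Join-Path $SystemHive 'Select')).Current
    $services = Join-Path $SystemHive ("ControlSet{0:D3}\Services" -f $current)
    Get-ChildItem -LiteralPath $services -ErrorAction SilentlyContinue | ForEach-Object {
        $svc  = $_
        $type = $svc.GetValue('Type')
        if ($type -ne 1 -and $type -ne 2) { return }    # 1 = kernel driver, 2 = file-system driver
        $image = "$($svc.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames'))"
        if ($image -eq '') { $image = "system32\drivers\$($svc.PSChildName).sys" }  # default path
        # Normalise the forms ImagePath takes: \??\C:\..., \SystemRoot\..., %SystemRoot%\..., relative
        $path = $image -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', '' -replace '^%SystemRoot%\\', ''
        if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $WindowsDir $path }
        $hit = @($Needles | Where-Object { $svc.PSChildName -like "*$_*" -or $image -like "*$_*" })
        [PSCustomObject]@{
            Service   = $svc.PSChildName
            Start     = $svc.GetValue('Start')           # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            ImagePath = $image
            Resolved  = $path
            OnDisk    = (Test-Path -LiteralPath $path)
            Indicator = ($hit -join ',')
        }
    }
}

Write-Host '== Autostart entries =='
Get-AutostartEntries -SoftwareHive $SoftwareHive -Needles $Indicators | Format-Table -AutoSize

Write-Host '== Kernel drivers referencing an indicator or whose file is not visible =='
Get-KernelDriverEntries -SystemHive $SystemHive -WindowsDir $WindowsDir -Needles $Indicators |
    Where-Object { $_.Indicator -or -not $_.OnDisk } | Format-Table -AutoSize

Write-Host '== Registry search for indicators =='
Search-RegistryForString -Root $SoftwareHive -Needles $Indicators
Search-RegistryForString -Root $SystemHive   -Needles $Indicators
```

Two caveats a practitioner would want. First, run it against hives loaded from the offline disk (and `reg unload` them afterwards), not from inside the infected install: the post's point is that the malware hides its driver and re-creates its Run value while Windows is running, so results taken on the live system are exactly the ones you cannot trust. Second, OnDisk = False on a driver with Start = 0 or 1 deserves attention but is not proof by itself; confirm the file from the offline boot, and only then remove the Services key, the Run value and the files together, since the post shows that removing one piece while the others remain lets it restore itself.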