
Regenerating malware






MaximRecoil



Joined: 31 Dec 2005
Posts: 3

Post subject: Regenerating malware

On a PC that I am working on, Sygate is giving a message like this:



I ran Ewido and it found a file named ldCF2C.tmp in System32 and said it was a "downloader.zlob.dn". The problem is, this file manages to regenerate when removed, whether removed by Ewido or manually from a boot disk (it can't be deleted from within normal Windows because it is in use). It also has a semi-random naming scheme which goes like ld****.tmp, with the **** representing various random numbers and letters that it uses when it regenerates. This random naming scheme makes it impossible to do Google searches on it. "downloader.zlob.dn" turns up nothing other than a sponsored link to this site with removal instructions for Spyaxe which do not appear to be relevant.

So obviously there are some associated files or registry entries somewhere that need to be removed to keep this thing from coming back. Is anyone familiar with this?
Sat Dec 31, 2005 6:15 am
 
Capt D Stroyer



Joined: 01 Jan 2006
Posts: 1

Post subject: Regenerating Malware

I too have a similar, if not identical, problem. I think it is a Trojan zlob variant, possibly a .bc variant.
I have been asked to permit access to winlogon, which I have blocked.
There is an ldxxx.tmp in the Windows system32 folder. This can be deleted in Safe Mode but regenerates as something else when you restart the PC. I have tried Ewido and other trojan removers. Norton cannot delete it. I found this on a routine scan. I was wondering: if I edit the file in Safe Mode and rename it from .tmp to .tsp or something, would that render this file inoperable?
I am still trying to find a solution; post a reply if you succeed and I will too.
Sun Jan 01, 2006 4:59 pm
 
MaximRecoil



Joined: 31 Dec 2005
Posts: 3


OK, here is what worked for me. After some searching I found another thread somewhere where someone had a similar problem and he was directed to "SmitRem.exe". This worked for me. http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Here are the instructions that I followed from the thread (I saved the instructions, but I didn't save the link to the thread):

Quote:
Hi brikeyes,
That file belongs to a smitfraud infection, please try this.

You may want to print out or make a copy of these instructions before starting, because you will not be able to connect to the internet during most of this fix.

Download smitRem.exe and save the file to your desktop.
http://noahdfear.geekstogo.com/click%20counter/click.php?id=1
Double click on the file to extract it to its own folder on the desktop.

Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to this entry and click "Fix checked":

O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\WINDOWS\system32\hp8879.tmp

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Your desktop and icons will disappear and then reappear again --- this is normal.
Wait for the tool to complete and Disk Cleanup to finish --- this may take a while; please be patient.

Next, run Ad-aware and perform a full scan. Remove everything found.

While still in Safe Mode, run Ewido Security Suite.

Next go to Start -> Control Panel, click Display -> Desktop -> Customize Desktop -> Web -> Uncheck "Security Info" if present.

Delete these files if still present, end process first (might no longer be present):
C:\WINDOWS\system32\1024\ld3F80.tmp
C:\WINDOWS\system32\1024\ldFAD4.tmp
C:\WINDOWS\system32\nvctrl.exe

Restart your computer in normal mode.

Run the Panda online virus scan at http://www.pandasoftware.com/products/activescan.htm


I bolded the file names that prompted me to try those instructions, even though my problem file wasn't in a "1024" folder, nor did I even have a "1024" folder in System32. The relevant part of all of that for me was running the "RunThis.bat" file in the SmitRem folder in Safe Mode. That was what got rid of the ldxxx.tmp file in System32, and it didn't come back. That batch file runs through a list of files to get rid of a mile long, most of which you probably won't have on your system, but it definitely cleared the PC I was working on right up. I remember following similar instructions for a different PC I worked on about a year ago for something else which also used that SmitRem thing; good stuff. No more of Winlogon.exe trying to connect anywhere either.
Sun Jan 01, 2006 7:53 pm
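The two things the thread relies on to recognise this infection are a file name of the form ld****.tmp / hp****.tmp sitting in system32 and a HijackThis O2 (BHO) entry whose module is one of those .tmp files. The script below is an added triage example written for this page; it is not part of the thread, of HijackThis or of the smitRem tool. It reports only and deletes nothing. The name pattern (ld or hp, four letters or digits, .tmp) is an assumption generalised from the names quoted above (ldCF2C.tmp, ld3F80.tmp, ldFAD4.tmp, hp8879.tmp), the sample HJT log lines and directory tree are constructed, and the function names are hypothetical. Because the pattern deliberately requires the .tmp extension, a copy renamed to .tsp (as one poster considered doing) is outside it, which the demo shows; a responder checking a cleaned machine should keep that gap in mind.

```python
"""Triage helpers for the regenerating ld****.tmp / hp****.tmp files.

Added example for this forum thread; not code from the thread or from the
tools it names. Reports findings only, never deletes anything.
"""
import re
import tempfile
from pathlib import Path

# ASSUMPTION: "ld" or "hp" followed by four letters/digits and ".tmp",
# generalised from ldCF2C.tmp, ld3F80.tmp, ldFAD4.tmp and hp8879.tmp.
SUSPECT_NAME = re.compile(r"^(?:ld|hp)[0-9A-Za-z]{4}\.tmp$", re.IGNORECASE)

# HijackThis "O2" line layout: O2 - BHO: <name> - {<clsid>} - <module path>
HJT_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)


def is_suspect_name(filename: str) -> bool:
    """True when a bare file name matches the semi-random temp-file scheme."""
    return SUSPECT_NAME.match(filename) is not None


def flag_hjt_o2(log_lines):
    """Return (clsid, path) for BHO entries whose module is a .tmp file.

    A legitimate BHO is registered from a .dll; a .tmp module under system32
    is the shape of the entry the quoted instructions tell the reader to fix.
    """
    hits = []
    for line in log_lines:
        m = HJT_O2.match(line.strip())
        if m is None:
            continue
        path = m.group("path")
        basename = path.replace("\\", "/").rsplit("/", 1)[-1]
        if basename.lower().endswith(".tmp"):
            hits.append((m.group("clsid").lower(), path))
    return hits


def scan_tree(root):
    """Walk root and return relative paths whose file name matches SUSPECT_NAME."""
    root = Path(root)
    return sorted(
        str(p.relative_to(root)).replace("\\", "/")
        for p in root.rglob("*")
        if p.is_file() and is_suspect_name(p.name)
    )


# Constructed HijackThis lines. The first is the BHO entry quoted in the thread;
# the second is made up to show a normal .dll-backed BHO that is not flagged.
SAMPLE_HJT_LOG = [
    "O2 - BHO: HomepageBHO - {e9ccf15d-4c68-4b5a-9e9a-8e12e4bd39bd} - C:\\WINDOWS\\system32\\hp8879.tmp",
    "O2 - BHO: Example Helper - {00000000-1111-2222-3333-444444444444} - C:\\Program Files\\Example\\helper.dll",
]


def demo_scan():
    """Build a throwaway tree with constructed file names and scan it.

    Includes a renamed .tsp copy and a name that merely contains "ld" to show
    that neither matches the pattern.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        (sys32 / "1024").mkdir(parents=True)
        for name in ("ldCF2C.tmp", "kernel32.dll", "ldCF2C.tsp", "notld1234.tmp"):
            (sys32 / name).write_bytes(b"")
        (sys32 / "1024" / "ld3F80.tmp").write_bytes(b"")
        return scan_tree(tmp)


if __name__ == "__main__":
    for clsid, path in flag_hjt_o2(SAMPLE_HJT_LOG):
        print(f"suspicious BHO {{{clsid}}} -> {path}")
    for rel in demo_scan():
        print("suspect file:", rel)
```

To use it against a real HijackThis log, pass the log's lines to flag_hjt_o2; to sweep a mounted system drive from a boot disk, call scan_tree on the system32 directory. Matching on name shape is a cheap first pass only: confirm a hit by other means (hash, digital signature, the registry entry that references it) before acting on it.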
 