
Dealing with a tricky virus

ZombiemamboZombiemambo Registered User regular
edited November 2009 in Help / Advice Forum
I'm trying to track this fucker down; it appears to just spam pop-ups. I've been paying attention to what's been trying to connect to the internet or install new stuff, and I've found two .dll files: nebipomo.dll and jowokuyu.dll. Problem is, I can't find the fucking files in question. I looked at the file path and still nada. What can I do? I tried revealing hidden files and folders.

Zombiemambo on

Posts

  • XantusXantus Registered User regular
    edited November 2009
    deleting files manually? what?

    boot into safe mode with networking, install http://www.superantispyware.com/onlinescan.html
    update, scan. come back if it doesn't clean you up.

    (if it finds files in /systemvolumeinformation/restore/... then you need to turn off system restore after the scan finishes, but before you reboot. or it will come back.)

    Xantus on
  • ZombiemamboZombiemambo Registered User regular
    edited November 2009
    Xantus wrote: »
    deleting files manually? what?

    boot into safe mode with networking, install http://www.superantispyware.com/onlinescan.html
    update, scan. come back if it doesn't clean you up.

    I forgot to mention that scans didn't show anything. I'll try that though, thanks.

    Zombiemambo on
  • TetraNitroCubaneTetraNitroCubane Not Angry... Just VERY Disappointed...Registered User regular
    edited November 2009
    Ditto Xantus' advice with MalwareBytes Antimalware and ESET's online scanner, if you haven't used these in your scans yet. Make sure MalwareBytes is up to date first.

    MalwareBytes and SuperAntispyware are fantastic at getting rid of rogue antivirus and spyware apps, but not so great at some nastier trojans and virus files. ESET's pretty great at the virus and trojan side, but not so hot at the spyware and such. Using multiple tools should help out.

    Edit: If the bastard's really hard to find, and you're running XP, you might want to look into a program called Combofix. It's a rough bitch to run sometimes, but it'll clean deep, and hopefully find anything that's down there. Another note: If you find anything identified as a rootkit, then my advice is to NifO and reformat. Once a rootkit's on the machine, there's no way to be sure you ever got it off.

    TetraNitroCubane on
  • DrFrylockDrFrylock Registered User regular
    edited November 2009
    You could have a halfassed rootkit going on (a really good rootkit would hide from you not only the files themselves, but also the processes).

    Might try:

    http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

    DrFrylock on
  • XantusXantus Registered User regular
    edited November 2009
    Another note: If you find anything identified as a rootkit, then my advice is to NifO and reformat. Once a rootkit's on the machine, there's no way to be sure you ever got it off.

    Sometimes true... I've had rather good luck with http://www.gmer.net/ ymmv

    Xantus on
  • ZombiemamboZombiemambo Registered User regular
    edited November 2009
    DrFrylock wrote: »
    You could have a halfassed rootkit going on (a really good rootkit would hide from you not only the files themselves, but also the processes).

    Might try:

    http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

    Well, it's definitely not hiding the processes; these .dlls immediately try to install global hooks in any program I'm trying to run. Avast! caught some malware, hopefully this GMER can get rid of the rootkit.

    Zombiemambo on
  • SipexSipex Registered User regular
    edited November 2009
    You have the dll files, look for specified removal tools on google and see if you get anything.

    Sipex on
  • ZombiemamboZombiemambo Registered User regular
    edited November 2009
    Well the problem is, I know the names of the .dll files, but they've been hidden away. I hope -something- can get rid of them.

    Zombiemambo on
  • pacbowlpacbowl Los AngelesRegistered User regular
    edited November 2009
    I spent all last weekend cleaning a variation of Vundo off my computer and it sounds very similar to what you have. That fucker was hard to get rid of. It kept disabling Malwarebytes Antimalware and nothing else would see it. Microsoft Defender, Ad-Aware, Avast, Trendmicro online, Spybot and various Vundo removal tools either couldn't find it or remove it.

    I knew it was still there because it kept adding a random named .dll to the startup.

    After finding and following the first set of instructions here and running Malwarebytes 3 times + rebooting, I finally killed it.

    edit: spelling

    pacbowl on
  • baudattitudebaudattitude Registered User regular
    edited November 2009
    I had something very similar on a development box at work; it had two weirdly named .dll files in %WINDIR% and was pretty damned impervious to deletion, even in safe mode, which I thought was a pretty good trick.

    Turns out it tied itself to the winlogon process, which is pretty much always running, which then locked the files from deletion.

    Fortunately, this was a development box, so it had Process Explorer on it. I was able to kill the running winlogon process, then delete the two .dll files, and from there reboot in safe mode and clean up the rest of the mess.

    Depending on how much of that just made sense, that might help you too.

    Edit: Make sure you have "show system files" checked in addition to "show hidden files"; it might be tagging the files with +h +s and Windows gives those an extra level of obscurity.

    baudattitude on
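    The two checks in the post above (DLLs tagged +h +s that Explorer hides unless "show system files" is on, and a DLL that cannot be deleted because a long-lived process such as winlogon has it mapped) can be done in one pass from PowerShell. This is an added triage script, not something from the thread; the %WINDIR% root and the 30-day "recently modified" window are assumptions, and reading the module list of protected processes may fail for lack of rights, which the script treats as "unknown" rather than an error.

```powershell
# Added example (not from this thread): list DLLs under %WINDIR% that carry both the
# Hidden and System attributes, and report which running processes have each one loaded.
function Find-HiddenSystemDlls {
    param(
        [string]$Root = $env:WINDIR,   # assumption: the post mentions %WINDIR%
        [int]$NewerThanDays = 30       # assumption: recent writes are the interesting ones
    )
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)

    # -Force is what makes Get-ChildItem return hidden and system files at all;
    # without it this search would miss exactly the files the post describes.
    Get-ChildItem -Path $Root -Filter *.dll -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System) -and
            $_.LastWriteTime -gt $cutoff
        } |
        ForEach-Object {
            $path = $_.FullName
            $holders = @()
            foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
                try {
                    # A DLL mapped into a process (e.g. winlogon) is locked on disk,
                    # which is why a plain delete fails until that process is gone.
                    if ($proc.Modules | Where-Object { $_.FileName -eq $path }) {
                        $holders += $proc.ProcessName
                    }
                } catch {
                    # Access denied on protected processes: record that we could not tell.
                    $holders += "$($proc.ProcessName)?"
                }
            }
            [pscustomobject]@{
                Path       = $path
                LastWrite  = $_.LastWriteTime
                Attributes = $_.Attributes
                LoadedBy   = (($holders | Sort-Object -Unique) -join ', ')
            }
        }
}

Find-HiddenSystemDlls | Format-Table -AutoSize
```

    Run it from an elevated prompt so that the module lists of system processes are readable; a result whose LoadedBy column names winlogon or explorer is the case the post describes, where the file has to be unloaded (or the machine booted into another environment) before it can be removed.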
  • ZombiemamboZombiemambo Registered User regular
    edited November 2009
    Hey, thanks for all of the help guys - the virus is still around but under control, and I know what it's doing so I haven't had trouble with finding out what it's been up to. I'll be running more scans and, if necessary, wiping my PC, but I would prefer not to.

    Zombiemambo on
  • cooljammer00cooljammer00 Hey Small Christmas-Man!Registered User regular
    edited November 2009
    Would something like HijackThis! work?

    cooljammer00 on
  • ZombiemamboZombiemambo Registered User regular
    edited November 2009
    That Malwarebytes thing describes a virus that sounds just like mine, and is even doing the same thing during the installation process, so I'm going to assume that's what it is, and hope this thing can get rid of the SOB. Thanks again for helping out!

    Zombiemambo on