Spyware in WINNT folder


Arica

My computer recently became infected with a nasty spyware
that constantly refreshes itself. Ad-aware finds the
hijacking files and temporarily removes it, but moments
later it refreshes itself. I believe it has hijacked my
lower right hand toolbar as there is a red circle with
an "X" in the middle. When you click on it you are
immediately sent to the website www.specialgoods.com. All
attempts to remove the program have been unsuccessful. I
have found the files because I know the exact date and
time it was installed but the root file is a .dll file and
it states that I cannot remove the file because it is a
system file that is constantly running.

Anyone that can offer technical suggestions would be
appreciated. Thanks.
 
Hi Arica

Any advice would be complete guesswork at this stage, as
these tactics are used by a lot of malware. Can you give
more info on what the .dll is called?

Also try using Ewido Security Suite and MSAS in safe mode,
as they will work better at removing the problem when the
problem is not running. You would need to download and
install Ewido and update it in normal mode, then boot into
safe mode (reboot and keep tapping F8, then choose Safe
Mode from the list).

Also CCleaner would be useful to clear all your temp
folders in case the malware is saved in there, and check
your Add/Remove screen through Control Panel for any
suspicious entries. But if you need more help, post back
the name of the dll and it should make it a lot easier to
comment on this.

Regards Andy
 

Please take a look here:
http://www.bleepingcomputer.com/forums/index.php?showtopic=22854
 
Thanks Andy,
In safe mode I ran Ad-aware, Microsoft AntiSpyware, and Spybot,
but the spyware seems to be running even in safe mode. The
file name I found is param32.dll and it is in the system32
folder. The icon (red circle with white 'x') shows up in
the lower right hand startup task bar even in safe mode.
MSAS did not detect anything, spybot found "spybloc" and
removed it but it kept coming back on rescans, and adaware
found desktop hijack icons (about 20 that refresh on the
desktop) and registry keys which it removed, and then they
would keep coming back about every 3 minutes.

If the spyware is running even in safe mode, how am I to
remove it, as it seems to be able to get around all the
anti-spy programs?

If you need any other info please let me know. Thanks
 
Hi Again

Go with Mikolaj's suggestion. If you have problems, email
me and we can run some fixes; it would be easier to fix
this through email if needed, using Killbox and HijackThis.
If you need help, start by sending a HijackThis log to my
email, but not as an attachment, as that changes the log:
it just shows every line mixed together, which then needs
sorting back to the way it should look. So just post the
log as part of the email message to make it faster for me
to check the entries.

Also see this page for a bit more info on this:

http://www.bleepingcomputer.com/analysis/?anal=globolook-dropper

With fixes I would start by running Ewido in safe mode,
then use MSAS and finally CCleaner. If the problem is
still there, I need to see a HijackThis log before giving
fix instructions, to see what OS you have, as it could
cause damage to give instructions that don't relate to
your system.

Just let me know if you need help

Andy
 