Unknown Spyware

  • Thread starter: Rick Dyess

Rick Dyess

I have run across a process that, when stopped, creates a
new process. It deletes the process and the registry key
and creates a new file and key any time it is stopped. I
have run every utility I can get my hands on and nothing
has caught it yet. The following is a list of the file
names I have seen while working on this system:

ayjqij.exe, aqqsut.exe, ansldf.exe, bfnspfn.exe, bwspls.exe,
blhdcre.exe, bbcjnbt.exe, bvvfujw.exe, cusoeh.exe, cjwvnk.exe,
dzzmqn.exe, dsyhni.exe, eegcqg.exe, extajn.exe, eaytep.exe,
eldebt.exe, fewazry.exe, fllfpb.exe, gxidrhw.exe, gcwmjkp.exe,
gnwgxtp.exe, hitnjy.exe, hnwwar.exe, hjeswpf.exe, hhmmth.exe,
ingoykn.exe, jtjxkh.exe, jhzzbaw.exe, kyzmig.exe, kqzpqus.exe,
hjeswpf.exe, hgvprfh.exe, hpwzubt.exe, lcqicmi.exe, llmanjz.exe,
mshfxe.exe, musbow.exe, mdusjza.exe, nmfdby.exe, nrsrdad.exe,
njjfjm.exe, ovdszg.exe, pigsgrw.exe, ppuouj.exe, qemrogc.exe,
qnoknnm.exe, ppkvtcu.exe, phpcbhd.exe, povisn.exe, ramuaa.exe,
jhboclj.exe, sedjczr.exe, semros.exe, tenpck.exe, ubbfkpp.exe,
vulibsu.exe, vulibsu.exe, vrhtgfa.exe, wlvuvh.exe, wlvuvh.exe,
wizawb.exe, yrbyhtf.exe, yfcafc.exe, ytpai.exe, zxxrqeb.exe,
zibxjhn.exe

Some of these file names repeat, but there is no real
pattern that I can see. I hope that someone else has seen
this and knows how to get rid of it.

Thanks, Rick
 
I see these guys all the time. Like Whack-a-Mole: one
goes down and another one pops up. Usually there are two
processes running and each protects the other. You have
to start in Safe Mode to have a chance against them. Then
run HijackThis and check/"Fix Checked" their entries. If
you see them running in Safe Mode with Task Manager, then
you will need to stop them both (quickly!) with Pocket
Killbox

http://www.bleepingcomputer.com/files/killbox.php

or you can try DiamondCS's Advanced Process Termination or
TaskMan+ or Advanced Process Manipulator (APM).

http://www.diamondcs.com.au/index.php?page=products

APM will show you what processes are running and can open
them up and show you the DLLs they use and let you unload
selected DLLs. Very handy when they crawl in via the
winlogon notify and attach themselves to explorer and/or
winlogon.

It also helps to set up Windows Explorer to show all files
and extensions and then go to the windows and
windows\system32 folders, sort by date and then remove any
files with the same date. Then empty your temp folders.
I've seen them where you can't delete them but you can
rename them. Then after the next reboot you can delete
them.

Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe

Save it to C:\hjt (a new folder), then open it and select
"Scan and Save Log". Note where you saved the log, then
send it to me as an attachment. Put "Hijack" in the subject
so I'll know it's not spam. I'll be glad to help you get
rid of it.

Ron Kinner
Microsoft MVP 2004 & 2005
(e-mail address removed)
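An added example, not code from this thread or from any of the tools Ron names, that puts the two posts above into a small offline triage script. It first measures the shape of the names Rick listed (the pattern in them is the shape, not the letters: 5 to 7 lowercase letters plus .exe, with three repeats), then applies Ron's "sort %windir% and system32 by date and look at what shares a date" rule to a directory listing. The system32 listing, the baseline of known-good names and the companion DLL name rkpzqn.dll are constructed for the demo. The baseline is the caveat a practitioner would want here: "remove any files with the same date" will also sweep up legitimate files that were written together (a patch, an install), and a short legitimate name such as winver.exe has the same shape as the dropper's names, so the script only reports what is random-looking, unknown and clustered, and leaves the rename/delete decision to the operator in Safe Mode.

```python
"""Triage helper for the random-name respawning dropper discussed in this thread.

Added example, not code from the thread or from any tool named in it.
  1. name_stats()    -- the shape of the names Rick posted.
  2. suspects()      -- Ron's same-date rule over a directory listing, with a
                        known-good baseline so legitimate files are not flagged.
  3. random_named()  -- the weaker check, for the lone respawn that lands by itself.
SAMPLE_LISTING and BASELINE are constructed for the demo.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# File names posted by Rick in this thread (repeats included, as he listed them).
SEEN = """
ayjqij.exe aqqsut.exe ansldf.exe bfnspfn.exe bwspls.exe blhdcre.exe
bbcjnbt.exe bvvfujw.exe cusoeh.exe cjwvnk.exe dzzmqn.exe dsyhni.exe
eegcqg.exe extajn.exe eaytep.exe eldebt.exe fewazry.exe fllfpb.exe
gxidrhw.exe gcwmjkp.exe gnwgxtp.exe hitnjy.exe hnwwar.exe hjeswpf.exe
hhmmth.exe ingoykn.exe jtjxkh.exe jhzzbaw.exe kyzmig.exe kqzpqus.exe
hjeswpf.exe hgvprfh.exe hpwzubt.exe lcqicmi.exe llmanjz.exe mshfxe.exe
musbow.exe mdusjza.exe nmfdby.exe nrsrdad.exe njjfjm.exe ovdszg.exe
pigsgrw.exe ppuouj.exe qemrogc.exe qnoknnm.exe ppkvtcu.exe phpcbhd.exe
povisn.exe ramuaa.exe jhboclj.exe sedjczr.exe semros.exe tenpck.exe
ubbfkpp.exe vulibsu.exe vulibsu.exe vrhtgfa.exe wlvuvh.exe wlvuvh.exe
wizawb.exe yrbyhtf.exe yfcafc.exe ytpai.exe zxxrqeb.exe zibxjhn.exe
""".split()

# Shape shared by every name in SEEN: 5-7 lowercase ASCII letters, no digits.
RANDOM_STEM = re.compile(r"[a-z]{5,7}")


def looks_random(filename):
    """True for exe/dll names whose stem has the random-letter shape seen in SEEN."""
    stem, _, ext = filename.lower().rpartition(".")
    return ext in {"exe", "dll"} and RANDOM_STEM.fullmatch(stem) is not None


def name_stats(names):
    """Summarise dropped file names: counts, repeats, stem-length range, shape check."""
    stems = [n.rpartition(".")[0] for n in names]
    return {
        "count": len(names),
        "unique": len(set(names)),
        "repeated": sorted(n for n, c in Counter(names).items() if c > 1),
        "stem_lengths": (min(map(len, stems)), max(map(len, stems))),
        "all_random_shape": all(looks_random(n) for n in names),
    }


def same_date_clusters(listing, min_size=2):
    """Ron's rule: group files by creation date, keep dates with >= min_size files."""
    by_day = defaultdict(list)
    for name, created in listing:
        by_day[created.date().isoformat()].append(name)
    return {day: sorted(names) for day, names in by_day.items() if len(names) >= min_size}


def suspects(listing, baseline):
    """High confidence: random-looking, not in the baseline, and in a same-date cluster."""
    baseline = {b.lower() for b in baseline}
    hits = []
    for day, names in sorted(same_date_clusters(listing).items()):
        hits.extend((day, n) for n in names if n.lower() not in baseline and looks_random(n))
    return hits


def random_named(listing, baseline):
    """Lower confidence: every random-looking file outside the baseline, clustered or not."""
    baseline = {b.lower() for b in baseline}
    return [n for n, _ in listing if n.lower() not in baseline and looks_random(n)]


# Constructed system32 listing of (file name, creation time): three legitimate files
# from an install date, the dropper pair plus a hypothetical companion DLL (rkpzqn.dll
# is an invented name) written within a minute of each other, and one lone respawn.
SAMPLE_LISTING = [
    ("notepad.exe", datetime(2004, 8, 4, 12, 0)),
    ("calc.exe",    datetime(2004, 8, 4, 12, 0)),
    ("winver.exe",  datetime(2004, 8, 4, 12, 0)),   # 6 letters: shape alone would flag it
    ("hjeswpf.exe", datetime(2005, 6, 12, 21, 17)),
    ("vulibsu.exe", datetime(2005, 6, 12, 21, 17)),
    ("rkpzqn.dll",  datetime(2005, 6, 12, 21, 18)),
    ("mshfxe.exe",  datetime(2005, 6, 13, 9, 2)),
]
# Known-good names for this box (constructed; in practice, a listing from a clean install).
BASELINE = {"notepad.exe", "calc.exe", "winver.exe"}

if __name__ == "__main__":
    print(name_stats(SEEN))
    print("same-date suspects:", suspects(SAMPLE_LISTING, BASELINE))
    print("random-named, any date:", random_named(SAMPLE_LISTING, BASELINE))
```

On a real machine, SAMPLE_LISTING would be built from Safe Mode by walking %windir% and %windir%\system32 with os.scandir and taking each entry's creation time (on Windows, os.stat reports it as st_ctime); the baseline would be the file list of a clean install of the same service pack, not a hand-typed set. The lone respawn on the following day (mshfxe.exe in the sample) is exactly the case Ron's date rule misses on its own, which is why the weaker name-shape list is reported separately.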
 
This is the same thing I have, I believe. I have been
fighting it for a week. Sunday I spent all day on the
bloody thing, and even removed rootkit files with
BlackLight. Eradicated everything, and the thing came
right back when booting to normal mode. This is even
after 3 virus scanners and many spyware removers did
their job and removed what I thought was all. I have not
used Killbox or APM, but will give them both a try and
repost. MS AntiSpyware attempts to block this thing and
recognizes it as unclassified.spyware.57 on my machine. I
have submitted it.

Brad
 