01-30-04 05:34 PM
Hi,
I've got a friend who has this trojan. I can't get rid of it. Found it in
the registry and deleted the entries. Rebooted, but the entries get added
again. Tried uninstalling the DLL, ftdpwmk.dll, but I get "access denied".
Every time I try something else, e.g. viewing processes, her PC reboots. Went into safe
mode but I can't find the source file(s).
I've tried searching Google but didn't find anything. Also tried searching
Norton and Sophos.
Anyone have any ideas? It's an XP PC. Unfortunately, she's a couple of
hundred miles away, but I can remote into the PC.
Thanks
Re: backdoor.afcore.bb HELL
01-31-04 02:33 AM
The problem with some malware is that it will recreate itself (with new *.dll
names) as soon as it detects that one of its processes has been shut down
or files have been deleted. There are two programmes, not just one: one of them is
the classic malware, the other is a monitoring service that restarts the
malware as soon as it detects the other is deleted, complete with new file
names.
I would use MSCONFIG and select 'diagnostic startup' to run only basic
services. Then track down and nuke the malware and all associated files that
I could find, using registry entries and MSCONFIG itself to track down as
many associated files as I could find.
I note that your friend is a long way away. I really don't think this is
something that can be done remotely. If the reinfector is missed, you're
back to square one.
--
_______________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer
"Shewman" <shewman@sympatico.ca> wrote in message
news:_cDSb.44891$mf4.1596318@news20.bellglobal.com...
Re: backdoor.afcore.bb HELL
01-31-04 04:33 AM
I am in the same boat. These things are a true nightmare
for a non-I.T. expert to deal with. There is no fix on the
net that I can discern.
Far from being incensed, I am intrigued by the method by
which the Trojan was slipped onto my machine.
If a computer in which the Messenger service has been
deleted, Windows Messenger also vanquished, running no
third-party chat software, dangerous services
disabled, firewalled and patched to the gills, etc. can be
compromised, then what hope is there for home users?
The average Joe who just wants to e-mail his mates in Oz?
I would suggest that a future issue of XP lists its own
legitimate entries in the registry in blue or
something. Furthermore, all DLLs belonging to genuine
Microsoft components should be coded in some way to make
it easier to spot rogue ones.
It may be asking the impossible, but it is in the
interests of vast corporate entities to sponsor the
development of free, good-quality A.V. programmes and
firewalls for home users.
Trojans are insidious, by their very nature almost
impossible to spot. I was alerted initially by the Sygate
free firewall. With secure DLL authentication enabled, by
observation you can ascertain which particular app
is "rogue".
This is by no means an adequate method of eradication,
rather more one of containment. But are we expected to
perform reformats and clean reinstalls every time one of
these ghastly things trespasses?
Re: backdoor.afcore.bb HELL
02-01-04 03:33 AM
Shewman,
Use the below as a reference only!
http://computercops.biz/postt12463.html
As you can see in the HijackThis log (as Sandi mentioned), these types of
trojans use random file names.
[example]
F1 - win.ini: run=yxxsdvxn.exe, tdmpuv.exe, dsgkatjskt.exe,
cduklntejyvc.exe, lvtucjb.exe
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm
________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 01-25-04]
Please post replies to this Newsgroup, email address is invalid
--
"Shewman" <shewman@sympatico.ca> wrote in message
news:_cDSb.44891$mf4.1596318@news20.bellglobal.com...
Re: backdoor.afcore.bb HELL
02-01-04 03:33 AM
Very Agoboted,
>"There is no fix on the net that I can discern"
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm
Note: be *sure* to follow up with HijackThis
________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 01-31-04]
Please post replies to this Newsgroup, email address is invalid
--
"Very Agoboted" <anonymous@discussions.microsoft.com> wrote in message
news:742801c3e7f3$d1bb2d40$a101280a@phx.gbl...
Re: backdoor.afcore.bb HELL
02-01-04 07:34 AM
Thanks Mike, I'll check it out
"Mike Burgess" <winhelp2002@spamthis.com> wrote in message
news:u06WoUL6DHA.360@TK2MSFTNGP12.phx.gbl...
Re: backdoor.afcore.bb HELL
02-01-04 07:34 AM
Hi Sandi,
Thanks for the suggestion. I'll read up on MSCONFIG.
Yeah, unfortunately I'll have to try and do it remotely.
"Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
news:u0WTgk%235DHA.2064@TK2MSFTNGP11.phx.gbl...
Re: backdoor.afcore.bb HELL
02-02-04 07:34 PM
OK, here's how I got rid of afcore.bb:
- uninstalled the offending DLL
- got rid of the existing anti-virus program AVG and had her install Norton
- Norton found 2 offending programs, AF.EXE and audio.exe
- reboot and now everything is fine.
"Sandi - Microsoft MVP" <sandi_hardmeier@mvps.org> wrote in message
news:u0WTgk%235DHA.2064@TK2MSFTNGP11.phx.gbl...
Re: backdoor.afcore.bb HELL
02-04-04 02:54 AM
Hi there!
I had the same problem, took me 3 hours to get rid of this nasty little
bastard! But if you know what to do, it will only take you 3 minutes :P
I copied this from another forum, it worked fine for me. Only remember to
log in as Administrator, otherwise you'll get the message "access denied"...
took me half an hour to figure that out :P... me so stupid... I used Norton
for a final scan to remove all infected files or whatever they were.
1. Click on the Start button on your desktop, go to Run, type in regedit and
click OK.
2. The Registry Editor window will open. Navigate to the following registry
folder: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (You do
this by clicking on the "+" sign next to the HKEY_LOCAL_MACHINE folder, then
the "+" sign next to Software, then Microsoft, then Windows, then
CurrentVersion, and then click on the actual Run folder).
3. In the Run folder, you will see a number of entries for programs that are
started automatically when Windows starts. Look for an entry that looks like
this:
rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1
The xxxxxxx.dll could be any set of letters and numbers ending with ".dll",
as this trojan creates this filename randomly. Write down the exact name of
this filename.
4. Leave the Registry Editor window open exactly where it is, but click on the
Start button again, and again choose Run.
5. In the Run text box, type in the following command (replacing xxxxxxx.dll
with the filename you wrote down in step 3):
rundll32 C:\Windows\system32:xxxxxxx.dll,Uninstall
This command is case sensitive, so all of the letters in the command and file
name must match. Make sure that you are logged in as Administrator!!!!
Otherwise you'll get the message "access denied".
6. Click the OK button. You should see a window indicating that Aflooder (or
AF) is being uninstalled (if there is an OK button to click to proceed, click
it).
7. When it seems that the uninstall has finished, click back on the Registry
Editor window. It should still be displaying the contents of the Run folder as
it was in step 3. Hit the F5 key on your keyboard to refresh the contents of
that Run folder. You may see that the entry you saw in step 3 has disappeared
now that the uninstall has taken place. If it has not, click once on that
entry:
rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1
...to highlight it, then hit the Delete key on your keyboard to delete it. If
you are asked if you are sure you want to do this, choose Yes.
8. Close the Registry Editor window, and reboot your computer. Aflooder should
now be removed.
Trend Micro, an anti-virus software vendor, claims that you can avoid being
re-infected with this trojan by installing the following Internet Explorer
security patch: http://www.microsoft.com/te.../MS03-032.asp. We suggest that
you download and install that patch, as it may indeed prevent re-infection.
If Aflooder changed your Internet Explorer home page to www.surferbar.com,
make sure to change it back to normal. The home page setting for Internet
Explorer can be found by clicking on Tools on the menu bar, then Internet
Options.
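An added triage example, not code from any post in this thread, that ties together two points raised above: Mike Burgess's HijackThis "F1 - win.ini: run=" line full of random executable names, and the Run-key entry in the last post, `rundll32 C:\Windows\System32:xxxxxxx.dll,Init 1`. The second colon in that path is NTFS alternate-data-stream syntax: the DLL is a stream attached to the System32 directory rather than a file inside it, which is why it never shows up in Explorer or a dir listing, and why the first poster could not find the source file in safe mode. The script works offline on text: a .reg-style export of the Run key and a HijackThis-style F1 line, both constructed here for illustration. ftdpwmk.dll and the five win.ini names are taken from the posts; the value name "abcd1234" and SOUNDMAN.EXE are made up, and the "random-looking name" heuristic is my own and is deliberately weak.

```python
"""Triage of Windows autostart entries like those in this thread.
Added example; input is constructed text, not data from a real machine."""
import re
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

# Constructed sample: a .reg export of the Run key (one legitimate value, one
# Afcore-style value using the DLL name from the first post) and the F1 line
# quoted by Mike Burgess. "abcd1234" and SOUNDMAN.EXE are made up.
SAMPLE_RUN_KEY = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"abcd1234"="rundll32 C:\\Windows\\System32:ftdpwmk.dll,Init 1"
'''
SAMPLE_WIN_INI_LINE = ("F1 - win.ini: run=yxxsdvxn.exe, tdmpuv.exe, "
                       "dsgkatjskt.exe, cduklntejyvc.exe, lvtucjb.exe")

# A second colon after the drive letter (C:\Windows\System32:name.dll) is NTFS
# alternate-data-stream syntax: name.dll is a stream on the System32 directory,
# not a file inside it, so Explorer and "dir" never show it.
ADS_PATH = re.compile(r"^(?P<base>[A-Za-z]:\\[^:]*):(?P<stream>[^\s,]+)")
RUNDLL32 = re.compile(r"^rundll32(?:\.exe)?\s+(?P<target>\S+?),(?P<entry>\w+)", re.I)
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
F1_LINE = re.compile(r"^F1\s*-\s*win\.ini:\s*run=(?P<exes>.*)$", re.I)


@dataclass
class Finding:
    source: str                      # "Run" (registry) or "win.ini"
    name: str                        # value name, or the exe for win.ini
    command: str
    reasons: List[str] = field(default_factory=list)
    uninstall: Optional[str] = None  # the rundll32 ...,Uninstall step from the last post


def looks_random(basename: str) -> bool:
    """Weak heuristic for machine-generated names: almost no vowels, or a run of
    four or more consonants. Short legitimate names (ctfmon) trip it too, so use
    it to rank entries, never to convict them."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", basename).lower()
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 5:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    longest_run = max(len(r) for r in re.split(r"[aeiou]", letters))
    return vowels / len(letters) < 0.25 or longest_run >= 4


def parse_reg_export(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (value name, data) from a .reg export; .reg doubles backslashes."""
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if m:
            yield m.group("name"), m.group("data").replace("\\\\", "\\")


def analyze_run_value(name: str, command: str) -> Optional[Finding]:
    parts = command.strip().split()
    if not parts:
        return None
    f = Finding("Run", name, command)
    m = RUNDLL32.match(command.strip())
    target = m.group("target") if m else parts[0]
    ads = ADS_PATH.match(target)
    if ads:
        f.reasons.append(f"target is NTFS alternate data stream '{ads.group('stream')}' "
                         f"on directory {ads.group('base')}; invisible to Explorer/dir")
    if m:
        f.reasons.append(f"loaded via rundll32 with entry point {m.group('entry')}")
        if ads:
            # The last post's removal step: call the DLL's own Uninstall export,
            # keeping the exact case of the name as found in the Run key.
            f.uninstall = f"rundll32 {target},Uninstall"
    if looks_random(target.rsplit("\\", 1)[-1].rsplit(":", 1)[-1]):
        f.reasons.append("file name looks machine-generated")
    return f if f.reasons else None


def analyze_win_ini(f1_line: str) -> List[Finding]:
    """win.ini run= is a legacy autostart that is normally empty, so anything in
    it deserves a look; the thread's example lists five names."""
    m = F1_LINE.match(f1_line.strip())
    if not m:
        return []
    exes = [e.strip() for e in m.group("exes").split(",") if e.strip()]
    out = []
    for exe in exes:
        f = Finding("win.ini", exe, f"run={exe}",
                    [f"listed in legacy win.ini run= line ({len(exes)} entries)"])
        if looks_random(exe):
            f.reasons.append("file name looks machine-generated")
        out.append(f)
    return out


def scan(reg_text: str, f1_line: str) -> List[Finding]:
    run = (analyze_run_value(n, d) for n, d in parse_reg_export(reg_text))
    return [x for x in run if x] + analyze_win_ini(f1_line)


if __name__ == "__main__":
    for f in scan(SAMPLE_RUN_KEY, SAMPLE_WIN_INI_LINE):
        print(f"[{f.source}] {f.name}: {f.command}")
        for r in f.reasons:
            print("   -", r)
        if f.uninstall:
            print("   removal step from the thread:", f.uninstall)
```

On the sample input the legitimate SoundMan value produces no finding, the abcd1234 value is flagged three times (alternate data stream, rundll32 Init entry point, random-looking name) and yields the exact `rundll32 C:\Windows\System32:ftdpwmk.dll,Uninstall` command the last post describes, and all five win.ini names are flagged. XP shipped no built-in way to list alternate data streams (Sysinternals streams.exe was the usual tool), which is why the thread has to recover the name from the Run key rather than from a file listing; on Vista and later, `dir /r` in cmd.exe shows streams directly.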