Adware Removal Problem

Discussion in 'NOD32 version 2 Forum' started by Chris74656, Feb 15, 2007.

Thread Status:
Not open for further replies.
  1. Chris74656

    Chris74656 Registered Member

    Joined: Feb 15, 2007
    Posts: 24
    One of my friend's kids has a computer (that did have NOD32 2.6.x but I've upgraded it to 2.7.x) that apparently has some type of adware that NOD32 can't remove and that I can't seem to remove manually either. NOD32 detects it as Win32/adware.virtumonde.O and the problem dll seems to be vddiwn.dll, but the thing is that even in safe mode I can't delete that file, and using Process Explorer to check what processes have that file open shows me:
    Winlogon.exe Dll
    Winlogon.exe Handle
    iexplore.exe
    explorer.exe

    I know that it's possible to terminate both iexplore.exe and explorer.exe processes with Task Manager and still run a command prompt to manually delete a file, but terminating Winlogon causes the system to shut down and restart. Does anyone have any ideas on how I can clean this off the computer?

    Thanks,

    - Chris LeFebvre
     
  2. pykko

    pykko Registered Member

    Joined: Apr 27, 2005
    Posts: 2,236
    Location: Romania...and walking to heaven
    Hello, Chris74656! Welcome to Wilders!

    Where is that .dll located?
    You can go here: http://ccollomb.free.fr/unlocker/, download the program, then go to the folder where that .dll is, right-click it and select "Unlock and delete". It will work.

    But first, post here where that file is located.
     
  3. ASpace

    ASpace Guest

    Hello Chris and welcome to Wilders!

    As Pykko said, it is really important to mention the whole path of the infected DLL file, as well as other infected files. The whole path would look something like this (example):
    C:\Windows\system32\test.dll (example)

    Then we will help you delete that file and remain clean. Also, doesn't NOD32 attempt to delete the file on reboot?
     
  4. Chris74656

    Chris74656 Registered Member

    Joined: Feb 15, 2007
    Posts: 24
    Thanks for the welcome and quick reply, in answer to your questions:

    The full path to the file is: C:\winnt\registration\vddiwn.dll

    At the end of the In Depth Analysis \ Scan & Clean, NOD32 does report that one or more files were locked and asks if you want to clean them on the next reboot, to which I answer Yes, but after the reboot NOD32 does not seem able to clean this, and I had assumed that it was for the same reason that I couldn't manually remove this in safe mode, i.e. that this dll has somehow hooked itself to these critical system processes that Windows can't run without. I'll give this a try in the next day or so and report back on the results.

    Thanks,

    - Chris LeFebvre
     
  5. Blackspear

    Blackspear Global Moderator

    Joined: Dec 2, 2002
    Posts: 15,115
    Location: Gold Coast, Queensland, Australia
    Hi Chris, welcome to Wilders.

    Please follow the instructions found HERE

    Let us know how you go...

    Cheers :D
     
  6. DavidCo

    DavidCo Registered Member

    Joined: Jul 9, 2005
    Posts: 503
    Location: UK
    Should Nod detect this ********
    It seems that there are new variants around :eek:

    There is a Virtumonde tool at Lavasoft

    edit - Ooops, lots of updates for the variants.
     
    Last edited: Feb 16, 2007
  7. ASpace

    ASpace Guest


    1. Download The Avenger here and save it on your Desktop.
    2. Download this file (the script) here and save it on your Desktop.
    3. Open the program: avenger.exe.
    4. In the program, choose Load Script From File.
    5. Browse to find the file/the script I gave you (kill.txt), press the Glass icon to see the script and when you are ready ...
    6. Press on the traffic light icon.

    Now, your computer will boot, and The Avenger will run the script file before all the exe and the dll files of the malware. After restart the malware files will be gone. The Avenger will inform you with a log text file you'll see after you reboot.

    After that, follow Blackspear's post to
    1. Perform a full scan with updated NOD32
    2. Download and send NOD32 support log files of HijackThis and MS AutoRuns, which will help them identify if there are some leftovers of the malware.

    For a second opinion, you can download, update and run dedicated anti-spyware software such as Spybot Search and Destroy (but this is just an option)
    Good luck :thumb:
     
    Last edited by a moderator: Feb 20, 2007
  8. Chris74656

    Chris74656 Registered Member

    Joined: Feb 15, 2007
    Posts: 24
    Thanks to HiTech_Boy, the information you provided allowed me to remove that problem dll and the system now scans clean (other than the backup zip file that The Avenger created) with both NOD32 and Spybot.

    I had put Spybot Search and Destroy on their computers a while ago with instructions to update and scan at least every other week. As far as I know the kids do perform them, but of course, being teenagers, it's hard to get details of what exactly led up to this problem, but it's fixed now and my thanks (as well as their father's thanks) to everyone who contributed.

    Regards,

    - Chris LeFebvre
     
  9. ASpace

    ASpace Guest

    You are welcome! :thumb:
     