Anyone seen this before?
Page 1 of 2 12 LastLast
Results 1 to 10 of 16

Thread: Anyone seen this before?

  1. #1
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658

    Anyone seen this before?

    OK....my AV (AVG) will not load, cannot be started manually. Double-click, hourglass for a microsecond and then nothing. The same thing applies to my TASK MANAGER (Win XP)...no open, so I can't see what processes are running.

    But wait...I've got Swat-It, which has a process viewer. Lo and behold, I see a process called ydjfnj.exe that is totally new to me. I googled it and got NO RESULTS. When I killed the process, my AV and task manager became functional again. I'm scanning with AVG even as I type, but I'm curious as to if anyone else is familiar with this "ydjfnj.exe" bastard that has invaded my box. I'll let y'all know if AVG or Swat-It finds anything in a bit.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I've seen problems similar to that... however not with that filename, mind you we have a running list of 35 filenames so it's safe to say there are more that we've yet to identify... Have you checked your registry... search for the executables name... namely the various Run, RunOnce, RunServices and RunServicesOnce keys... that's where the virus I've been dealing with tends to reside... See if it has a key that is misleading... Windows Update, Sp2, AutoUpdater and about 40 other "safe" sounding key names are used...

    We've found that the TrendMicro sysclean package (and a custom script) are the only two pieces of software that fully clean the problem... You can download it from http://www.trendmicro.com/download/dcs.asp. Just make sure you get the latest lpt file... there are instructions with it on downloading the definitions... or you can grab them from http://www.trendmicro.com/download/pattern.asp

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    I'd have to guess that it is a random process name. I've seen malware create random process names so it is harder to detect them and track them down. But they clearly stand out to the trained eye. I've never had any spyware block my av or my task manager, so I'd suspect its a virus of some sort.

    I've seen some really bad malware that would check to see if its random processes had been killed... if one had been killed... it starts two more random processes. Pretty soon you can't keep up with the killing and use all system resources...

    It really wanted to hide itself... and blocked certain programs... but since you couldn't use those programs you got suspicious... funny how that works. I wonder what % of people never notice...

    Keep us informed as to what bug bit ya.

    BTW: If you are using XP, you can use the command tasklist in CLI as an alternative if you can't get the task manager to display. Or, even better... fport or pstools.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    It is a random process name. DL stinger and run that along adaware. In my experience you need multiple programs to get rid of different portions of this virus. it is a serious painin the ass. I would just back up my files and format if I were you. It is eventually what I did.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    You think that the"old fart" is going to backup/format/reinstall?

    Nah... he'll track the focker down and kill it where it sleeps.

    I've been able to get rid of any malware that I've been infected with. It just takes a bit of out smarting the infection. Most of the time... upated programs and a good scan/clean from safe mode will take care of them. Just hope that it hasn't done much damage. If you find out that the malware you were infected with caused damage that can't be repaired.. then its time to format/reload. But thats only my opinion.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    OK...AVG finds nothing. BTW...before I killed the process, I was also unable to access msconfig. Now that I can, guess who I found in my startup list....that's right, the BASTARD file mentioned above. I also found it in the windows/system32 folder...last modification date 8/23/2001, which would make it appear to be a legit system file. Needless to say, I took it out of the startup process and deleted the mo-fo. If all goes well I'll post after I reboot....if not I'll see ya in safe mode in a few.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  7. #7
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Scratch one pain in the ass....I'd still like to know where it came from though....I need to hunt down its parents and kill them.

    BTW....I've still got it in my recycle bin if anyone wants it....or maybe I can sell it on ebay.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  8. #8
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    I'll take a compressed copy of it... I'll compare it to the live ones that we've archived to study.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  9. #9
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    OK...it looks like it's C++ and is the spawn of some kiddiot named netmaniac. Here's a zipped copy...
    Al
    It isn't paranoia when you KNOW they're out to get you...

  10. #10
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    huh...found this in it too...

    C:\Dokumente und Einstellungen\Willi Bauer\Desktop\woopiebot\Debug\rBot.pdb
    Al
    It isn't paranoia when you KNOW they're out to get you...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •