That is exactly what it is doing: it is bound into winlogon.exe and is making connections to that IP, 69.20.20.161, and whenever I delete or do anything, it is finding its way back in through winlogon.exe and that rundll32.exe file. Nasty crap.
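An added example, not from the original poster: the two facts the post gives (a connection to 69.20.20.161, owned by winlogon.exe) are exactly what a join of `netstat -ano` and `tasklist` output surfaces. The script below parses constructed sample output of both commands (the PIDs, local addresses and other processes are made up; only the remote address comes from the post), maps each established connection to its owning image, and flags anything that either talks to a watch-listed address or is owned by a process that should never hold an outbound connection at all.

```python
import re
from collections import namedtuple

# Constructed sample output, not captured from the poster's machine. The
# foreign address 69.20.20.161 is the one the post names; PIDs, local
# addresses and the other processes are made up for the demonstration.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       868
  TCP    192.168.1.10:1055      69.20.20.161:80        ESTABLISHED     652
  TCP    192.168.1.10:1061      64.233.167.99:80       ESTABLISHED     1420
  UDP    0.0.0.0:445            *:*                                    4
"""

TASKLIST = """\

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
winlogon.exe                 652 Console                 0      3,452 K
svchost.exe                  868 Console                 0      4,300 K
iexplore.exe                1420 Console                 0     18,112 K
"""

Conn = namedtuple("Conn", "proto local remote state pid")


def parse_netstat(text):
    """Parse `netstat -ano` output into Conn records. TCP rows carry a
    State column, UDP rows do not, so the two are unpacked differently."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


# image name (may contain spaces), PID, session name, session#, mem usage
TASK_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    pids = {}
    for line in text.splitlines():
        m = TASK_RE.match(line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


# Processes that have no business holding an outbound Internet connection.
# winlogon.exe is the one the post names; extend the set to taste.
NO_NETWORK_EXPECTED = {"winlogon.exe"}


def suspicious_connections(netstat_text, tasklist_text, ioc_ips=("69.20.20.161",)):
    """Return (pid, image, remote, reason) for every established connection
    that goes to a watch-listed address or is owned by a process that
    should not be on the network at all."""
    pids = parse_tasklist(tasklist_text)
    hits = []
    for c in parse_netstat(netstat_text):
        if c.state != "ESTABLISHED":
            continue
        image = pids.get(c.pid, "<unknown>")
        ip = c.remote.rsplit(":", 1)[0]
        reasons = []
        if ip in ioc_ips:
            reasons.append("remote %s is on the watch list" % ip)
        if image.lower() in NO_NETWORK_EXPECTED:
            reasons.append("%s should never hold an outbound connection" % image)
        if reasons:
            hits.append((c.pid, image, c.remote, "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for pid, image, remote, reason in suspicious_connections(NETSTAT_ANO, TASKLIST):
        print("PID %d %s -> %s: %s" % (pid, image, remote, reason))
```

On a real box, save `netstat -ano` and `tasklist` output to files and feed their contents to `suspicious_connections`. Note that PID-to-image mapping only tells you which process hosts the connection; a DLL loaded into winlogon.exe shows up as winlogon.exe, which is why the owning image being a core system process is itself treated as a finding here.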
[off topic --- slightly]
I'm not capable of answering these types of problems, but one question keeps coming up in my mind:
What size is the offending file? I seem to recall reading that the average baddie is only [at most] a couple of kilobytes long, which isn't really a great deal of code to be able to do all that the newer species are apparently capable of.
Are there any places I can read up on these points?
You have probably tried countless things; however, NoAdware is the only one claiming they can remove it.
www.NoAdware.net
Good luck.
Thanks for that suggestion, Relyt... my customer is gone already, though, so I can't test it :(
I checked one last time, right before she came to pick it up, with both AdAware and Spybot. Both gave clean results. Then, when she was here, I fired up AdAware, took 10 seconds and BANG: four new entries... try explaining that...
Spyrus > Have you tried AdAware with the VX2 plug-in? I can't test it to see if it works (since the customer is gone already)... I know the plug-in works, but not whether it's efficient or not...
http://www.lavasoftusa.com/software/...2cleaner.shtml
Just ran NoAdware, which found some stuff but didn't really do anything and wants you to pay for it before it will clean.... But it leaves you the directories where the stuff is, so you can manually delete (didn't fix the problem).
Neg: AdAware's lil program didn't do anything for me.
Something else I tried was booting to Knoppix (live CD), then trying to delete that winupdak.dll. The first time I checked, it wasn't there. Went back to Windows, scanned the entire box in safe mode with everything imaginable, and it came up clean. Rebooted to Knoppix, the winupdak.dll was there again (in system32\winupdak.dll) and Knoppix couldn't delete it! Rebooted to Windows, no winupdak.dll to be seen... it almost seems like it's physically attaching itself to the hard drive and going into stealth mode :)
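An added example, not from the original poster: a file that is visible when the disk is mounted from a live CD but absent when Windows itself lists the directory is the classic signature of something filtering Windows' own file enumeration, and the way to catch it is a cross-view diff: list the directory from outside the running OS, list it again from inside, and compare. The script below does that over two constructed listings (one imitating `find /mnt/hda1/WINDOWS/system32 -maxdepth 1 -type f` from Knoppix, one imitating `dir /b /a C:\WINDOWS\system32` from Windows; the file set is trimmed to a handful of names, with winupdak.dll as the only one the post actually names). The mount path /mnt/hda1 is an assumption.

```python
import ntpath
import posixpath

# Constructed listings, not captured from the poster's machine.
# OFFLINE_LISTING imitates `find /mnt/hda1/WINDOWS/system32 -maxdepth 1 -type f`
# run from the Knoppix live CD with the NTFS volume mounted (mount path assumed);
# ONLINE_LISTING imitates `dir /b /a C:\WINDOWS\system32` run inside the
# infected Windows install. Real listings have thousands of entries.
OFFLINE_LISTING = """\
/mnt/hda1/WINDOWS/system32/kernel32.dll
/mnt/hda1/WINDOWS/system32/winlogon.exe
/mnt/hda1/WINDOWS/system32/rundll32.exe
/mnt/hda1/WINDOWS/system32/winupdak.dll
/mnt/hda1/WINDOWS/system32/ntdll.dll
"""

ONLINE_LISTING = """\
kernel32.dll
winlogon.exe
rundll32.exe
ntdll.dll
"""


def normalize(listing, offline):
    """Reduce a listing to a set of lower-cased base names. Offline listings
    come from a Unix shell (forward slashes); online ones from cmd.exe
    (backslashes, or bare names with `dir /b`). NTFS is case-insensitive,
    so names are folded before comparing."""
    names = set()
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        base = posixpath.basename(line) if offline else ntpath.basename(line)
        names.add(base.lower())
    return names


def cross_view_diff(offline_listing, online_listing):
    """Compare the outside view of a directory with the inside view.

    hidden_from_windows: on disk, but Windows' own enumeration does not
        show it (something is filtering the API's results).
    missing_on_disk: Windows shows it, but it is not on disk (stale
        view, or an object that exists only while the OS is running).
    Either side being non-empty deserves a look; the first is the one the
    post describes."""
    offline = normalize(offline_listing, offline=True)
    online = normalize(online_listing, offline=False)
    return {
        "hidden_from_windows": sorted(offline - online),
        "missing_on_disk": sorted(online - offline),
    }


def diff_files(offline_path, online_path):
    """Same comparison over two saved listing files."""
    with open(offline_path, encoding="utf-8", errors="replace") as f:
        offline = f.read()
    with open(online_path, encoding="utf-8", errors="replace") as f:
        online = f.read()
    return cross_view_diff(offline, online)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        result = diff_files(sys.argv[1], sys.argv[2])
    else:
        result = cross_view_diff(OFFLINE_LISTING, ONLINE_LISTING)
    for kind, names in result.items():
        for name in names:
            print("%s: %s" % (kind, name))
```

Two practical points when doing this for real. Take the Windows-side listing with `dir /b /a` so hidden and system attributes are included; otherwise ordinary attribute-hidden files pollute the result. And anything in `hidden_from_windows` will never be seen by a scanner running inside that Windows install, so removal has to happen from the offline boot with a driver that can write to NTFS; the Linux NTFS driver of the Knoppix era mounted volumes read-only by default, which on its own explains a failed delete from the live CD.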
I have been following both threads on this and just have one question (wish I could tell you how to remove it, but I can't).
Where does this baddie come from? Is it downloaded, or bundled with something else? Is there a common website that compromises PCs, or what?
I have tried researching various sites to see what others are saying about this, but no one is mentioning where it comes from.
Here's info on its origins, mox.
Thanks Neg.
After considering that this variant is an IE exploit, I might have a solution, but don't have any way of testing it.
Quote:
By default, Internet Explorer 6 is preinstalled in all versions of Windows XP and cannot be removed. To provide computer manufacturers more flexibility in configuring desktop versions of Windows XP, Microsoft has made it possible for OEMs, administrators, and users to remove user access to Internet Explorer while leaving the Internet Explorer code intact and fully functional to make sure the functionality of programs and operating system functions that rely on it. For example, Windows XP supports an "IEAccess=off" switch in the Unattend.txt file, and Internet Explorer has been added to the Add/Remove Windows Components section of the Add/Remove Programs tool in Control Panel. This does not reinstall Internet Explorer.
Then you can use some of the other tools and suggestions in this Microsoft article, http://support.microsoft.com/kb/318378/EN-US/ , which the above quote comes from.
Basically, you would be attempting to remove most of the registry entries dealing with IE and then reinstalling IE from an OS disc and redoing all the registry keys. Hopefully, this would remove the baddie's base and registry exploits and allow you to do a clean install of IE.
I could go on and say... just don't use IE, but I am sure that you have already tried to convince the users of that.