
dvd4free.dll cannot delete or edit reg entry

Status
Not open for further replies.
I have the dreaded dvd4free.dll in my system32 folder. It will not delete.

I have the dvd4free registry entry that comes back as soon as I delete the notify keys for it. I've tried HJT, spysweeper, spybot s&d to name a few. I've tried killfile to delete the file, tried to wipe it and it still persists to come back.
There is nothing in my HJT log that makes reference to it.

I get no popups, just an annoying "virus found" from AVG.

Is there a long way around to remove the files and the registry entry?

Thanks in advance.

bristol

CTO
MSCE, CCNA, Novell, Symantec SS
 
Check the dll cache folder and see if the file is in there as well. If so, delete it there first, then system32 folder. Also recommend running a full system scan in safe mode with ewido.


There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Forgot to mention, dllcache is in the system32 folder.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
There is no matching dll in the dllcache folder. I used ewido as well (in safe mode). I can't figure out a way to stop it from reproducing. I tried to delete the reg key, but it comes back in an instant (is there a process that controls this? If so, I've not been able to find it).

I ran spysweeper as well (in safe mode).

No luck.

I also ran the look2me cleaner and several other tools.
I don't know if it is making any periodic connections. I used arp -g and netstat to check for backdoor connections, but all looks normal.

Any ideas? My guess is that I am going to have to keep using various tools until I find one that works...



CTO
MSCE, CCNA, Novell, Symantec SS
 
Even though you say that you checked the HJT log, and found nothing, post the LOG here, we may be able to discern what is running or gets loaded, that makes it resident...

ALSO a word for the wise, TURN off SYSTEM RESTORE when you clean out MALWARE...



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
 
Well, I seem to have finally got the dll and reg entry cleaned out. I used spy sweeper 3 times in safe mode, with a restart each time. I'm going to keep spy sweeper running for a bit and see how I like it.
I now have a USB thumb drive loaded with a bunch of virus / malware removal tools to use just in case.

Seems all this was related to the spy sheriff virus.

Logfile of HijackThis v1.97.7
Scan saved at 7:01:50 AM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\NoFlash\NoFlash.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Zips\HijackThis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bullshit
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BCWipe\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [No! Flash] C:\Program Files\NoFlash\NoFlash.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Linked Ima&ges - C:\IEimage.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O15 - Trusted Zone:
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -


CTO
MSCE, CCNA, Novell, Symantec SS
 
This appears to have been run in safe mode. If you can run it in normal mode and run this program again and post the log then.


Remove this entry
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Bullshit

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Besides that, get V. 1.99.1 instead of that old version you are using...



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
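
An audit of the "notify keys" the original poster describes, as an added example that is not part of the thread. It assumes those keys are the subkeys of `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` on Windows XP and that PowerShell is installed; `Get-WinlogonNotifyDll` is a hypothetical helper name.

```powershell
# Added example: audit Winlogon Notify packages (Windows 2000/XP/2003 only).
# Get-WinlogonNotifyDll is a hypothetical helper name, not a built-in cmdlet.
function Get-WinlogonNotifyDll {
    param(
        [string]$Root = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    )
    if (-not (Test-Path $Root)) { return }

    foreach ($key in Get-ChildItem $Root) {
        # Each Notify package names the DLL that winlogon.exe loads for it.
        $dll = $key.GetValue('DllName')
        if (-not $dll) { continue }

        # Assumption: a bare file name refers to a DLL in system32.
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path (Join-Path $env:SystemRoot 'system32') $path
        }

        # -Force so hidden or system files are still found.
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        $row = New-Object PSObject
        $row | Add-Member NoteProperty Package $key.PSChildName
        $row | Add-Member NoteProperty DllName $dll
        $row | Add-Member NoteProperty Exists  ([bool]$file)
        $row | Add-Member NoteProperty Company $(if ($file) { $file.VersionInfo.CompanyName })
        $row | Add-Member NoteProperty Created $(if ($file) { $file.CreationTime })
        $row
    }
}

# Entries with no company name, or a DLL created recently, deserve a closer look.
Get-WinlogonNotifyDll | Sort-Object Created | Format-Table -AutoSize
```

Because winlogon.exe loads these DLLs itself, a package listed here will not appear as a separate entry in a running-process list.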
 