need a bat to run FIRST thing


ZenMasta

Hi, I'm trying to remove some spyware from my pc that is attaching itself to
explorer so I can't delete it even by booting into safe mode. The spyware
replicates itself and creates additional entries in the registries, and
creates additional dlls in the system32 folder.

I know exactly which files I need to delete but I can't delete them because
they are always "in use".

I've used hijackthis and I can remove everything but 2 files that are the
ones that keep recreating all the rest of the stuff. The files I need to
delete are labeled as browser helper objects in IE7. I can disable them but
there is no uninstall option and upon reboot they are always enabled again.

What I would like to do if at all possible is create a batch file that
deletes the specific files. Ideally delete files with date created of
12/3/2007 or newer, but I wouldn't want to accidentally use the wrong ><
symbol and hose my windows installation, so I'm fine with naming each file
for deletion.


I'm wondering what the best way to do this is.
edit autoexec.bat and add
CALL c:\myfile.bat ?

myfile.bat:
del C:\windows\system32\ddcbyvu.dll
del C:\windows\system32\pmkji.dll
del C:\windows\system32\pmnno.dll

Thanks in advance.
 
ZenMasta wrote:
> Hi, I'm trying to remove some spyware from my pc that is attaching
> itself to explorer so I can't delete it even by booting into safe
> mode. The spyware replicates itself and creates additional entries
> in the registries, and creates additional dlls in the system32
> folder.
> I know exactly which files I need to delete but I can't delete them
> because they are always "in use".
>
> I've used hijackthis and I can remove everything but 2 files that
> are the ones that keep recreating all the rest of the stuff. The
> files I need to delete are labeled as browser helper objects in
> IE7. I can disable them but there is no uninstall option and upon
> reboot they are always enabled again.
> What I would like to do if at all possible is create a batch file
> that deletes the specific files. Ideally delete files with date
> created of 12/3/2007 or newer, but I wouldn't want to accidentally
> use the wrong >< symbol and hose my windows installation, so I'm
> fine with naming each file for deletion.
>
>
> I'm wondering what the best way to do this is.
> edit autoexec.bat and add
> CALL c:\myfile.bat ?
>
> myfile.bat:
> del C:\windows\system32\ddcbyvu.dll
> del C:\windows\system32\pmkji.dll
> del C:\windows\system32\pmnno.dll
>
> Thanks in advance.


EXPLORER is Windows.

So - what 'spyware' is this? OR is this a Virus/Trojan?

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
On Dec 11, 2:42 pm, "ZenMasta" <m...@nospam.com> wrote:
> Hi, I'm trying to remove some spyware from my pc that is attaching itself to
> explorer so I can't delete it even by booting into safe mode. The spyware
> replicates itself and creates additional entries in the registries, and
> creates additional dlls in the system32 folder.
>
> I know exactly which files I need to delete but I can't delete them because
> they are always "in use".
>
> I've used hijackthis and I can remove everything but 2 files that are the
> ones that keep recreating all the rest of the stuff. The files I need to
> delete are labeled as browser helper objects in IE7. I can disable them but
> there is no uninstall option and upon reboot they are always enabled again.
>
> What I would like to do if at all possible is create a batch file that
> deletes the specific files. Ideally delete files with date created of
> 12/3/2007 or newer, but I wouldn't want to accidentally use the wrong ><
> symbol and hose my windows installation, so I'm fine with naming each file
> for deletion.
>
> I'm wondering what the best way to do this is.
> edit autoexec.bat and add
> CALL c:\myfile.bat ?
>
> myfile.bat:
> del C:\windows\system32\ddcbyvu.dll
> del C:\windows\system32\pmkji.dll
> del C:\windows\system32\pmnno.dll
>
> Thanks in advance.


Hello,

You have the vundo downloader trojan. You'll want to take care of
this. XP doesn't "normally" use the autoexec.bat file. Even creating
your .bat file to run out of, say, the Startup folder probably won't
work as the trojan is almost certainly loading early in the boot
process.

Have a read here for a fix for your trojan:

http://www.microsoft.com/communitie...&tid=8ee37f64-681d-432e-b820-46d8df1b8fee&p=1

Or, if you Google those dll files, I'm sure you'll find a number of
similar fixes. This is a common trojan infection.

Luck!
 
--
jad


"ZenMasta" wrote:

> Hi, I'm trying to remove some spyware from my pc that is attaching itself to
> explorer so I can't delete it even by booting into safe mode. The spyware
> replicates itself and creates additional entries in the registries, and
> creates additional dlls in the system32 folder.
>
> I know exactly which files I need to delete but I can't delete them because
> they are always "in use".
>
> I've used hijackthis and I can remove everything but 2 files that are the
> ones that keep recreating all the rest of the stuff. The files I need to
> delete are labeled as browser helper objects in IE7. I can disable them but
> there is no uninstall option and upon reboot they are always enabled again.
>
> What I would like to do if at all possible is create a batch file that
> deletes the specific files. Ideally delete files with date created of
> 12/3/2007 or newer, but I wouldn't want to accidentally use the wrong ><
> symbol and hose my windows installation, so I'm fine with naming each file
> for deletion.
>
>
> I'm wondering what the best way to do this is.
> edit autoexec.bat and add
> CALL c:\myfile.bat ?
>
> myfile.bat:
> del C:\windows\system32\ddcbyvu.dll
> del C:\windows\system32\pmkji.dll
> del C:\windows\system32\pmnno.dll
>
> Thanks in advance.

Before editing anything, run a thorough scan of your system to rid it of viruses. One way to do it online is to try the scanner at http://www.ca.com which is a free scan and will run in under 5 minutes. The removal is also free. Computer Associates is a very trusted website.
 
"ZenMasta" <me@nospam.com> wrote in message
news:%23Q3q53CPIHA.292@TK2MSFTNGP02.phx.gbl...
> Hi, I'm trying to remove some spyware from my pc that is attaching itself
> to explorer so I can't delete it even by booting into safe mode. The
> spyware replicates itself and creates additional entries in the
> registries, and creates additional dlls in the system32 folder.
>
> I know exactly which files I need to delete but I can't delete them
> because they are always "in use".
>
> I've used hijackthis and I can remove everything but 2 files that are the
> ones that keep recreating all the rest of the stuff. The files I need to
> delete are labeled as browser helper objects in IE7. I can disable them
> but there is no uninstall option and upon reboot they are always enabled
> again.


Did you try doing this in Safe Mode?


> What I would like to do if at all possible is create a batch file that
> deletes the specific files.


Not needed and if you can't delete the files manually, the batch file won't
be able to either.

You need to not load them in the first place, which means either booting
from another OS (CD or host) or Safe Mode.

>Ideally delete files with date created of 12/3/2007 or newer, but I
>wouldn't want to accidentally use the wrong >< symbol and hose my windows
>installation, so I'm fine with naming each file for deletion.
>
>
> I'm wondering what the best way to do this is.


It isn't with a batch file. Boot with another CD, and delete the files
manually.

Or, attach the drive to another system via a USB2 case and scan it with an
A/V utility.

HTH
-pk


> edit autoexec.bat and add
> CALL c:\myfile.bat ?
>
> myfile.bat:
> del C:\windows\system32\ddcbyvu.dll
> del C:\windows\system32\pmkji.dll
> del C:\windows\system32\pmnno.dll
>
> Thanks in advance.
 
Claymore, you hit it right on the head. Although I'm surprised you found it
because I did try searching for many of these file names but only returned a
result once for geeda.dll and didn't find a resolve. I realize these files
are loading at boot which was why I was hoping I could make a bat file that
would run hopefully BEFORE these do :P

I don't have another pc to plug my HD into, if I did I definitely would have
as it seems to be the best/easiest thing to do.

It just sucks that all these av programs you can pay for are easily
outmaneuvered by 2bit trojans that load at boot or whatever. I do have a
subscription for an av app plus I use freeware stuff like spybot. I don't
understand why these programs (av/antispyware) don't use the same kind of
rootkit/boot loading tactics so they can remove the spyware/viruses.
 
"ZenMasta" <me@nospam.com> wrote in message
news:OLhEfJEPIHA.2376@TK2MSFTNGP02.phx.gbl...
> Claymore, you hit it right on the head. Although I'm surprised you found
> it because I did try searching for many of these file names but only
> returned a result once for geeda.dll and didn't find a resolve. I realize
> these files are loading at boot which was why I was hoping I could make a
> bat file that would run hopefully BEFORE these do :P
>
> I don't have another pc to plug my HD into, if I did I definitely would
> have as it seems to be the best/easiest thing to do.



You can also use boot CDs, such as the XP CD (into the recovery console) and
most Linux Live Boot CDs. The Ubuntu CD works very well.

HTH
-pk

>
> It just sucks that all these av programs you can pay for are easily
> outmaneuvered by 2bit trojans that load at boot or whatever. I do have a
> subscription for an av app plus I use freeware stuff like spybot. I don't
> understand why these programs (av/antispyware) don't use the same kind of
> rootkit/boot loading tactics so they can remove the spyware/viruses.
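
The offline approach suggested above (boot a Linux live CD so the DLLs are never loaded), as an added example that is not part of the original thread. It moves the three files named in the thread into a quarantine directory with a SHA-256 manifest instead of deleting them, so a wrong name can be undone; the mount point, quarantine path and function names are assumptions, and the Windows volume is assumed to be already mounted read-write.

```shell
#!/bin/sh
# Added example: quarantine named DLLs on an OFFLINE Windows volume from a live CD.
# Assumption: the Windows partition is already mounted read-write at the given path.

# File names taken from the thread. Matched case-insensitively, because the
# on-disk case (WINDOWS vs windows, .DLL vs .dll) is not known in advance.
TARGETS="ddcbyvu.dll pmkji.dll pmnno.dll"

# find_ci DIR NAME: print the direct child of DIR whose name equals NAME, ignoring case.
find_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -print 2>/dev/null | head -n 1
}

# quarantine_offline MOUNT QDIR: move each target out of system32 into QDIR,
# recording its hash first. Prints the number of files moved.
quarantine_offline() {
    mount_point=$1; qdir=$2; moved=0
    windir=$(find_ci "$mount_point" windows)
    [ -n "$windir" ] || { echo "no Windows directory under $mount_point" >&2; return 1; }
    sysdir=$(find_ci "$windir" system32)
    [ -n "$sysdir" ] || { echo "no system32 under $windir" >&2; return 1; }
    mkdir -p "$qdir" || return 1
    for name in $TARGETS; do
        path=$(find_ci "$sysdir" "$name")
        # Only regular files: skip missing names, directories and symlinks.
        if [ -n "$path" ] && [ -f "$path" ] && [ ! -L "$path" ]; then
            sha256sum "$path" >> "$qdir/manifest.sha256"
            mv -- "$path" "$qdir/$(basename "$path").quarantined" && moved=$((moved + 1))
        fi
    done
    echo "$moved"
}

# Runs only when both paths are given, e.g.:
#   sh quarantine.sh /mnt/windows /mnt/windows/quarantine
if [ "$#" -eq 2 ]; then
    quarantine_offline "$1" "$2"
fi
```

Files matched by exact name only; nothing else in system32 is touched, and the registry entries mentioned elsewhere in the thread still have to be removed after booting back into Windows.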
 
"Patrick Keenan" <test@dev.null> wrote in message
news:u3Sm3kDPIHA.1188@TK2MSFTNGP04.phx.gbl...
> "ZenMasta" <me@nospam.com> wrote in message
> news:%23Q3q53CPIHA.292@TK2MSFTNGP02.phx.gbl...
> > Hi, I'm trying to remove some spyware from my pc that is attaching itself
> > to explorer so I can't delete it even by booting into safe mode. The
> > spyware replicates itself and creates additional entries in the
> > registries, and creates additional dlls in the system32 folder.
> >
> > I know exactly which files I need to delete but I can't delete them
> > because they are always "in use".
> >
> > I've used hijackthis and I can remove everything but 2 files that are the
> > ones that keep recreating all the rest of the stuff. The files I need to
> > delete are labeled as browser helper objects in IE7. I can disable them
> > but there is no uninstall option and upon reboot they are always enabled
> > again.

>
> Did you try doing this in Safe Mode?


Just had a run-in with this miserable SOB myself.

Got it by using a Java applet on Ebay to view pix
of mdse. My Sun Java wasn't up-to-date :-( and
got "exploited".

Vundo can't be removed in Safe Mode either.

It takes the VundoFix tool + often a vundofix.vft file
with the name + path of the "unremovable" file(s)
dragged & dropped onto the VundoFix window for
those it misses.

And then removal of Registry entries it creates with
HijackThis.


>
>
> > What I would like to do if at all possible is create a batch file that
> > deletes the specific files.

>
> Not needed and if you can't delete the files manually, the batch file won't
> be able to either.
>
> You need to not load them in the first place, which means either booting
> from another OS (CD or host) or Safe Mode.
>
> >Ideally delete files with date created of 12/3/2007 or newer, but I
> >wouldn't want to accidentally use the wrong >< symbol and hose my windows
> >installation, so I'm fine with naming each file for deletion.
> >
> >
> > I'm wondering what the best way to do this is.

>
> It isn't with a batch file. Boot with another CD, and delete the files
> manually.
>
> Or, attach the drive to another system via a USB2 case and scan it with an
> A/V utility.
>
> HTH
> -pk
>
>
> > edit autoexec.bat and add
> > CALL c:\myfile.bat ?
> >
> > myfile.bat:
> > del C:\windows\system32\ddcbyvu.dll
> > del C:\windows\system32\pmkji.dll
> > del C:\windows\system32\pmnno.dll
> >
> > Thanks in advance.

>
>
 
ZenMasta wrote:
> Hi, I'm trying to remove some spyware from my pc that is attaching
> itself to explorer so I can't delete it even by booting into safe mode.
> The spyware replicates itself and creates additional entries in the
> registries, and creates additional dlls in the system32 folder.



Try one of these free Virus Removal Tools:

Avast! One tool for any current virus
http://www.avast.com/eng/avast-virus-cleaner.html

Symantec Virus Removal Tools
http://www.symantec.com/business/security_response/removaltools.jsp

F-Secure Virus Removal Tools
http://www.f-secure.com/download-purchase/tools.shtml

Kaspersky Virus Removal Tools
http://www.kaspersky.com/removaltools

--
Joe =o)
 
Thanks for the tip regarding boot cd's. I didn't think about that (well, not
the ubuntu ones). I've tried system restore/win xp before and ended up with
a hosed system once so I didn't want to go there.
 
On Dec 12, 1:01 pm, "ZenMasta" <m...@nospam.com> wrote:
> Thanks for the tip regarding boot cd's. I didn't think about that (well, not
> the ubuntu ones). I've tried system restore/win xp before and ended up with
> a hosed system once so I didn't want to go there.


Hello again,

Google "vundo removal" for the instructions to remove this trojan.

Luck!
 