Hijack This: "Obfustat.zta" virus and innumerable

  • spork
  • Brewmaster
  • Silver Member
  • Joined: Sep 22, 2003
  • Posts: 6130
  • Loc: Seattle, WA

Post November 23rd, 2007, 11:08 pm

I've had similar trouble with nasty DLL's in the past. I ended up using a program called Advanced Process Manipulation, which allowed me to detach the DLL from its host process, thus freeing it for deletion. You might want to try this in conjunction with KillBox:

Advanced Process Manipulation:
http://www.download3000.com/download_10376.html

Killbox:
http://killbox.net/

1. Try using Killbox to delete the file. Killbox will attempt to close the process that's using the file and then delete it. If that does not work, try the following:

2. Use Advanced Process Manipulation to find the process on your system that's using the DLL that you're trying to delete. You'll see the DLL listed there. Detach the DLL from the process, and then use Killbox to delete it.

If this doesn't work for you, post back here letting me know and I'll give you a third thing to try. However, at the moment it's 1 a.m. and I'm going to get some sleep.
The Beer Monocle. Classy.
  • spork
  • Brewmaster
  • Silver Member
  • Joined: Sep 22, 2003
  • Posts: 6130
  • Loc: Seattle, WA

Post November 23rd, 2007, 11:09 pm

Bogey wrote:
Try this... open CMD and type in the following command...

DEL /F DGAADGA.DLL

Maybe you need the full address so...

DEL /F C:\WINDOWS\System32\DGAADGA.DLL

But try the top one first... just to be on the safe side

That won't work if the DLL is in use by a system process.
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post November 23rd, 2007, 11:12 pm

the /F means forcefully...
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • SludgeFactory
  • Newbie
  • Joined: Nov 23, 2007
  • Posts: 9

Post November 23rd, 2007, 11:56 pm

Okay, the command prompt didn't work and neither did the KillBox. When I tried to use Killbox it wouldn't delete it so I tried to do the delete on reboot option but the computer would always just not reboot at all.

So I ran the APM program and the dgaadga.dll file never showed up in it. I checked thrice and couldn't find anything.
  • stkhunter
  • Born
  • Joined: Nov 24, 2007
  • Posts: 2

Post November 24th, 2007, 8:34 am

Greetings:

I have the same issue; however, the virus is listed as a BHO DLL file, "dataclena" with an extra "a". I cannot find anything to remove it. I do not know if this is related or not, but my system will not boot up in safe mode. It stops during the driver load and the hard drive continues spinning. The system does not have a problem booting up normally. Thank you for any assistance you can provide.
  • spork
  • Brewmaster
  • Silver Member
  • Joined: Sep 22, 2003
  • Posts: 6130
  • Loc: Seattle, WA

Post November 24th, 2007, 9:21 am

Bogey wrote:
the /F means forcefully...

I know it does, but it still won't work if the DLL is in use.

SludgeFactory wrote:
So I ran the APM program and the dgaadga.dll file never showed up in it. I checked thrice and couldn't find anything.

Download process explorer:
http://www.microsoft.com/technet/sysint ... lorer.mspx

You should be able to use PE to find out exactly which process is using that DLL. Good places to look using PE are in any svchost.exe, but make sure you look through all of them until you find it. Then go back to step 2 from before.

If you're still having trouble, you can use PE to freeze the process that's using the DLL, then detach it using APM, then delete it with Killbox. Just know that freezing or killing a process, especially an instance of svchost, can throw your system out of whack, but don't panic too much; it will be fine when you reboot.
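The search spork describes above (which process has the DLL mapped, and what exactly is loaded from disk) can be done from a script instead of by clicking through every svchost.exe in Process Explorer. The block below is an added example, not code from the thread, from Process Explorer or from APM. It assumes an elevated PowerShell session; the file name dgaadga.dll is taken from the thread and the function name is made up for this example.

```powershell
# Added example, not part of the original thread. Lists every process that
# currently has a module with the given file name mapped, with the on-disk
# path and Authenticode status of the image actually loaded. Assumes an
# elevated PowerShell session: modules of SYSTEM/protected processes cannot
# be read otherwise, and those processes are reported as warnings rather
# than silently skipped, because a hit hidden there is exactly what you want.
function Find-LoadedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Name   # e.g. 'dgaadga.dll'
    )

    foreach ($proc in Get-Process) {
        try {
            # .Modules throws for processes this token cannot open, and for
            # 64-bit targets when the script runs in a 32-bit PowerShell host.
            $modules = $proc.Modules
        } catch {
            Write-Warning ("Cannot read modules of {0} (PID {1}): {2}" -f $proc.ProcessName, $proc.Id, $_.Exception.Message)
            continue
        }

        foreach ($m in $modules) {
            # -ne is case-insensitive in PowerShell, like NTFS file names
            if ($m.ModuleName -ne $Name) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Path      = $m.FileName
                Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

# File name taken from the thread; the output is empty if nothing has it mapped.
Find-LoadedModule -Name 'dgaadga.dll' | Format-Table -AutoSize
```

If the list comes back empty, as it did for SludgeFactory, that does not prove the file is free: Process.Modules only sees images mapped as modules, so a process holding a plain open handle on the file (which also blocks deletion) is invisible here and needs Sysinternals handle.exe or Process Explorer's handle search; and a DLL that is only loaded transiently, into iexplore.exe as a BHO or into rundll32.exe when a scheduled task fires, is simply not loaded at the moment you look. The built-in cmd equivalent of the module check is `tasklist /M dgaadga.dll`.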
  • SludgeFactory
  • Newbie
  • Joined: Nov 23, 2007
  • Posts: 9

Post November 24th, 2007, 10:50 am

Okay, I used PE and looked through all the processes to see if I could find the dgaadga.dll but it was nowhere to be found. I even did the in-program search function for the name and then the handle and it still came up as not found.
  • Bogey
  • Genius
  • Joined: Jul 14, 2005
  • Posts: 8211
  • Loc: USA

Post November 24th, 2007, 2:22 pm

SludgeFactory wrote:
Okay, I used PE and looked through all the processes to see if I could find the dgaadga.dll but it was nowhere to be found. I even did the in-program search function for the name and then the handle and it still came up as not found.

Then you've got a very unusual and a very stubborn virus over there...

You are using an administrative account on the computer... correct?
"Bring forth therefore fruits meet for repentance:" Matthew 3:8
  • SludgeFactory
  • Newbie
  • Joined: Nov 23, 2007
  • Posts: 9

Post November 24th, 2007, 3:35 pm

Bogey wrote:
SludgeFactory wrote:
Okay, I used PE and looked through all the processes to see if I could find the dgaadga.dll but it was nowhere to be found. I even did the in-program search function for the name and then the handle and it still came up as not found.

Then you've got a very unusual and a very stubborn virus over there...

You are using an administrative account on the computer... correct?

Yes, apparently I do. I'm just gonna have to format the pile of junk and call it good.

Thanks to everyone for their help...I greatly appreciate it! Even though it didn't fix this problem it definitely was a learning experience.
  • stkhunter
  • Born
  • Joined: Nov 24, 2007
  • Posts: 2

Post November 25th, 2007, 6:47 am

Thanks folks, was able to get cleaned up with unlocker.
  • cnsrol
  • Born
  • Joined: Nov 26, 2007
  • Posts: 1

Post November 26th, 2007, 12:57 am

Hello everyone,
I tried everything suggested and in the end I was able to stop getting the OBFUSTAT.ZTA virus alert from AVG. Using Spybot's system internals I discovered that it was a BHO (browser helper object), and after trying everything on this forum it occurred to me it must be in the IE Add-ons list. Sure enough, I found and disabled it and it stopped popping up. I don't know what it was from, but everything I use seems to be working fine. So here's how I fixed it... right or wrong... it stopped, LOL.
Open Internet Explorer (I'm using 7.0.5730.11), navigate to Tools, Manage Add-ons, Enable or Disable Add-ons..., find and select the name of the file that pops up as being infected (mine was omdmomd.dll), then choose Disable in the settings box at the bottom of this window. That's it.

Let me know if this works for anyone else.. This has been a heck of a pain in the you know what... Thanks for all the suggestions though!

cnsrol
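cnsrol's fix works because an IE Browser Helper Object is nothing more than a CLSID listed under the Browser Helper Objects registry key; on every start IE instantiates that CLSID and so loads the DLL named by its InprocServer32 value. The following block is an added example, not from the thread, that enumerates those registrations and resolves each one to the DLL it will load, so the DLL name can be read off without opening IE at all. It assumes a PowerShell session on the affected machine; the function name is made up for this example.

```powershell
# Added example, not part of the original thread. Enumerates every Browser
# Helper Object registered on the machine and resolves the CLSID to the
# in-process DLL Internet Explorer will load. Read-only: it changes nothing.
function Get-BrowserHelperObject {
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        # 32-bit IE on 64-bit Windows reads the WOW64 view of the same key.
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )

    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid = $entry.PSChildName          # a GUID in braces
            # HKCR is the merged view of HKLM\Software\Classes and HKCU\Software\Classes,
            # so a per-user class registration is found here as well.
            $clsKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $name = (Get-ItemProperty -LiteralPath $clsKey -ErrorAction SilentlyContinue).'(default)'
            $dll  = (Get-ItemProperty -LiteralPath "$clsKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'

            $onDisk = $false
            $status = 'NoInprocServer32'
            if ($dll) {
                $path   = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                $onDisk = Test-Path -LiteralPath $path
                if ($onDisk) {
                    $status = (Get-AuthenticodeSignature -FilePath $path).Status
                } else {
                    $status = 'FileMissing'      # dangling entry, like the one left after a Knoppix delete
                }
            }

            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                OnDisk    = $onDisk
                Signature = $status
                Root      = $root
            }
        }
    }
}

Get-BrowserHelperObject | Format-Table -AutoSize
```

Two things the output makes visible that Manage Add-ons does not: a BHO with no friendly name, an unsigned DLL, or a randomly named file in System32 stands out immediately, and a FileMissing row is the orphaned CLSID registration left behind once the DLL has been deleted from outside Windows. Disabling in Manage Add-ons only sets a per-user flag; the BHO key, the CLSID and the file all remain, which is why an antivirus scan keeps alerting on the file afterwards.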
  • halen
  • Graduate
  • Joined: Oct 23, 2007
  • Posts: 141

Post November 27th, 2007, 4:59 pm

Man, it is the first time I see somebody saying that Unlocker does work, hehehehe.

Anyway, if you can't delete that file manually even with Unlocker, then try this.

Go to http://www.knoppix.org/ and download the newest Knoppix image.

Then burn the image to a CD and boot up from it as if you were going to reinstall Windows.

It will take a while to download that image, but the good thing about this is that you will be welcomed into the bootable operating system world, lol.

Once you have booted up from the image, just look for that file in your Windows partition and delete it.

If you tell me you can't delete it, man, it will be hard for me to believe that, lol.

By the way, keep that copy of the CD you will burn; it is great for recovery purposes.

Another thing you might want to try is to kill explorer.exe, open a cmd shell and then type

del /F C:\WINDOWS\System32\DGAADGA.DLL

It might work, but who knows. Another thing you might try is to get system privileges on your computer and delete the file. There are 2 ways to do it; I promise I will tell you later if nobody else helps you with this (I have class in 5 minutes so I gotta go). Anyway, I hope this helps. Cya.
  • ThankYouKnoppix
  • Born
  • Joined: Dec 08, 2007
  • Posts: 1

Post December 8th, 2007, 9:36 pm

Wow, I really owe you guys one. I picked up Obfustat.ZTA a couple of days ago as the C:\Windows\System32\dfshimw.dll file. AVG found it but couldn't get rid of it. I googled it and found this thread. I've tried everything here and Knoppix finally gave me the ability to delete it. (My last option would have been to open the case and hook up a second bootable hard drive with XP/NTFS on it, boot from that drive and then go hunting. I'm sure glad I didn't have to do that.)

Here are the things I found it doing:
- Whenever I started Internet Explorer, a bunch of other spyware programs were downloaded and begin running.
- Dfshimw.dll schedules a system level command to run itself as an application (using rundll32.exe) every afternoon at 3:57pm.
- It takes down Spybot TeaTimer and removes it from startup.
- It *may* be trying to access the internet disguised as Windows Explorer. (Or maybe that's one of its friends phoning home.)

Here's what I did, in the order of my fumbling around.
0 - Disabled my wireless network adapter to keep things contained. (I found this forum online using my second PC.)
1 - AVG Antivirus - found the dfshimw.dll file but could not clean it.
2 - Spybot - did not find it during scan but was able to remove it from startup.
3 - Spycatcher - did not find it but killed all the friends it invited into my house.
4 - Internet Explorer - I manually removed it from the Add-Ons list as suggested and sure enough everything calmed down. AVG, however, kept finding it each time I scanned.
5 - HijackThis - couldn't find it running.
6 - Command Prompt, Del /F... - access denied.
7 - Unlocker - couldn't delete dfshimw.dll, just as described by other people in this thread.
8 - Killbox - couldn't delete it.
9 - Advanced Process Manipulation - couldn't find it running.
10 - Process Explorer - couldn't find it running.
11 - System Privileges - I googled and found a page explaining how to obtain system privileges. It worked as advertised except that I still couldn't delete the file. This was very valuable though - when I ran the "at" command to schedule myself a command prompt I found that dfshimw.dll had already scheduled a task to run itself as an app every afternoon!
12 - Tried all of the above tools while logged in with system privileges - same results; can't delete or clean the file.
13 - Knoppix - yea baby, I've been wanting something like this for years! Bootable CDs with NTFS access are a godsend. I downloaded it as suggested, burned a bootable image CD (check the options when you burn), and booted my PC up with Knoppix. Mounted my hard drive, browsed over to the file and had the immensely satisfying pleasure of right-click deleting dfshimw.dll. Woo Hoo!
14 - I used Ccleaner to remove all the registry entries related to dfshimw.dll. One could not be deleted.
15 - I used TuneUp Utilities 2007 to further clean up the registry entries left behind by dfshimw.dll.
16 - I tried removing that last registry entry using regedit. No luck.
17 - I logged in again with system privileges using the "at" command and figured out how to remove the scheduled task. (at the command prompt, type 'at /delete' and say yes when it asks.)
18 - I tried using Ccleaner and regedit to remove the last entry while logged in with system privileges. No luck. (The data for that entry is C:\InProcServer\c:\windows\system32\dfshimw.dll.)
19 - I ran full scans using AVG and Spycatcher, which turned up clean.

I just want to say thank you to everyone who made so many great suggestions in this thread. I've learned a ton from this and picked up a small pile of great tools. The bootable Knoppix CD saved the day - I would suggest that everyone reading this make one NOW and keep it handy for days like this.
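ThankYouKnoppix only noticed the 3:57pm job because `at` happened to list it while being used to get a SYSTEM shell. The block below is an added example, not from the thread, that looks for that persistence deliberately: it lists every scheduled task whose command line runs a DLL through rundll32.exe and checks whether the DLL is still on disk and whether it is signed. It uses schtasks.exe, which exists from XP onward and lists legacy `at` jobs alongside Task Scheduler tasks; it should be run elevated so that tasks created by SYSTEM are included. The function name is made up for this example.

```powershell
# Added example, not part of the original thread. Lists scheduled tasks whose
# action runs a DLL through rundll32.exe (the persistence ThankYouKnoppix
# found with 'at'). schtasks.exe is used instead of Get-ScheduledTask so the
# same code works on XP-era systems; run elevated to see SYSTEM's tasks.
function Get-Rundll32Task {
    # /v adds the 'Task To Run' and 'Run As User' columns; /fo CSV makes the
    # output parseable with ConvertFrom-Csv.
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv

    foreach ($t in $tasks) {
        $cmd = $t.'Task To Run'
        # On Vista and later schtasks repeats the CSV header once per task
        # folder; ConvertFrom-Csv returns those as rows, so drop them here.
        if (-not $cmd -or $cmd -eq 'Task To Run') { continue }

        # rundll32[.exe] followed by a quoted or unquoted path ending in .dll
        if ($cmd -match '(?i)rundll32(\.exe)?\s+(?<dll>"[^"]+\.dll"|[^,\s"]+\.dll)') {
            $dll  = $Matches.dll.Trim('"')
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            $onDisk = Test-Path -LiteralPath $path
            if ($onDisk) {
                $status = (Get-AuthenticodeSignature -FilePath $path).Status
            } else {
                $status = 'FileMissing'
            }

            [pscustomobject]@{
                TaskName  = $t.TaskName
                RunAs     = $t.'Run As User'
                NextRun   = $t.'Next Run Time'
                Command   = $cmd
                DllOnDisk = $onDisk
                Signature = $status
            }
        }
    }
}

Get-Rundll32Task | Format-Table -AutoSize
```

A task that runs as SYSTEM, points rundll32 at a DLL in System32 with a random name, and carries no valid signature is the pattern to look for; legitimate rundll32 tasks exist, but they reference signed Microsoft DLLs. Once identified, `schtasks /delete /tn <name>` removes a single task, which is more precise than the `at /delete` used in the post, since that removes every `at` job at once.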

Post Information

  • Total Posts in this topic: 28 posts
© 2011 Unmelted, LLC. Ozzu® is a registered trademark of Unmelted, LLC.