Hijack This: "Obfustat.zta" virus and innumerable

SludgeFactory (Newbie, 9 posts):

I have done scans on the computer with Ad-aware, Spybot: Search and Destroy, and a virus scan all in safe mode and this problem still won't go away. Any help would be much appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 6:23:36 PM, on 11/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Latwkgzj] C:\Program Files\Common Files\a?sembly\m?config.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1024859779
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\System32\MRobeService.exe (file missing)

Bogey (Genius, 8388 posts, USA):

Remove the following using hijackthis...

Quote:
O4 - HKCU\..\Run: [Latwkgzj] C:\Program Files\Common Files\a?sembly\m?config.exe

That's pretty much it...
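Bogey picked that entry out by eye. The script below is added here (it is not from the thread and not part of HijackThis) and applies the same kind of rules to a v1.99 log: a '?' in a path (this editor's assumption being that it stands for a character the tool could not print, so the folder only looks like "assembly"), services whose binary is missing or has no vendor, and anything a Run key or BHO loads from System32 that is not on an analyst's allow-list. The allow-list, the rule set and the one O2 line in the sample are constructed for the example.

```python
"""Triage a HijackThis 1.99 log (added example, not HijackThis code).
The rules below are this editor's assumptions about what deserves a second look."""
import re
from typing import Dict, List

ENTRY_RE = re.compile(r'^(?P<kind>[RO]\d+) - (?P<body>.*)$')
# First drive-letter path in an entry, optionally quoted, ending in a module
# extension; trailing arguments such as /STARTUP are left out.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)
# Assumption: an analyst-maintained allow-list of things legitimately started
# from System32 by Run keys or registered as BHOs.
SYSTEM32_ALLOW = frozenset({'ctfmon.exe'})

# Lines taken from the log posted in this thread, plus one constructed O2 line
# (the posted logs contain no O2 entries; the DLL name is the one AVG flagged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Latwkgzj] C:\Program Files\Common Files\a?sembly\m?config.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\System32\DGAADGA.DLL
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\System32\MRobeService.exe (file missing)
"""


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per (entry, reason); headers and the process list are skipped."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group('kind'), m.group('body')
        pm = PATH_RE.search(body)
        path = pm.group('path') if pm else ''
        folder, _, fname = path.rpartition('\\')
        reasons = []
        if '?' in path:
            # HijackThis 1.99 prints '?' for characters it cannot display (assumption:
            # a look-alike character so the folder only resembles a legitimate one).
            reasons.append('path contains a character the tool could not display')
        if kind == 'O23':
            if '(file missing)' in body:
                reasons.append('service binary is missing from disk')
            if 'Unknown owner' in body:
                reasons.append('service binary carries no vendor information')
        if kind in ('O2', 'O4') and folder.lower().endswith('\\system32') \
                and fname.lower() not in SYSTEM32_ALLOW:
            reasons.append(f'{fname} is loaded from System32 but is not allow-listed')
        for reason in reasons:
            findings.append({'kind': kind, 'path': path, 'reason': reason, 'line': line})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:4} {f['reason']}\n     {f['line']}")
```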

SludgeFactory (Newbie, 9 posts):

Thank you for the quick response!

I did what you recommended and when I restarted my computer the problem was still there. To be more exact, I am using the free version of the AVG antivirus program and typically right away when I start the computer or when I open a web browser a warning from AVG pops up stating:

Threat detected: While opening file: C:\WINDOWS\System32\DGAADGA.DLL
Virus identified Obfustat.ZTA

Also, I believe random windows still pop up when I browse anywhere on the internet.

I ran another hijack scan as well and here is what that one said:

Logfile of HijackThis v1.99.1
Scan saved at 9:09:34 PM, on 11/23/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1024859779
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\System32\MRobeService.exe (file missing)

spork (Brewmaster, Silver Member, 6250 posts, Seattle, WA):

The culprit is probably hiding on your system in a place that HijackThis normally doesn't check. Although it is unlikely to solve the problem, I'd recommend fixing the following entry:
Quote:
O23 - Service: MrobeService - Unknown owner - C:\WINDOWS\System32\MRobeService.exe (file missing)

Bogey (Genius, 8388 posts, USA):

I heard that MSIE7 was better than MSIE6

spork (Brewmaster, Silver Member, 6250 posts, Seattle, WA):

That depends on how you define "better".

Bogey (Genius, 8388 posts, USA):

Better as in Better... has a better rendering engine... that type of better...

SludgeFactory (Newbie, 9 posts):

As far as IE is concerned, it may or may not be better...I don't know as this isn't my computer, I am trying to fix it for a friend. Personally I like to use Firefox but I do know that IE7 is nice because it finally has the tabbed browsing.

Anyway, thanks to everyone who tried to help me. I tried fixing the last bit of information like you pointed out, spork, but that didn't seem to fix the underlying problem I am having. I was afraid that this might be something that hijackthis wouldn't be able to find. I didn't want to have to format as the owner of this computer never got the backup discs for it, but that seems to be my only alternative right now.

spork (Brewmaster, Silver Member, 6250 posts, Seattle, WA):

SludgeFactory wrote:
Threat detected: While opening file: C:\WINDOWS\System32\DGAADGA.DLL
Virus identified Obfustat.ZTA

Have you tried manually deleting that file?

SludgeFactory (Newbie, 9 posts):

I have tried to manually delete it several different ways but it says that access is denied to me because it is in use. I've tried doing it in safe mode but it said the same thing. So, now I'm trying to remember dos commands (it's been a while since I've had to use those) to see if I boot up in safe mode with the command that I can at least change the filename to some nonexistent extension and then maybe delete it.

Bogey (Genius, 8388 posts, USA):

Download unlocker and then try to delete it... once it says you can't that unlocker will get to work and closes any other program that is using that file...

SludgeFactory (Newbie, 9 posts):

Bogey wrote:
Download unlocker and then try to delete it... once it says you can't that unlocker will get to work and closes any other program that is using that file...

Well, what I tried to do proved a fruitless venture, so I will give it a try.

Bogey (Genius, 8388 posts, USA):

SludgeFactory wrote:
Bogey wrote:
Download unlocker and then try to delete it... once it says you can't that unlocker will get to work and closes any other program that is using that file...

Well, what I tried to do proved a fruitless venture, so I will give it a try.

Hope it works... I'm sure it works :)

SludgeFactory (Newbie, 9 posts):

Well, I bring dark tidings...it didn't work. Unlocker said it wasn't locked but then it said it could still deal with the file. So I said to delete it and then an error popped up saying the file could not be deleted. Do you want to perform the requested operation upon reboot? I of course said yes and rebooted but then it did the exact same thing.

Unlocker, you devious program you...you lied to me! *cries*

So, anyway, I realize (hope) that I could possibly be trying to use the program wrong upon startup, so if that is true please correct me!

Bogey (Genius, 8388 posts, USA):

Try this... open CMD and type in the following command...

DEL /F DGAADGA.DLL

Maybe you need the full address so...

DEL /F C:\WINDOWS\System32\DGAADGA.DLL

But try the top one first... just to be on the safe side...

...

http://support.microsoft.com/?kbid=320081

http://support.microsoft.com/?kbid=120716

spork (Brewmaster, Silver Member, 6250 posts, Seattle, WA):

I've had similar trouble with nasty DLLs in the past. I ended up using a program called Advanced Process Manipulation, which allowed me to detach the DLL from its host process, thus freeing it for deletion. You might want to try this in conjunction with KillBox:

Advanced Process Manipulation:
http://www.download3000.com/download_10376.html

Killbox:
http://killbox.net/

1. Try using Killbox to delete the file. Killbox will attempt to close the process that's using the file and then delete it. If that does not work, try the following:

2. Use Advanced Process Manipulation to find the process on your system that's using the DLL that you're trying to delete. You'll see the DLL listed there. Detach the DLL from the process, and then use Killbox to delete it.

If this doesn't work for you, post back here letting me know and I'll give you a third thing to try. However, at the moment it's 1 a.m. and I'm going to get some sleep.

spork (Brewmaster, Silver Member, 6250 posts, Seattle, WA):

Bogey wrote:
Try this... open CMD and type in the following command...

DEL /F DGAADGA.DLL

Maybe you need the full address so...

DEL /F C:\WINDOWS\System32\DGAADGA.DLL

But try the top one first... just to be on the safe side

That won't work if the DLL is in use by a system process.

Bogey (Genius, 8388 posts, USA):

the /F means forcefully...

SludgeFactory (Newbie, 9 posts):

Okay, the command prompt didn't work and neither did the KillBox. When I tried to use Killbox it wouldn't delete it so I tried to do the delete on reboot option but the computer would always just not reboot at all.

So I ran the APM program and the dgaadga.dll file never showed up in it. I checked thrice and couldn't find anything.

stkhunter (Born, 2 posts):

Greetings:

I have the same issue however the virus is listed as a BHO dll file; "dataclena" an extra "a"; I cannot find anything to remove it. I do not know if this is related or not but, my system will not boot up in safe mode. It stops during the driver load and the hard drive continues spinning. The system does not have a problem booting up normally. Thank you for any assistance you can provide.

spork (Brewmaster, Silver Member, 6250 posts, Seattle, WA):

Bogey wrote:
the /F means forcefully...

I know it does, but it still won't work if the DLL is in use.

SludgeFactory wrote:
So I ran the APM program and the dgaadga.dll file never showed up in it. I checked thrice and couldn't find anything.

Download process explorer:
http://www.microsoft.com/technet/sysint ... lorer.mspx

You should be able to use PE to find out exactly which process is using that DLL. Good places to look using PE are in any svchost.exe, but make sure you look through all of them until you find it. Then go back to step 2 from before.

If you're still having trouble, you can use PE to freeze the process that's using the DLL, then detach it using APM, then delete it with Killbox. Just know that freezing or killing a process, especially an instance of svchost, can throw your system out of whack, but don't panic too much, it will be fine when you reboot.

SludgeFactory (Newbie, 9 posts):

Okay, I used PE and looked through all the processes to see if I could find the dgaadga.dll but it was nowhere to be found. I even did the in-program search function for the name and then the handle and it still came up as not found.

Bogey (Genius, 8388 posts, USA):

SludgeFactory wrote:
Okay, I used PE and looked through all the processes to see if I could find the dgaadga.dll but it was nowhere to be found. I even did the in-program search function for the name and then the handle and it still came up as not found.

Then you got a very unusual and a very stubborn virus over there...

You are using an administrative account on the computer... correct?

SludgeFactory (Newbie, 9 posts):

Bogey wrote:
SludgeFactory wrote:
Okay, I used PE and looked through all the processes to see if I could find the dgaadga.dll but it was nowhere to be found. I even did the in-program search function for the name and then the handle and it still came up as not found.

Then you got a very unusual and a very stubborn virus over there...

You are using an administrative account on the computer... correct?

Yes, apparently I do. I'm just gonna have to format the pile of junk and call it good.

Thanks to everyone for their help...I greatly appreciate it! Even though it didn't fix this problem it definitely was a learning experience.

stkhunter (Born, 2 posts):

Thanks folks, was able to get cleaned up with unlocker.

cnsrol (Born, 1 post):

Hello everyone,
I tried everything suggested and in the end I was able to stop getting the OBFUSTAT.ZTA virus alert from AVG. Using spybot system internals I discovered that it was a BHO browser helper object and after trying everything on this forum it occurred to me it must be in the IE Add-ons list and sure enough I found and disabled it and it stopped popping up. I don't know what it was from but everything I use seems to be working fine. So here's how I fixed it .... right or wrong.... it stopped LOL
Open Internet Explorer (I'm using 7.0.5730.11) navigate to TOOLS, Manage Add-ons, Enable or Disable Add-ons..., find and select the name of the file that pops up as being infected (mine was omdmomd.dll) then choose Disable in the settings box at the bottom of this window.. That's it.

Let me know if this works for anyone else.. This has been a heck of a pain in the you know what... Thanks for all the suggestions though!

cnsrol

bodom321 (Graduate, 141 posts):

man, it is the first time i see somebody saying that unlocker does work hehehehe.

anyway if you can't delete that file manually even with unlocker, then try this.

goto http://www.knoppix.org/ and download the newest knoppix image.

then burn the image to a cd and boot up from it as if you were going to re install windows.

it will take a while to download that image, but the good thing about this is that you will be welcome to the bootable operating system world lol.

once you have booted up from the image, then just look for that file in your windows partition and delete it.

if you tell me you can't delete it, man it will be hard for me to believe that lol.

by the way, keep that copy of that CD you will burn, it is great for recovery purposes.

another thing you might wanna try is to kill explorer.exe and open a cmd shell then type

del /F C:\WINDOWS\System32\DGAADGA.DLL

it might work, but who knows. another thing you might try is to get system privileges in your computer and delete the file. there are 2 ways to do it, i promise i will tell you later if nobody else helps you with this, (i have class in 5 minutes so i gotta go) anyway i hope this helps. cya

ThankYouKnoppix (Born, 1 post):

Wow, I really owe you guys one. I picked up Obfustat.ZTA a couple of days ago as the C:\Windows\System32\dfshimw.dll file. AVG found it but couldn't get rid of it. I googled it and found this thread. I've tried everything here and Knoppix finally gave me the ability to delete it. (My last option would have been to open the case and hook up a second bootable hard drive with XP/NTFS on it, boot from that drive and then go hunting. I'm sure glad I didn't have to do that.)

Here are the things I found it doing:
- Whenever I started Internet Explorer, a bunch of other spyware programs were downloaded and began running.
- Dfshimw.dll schedules a system level command to run itself as an application (using rundll32.exe) every afternoon at 3:57pm.
- It takes down Spybot TeaTimer and removes it from startup.
- It *may* be trying to access the internet disguised as Windows Explorer. (Or maybe that's one of its friends phoning home.)

Here's what I did, in the order of my fumbling around.
0 - Disabled my wireless network adapter to keep things contained. (I found this forum online using my second PC.)
1 - AVG Antivirus - found the dfshimw.dll file but could not clean it.
2 - Spybot - did not find it during scan but was able to remove it from startup.
3 - Spycatcher - did not find it but killed all the friends it invited into my house.
4 - Internet Explorer - I manually removed it from the Add-Ons list as suggested and sure enough everything calmed down. AVG, however, kept finding it each time I scanned.
5 - HijackThis - couldn't find it running.
6 - Command Prompt, Del /F... - access denied.
7 - Unlocker - couldn't delete dfshimw.dll, just as described by other people in this thread.
8 - Killbox - couldn't delete it.
9 - Advanced Process Manipulation - couldn't find it running.
10 - Process Explorer - couldn't find it running.
11 - System Privileges - I googled and found a page explaining how to obtain system privileges. It worked as advertised except that I still couldn't delete the file. This was very valuable though - when I ran the "at" command to schedule myself a command prompt I found that dfshimw.dll had already scheduled a task to run itself as an app every afternoon!
12 - Tried all of the above tools while logged in with system privileges - same results; can't delete or clean the file.
13 - Knoppix - yea baby, I've been wanting something like this for years! Bootable CDs with NTFS access are a godsend. I downloaded it as suggested, burned a bootable image CD (check the options when you burn), and booted my PC up with Knoppix. Mounted my hard drive, browsed over to the file and had the immensely satisfying pleasure of right-click deleting dfshimw.dll. Woo Hoo!
14 - I used Ccleaner to remove all the registry entries related to dfshimw.dll. One could not be deleted.
15 - I used TuneUp Utilities 2007 to further clean up the registry entries left behind by dfshimw.dll.
16 - I tried removing that last registry entry using regedit. No luck.
17 - I logged in again with system privileges using the "at" command and figured out how to remove the scheduled task. (at the command prompt, type 'at /delete' and say yes when it asks.)
18 - I tried using Ccleaner and regedit to remove the last entry while logged in with system privileges. No luck. (The data for that entry is C:\InProcServer\c:\windows\system32\dfshimw.dll.)
19 - I ran full scans using AVG and Spycatcher, which turned up clean.

I just want to say thank you to everyone who made so many great suggestions in this thread. I've learned a ton from this and picked up a small pile of great tools. The bootable Knoppix CD saved the day - I would suggest that everyone reading this make one NOW and keep it handy for days like this.
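cnsrol found the DLL registered as a Browser Helper Object, and the registry remnant ThankYouKnoppix could not remove was the CLSID's InProcServer entry pointing at dfshimw.dll. The script below is added here (not code from the thread) and shows how to check that registration from regedit /e exports of the BHO key and of HKEY_CLASSES_ROOT\CLSID, decoded from UTF-16 to text: it resolves every CLSID under the BHO key to its friendly name and DLL and flags the ones that look like the cases in this thread. The sample export, its placeholder CLSIDs and the flagging rules are this editor's constructions.

```python
r"""Resolve Browser Helper Objects from regedit exports (added example, not code from this thread).
Input is the text of `regedit /e` exports of the BHO key and of HKEY_CLASSES_ROOT\CLSID,
decoded from UTF-16; the flagging rules are this editor's assumptions."""
from typing import Dict, List, Tuple

BHO_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

# Constructed sample export: one ordinary BHO and one registered the way the
# posters describe (no friendly name, DLL dropped into System32). The CLSIDs are
# placeholders; dfshimw.dll is the file named in ThankYouKnoppix's post.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}]
@="Example Toolbar Helper"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Program Files\\Example\\toolbar.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InProcServer32]
@="C:\\WINDOWS\\System32\\dfshimw.dll"
"""


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: data}} for the string values of a version 5.00 export."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and '=' in line:
            name, _, data = line.partition('=')
            name = '@' if name == '@' else name.strip('"')  # '@' is the default value
            if data.startswith('"') and data.endswith('"'):
                # exports escape backslashes and double quotes inside string data
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


def list_bhos(reg: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(CLSID, friendly name, InProcServer32 DLL) for every CLSID under the BHO key."""
    bhos = []
    prefix = BHO_KEY.lower() + '\\'
    for key in reg:
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):]
            name = reg.get(f'HKEY_CLASSES_ROOT\\CLSID\\{clsid}', {}).get('@') or '(no name)'
            dll = reg.get(f'HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InProcServer32', {}).get('@', '')
            bhos.append((clsid, name, dll))
    return bhos


def suspicious(bhos, allow=frozenset()):
    """Flag BHOs with no friendly name, no server DLL, or a DLL in System32 that is not
    allow-listed (assumption: legitimate BHOs usually live under Program Files)."""
    flagged = []
    for clsid, name, dll in bhos:
        folder, _, fname = dll.rpartition('\\')
        why = []
        if name == '(no name)':
            why.append('no friendly name registered')
        if not dll:
            why.append('no InProcServer32 DLL registered')
        elif folder.lower().endswith('\\system32') and fname.lower() not in allow:
            why.append(f'{fname} is loaded from System32')
        if why:
            flagged.append((clsid, dll, '; '.join(why)))
    return flagged
```

Disabling the add-on in IE, as cnsrol did, only flips the enabled flag; the CLSID and InProcServer32 entries stay, which is why AVG kept finding the file until it was deleted from the Knoppix boot.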
