Assumed Malware; C:\windows\system32\pdrik.exe...



#1 Furion

Furion

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:42 AM

Posted 17 September 2006 - 11:41 AM

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pdrik.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ayymvbd.exe

Those two -- from a hijackthis log. Either way, these two won't remove. Have tried safe mode combined with move-on-boot. No installations in add/remove programs, and search engines give absolutely no information with pdrik.exe, same as ayymvbd.exe. ytbelv.exe is also listed in processes, under the process manager. I've tinkered with registries, too. They kept re-creating and fixing themselves.

Causes random pop-ups about scans and tries to prompt you to download an "anti-virus" software. I also hear an occasional clicking/beeping type noise. This noise is really quiet, and can only hear it with my volume turned all the way up. Either way, I can usually get rid of most malware and other such things on my own, without help from forums or guides or anything. This one, however, seems to not want to... die.

Any help would be. Helpful, yes =)

Edited by Furion, 17 September 2006 - 01:06 PM.



#2 Starbuck

Starbuck

    'r Brudiwr


  • Malware Response Team
  • 4,146 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Midlands, UK
  • Local time:10:42 AM

Posted 17 September 2006 - 03:20 PM

Hi Furion
Although you are using HijackThis, you don't say what experience you have with this program!
You give these 2 lines...
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pdrik.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ayymvbd.exe

but are there any other lines in the
F0 and F1 section that could correspond with these?
When these lines are deleted using Hjt, it doesn't remove the actual program..... that has to be done manually.

ytbelv.exe is also listed in processes

Do you know how to stop a process and then get rid of the program?
What else is there in your log?
If you are not trained properly in the use of Hjt, I strongly recommend that you submit a Hjt log and let one of the experts talk you through it.

If you scroll down this link.....Preparation guide for posting a Hjt log it will explain just how to post a log.

It may take a while to get a response because the HJT Team members are very busy. Please be patient as they are volunteers who will help you out as soon as possible. Once you have made your post, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modification you make may complicate the malware removal process and could adversely affect your system.

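An added example, not part of either poster's reply: a small Python parser for the F2 lines HijackThis prints for the system.ini Shell/UserInit values, which flags anything appended beyond the stock Explorer.exe and userinit.exe (the baseline set is an assumption; the sample log is constructed around the two lines quoted in this thread).

```python
import re
from typing import List, Optional, Tuple

# Assumed baseline: Shell normally carries only Explorer.exe and UserInit only
# userinit.exe. Any extra entry on either value is worth a closer look.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# Matches the F2 lines HijackThis emits for the system.ini Shell/UserInit values.
F2_RE = re.compile(
    r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$", re.IGNORECASE
)


def parse_f2(line: str) -> Optional[Tuple[str, List[str]]]:
    """Return (key, [entries]) for an F2 line, or None for any other HJT line."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    # Entries are comma-separated; a clean UserInit value ends in a trailing
    # comma, so empty pieces are dropped rather than flagged.
    entries = [e.strip() for e in m.group("value").split(",") if e.strip()]
    return m.group("key").lower(), entries


def basename(path: str) -> str:
    """Last path component, lower-cased, so a full path and a bare name compare alike."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_entries(lines: List[str]) -> List[Tuple[str, str]]:
    """Every (key, entry) whose file name is not in the expected baseline."""
    findings = []
    for line in lines:
        parsed = parse_f2(line)
        if parsed is None:
            continue
        key, entries = parsed
        findings.extend((key, e) for e in entries if basename(e) not in EXPECTED[key])
    return findings


# Constructed sample: the two lines quoted in this thread, a clean UserInit line,
# and an unrelated O4 line to show non-F2 entries are ignored.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\pdrik.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,ayymvbd.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for key, entry in suspicious_entries(SAMPLE_LOG):
        print(f"unexpected {key} entry: {entry}")
```

As Starbuck notes, removing the line only clears the registry value; the flagged file itself still has to be dealt with separately.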


#3 Furion

Furion
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:06:42 AM

Posted 17 September 2006 - 03:28 PM

Well, I have quite a bit of experience with HiJackThis. I know how to identify every single entry, telling whether it is something I want to keep/need to keep, if it's nasty, or if it's potentially bad (in which case I then look around at the hijackthis log uploader place, to make sure). This is why there are only these two entries -- I have all the ones I know are perfectly fine ticked as hidden. I killed off about six other lines (removing the files too, yes), and these ones persisted. As for processes, I do know how to stop them, and I had indeed tried. They automatically re-popped up on process.

Either way, I have fixed my problem by using the ewido anti-spyware/malware thing. It took a long-ass time to scan, but it indeed found it all, removed it, and I no longer have the blasted thing. Thanks for the attempt in help, though =)

Though, in closing, I did state "Either way, I can usually get rid of most malware and other such things on my own." I figured that'd show my experience; I mean, most I could get rid of. Editing/deleting registries (which this re-created and/or fixed edited entries) didn't even work for this one.



