Possible malware question (Zestyfind)
May 25, 2004 11:37 AM   Subscribe

I've got a file on my pc which won't go away. I was infested with the Zestyfind adware a couple of months ago. Ad-aware managed to get rid everything but a .dll file (the name for which I'm posting inside the thread). Each time I run adaware it deletes the file or tells me it will next time I reboot, but even after that there it is still. Until now it would load up a window with some advert on. Now it's started crashing explorer instead because of an error accessing said .dll (I've tried using other browsers and it still happens -- it must be just because I'm online). Anyone got any ideas because this is driving me up the wall.

The filename is...

msg{E7B784C0-3E1C-11D8-95E4-444553540000}0115.dll
posted by feelinglistless to Computers & Internet (11 answers total)
 
Is this Windows 9x of some kind? If so, boot to the command line and delete it from there. If it's one of the NTs, you're going to have slightly more trouble, but you might be able to come up in "Safe Mode" and delete the file. Failing that, as long as you're not running NTFS you could probably boot from a FreeDOS CD or floppy and delete the file.

If it's on NTFS, well, STBY. Don't the recent NTs -- at least NT5 and NT5.1 -- have some kind of faux command line administrative boot mode? You ought to be able to remove the file that way.

None of this, however, will necessarily fix Explorer crashes, but it's worth a shot.
posted by majick at 11:49 AM on May 25, 2004


Try other spyware cleaners, like spybot. No one spyware catcher is 100% effective, you need a double or triple dose to clean everything out.
posted by signal at 11:57 AM on May 25, 2004


this is a test post because MeFi is acting funny....
posted by badstone at 12:06 PM on May 25, 2004


A while back on AskMe, someone turned me on to Process Explorer, a much, much better version of Windows Task Manager. You might be able to use it to help solve your problem. It will allow you to search for a dll, and when you do so, it also tells you the executable that is using the dll. Knowing what that executable is might help you track down the root of your problem.
posted by badstone at 12:09 PM on May 25, 2004


Try this, this and maybe even this, too.
(shame on you, badstone, take it to MeTa)
posted by signal at 12:11 PM on May 25, 2004


Once you find the executable that's calling the dll, you then ought to be able to go into the registry, per jfuller's comment in this thread and see if it is an app that is launched at startup.
posted by badstone at 12:13 PM on May 25, 2004


(the problem was specific to posting here, signal. relax, it's not like there are thousands of users viewing this thread and being tortured by my comment)
posted by badstone at 12:15 PM on May 25, 2004


Thanks for the help -- and I'll be able to try it when I work out why I'm now suddenly getting the following error instead when I go online ...

RUNDLL32 caused an invalid page fault in
module NNSWAN16.DLL at 0177:10016e94.
Registers:
EAX=00000000 CS=0177 EIP=10016e94 EFLGS=00010213
EBX=0000000c SS=017f ESP=016ada5c EBP=016ada68
ECX=00000008 DS=017f ESI=014a7ffc FS=21b7
EDX=7efefeff ES=017f EDI=014a8000 GS=0000
Bytes at CS:EIP:
f2 ae f7 d9 03 cb 8b fe 8b 75 0c f3 a6 8a 46 ff
Stack dump:
000000c8 10035d38 016aec9c 016ae85c 1000c61b 014a7ffc 10035d38 0000000c 10035d38 00000000 00000000 016aec9c 02020101 536e6957 206b636f 00302e32

(when I start up my machine I get a window saying I'm not online -- are they connected?)
posted by feelinglistless at 1:06 PM on May 25, 2004


Rundll32 is used to launch other processes. Possibly whatever processes are in NNSWAN16.DLL.

Get a pal to burn you a copy of Bart PE, which is a preinstalled environment of Winders, or Knoppix, which is a port of Linux. Both are cd-bootable. Boot from the cd, and you can see the NTFS files. and delete the bad nasty one.

bad, badstone. no cookie.
posted by theora55 at 6:07 PM on May 25, 2004


Thanks everyone. I'll be able to try it all out when my real life cold disappears...
posted by feelinglistless at 10:05 AM on May 26, 2004


Me again. Just a follow up -- I've just been able to post the following to my weblog. Thanks again everyone...

"On the upside, I've finally sorted out my computer problems after an oblique reference in a page linked from this thread at Ask Metafilter. I had been infected by the Look2Me adware which kept hijacking my browser, sucked up cpu and slowed my processor. Kill2Me seems to have done the trick. I'm touching wood as I type this."
posted by feelinglistless at 2:14 PM on May 31, 2004


« Older Saving Streaming Music   |   Help me fine one-step DVD copying software Newer »
This thread is closed to new comments.