GoH1aW5G.exe (19)

1 Name: 4n0n4ym0u5 h4xx0r : 2008-09-10 22:03 ID:6s7fYHgW

Can somebody please tell me how to get rid of this irritating piece of spyware? It's been bothering me for days now, and constantly pops up ads; also, it doesn't seem to show up in Ad-Aware.

It's located in my C:/Windows folder, but if I delete it (after shutting down the process), it shows up again later on when it decides to boot again. Any help would be greatly appreciated.

2 Name: 4n0n4ym0u5 h4xx0r : 2008-09-10 23:13 ID:CU3qPZb6

>Ad-Aware.

That fucking software!

3 Name: 4n0n4ym0u5 h4xx0r : 2008-09-11 02:15 ID:6s7fYHgW

>That fucking software!

What about it?

4 Name: 4n0n4ym0u5 h4xx0r : 2008-09-11 06:49 ID:Heaven

>>1
delete everything off your hard drive and reinstall.

5 Name: 4n0n4ym0u5 h4xx0r : 2008-09-11 19:37 ID:Heaven

OP here. I was able to get rid of the pesky file once and for all by deleting both the file itself and a related file. I should have thought of this earlier tbh

Thanks a lot to >>4 for trying to help, though.

6 Name: 4n0n4ym0u5 h4xx0r : 2008-09-11 21:24 ID:Heaven

For what it's worth, "HijackThis!" is pretty useful for these situations. :3

7 Name: 4n0n4ym0u5 h4xx0r : 2008-09-14 09:19 ID:Heaven

Reinstall and quit running everything with admin privileges. Get a good antivirus program as well. That or you could just keep running your compromised operating system like nothing ever happened.

8 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 00:12 ID:Heaven

>>7

>you could just keep running your compromised operating system like nothing ever happened.

Probably this, because my PC's old as fuck and starting to go to shit anyway.

9 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 12:29 ID:jfC7HuvH

You need to find out how it keeps reloading itself. Search for it in the registry (run\regedit). It's usually something like local_user\software\microsoft\windows\run or runonce or runservices. Delete any references to it there.

There's also one called AppInit_DLLs which is the most evil thing Microsoft ever did to its own software. Just search for it in the registry and delete anything suspicious (there really shouldn't be anything there).

Now tell us: Did you see anything suspicious in these areas? Tell us what you did see even if you don't think it's suspicious. Remember, real men don't use antivirus software. Ever. Antivirus software = worse than crying.

10 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 16:00 ID:6s7fYHgW

>>9
OP here.

I looked in the Run, RunOnce, RunServices, and RunServicesOnce keys, and found this: RunServices and RunServicesOnce are empty, RunOnce has a string named FFTI, and Run has lots of strings, but they're all for programs I recognize (e.g. Google, BitComet, Vidalia, etc).

11 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 16:14 ID:6s7fYHgW

>>10
For the record, no, I do not use BitComet anymore (and haven't for a while now). I use uTorrent.

12 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 21:26 ID:D23ZhjI1

FFTI is likely legit. You use Skype, yes? If not, write down what it says in case you need it and then delete it.

Did you check appinits? Also what version of Windows are you using exactly?

Is the symptom that you kill the process, delete program, restart the computer, and it's there again?

Check all instances in the registry (local_machine, etc.) where there's a software/microsoft/windows/run* for a reference to this program. Check to make sure it's not something really stupid like the startup section on the start menu.

All popups are IE, right? Did you check to make sure that you don't have any IE add-ons that might be causing it?

13 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 21:37 ID:D23ZhjI1

>>12 here

You really need to check appinit_dlls. This is important. There may be a gibberish.dll to match your gibberish.exe. This may be how it's respawning.
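The autostart locations that >>9, >>12 and >>13 tell the OP to inspect by hand (the Run/RunOnce/RunServices* keys under both hives, AppInit_DLLs, and the Start Menu Startup folders) can be enumerated in one pass. The script below is an added example and is not from this thread; it is read-only (it lists and hashes, it deletes nothing) and assumes Windows PowerShell 4 or later, since it uses Get-FileHash. The SHA-256 of each referenced image is printed so an unfamiliar entry can be compared against the online scanners mentioned later in the thread without uploading anything you have not looked at first.

```powershell
# Added example, not from the thread. Enumerates common autostart locations
# and hashes the executables they point at. Read-only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

# AppInit_DLLs lives under the "Windows NT" key; the WOW6432Node copy only
# exists on 64-bit systems.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

# Pull the image path out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent    or    C:\Windows\something.exe
function Get-ImagePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')      { return $Matches[1] }
    return $null
}

# SHA-256 of the file if it exists on disk; AppInit entries may be bare
# names resolved via the DLL search path, so "not found" is not proof of absence.
function Get-FileHashOrNote([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
    return '<file not found at that path>'
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd   = [string]$item.GetValue($name)
        $image = Get-ImagePath $cmd
        [pscustomobject]@{
            Location = $key
            Name     = $name
            Command  = $cmd
            SHA256   = Get-FileHashOrNote $image
        }
    }
}

# Per-user and all-users Startup folders (the "really stupid" case from >>12).
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$entries += foreach ($folder in $startupFolders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
        [pscustomobject]@{
            Location = $folder
            Name     = $f.Name
            Command  = $f.FullName
            SHA256   = Get-FileHashOrNote $f.FullName
        }
    }
}

$entries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap

# AppInit_DLLs: on a clean machine this value is empty. LoadAppInit_DLLs
# (Vista and later) controls whether the list is honoured at all.
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $v    = Get-ItemProperty -Path $key
    $dlls = [string]$v.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($dlls)) {
        "$key : AppInit_DLLs is empty (expected)"
        continue
    }
    "$key : AppInit_DLLs = '$dlls'  LoadAppInit_DLLs = $($v.LoadAppInit_DLLs)"
    foreach ($d in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        "    $d  SHA256: $(Get-FileHashOrNote $d)"
    }
}
```

Run it from an elevated prompt so the HKLM keys and the all-users Startup folder are readable. Anything under AppInit_DLLs, and any Run entry whose name or path you cannot account for, is what the thread is asking the OP to report; the hash is what you would paste into the scanners listed in >>14.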

14 Name: 4n0n4ym0u5 h4xx0r : 2008-09-16 22:29 ID:Heaven

Malwarebytes' Anti-Malware
Spybot Search & Destroy
HijackThis

If none of the above report anything, your operating system is no longer under your control and it needs to be wiped. You're probably part of a botnet as well.

If you can find the actual file, scan it to see what it is:
http://virusscan.jotti.org/
http://www.virustotal.com/

15 Name: 4n0n4ym0u5 h4xx0r : 2008-09-17 06:44 ID:Heaven

>>14 Garbage. Everything can be saved. Also, read the thread.

16 Name: 4n0n4ym0u5 h4xx0r : 2008-09-17 10:36 ID:Heaven

>>15
yes, it can be saved by overwriting it with a clean copy of Windows.

just like on Unix/Linux/whatever, if someone gains full control of the system, you should start over from scratch, because any executable on the system could potentially let the bad guys back in.

17 Name: 4n0n4ym0u5 h4xx0r : 2008-09-17 11:29 ID:Heaven

>>16 Whatever.

This is probably like the most recent one I came across. It's especially evil. It loads itself as part of explorer using appinit_dlls. You can't delete the DLL because it's always in use (no, always, even in command line use; you can't delete it using an alternate operating system because Linux sucks when dealing with NTFS). Its main purpose in life is to continually rewrite itself into the registry, so you can't just delete the reference and restart. In order to get rid of it, you have to make a looping batch file that tries to delete it (it won't, but wait). Run the batch file, kill all processes except it, shut down Windows... in the dying gasps of shutdown, the DLL will briefly not be in use and will be deleted thanks to the batch file. Clean up any remaining references to the DLL and any executables it may have spawned.

18 Name: 4n0n4ym0u5 h4xx0r : 2008-09-17 15:08 ID:Heaven

>>15
With a kernel-mode rootkit, all bets are off.

19 Name: 4n0n4ym0u5 h4xx0r : 2008-09-17 19:52 ID:Heaven

Eh... he hasn't posted in a while, so no telling. Probably messed up his system trying to fix it.
