Emergency: .DLL Spyware Assault


Stealth Hunter
01-21-08, 04:35 AM
This .DLL extension launched a HUGE assault on Internet websites on January 17th, friends. It's called The EgodKTF, and it's a dangerous little bugger. Not much more is known about it than the fact that it modifies your Internet toolbar. To add to that, the dangerous part comes from the fact that it opens your computer immediately to viruses (as in it disables your firewall and any currently running anti-virus utilities).

The good news is it's not too hard to remove. Just search your C:/ folder (all files and hidden folders) for the term: egod. The .DLL, if you're infected, should appear. Delete it, reboot, and it's completely gone. Your system is clean. I noticed that I had it on my system a few minutes ago and finally got rid of it (2 viruses detected on my PC, too; got them off with AVG).

On a side note, no known pattern of how it strikes (i.e. porn websites, P2P sites, etc.) has been acknowledged. Note however that it does cause a yellow strip to appear at the top of your website page with something about "Spyware Detected!" (rather long note). It's completely bogus. Ignore it. If you are infected, you WILL have this bar appear.

EDIT:

I've got more word and information on the .DLL file.

It seems that it is predominantly spread through porn sites and/or pop-ups, although there are some exceptions in the case of P2P programs (and before you start wondering, mine was an exception; probably came from the music I downloaded off of LimeWire). It is currently being classified as a Spyware Trojan, and it seems that NO anti-virus/anti-spyware programs are going to spot it with real-time protection turned on (I had mine off; DAMN YOU, AVG!). The main way to remove this crap from your PC is to use a program known as SmitFraud (see my post, Post #9, for the link to the web thread that contains instructions and a download link).

Unfortunately, it seems that SmitFraud does not remove the yellow bar that appears when Internet Explorer is opened (at the top of a web page; it reads: "Warning: possible spyware or adware infection! Click here to scan your computer for spyware and adware..."). Once again, DO NOT CLICK THE "CLICK HERE" LINK. It seems that some of the infection is spread through that link. There is a way to remove the yellow bar, but I'm not sure if you want it or not (Google the text on the yellow bar and you should find a web page on the first page of search results that will contain info on how to remove it).

Also, please ignore any web pages that might appear with warnings concerning security on your system (you might have one appear that displays a list of errors; if it is a web page, ignore it). You will also be receiving desktop warnings (Windows Security Alerts), but you must always cancel these. They'll appear every 4 or 7 minutes. Please also note that this Trojan disables your Task Manager. To re-enable it:

1. Click "Start"
2. Click "Run"
3. Type in "gpedit.msc" [without the quotation marks]
4. Click "Administrative Templates" [the + button]
5. Click the + on "System"
6. Click "Ctrl+Alt+Del Options"
7. Click the "Remove Task Manager" label and change it to "Disabled"

I'm still doing research into this bitchy thing, and I'll see what else I can find out on it.

EDIT: Found this for you guys:

The filename EGODKTF.DLL was first seen on Jan 17 2008 in the UNITED KINGDOM. It has also been seen in the following geographical regions of the Prevx community:

- The UNITED STATES on Jan 17 2008
- CANADA on Jan 20 2008
- BELGIUM on Jan 20 2008
- GERMANY on Jan 17 2008

The filename EGODKTF.DLL refers to many versions of a dynamic link library. The most common file size is 200,704 bytes, but the following file sizes have also been seen:

- 172,032 bytes
- 176,128 bytes

The unsafe files using this name are associated with the malware group Downloader.Zlob.SE. These files have no vendor, product or version information specified in the file header.

EGODKTF.DLL has been seen to perform the following behavior(s):

- Creates a Toolbar Extension for Internet Explorer
- Enables an In Process Object/Server - Common with DLL Injections
- Registers a Dynamic Link Library (DLL) File

EGODKTF.DLL has been the subject of the following behavior(s):

- Enabled as an In Process Object/Server - Common with DLL Injections
- Registered as a Dynamic Link Library (DLL) File
- Deleted as a process from disk
- Created as a process on disk
- Registered as a Dynamic Link Library File
- Executed as a Process
- Created as a Toolbar Extension for Internet Explorer

EGODKTF.DLL can also use the following file names:

- 49039432.DLL
- 06419857.DLL
- 28964308.DLL
- 00028742.DLL
- 45607811.DLL

ACHTUNG!

I believe I have finally found a way to defeat this irritating little bastard. You will need a tool known as "Unlocker" to do this. Search your C:/ folder for the following things:

-"dopfwrllwr" (should come up as a .DLL file) [Downloader.Zlob.SN]
-"bxsnvqt" (also a .DLL) [Generic.Malware]
-"fknxwqf" (also a .DLL) [Generic.Malware]

These files are protected with an "Access Denied" message. Use the Unlocker tool to open them. Click the "Unlock All" tab on the tool and then hit the delete key over the files. Remove them from your Recycle Bin, and that MIGHT cure the problem. Note that users in the United Kingdom are at the highest risk at the moment (due to the fact that the thing was first spotted there). I don't know if this will defeat the thing for good or if it will fail, but it's worth a shot. The messages and pop-ups might appear again, but so far, I've not had a problem.

BIG THANKS TO PREVX CSI TOOL WHICH HELPED ME LOCATE THE FILES AND ELABORATED IN GREAT DETAIL AS TO THEIR IDENTITY.
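An added example, not part of the original thread or of the Prevx report quoted above: a PowerShell hunt script that checks a Windows machine for the indicators the post lists (the file names and sizes from the Prevx text, the random-looking DLL stems from the later edit, and Internet Explorer toolbar or Browser Helper Object registrations whose in-process server resolves to one of those DLLs), then reports whether Task Manager has been disabled by policy and can optionally clear that lockout. The search roots (Windows, System32, Program Files) and the DisableTaskMgr registry value are assumptions not stated on the page; DisableTaskMgr is the value the gpedit "Remove Task Manager" setting writes, so clearing it is the scripted equivalent of the seven gpedit steps above. The script only reports; the one write it performs is behind the -ReenableTaskManager switch. Review every hit before deleting anything, and do the deletion from Safe Mode as later posts in the thread advise.

```powershell
# Added example (not from the thread or Prevx). Run from an elevated prompt.
param(
    # Assumed search roots; not stated on the page.
    [string[]]$Roots = @($env:SystemRoot, "$env:SystemRoot\System32", $env:ProgramFiles),
    [switch]$ReenableTaskManager
)

# Indicators quoted from the Prevx text in the post.
$KnownNames = @('EGODKTF.DLL', '49039432.DLL', '06419857.DLL',
                '28964308.DLL', '00028742.DLL', '45607811.DLL')
$KnownSizes = @(200704, 172032, 176128)
# Random-looking name stems from the later edit of the post.
$KnownStems = @('EGOD', 'DOPFWRLLWR', 'BXSNVQT', 'FKNXWQF')
# Value written by the gpedit "Remove Task Manager" policy (assumed here).
$PolicyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

function Test-SuspectName([string]$Name) {
    $upper = $Name.ToUpper()
    if ($KnownNames -contains $upper) { return $true }
    foreach ($stem in $KnownStems) { if ($upper.Contains($stem)) { return $true } }
    # Eight random digits is the alternate naming pattern Prevx listed.
    return ($upper -match '^\d{8}\.DLL$')
}

function Find-SuspectDll {
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.dll -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                # Name match, or a known size with the empty version resource Prevx described.
                $vi = $_.VersionInfo
                (Test-SuspectName $_.Name) -or
                (($KnownSizes -contains $_.Length) -and -not $vi.CompanyName -and
                 -not $vi.ProductName -and -not $vi.FileVersion)
            } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-IeExtension {
    # Toolbars are stored as value names, BHOs as subkeys; both are CLSIDs.
    $sources = @(
        @{ Kind = 'Toolbar'; Path = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' },
        @{ Kind = 'BHO';     Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects' }
    )
    foreach ($src in $sources) {
        if (-not (Test-Path $src.Path)) { continue }
        if ($src.Kind -eq 'Toolbar') {
            $clsids = (Get-ItemProperty -Path $src.Path).PSObject.Properties.Name |
                      Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        } else {
            $clsids = (Get-ChildItem -Path $src.Path).PSChildName
        }
        foreach ($clsid in $clsids) {
            # Resolve the CLSID to the DLL that gets loaded in-process.
            $dll = $null
            foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
                $ip = Join-Path $hive "$clsid\InprocServer32"
                if (Test-Path $ip) { $dll = (Get-ItemProperty -Path $ip).'(default)'; break }
            }
            [pscustomobject]@{
                Kind    = $src.Kind
                CLSID   = $clsid
                Dll     = $dll
                Suspect = [bool]($dll -and (Test-SuspectName ([IO.Path]::GetFileName($dll))))
            }
        }
    }
}

function Get-TaskManagerLockout {
    if (-not (Test-Path $PolicyKey)) { return $false }
    $v = (Get-ItemProperty -Path $PolicyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    return ($v -eq 1)
}

function Restore-TaskManager {
    # Same effect as setting "Remove Task Manager" to Disabled in gpedit.msc.
    Set-ItemProperty -Path $PolicyKey -Name DisableTaskMgr -Value 0 -Type DWord
}

Write-Host '== Suspect DLLs on disk (review before deleting) =='
Find-SuspectDll | Format-Table -AutoSize
Write-Host '== Internet Explorer toolbars and BHOs =='
Get-IeExtension | Format-Table -AutoSize
if (Get-TaskManagerLockout) {
    Write-Host 'Task Manager is disabled by policy (DisableTaskMgr = 1).'
    if ($ReenableTaskManager) { Restore-TaskManager; Write-Host 'DisableTaskMgr cleared.' }
}
```

The registry pass is the useful half: a DLL renamed to eight random digits still has to be reachable through a CLSID under the Toolbar or Browser Helper Objects keys for Internet Explorer to load it, so an entry whose InprocServer32 points at a file with no vendor information in a system directory deserves a look even when the file name matches none of the stems above.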

Kapitan_Phillips
01-21-08, 08:19 AM
Thanks for the heads up :up:

Even though I haven't gotten that yellow bar yet, I'm going to have a search anyway, just in case.

Jimbuna
01-21-08, 08:34 AM
Hope it's not able to get past the better anti virus programmes such as Nod and Kasp etc.
Don't get me wrong, I also have a system using AVG, which seldom causes a problem.

Thanks for the warning SH :up:

Dowly
01-21-08, 08:42 AM
No worries, I have Bean Raider covering my AV issues. :smug:

http://www.pozehaioase.ro/albums/personalitati/funny_pictures_beanraider.jpg

Stealth Hunter
01-21-08, 10:25 AM
MAJOR PROBLEMS! I NEED HELP RIGHT NOW!

Task Manager has been disabled by the "System Administrator", the yellow bar is back, a bunch of bogus Windows Security Alerts pop up, several internet icons linking to protection magically appeared on my desktop, and I'm at the end of my rope.

I'm POSITIVE someone has gotten into my system and is still currently on it. I need help RIGHT NOW, PEOPLE. RIGHT NOW, GODDAMMIT!

Dowly
01-21-08, 10:35 AM
I had a similar virus a few months back that restricted my access to any system management options. The whole Control Panel was missing from the Start menu. I couldn't find it with Avast, AVG, Search & Destroy or Ad-Aware, so I had to format and do a clean reinstall. Hope it doesn't go to that on your end. :nope:

elite_hunter_sh3
01-21-08, 10:41 AM
boot into safe mode, and run ad-aware and AVG. should clean it all up

lesrae
01-21-08, 10:43 AM
There are doubtless many ways to sort it, I'd probably follow the info at www.majorgeeks.com (http://www.majorgeeks.com) - they are pretty good.

http://forums.majorgeeks.com/showthread.php?t=35407 (http://forums.majorgeeks.com/showthread.php?t=35407)

Stealth Hunter
01-21-08, 10:55 AM
Think I nabbed it. There's this cool program called SmitFraud that I used. Here's a link to the site that hosts instructions and a download mirror:

http://www.bleepingcomputer.com/forums/topic17258.html (http://www.bleepingcomputer.com/forums/topic17258.html)

Still have that yellow bar popping up, though. Doesn't seem to be anything else, just the damned bar... Aw well. I can live with it. However, I'm going to be calling out AVG, CA, Avast, and Spyware Doctor to at least attempt to clean up whatever MIGHT be left (in the very slim chance that anything actually survived the SmitFraud run).

Stealth Hunter
01-21-08, 11:10 AM
boot into safe mode, and run ad-aware and AVG. should clean it all up

If the irritating little bastard decides to start up again, that's what I'll be doing.

The Munster
01-21-08, 11:14 AM
No worries, I have Bean Raider covering my AV issues. :smug:

http://www.pozehaioase.ro/albums/personalitati/funny_pictures_beanraider.jpg

Wow, Bean Raider, where can I get me one of them ? :hmm:

Stealth Hunter
01-21-08, 11:17 AM
Lol, I've just envisioned his head on the Terminator's body!:rotfl:

The Munster
01-21-08, 11:35 AM
his .. you mean it's a man ! Jeez, must have eye-strain from looking for Convoys on the Bridge in the middle of the night
:rotfl:

Stealth Hunter
01-21-08, 11:38 AM
It could be a man, it could be the ugliest woman we've ever seen, and it could be a beaver. Quite frankly, though, we don't know what the hell it is. This can only be said... in The Twilight Zone.

Jimbuna
01-21-08, 12:24 PM
I much prefer...............ROBOBOBBY

http://img119.imageshack.us/img119/1299/robobobbyon3.jpg (http://imageshack.us)

Stealth Hunter
01-21-08, 12:32 PM
Isn't he the bloke runnin' downtown in a lorry with the crimbo-gin-gin?

Stealth Hunter
01-21-08, 03:23 PM
Well, it came back again. The bitch is toying with me...

I swear on my Subsim account that if I find the person who makes these things, I WILL (and I'm dead serious) kill them. So help me God, I will kill them... I'm not joking around anymore. If I meet them in person, I will kill them and end this crap (for the time being, anyway). This is so fecking annoying that it's just ridiculous!

JSLTIGER
01-21-08, 03:28 PM
At this point, it sounds like it'd just be easier do a re-format and start from scratch...look on the bright side...your system will be rid of all of the junk it's accumulated over time and it'll be like having a new fast computer again!

Stealth Hunter
01-21-08, 03:38 PM
Hell no. I'm not letting this bastard win.

Jimbuna
01-21-08, 04:05 PM
Have you tried running a system scan with something a little more potent than AVG :hmm:

elite_hunter_sh3
01-21-08, 04:08 PM
Disconnect your internet, then go into safe mode and run Ad-Aware and AVG (make sure they are updated to the latest version), then reboot, then run again in normal mode (internet must still be disconnected), then reboot but go into safe mode and scan one more time. Then reboot into normal mode and you should be fine.

Stealth Hunter
01-21-08, 04:24 PM
Have you tried running a system scan with something a little more potent than AVG :hmm:

CA, Avast, Spyware Doctor, Prevx CSI, and that's about it.

EDIT:

Might I add that they were running all at the same time. No problems so far, though, after manually deleting those files. Not out of the woods yet! Keep your fingers crossed, gents!

Stealth Hunter
01-21-08, 05:34 PM
Everything seems to be alright now. Pleased to say that not one error has occurred for me in the past hour or so. Not a single pop-up or anything like that. I'll wait a few more hours, and if nothing else turns up, then I want you guys to spread the word about how to kill off this pest (all the forums you might be registered on). This thing apparently has hit quite a few people very hard. I would appreciate it if you would help me in spreading the word.

Skybird
01-21-08, 06:00 PM
When I have problems with a digital bugger that does not go away by the first run of dedicated scanners or removal tools (happened only once, several years ago), I lose all faith in following attempts and methods immediately and cannot trust any apparent positive outcome anymore. Thus I turn into Terminator mode, terminate the current installation, reformat the HD several times, switch on and off power between the runs, and then reboot with OLD safe discs (thus not affected by latest problems) and copy over an image from a separate HD (that's how I do it today), or reinstall manually (that's what I did back then). That may be considered to be overkill, but the charming thing of overkill is that its efficiency is irresistible.
You see, any backup of files you do after thinking to have removed a problem while it still is there in the hidden gives you the risk of infected backup files that will be a constant source of pleasure in the future. I do not accept that risk.

Guys, invest in a second HD that is not regularly attached to your computer, but is stored away in a hidden place, and in according software like Acronis, and make regular updates of your important files and save games once every ten days or so to USB stick or disc. Manually install your system and all your wanted software, and then make an image of it, hide it and declare it holy and untouchable. After the first infection troubles you were in you will agree that this probably is the best investment in your PC system that you ever can do. It is also nice to reinstall your system easily this way once a year, to get rid of all the unwanted ballast that has accumulated and messed up the structure of files on your HD. All you manually have to adjust is updates, and changed working files, save games, etc. The rest is time consuming, but works all by itself, no need for you to monitor the PC working.

Iceman
01-21-08, 09:27 PM
Re-Format young Jedi...and get over it.

sonar732
01-21-08, 10:07 PM
A few things to add...


Reformat
Stop going to the porn! ;)
Be wary of anything from P2P!
Use Firefox or Opera!

Stealth Hunter
01-21-08, 10:11 PM
I'm back, and no problems have been encountered (well there was one, but that's because I forgot to delete two files; otherwise, no more pop-ups).

4. Use Firefox . . .

http://www.pandapassport.com/wp-content/uploads/2007/02/hamlet-recommends-mozilla-firefox-web-browser.gif

Blacklight
01-21-08, 10:59 PM
As a computer tech who's spent YEARS dealing with computers that have been hacked into, SmitFrauded, virused, etc...
This is my list of suggestions:

1. ALWAYS use a good, reputable internet security suite including firewall and a spam/phishing mail blocker. McAfee Internet Security Suite is my favorite (Stay away from Norton this time around... between the two, McAfee has gotten the better reviews and it handles ad/spyware much better.)

2. Along with the security suite, use a spyware/adware blocker/cleaner. Spybot Search & Destroy is my favorite because it allows you to blacklist every bit of ad/spyware in its database. Be wary... some idiots out there put out spyware/adware/viruses under the guise of spyware/adware removal programs. I've even seen hacked versions of pretty much every popular ad/spyware remover that actually fill your computer with viruses and ad/spyware. If you decide to do Spybot Search & Destroy, get it from www.Download.com (http://www.Download.com).

3. If you do ANYTHING P2P, make sure you scan the file with your virus scanner before you even touch it. (Make sure your virus scanner can open and look inside of archive files... McAfee does).

4. Keep the above programs updated !!!! Check for updates once a week !!!

5. Do a FULL SCAN of ALL files in your system including archive files at least once a week. Do this with the virus scanner AND the spy/adware program.

6. If you have a wireless router, make sure you have a WEP passcode to get in. Do not leave the router open so your neighbor can hop on your connection.

7. Be wary of where you web surf . Use common sense. :yep:

Follow the above steps and you should be pretty darn safe.:up:

Onkel Neal
01-21-08, 11:13 PM
Some dweeb in Singapore owns your root files. Sounds like you've picked up FakeAlert-D
http://vil.nai.com/vil/content/v_140346.htm (http://vil.nai.com/vil/content/v_140346.htm)



Why not simply do a System Restore back a week? Start/Programs/Accessories/System Tools/System Restore. Pick a restore point a couple of days before your known infection date, and restore. Done.

jumpy
01-22-08, 02:33 AM
^^
only one issue with a system restore I encountered a while back: some viruses store themselves in the system restore area which is off limits to your virus scanner. So whilst you get it off your hd with conventional means, as soon as you roll back to a previous restore point guess who's back?

It was desperately annoying until I discovered that this was what was happening. Since then I have disabled system restore on both of my active hard drives.

If you're looking for a decent AV software, have a go with NOD32. They do a month's free trial I believe and after that it's about 25 quid for a year's subscription. Well worth it in my opinion.

Jimbuna
01-22-08, 11:50 AM
^^
only one issue with a system restore I encountered a while back: some viruses store themselves in the system restore area which is off limits to your virus scanner. So whilst you get it off your hd with conventional means, as soon as you roll back to a previous restore point guess who's back?

It was desperately annoying until I discovered that this was what was happening. Since then I have disabled system restore on both of my active hard drives.

If you're looking for a decent AV software, have a go with NOD32. They do a month's free trial I believe and after that it's about 25 quid for a year's subscription. Well worth it in my opinion.

#3 :yep:

Pleased you're sorted SH :up:

Onkel Neal
01-22-08, 11:53 AM
^^
only one issue with a system restore I encountered a while back: some viruses store themselves in the system restore area which is off limits to your virus scanner. So whilst you get it off your hd with conventional means, as soon as you roll back to a previous restore point guess who's back?

It was desperately annoying until I discovered that this was what was happening. Since then I have disabled system restore on both of my active hard drives.

If you're looking for a decent AV software, have a go with NOD32. They do a month's free trial I believe and after that it's about 25 quid for a year's subscription. Well worth it in my opinion.

Yes, but you can go into your Control Panel/System/System Restore and check "Turn off System Restore for all drives"; then reboot and turn it back on. That will clear out all old restore points.

Stealth Hunter
01-29-08, 07:23 PM
Well, I've had not one problem since the event, one week ago today. I'm 99% sure now that it's entirely gone. I'll just need to remember to enable my firewall settings at a bit of a higher level next time (and possibly turn on real-time protection on AVG, too).