Archive - Topics from long ago

pop.rfwnad.com

14-10-2003, 21:47 by Anoniem, 81 replies
Hello everyone, I have a problem with pop.rfwnad.com: my computer has been acting weird for 2 days when surfing. If anyone knows what it is, please mail me at ivoblom@gmx.net
Replies (81)
15-10-2003, 05:48 by Anoniem
The system admin is still busy with his course "I've thrown something together, but how do I actually get my site online":

This is the placeholder for domain www.rfwnad.com. If you see this page after uploading site content you probably have not replaced the index.html file.

This page has been automatically generated by Plesk
15-10-2003, 13:41 by [Account Deleted]
[Deleted]
16-10-2003, 09:45 by Anoniem
Exactly, that kind of question goes straight to /dev/null. "It doesn't work", "acts weird", "acts strange", "does nothing" all belong somewhere else and not on security.nl

Does anyone here know how to read Russian?
16-10-2003, 12:15 by Anoniem
In case somebody has this problem: you must look for the file ddmp.dll and note its location, unregister the DLL with regsvr32 path+ddmp.dll/or, and delete the file or the whole folder.

in win98 located in
c:\program files\ddm

the ddmp.dll is hidden

delete files and locate in registry to remove data or unregister in windows nt
16-10-2003, 12:21 by Anoniem
remove

HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}

or in regedit search for ddmp.dll

and remove class ID
16-10-2003, 12:24 by Anoniem
also remove this

HKEY_CLASSES_ROOT\TypeLib\{B4525F3B-718D-49F1-833D-A9974F67AB97}

or search all instances of ddmp.dll and remove
17-10-2003, 09:32 by Anoniem
Hi there

I just found I've been infected by this, thanks for the solution, it works.

But I still don't know how it could get into my computer; my PC has Symantec NAV Corp Ed 7.61 installed and our company has CP FW1, so nothing should come in.

Can anybody help by providing more info ...

Thanks
17-10-2003, 09:37 by Anoniem
i think this is a new spybot/trojan not yet known to the antivirus/spybot world. i will report it now. i am the one who placed the solution here thanks

Joseph
Admin
Worldwideweb Hosting Networks
http://www.wwwhosting.net

17-10-2003, 10:33 by Anoniem
I've got the same problem.
I'm French, I don't understand all the messages you wrote so I don't know what kind of problem you have with this spy.

On my PC, I can't reach some web sites, because I'm automatically redirected to the address:
http://pop.rfwnad.com
and
http://fastcounter.bcentral.com
I try to reach these web sites, but it doesn't work ;-(

Other problem: I can't use the "windowsupdate" website, with my Windows XP system.
I clean my PC and delete all spy or trojans I find with Ad-aware or Ghostsurf; now, Internet Explorer works well, except the Windowsupdate website ??

Is it a new protection made by Microsoft, and used against illegal copies of Windows ???

If you have any information ...

Thanks

Laurent C.
lc@sfr.net
17-10-2003, 11:00 by Anoniem
For two days now, when using Internet Explorer 6 (with the latest updates) on a Windows XP Professional system, whenever I try to open any website it does not look on the right domain, but looks for the correct address on the domain "pop.rfwnad.com". EVERY page is therefore looked up there, with the result that I can hardly open any page anymore (sometimes this doesn't happen). In addition, the system reports run-time error 13 when I simply want to open "My Computer"; I then click OK and everything works flawlessly.
Is this a known problem for anyone?!
Who can help me?

I don't know whether this complaint belongs here, but this is the only forum where anything can be found about "rfwnad". Where does this actually come from?

Regards, Freestyler
18-10-2003, 10:12 by Anoniem
Same problem here. Found a spyware infection (just try scanning with Ad-aware), but that was to be expected....

Winpup32 Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\pup

Yesterday I removed msbb.exe via Ad-aware; this is spyware that forwards your internet behaviour to whoever infected your computer (because that's what it is), and this looks a lot like it...
18-10-2003, 10:25 by Anoniem
18-10-2003, 15:22 by Anoniem
for days now my internet explorer hasn't been working correctly, leaving pages blank when i went to sites, noticed the pop.rfwnad.com redirecting the pages. searched the pc, went through my registry, used adware and i also have norton. none of these showed it up or deleted it. i think i've finally been able to delete any traces, but it still won't let me delete the directory and the file o, says access denied. even though i have deleted all traces of them in the registry.

what i want to know is how come no one knows about this, and where did it come from, how would i have got it from. i'm from ireland and when i went to get help for this problem. this was the only site on the web with reference to it. have the computer companies and anti software companies fallen asleep......how do i know that it'll not happen again. if anyone knows where this came from i'd love to know. thanks maureen
contact flojomo@yahoo.co.uk
18-10-2003, 16:03 by Anoniem
I too have this annoying pest. Is there any way to get rid of it? It seems to be taking up system resources or locked or something, and I'm also getting constant pop.rfwnad.com interruptions... I think some bastard is trying to screw up random people's computers...

As a music producer with a lot of important files on my computer I have to say I've been kind of scared that this will spell yet another costly reformatting and upgrading phase. I may have to enter into rehab for internet use, because it seems that no matter how many times the internet screws up my computer, I'm always back for more ;)

Anyways, hope someone has an answer...

Erik, from Canada
18-10-2003, 19:05 by Anoniem
Also need to remove nem214.dll references created at the same time as ddmp.dll

Cerials.NET have been working on this logger for a while now and I think this version only half works
18-10-2003, 19:52 by Anoniem
Originally posted by Unregistered


what i want to know is how come no one knows about this, and where did it come from, how would i have got it from.

i managed to "save" my com with the instructions given above.. phew and thanks to the guy who posted it

so anyway, where did we get it from...
i just got it today and i only did two things on my computer today:

1] download "White Flag" by Dido from Kazaa lite but the files were ALL corrupted...

2] download a crack

so i kinda figured it has to be either one of those...
19-10-2003, 01:17 by Anoniem
My IE just started having problems as well. I had just downloaded Kazaa lite, and also had gone to look for a crack. What a coincidence. Anyway, I found all the files and deleted them, except I can't seem to get rid of ddmp.dll. I only speak English and am only semi-comp savvy, so if someone could explain to me how to get rid of this thing, I'd much appreciate it.

Thanks.
19-10-2003, 08:51 by Anoniem
go to START > RUN > type : REGEDIT > OK

then search for these files and delete...

HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}

HKEY_CLASSES_ROOT\TypeLib\{B4525F3B-718D-49F1-833D-A9974F67AB97}


then reboot and remove the folder in C:\Program Files/dmp

that will solve it ;)
19-10-2003, 21:49 by Anoniem
reboot - install linux - problem solved [and not the only problem]
20-10-2003, 00:36 by Anoniem
Today (19.10) AdAware included this into their database and fixes it automatically.

braindancer
20-10-2003, 03:13 by Anoniem
Just wonder WHY the big AV companies still did not have any information of this in their patterns update nor libraries !!
20-10-2003, 23:39 by Anoniem
TY for telling us about Ad-Aware's update today...my pc was suffering and i thought it was the first time ad-aware was going to let me down
21-10-2003, 04:55 by Anoniem
Hello, I was having the same problem here in Canada. My brother downloaded a crack and since then IExplorer was giving the message '(x) page can't be loaded. Operation aborted.' for most pages making it useless. Netscape worked fine.

I found the ddmp.dll file in ProgramFiles\ddm on Win2000nt but couldn't delete it until I had deleted pup from the SOFTWARE registry with regedit. I found out the ddm stands for Dynamic Desktop Media. If you go to their website they have an uninstaller help link at top of page. This is what the popup from pop.rfwnad.com was but I didn't want to run it because at the time I didn't know if it could be trusted.

Explorer seems to be working fine now. Thanks to the guys who posted the info.
21-10-2003, 07:31 by Anoniem
I wrote the last post and the Internet is almost working fine. ddb.dll is gone, but pup is still in registry. I can't get rid of it. Now, the Internet keeps losing connection and whenever it does, pup shows up in Task Manager.

Can anyone tell me what pup is or where it comes from and how to get rid of it?
21-10-2003, 08:19 by Anoniem
look for this file in your computer

winpup.exe

it's part of the trojan ddm located in the

c:\program files\ddm

this is no dynamic desktop media but a hoax

Joseph
21-10-2003, 08:22 by Anoniem
pls note this is not ncase this is a new trojan.

i tried writing to the abuse of the registrar, host, domain registration provider, but with false/no action

maybe if you can write them also they will be forced to shut down the domain/hosting of this trojan

<admin@ev1.net>, <abuse@ev1.net>,abuse@domainsbyproxy.com
<abuse@godaddy.com>, <RFWNAD.COM@DOMAINSBYPROXY.COM>

im still coordinating with them but if you have time pls email them also so they see many people are affected. i have the archive of all the ddm files and tried to submit it to the antivirus sites but their script is in error

Joseph
21-10-2003, 08:23 by Anoniem
pls note that you cannot delete the ddmp.dll while it is running you have to shutdown to MS DOS Prompt then delete it while in the dos prompt and then reboot

Joseph
21-10-2003, 08:29 by Anoniem
i just checked, the url http://pop.rfwnad.com/
my call for action has been granted. they now have an uninstall executable on the site. just download it and everything should be gone now

Joseph
21-10-2003, 14:40 by Anoniem
Originally posted by Unregistered

2] download a crack

I downloaded a crack a few days ago and have been having the same problems ever since.


Seattle, Wa - USA
21-10-2003, 21:07 by Anoniem
If it's the same problem, go to http://www.dynamicdesktopmedia.com and there's an 'uninstall help' link at the top. It works.

I tried to contact them through their website and complain but their contact link just leads to a blank page. I think they are a legitimate marketing company that made an error with their Adware that unintentionally ruins performance of IExplorer.

Jerks.
22-10-2003, 21:41 by Anoniem
Hey guys,

just a BIG THANK YOU for helping me get rid of this trojan crap. It was doing my head in!! Neither Spybot nor Pest Patrol detected the problem. And I also didn't want to execute the "unistall.exe" as I feared it would just make things worse.

Jeff

PS: I got infected by the ddm while on the Cerials.net. website
22-10-2003, 22:31 by Anoniem
LOL look at all those foreigners looking for help
24-10-2003, 02:35 by Anoniem
One of those things where I looked everywhere and tried everything to figure it out. Lo and behold all I had to do was type http://www.rfwnad.com into Yahoo and there you were. Now I can cancel my Vicodin prescription...mmm, maybe not. rfw"nad" the name fits...

Thanks again.
27-10-2003, 00:50 by Anoniem
i had the same thing, i'd definitely say it was cerials.net
30-10-2003, 04:06 by Anoniem
I've been fighting this same thing for about two weeks. I had difficulty functioning on-line long enough to try and find help.

Your fix worked perfectly, Thanks for the post.

R.Read
25-11-2003, 16:24 by Anoniem
I too had something with that ddm, Dynamic Desktop Media, because my dad
accidentally clicked 'Yes' on cracks.am. I looked on the web and I found this
topic, and I tried the things that were explained here, but they didn't work. So I
started to find out myself. And I succeeded :D
This is what I did:
1. Go to "C:\Program Files\ddm", or, if that doesn't exist, search for sysu.exe.
2. Shift+Delete the ddm folder (kill it).
3. Run regedit and locate a key called ddm.
4. Kill it.

Now your system should be clean (it is with me now).
I'm running Windows XP Pro with SP1

FF
26-11-2003, 14:15 by Anoniem
First of all, this crappy file came from, at least in my case, cracks.am

Second, Symantec has now also included that in a security response.
26-11-2003, 15:44 by Anoniem
What kind of nonsense is this?
27-11-2003, 00:33 by Anoniem
got it at cracks.am too..... one more question. now that it is gone... i followed
the great steps above... when i start up, windows says it cannot find the
sysu.exe file. how do i get it to stop looking for it?

thanks for the help.
27-11-2003, 01:58 by Anoniem
To make windows stop looking for sysu.exe: You go into start > run then type
in MSCONFIG. go under the right-most tab should be called "startup". Scroll
down the list and look for a checkbox that has no command line. it should be
the only one there. Uncheck it, press apply and reset your computer. On
restart, that message should be gone, and if a message comes up saying
you changed the system startup settings, just check the box and press OK.
Hope that helped.
27-11-2003, 02:19 by Anoniem
I'm french. Got these problems after getting a crack on http://www.cracks.am (1st
time I was looking for a cracked soft and maybe last time !!!). Thanks to all
your precious hints, I think I'm about to get rid of this hoax. At every boot my
desktop is empty and the only way to launch a program is through the tasks
window... thank U again.
Arnaud.
27-11-2003, 02:29 by Anoniem
At every boot, the desktop is empty ... UNTIL you

a) shut off the process sysu.exe
b) close the window from windows saying it can not locate sysu.exe

I am guessing that sysu.exe actually prevents the desktop from loading and
that the message from windows saying it can not locate sysu.exe simply
takes priority and must be tended to before anything else shows up in the b/g.

Let me summarize from beginning to end to remove this program... it is as
follows:

1) Ctrl+alt+delete and identify sysu.exe in the processes list.
2) Close it, and go to C:\Program Files.
3) Locate the folder ddm and delete it.
4) Click on start > run and type in regedit.
5) Under HKEY_LOCAL_MACHINE > SOFTWARE remove the folder ddm.
6) Click on start > run and type in msconfig.
7) Click on the right-most tab labeled startup.
8) Scroll down and locate an entry with no command line.
9) Uncheck the box and apply all changes.
10) Reset your computer, check the checkbox for a window that comes up
saying you changed startup settings.
11) Enjoy, and spread the word.
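An added example, not part of the original post or of any tool named in this thread: the registry checks described in the posts above, run over a text export from regedit instead of by hand. The file names, GUIDs and key names are the ones posted in the thread; the sample export, its value names and the `/quiet` argument are constructed for illustration.

```python
import re

# File names, GUIDs and key names below are the ones reported in this thread.
THREAD_FILES = {"sysu.exe", "winpup.exe", "msbb.exe", "optimize.exe",
                "37473696.exe", "ildqxrto.exe", "ddmp.dll", "nem214.dll"}
THREAD_KEYS = (
    r"hkey_classes_root\clsid\{2bc43670-c0bd-4794-bb11-f60f3e001dc5}",
    r"hkey_classes_root\typelib\{b4525f3b-718d-49f1-833d-a9974f67ab97}",
    r"hkey_local_machine\software\ddm",
    r"hkey_local_machine\software\pup",
)
RUN_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce")

KEY_RE = re.compile(r"^\[([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
FILE_RE = re.compile(r'[^\\/"\s,]+\.(?:exe|dll)', re.IGNORECASE)


def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Yield (key, None, None) per key line and (key, name, data) per string value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            yield key, None, None
            continue
        m = VALUE_RE.match(line)
        if m and key:
            data = m.group(2)
            # Only quoted string data is inspected; dword:/hex: values are skipped.
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                yield key, unescape(m.group(1) or ""), unescape(data[1:-1])


def scan(text):
    """Return (kind, key, detail) findings for entries matching the thread's indicators."""
    findings = []
    for key, name, data in parse_reg(text):
        low = key.lower()
        if name is None:
            if any(low == k or low.startswith(k + "\\") for k in THREAD_KEYS):
                findings.append(("key", key, ""))
            continue
        hits = {f.lower() for f in FILE_RE.findall(data)} & THREAD_FILES
        if hits:
            kind = "autostart" if low.endswith(RUN_SUFFIXES) else "file-reference"
            findings.append((kind, key, f"{name or '@'} = {data}"))
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NAV Agent"="C:\\PROGRA~1\\NAVNT\\vptray.exe"
"sysu"="C:\\WINDOWS\\System32\\sysu.exe"
"Updater"="\"C:\\Program Files\\ddm\\winpup.exe\" /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"fix"="C:\\WINDOWS\\System32\\37473696.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ddm]
"ver"=dword:00000001

[HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}]

[HKEY_CLASSES_ROOT\CLSID\{2BC43670-C0BD-4794-BB11-F60F3E001DC5}\InprocServer32]
@="C:\\Program Files\\ddm\\ddmp.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
'''

if __name__ == "__main__":
    for kind, key, detail in scan(SAMPLE_EXPORT):
        print(f"{kind:15} {key}  {detail}")
```

Working from an export keeps the check read-only: nothing is deleted until the listed entries have been reviewed.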
27-11-2003, 09:37 by Anoniem
thank you very much to everybody from Italy!

ciao,

Mirko
27-11-2003, 11:50 by Anoniem
I have the same! Also after visiting cracks.am (for the first time
and the last time!) Thanks for all tips and tricks i will try (and
spread) them!
27-11-2003, 13:04 by Anoniem
By Anoniem
I too had something with that ddm, Dynamic Desktop Media, because my dad
accidentally clicked 'Yes' on cracks.am. I looked on the web and I found this
topic, and I tried the things that were explained here, but they didn't work. So I
started to find out myself. And I succeeded :D
This is what I did:
1. Go to "C:\Program Files\ddm", or, if that doesn't exist, search for sysu.exe.
2. Shift+Delete the ddm folder (kill it).
3. Run regedit and locate a key called ddm.
4. Kill it.

Now your system should be clean (it is with me now).
I'm running Windows XP Pro with SP1

FF
Reaction to the preceding one.
Well, hi from Belgium. I'm running Win98. When I start Win98 all
is running well till a point that the computer stops working. When I
look at the processes running (ctrl+alt+del) I've got sysu, ddm and
runonce. I've tried to kill each of them letting the 2 others run
but sysu is still running. It's true that I've installed a crack for a
game. May I apply the same solution (if possible) on my
computer?
27-11-2003, 13:11 by Anoniem
everything sounds fine except for the fact that i found no entry with no
command line.

I don't know anymore
Nicolas
27-11-2003, 13:57 by Anoniem
Nicolas: Reset your computer and check to make sure that sysu.exe is
either still being executed by windows, or windows is still trying to locate
that file. If so, go into msconfig and try to look for an unusual entry that you
don't remember ever seeing this program startup. Else, just post the entries
you get there and we can try to help you.
27-11-2003, 16:50 by Anoniem
sysu.exe is fucked up man. Thankz to this site i can run my computer again!!
Thankz you guys!!!

Keep up the good work.

Greetz Fabian
27-11-2003, 18:28 by Anoniem
Hello everybody!!.. I've found that freaking sysu.exe in my process list. I
looked around in internet for it because I've shut it down and I found
this perfect forum. Thanks!. We should organize some kind of sect in
order to stop this annoying spyware cause they make me sick. Ad
Aware has proven to me that it's real effective eliminating all kinds of
spyware.

Jesus Rivero
Venezuela
27-11-2003, 18:37 by Anoniem
I too had Syso.exe in my process-list, after some search I found out it was this
file.....with your help I know what it is....

Thanks!
27-11-2003, 18:43 by jabesse
http://www.google.com/search?q=sysu.exe
Gee, is this really not known anywhere else?
27-11-2003, 20:49 by Anoniem
Awesome forum, thanks for all the help. Fuck cracks.am!
27-11-2003, 20:55 by Anoniem
Yup, same here, downloaded a crack from cracks.am, and got infected.
I removed everything called ddm from my registry, then i could remove the
folder ddmp in program files.

I also found a sysu.exe in my /sys32 folder btw, so look carefully.

Hope that will be all.
27-11-2003, 20:56 by Anoniem
Yup, same here, downloaded a crack from cracks.am, and got infected.
I removed everything called ddm from my registry, then i could remove the
folder ddmp in program files.

I also found a sysu.exe in my /sys32 folder btw, so look carefully.

Hope that will be all.
27-11-2003, 21:32 by Anoniem
THAnks Guys************************** got da same shit

Google helps! i found your site,
Now we are free?
Ron of Germany
27-11-2003, 21:36 by Anoniem
thanx alot 4deinfo my homemiz i got rid that damn fuck on my pc!!!
27-11-2003, 22:05 by Anoniem
I still can't get rid of that msconfig thing; the computer now starts up normally again
because I removed that, but I can't get rid of the error message at
startup, because I don't know where the startup command for sysu is
28-11-2003, 06:24 by Anoniem
I got it just today also, from a crack site. I think it came under the guise of an IE
app that IE actually asked me if I wanted to run, couldn't get the crack without
allowing it so I did. Then about an hour after that I noticed this little program
box that just said "it's time" with the title "Project 1" and an ok button. Checked
processes to see where it was coming from and found sysu.exe.

What I did was end process on sysu.exe, winpup.exe, optimize.exe, and
msbb.exe. Then went thru all the Run and RunOnce folders in my reg (under
software\microsoft\windows\current version in the hkey_current_user and
hkey_local_machine) and found a bunch of entries, think in the
Local_Machine folder, that should not have been there. I deleted the files that the
reg was pointing to and the entries themselves. Then searched for sysu.exe
and found this thread :)....Here's all the files I found to be related that were
new in my reg:
37473696.exe
ILDQXRTO.exe
optimize.exe
sysu.exe
msbb.exe
winpup.exe


I didn't however find the clsid or typlib entries in the classes_root section
mentioned earlier. Maybe the offending program didn't get that far
yet...possibly the RunOnce entry that I never let run (never rebooted till after I
deleted the reg entries)
28-11-2003, 07:25 by Anoniem
Jash i erazed this mofo!!!
i got it at cerials.com

i followed some instructions on here which helped me a lot!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


files i detected & deleted:

-sysu.exe
-winpup.exe
-37473696.exe
-ddm (folders and files)
-msbb.exe
-optimize.exe

and i did that:

1) Ctrl+alt+delete and identify sysu.exe in the processes list.
2) Close it, and go to C:\Program Files.
3) Locate the folder ddm and delete it.
4) Click on start > run and type in regedit.
5) Under HKEY_LOCAL_MACHINE > SOFTWARE remove the folder ddm.
6) Click on start > run and type in msconfig.
7) Click on the right-most tab labeled startup.
8) Scroll down and locate an entry with no command line.
9) Uncheck the box and apply all changes.
10) Reset your computer, check the checkbox for a window that comes up
saying you changed startup settings.
11) Enjoy, and spread the word.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


And i did that:


To make windows stop looking for sysu.exe: You go into start > run then type
in MSCONFIG. go under the right-most tab should be called "startup". Scroll
down the list and look for a checkbox that has no command line. it should be
the only one there. Uncheck it, press apply and reset your computer. On
restart, that message should be gone, and if a message comes up saying
you changed the system startup settings, just check the box and press OK.


hope i could help bringin it on a point!

cheers, Garry Potter ;)
28-11-2003, 15:30 by Anoniem
I got the same thing with the Sysu.exe. I think that one of the best ways might
be to back up your stuff and re-install. What a pain in the ass. I am a
networking student, I have a firewall on my router, Norton 2003 and I don't
download anything much at all. I wish I knew how I got it.

Mike
28-11-2003, 20:21 by Anoniem
My son and I (working remotely on the phone) just finished using the information here to clean up his laptop.
Our thanks to all for their contributions to this site.

Tom & Stephen
Canada
28-11-2003, 20:43 by Anoniem
I just used the program "spybot s&d" read this carefully
28-11-2003, 21:52 by Anoniem
I'm not sure how many of you've noticed, but the program winpup is able to
copy and rename itself. So look whether you have suspicious files in your
%systemroot%\windows\system32 folder, such as 37473696.exe mentioned
before. To make sure whether the file is malicious check
=> Properties
=> Version
=> Original filename
if it's a bingo, just remove it. You might also want to remove all startup entries
referring to these files with msconfig (and the endless regkeys with
references to winpup or pup).
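An added example, not part of the original post: the "Original filename" check above done in code, by reading the `OriginalFilename` string out of a file's version resource and comparing it with the name on disk. The sample bytes are constructed (not a real executable), and the assumption that a renamed copy still carries one of the thread's file names in its version resource is the poster's observation, not something verified here.

```python
import struct

# Names reported in this thread; renamed copies were seen as e.g. 37473696.exe.
THREAD_FILES = {"sysu.exe", "winpup.exe", "msbb.exe", "optimize.exe"}

# Version resource strings are stored as UTF-16LE with a terminating NUL.
KEY = "OriginalFilename\0".encode("utf-16-le")


def original_filename(blob):
    """Return the OriginalFilename string found in a file's bytes, or None."""
    pos = blob.find(KEY)
    if pos < 0:
        return None
    # A String record is a 6-byte header followed by the key. 6 + 34 = 40 bytes,
    # which is already 32-bit aligned, so the value starts right after the key.
    start = end = pos + len(KEY)
    while end + 1 < len(blob) and blob[end:end + 2] != b"\0\0":
        end += 2
    return blob[start:end].decode("utf-16-le", errors="replace") or None


def check_file(disk_name, blob):
    """Compare the on-disk name with the embedded original name."""
    orig = original_filename(blob)
    if orig is None:
        return {"disk": disk_name, "original": None, "renamed": False, "known": False}
    return {
        "disk": disk_name,
        "original": orig,
        "renamed": orig.lower() != disk_name.lower(),
        "known": orig.lower() in THREAD_FILES,
    }


def string_record(key, value):
    """Build one version-resource String record (used only for the constructed sample)."""
    k = (key + "\0").encode("utf-16-le")
    v = (value + "\0").encode("utf-16-le")
    pad = b"\0" * (-(6 + len(k)) % 4)
    rec = struct.pack("<HHH", 6 + len(k) + len(pad) + len(v), len(value) + 1, 1)
    rec += k + pad + v
    return rec + b"\0" * (-len(rec) % 4)


# Constructed sample data: a stub header plus two version strings.
SAMPLE_RENAMED = (b"MZ" + b"\0" * 62
                  + string_record("InternalName", "winpup")
                  + string_record("OriginalFilename", "winpup.exe"))
SAMPLE_PLAIN = b"MZ" + b"\0" * 62  # no version resource at all

if __name__ == "__main__":
    print(check_file("37473696.exe", SAMPLE_RENAMED))
    print(check_file("notepad.exe", SAMPLE_PLAIN))
```

A file with no version resource returns `original: None`, which proves nothing either way; the check only helps when the string is present.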
28-11-2003, 23:49 by Anoniem
By Anoniem
I too had something with that ddm, Dynamic Desktop Media, because my dad
accidentally clicked 'Yes' on cracks.am. I looked on the web and I found this
topic, and I tried the things that were explained here, but they didn't work. So I
started to find out myself. And I succeeded :D
This is what I did:
1. Go to "C:\Program Files\ddm", or, if that doesn't exist, search for sysu.exe.
2. Shift+Delete the ddm folder (kill it).
3. Run regedit and locate a key called ddm.
4. Kill it.

Now your system should be clean (it is with me now).
I'm running Windows XP Pro with SP1

FF

Tried it and it works like a charm . .thanks !
28-11-2003, 23:56 by Anoniem
shuenlo kon mayo
29-11-2003, 01:25 by Anoniem
Finally found this forum...but did the same to solve the problem...
Also Check:
http://securityresponse.symantec.com/avcenter/venc/data/adware.dynamicupdater.html

Greetings from Germany
29-11-2003, 01:50 by Anoniem
Hey,

I took your advice and it worked. My sysu.exe process prevented me from
logging on and had to end the process before I could do anything at all.
29-11-2003, 17:24 by Anoniem
By Anoniem
I too had something with that ddm, Dynamic Desktop Media, because my dad
accidentally clicked 'Yes' on cracks.am. I looked on the web and I found this
topic, and I tried the things that were explained here, but they didn't work. So I
started to find out myself. And I succeeded :D
This is what I did:
1. Go to "C:\Program Files\ddm", or, if that doesn't exist, search for sysu.exe.
2. Shift+Delete the ddm folder (kill it).
3. Run regedit and locate a key called ddm.
4. Kill it.

Now your system should be clean (it is with me now).
I'm running Windows XP Pro with SP1

FF
29-11-2003, 20:01 by Anoniem
This is indeed true. Had that problem with "sysu.exe" too and now it's solved.
Thank you for helping me out.
29-11-2003, 23:25 by Anoniem
This thing is spreading like there's no tomorrow. I got it today as well. Thanks
for all the help guys.
30-11-2003, 20:57 by Anoniem
Hmmm, too many people needing cracks and stuff like it, had the same issue,
thx!
01-12-2003, 01:44 by Anoniem
Classification: IMPORTANT. READ IMMEDIATELY.
---------------------------------------------------------------------

Please NOTE: When ddm is installed it can/may install a plugin in your
browser.

go to your IE 6 browser
Then go to > Tools Menu
Then go to > Internet Options
Then go to > Settings (clickable button)
Then go to > View Objects
Then Locate the possible installed pesty little ddm. It will have ddm in its
header. If you don't have it, consider yourself lucky! Now if you visit cracks.am
or wherever you get infected, you won't get immediately infected again! it will
ask if you want to download some program, just keep clicking the [x] until it
goes away, it will after about 3 tries. then you can get whatever you need from
the site(s). if needed, please someone translate this to proper language.
Thank you
-odM
01-12-2003, 18:17 by Anoniem
I had a similar problem with sysu.exe Although in my case I could not end the
process. Kill it and a new occurrence would appear. I killed it at least 30 times
then just got frustrated. Maybe this was a newer version. I had to boot the
computer into safe mode (F8 Key) and manually delete occurrences of
sysu.exe as well as the ddm folder. After rebooting again, Adaware and Spybot
S&D found and successfully removed the rest of the entries. Hope this helps
someone out.
Cheers
01-12-2003, 22:14 by Anoniem
THANK YOU ALL VERY MUCH FOR HELPING SOLVE THIS PROBLEM!
01-12-2003, 22:38 by Anoniem
By Anoniem
I got it just today also, from a crack site. I think it came under the guise of an IE
app that IE actually asked me if I wanted to run, couldn't get the crack without
allowing it so I did. Then about an hour after that I noticed this little program
box that just said "it's time" with the title "Project 1" and an ok button. Checked
processes to see where it was coming from and found sysu.exe.

What I did was end process on sysu.exe, winpup.exe, optimize.exe, and
msbb.exe. Then went thru all the Run and RunOnce folders in my reg (under
software\microsoft\windows\current version in the hkey_current_user and
hkey_local_machine) and found a bunch of entries, think in the
Local_Machine folder, that should not have been there. I deleted the files that the
reg was pointing to and the entries themselves. Then searched for sysu.exe
and found this thread :)....Here's all the files I found to be related that were
new in my reg:
37473696.exe
ILDQXRTO.exe
optimize.exe
sysu.exe
msbb.exe
winpup.exe


I didn't however find the clsid or typlib entries in the classes_root section
mentioned earlier. Maybe the offending program didn't get that far
yet...possibly the RunOnce entry that I never let run (never rebooted till after I
deleted the reg entries)
sysu.exe
02-12-2003, 10:06 by Anoniem
well
02-12-2003, 10:08 by Anoniem
seems sensible to me NOT to CLICK YES when they ask whether you want to download and
install Dynamic Desktop Media.
19-01-2004, 22:45 by Anoniem
By Unregistered
Same problem here. Found a spyware infection (just try scanning with
Ad-aware), but that was to be expected....

Winpup32 Object recognized!
Type : RegKey
Data :
Rootkey : HKEY_LOCAL_MACHINE
Object : SOFTWARE\pup

Yesterday I removed msbb.exe via Ad-aware; this is spyware that forwards your internet
behaviour to whoever infected your computer (because that's what it is),
and this looks a lot like it...

Please send more information about this msbb.exe file to marc@bikelight.info!

Many thanks for this!
Kind regards,

Marc
03-02-2004, 18:05 by Anoniem
By Anoniem
Classification: IMPORTANT. READ IMMEDIATELY.
---------------------------------------------------------------------

Please NOTE: When ddm is installed it can/may install a plugin in your
browser.

go to your IE 6 browser
Then go to > Tools Menu
Then go to > Internet Options
Then go to > Settings (clickable button)
Then go to > View Objects
Then Locate the possible installed pesty little ddm. It will have ddm in its
header. If you don't have it, consider yourself lucky! Now if you visit cracks.am
or wherever you get infected, you won't get immediately infected again! it will
ask if you want to download some program, just keep clicking the [x] until it
goes away, it will after about 3 tries. then you can get whatever you need from
the site(s). if needed, please someone translate this to proper language.
Thank you
-odM

Anoniem,

Thanks for your advice.

DDM was discovered on my computer by NAV during a full system/file scan.

While NAV stated that the infected files were deleted (1) and quarantined (1),

NAV didn't touch the registry, didn't mention the DDM folder in
program files and NAV certainly didn't do anything about the IE 6 plug-in.

Now that I think I fixed all of the above, THANKS TO YOUR INSTRUCTIONS,

Thanks a lot!!!

Cheers,

Greg K.
04-06-2004, 13:24 by Anoniem
By Unregistered
Originally posted by Unregistered


what i want to know is how come no one knows about this, and where did it
come from, how would i have got it from.

i managed to "save" my com with the instructions given above.. phew and
thanks to the guy who posted it

so anyway, where did we get it from...
i just got it today and i only did two things on my computer today:

1] download "White Flag" by Dido from Kazaa lite but the files were ALL
corrupted...

2] download a crack

so i kinda figured it has to be either one of those...
24-06-2004, 11:41 by Anoniem
hello, is there also an msbb.exe uninstall

This posting is locked. Replying is no longer possible.