Author Topic: Spyware help (Read 34622 times)

krez · « **Reply #30 on:** May 31, 2007, 12:42:46 PM »

Ok well, I tried to use the recovery console thing quadz posted and I ended up fucking up my computer because I was clicking things I wasnt sure what they did. It like wanted me to re install windows and I did, but it kept freezing. So I installed a 2nd copy of windows in C:\windows2\ folder. Im gonna back up all my shit on c: drive to my d: drive, then format c: and start over fresh. At least the spyware will be gone.

I didnt want to format but I have to now because my computer is royally fucked as I have windows installed twice on the same drive. I will be back to ace some more newbies in q2 probably tomorrow. Thanks for the help all, I just dont know much about computers and ended up screwing mine up. I actually knew alot back in the win95/98 days, but I havent kept up with technology and dont like not having a dos prompt available to fix whatever is broke.

Whirlingdervish · « **Reply #31 on:** May 31, 2007, 12:54:20 PM »

Quote from: krez on May 31, 2007, 12:42:46 PM

dont like not having a dos prompt available to fix whatever is broke.

Amen to that!

Good luck with the re-install. make sure to do a full format on the partition if you aren't going to wipe the HD and make a new one.. I've had a couple comps that had way more problems than they should have had, due to old shit that lingered from an earlier windows install.

Once you've got it all set up like you like it, and all your shit reinstalled, you should just ghost a copy of the HD to your backup HD so you can easily fix your comp next time..
Doing this has made my job so much easier, cause if someone trashes their workstation, I can just wipe it and ghost the backup over it..

I recommend Symantec Ghost.. you just make a shnazzy 3.5" floppy boot disk and pop it into the comp, to bring up the ghost console before windows loads any of it's shit.
It'll allow you to copy whole partitions from one drive to another with ease.

reaper · « **Reply #32 on:** May 31, 2007, 01:23:30 PM »

fyi, you could of put in a linux bootable cd, and deleted the files you wanted as well.

DWxchzrles · « **Reply #33 on:** May 31, 2007, 07:39:24 PM »

krez stay away from the porn sites

that is usually where that stuff comes from

or opening up email

Whirlingdervish · « **Reply #34 on:** June 19, 2007, 11:01:14 AM »

I found my very first instance of this godforsaken virtumonde (java exploit / fucking pain) this morning on a co-workers comp.
I ran spybot and it managed to clean off the 75 other bullshit adware/spyware/malware progs, but it seems to be unable to touch this virtumonde bullshit.

I'm DL'ing the little prog that quadz plugged earlier in the thread, but if I find another way to fix it, I'll post it.

console · « **Reply #35 on:** June 19, 2007, 12:00:22 PM »

I'd be interested to know if vundofix even works for you. For me, it definitely detected it, but couldn't successfully remove it, even with the hardcore "remove on reboot" option. So I had to go with the "recovery console" approach, ultimately...

The thing is so tenacious it's almost impressive... I'd like to find whoever wrote it and say, "Haha, good job." ... and then push them in front of an oncoming truck.

jägermonsta · « **Reply #36 on:** June 19, 2007, 12:19:39 PM »

Quote from: Whirlingdervish(Q2C) on June 19, 2007, 11:01:14 AM

on a co-workers comp.

Don't you love that?

"uhh hey, my computer is wicked slow. it's hard for me to get things done." (in a tone of voice as if it's your fault their computer is slow)

well fuck?! if you didn't spend your whole day surfing malicious web sites you wouldn't have a problem getting things done?!!!?!

Now I have to waste my time cleaning out your computer. It's like washing somebody else's dishes after they eat. God I hate removing SpyWare at work, better things to do.

Whirlingdervish · « **Reply #37 on:** June 19, 2007, 02:40:01 PM »

well, it didn't get it.

krez · « **Reply #38 on:** June 19, 2007, 07:33:03 PM »

Yo, it didnt work for me I had to format. I probably could have deleted the files manually in recovery console if I didnt fuck up first and void that option. Id like to get my hands on the guy who made it. I would strangle him for about 3minutes, then I would stop so he could regain his breath, then I would strangle him some more. This would continue for about 20minutes until I finally got tired of it and I would then crush his skill with a sledge hammer.

Fucking punks writing those programs with the sole intent to mess peoples computers up.

BTW dervish, the popups stopped for me when I installed firefox, but I still wanted to get rid of the spyware

DeanRW · « **Reply #39 on:** June 20, 2007, 08:19:24 PM »

I cannot see why you cannot remove the registry entries while in safe mode, reboot and then manually delete the files. Always worked for me with any type of malware.

console · « **Reply #40 on:** June 20, 2007, 09:32:53 PM »

Quote from: DeanRW on June 20, 2007, 08:19:24 PM

I cannot see why you cannot remove the registry entries while in safe mode, reboot and then manually delete the files. Always worked for me with any type of malware.

Virtumonde is more hardcore than that. First of all, it's hooked into the winlogon process, so you can't kill the process. Second, it sits there rewriting all its registry keys about 10 times per second. (I watched it with regmon.)

R1CH pointed out that it might be possible to make the registry keys READ-ONLY to thwart it, but I didn't have a chance to try that. First, it seems plausible vundo could be changing the keys back to READ-WRITE anyway... and second, since it's changing them like 10 times a second, it would be hard to quickly change it to what I wanted, and then make it READ-ONLY before it got changed back. (I assume. Like I said, I didn't actually try that approach.)

Anyway...

vundo is evil.

Regards,

quadz

Edit: It occurs to me I never actually tried booting into "safe" mode. So I don't know whether vundo would have still managed to get hooks into winlogon in safe mode or not. If it didn't, then, yeah, deleting the keys then should have worked.

krez · « **Reply #41 on:** June 21, 2007, 12:08:52 PM »

I did try booting into safemode. It doesnt help, you still cant kill the winlogin.exe process and its still tied into it

Whirlingdervish · « **Reply #42 on:** June 21, 2007, 02:02:44 PM »

I tried that too. same result: still fucked.

The only way I could make it stop was to stick in my Xp pro cd, boot from it, enter the recovery console, and then manually navigate my c:\windows\system32\ directory to find the offending file (a randomly named .dll) and wipe it out.

Luckily spybot S&D was able to give me the exact filenames and paths.
(the vundofix util got like 10 instances of it that I assume were backups, but not the one that was loaded into memory)

Carnage · « **Reply #43 on:** June 21, 2007, 06:21:48 PM »

I've been pushing CounterSpy from Sunbelt Software across my enterprise (600 workstations) and have run into Virtumonde a bunch. Thankfully, with a few exceptions (6 out of 600) CounterSpy got rid of it with no problems.

Commercial version is very good. I've been using it for a couple of years at home and haven't had any problems at all.

http://www.sunbelt-software.com/Home-Home-Office/CounterSpy/

DWxchzrles · « **Reply #44 on:** June 21, 2007, 07:25:58 PM »

Virtumonde is a sob to remove
like to shoot the jerk that wrote it

Author Topic: Spyware help (Read 34622 times)

El Box de Shoutamente