VectorLinux
Topic: [VICTORY!] Stubborn Spyware
Will (Vectorite, Posts: 175)
« on: May 18, 2008, 10:53:06 am »

Ok. I've been wrestling with this since yesterday.

Background: Sometime yesterday somebody, and I'm unsure who specifically, did something that caused rogue anti-spyware, or as I like to call it, extortionware, to land on my system. Keeps coming up with anti-spystorm 2008.

Resulting Complications:
Spybot will remove the offending objects, only to find them again on a second scan immediately after.
Task Manager disabled (even in admin accounts)
Active even when the computer is in safe mode.
Most 'helpful' websites such as Symantec and other 'tool download' places, including Spybot's forums, are blocked off by whatever this is.

The big things that Spybot pulls up are Coolwww* variants, Zlob trojans, webhancer, and a few other miscellaneous items.



Oh and to add to the fun, no backup cd to work off of to reinstall windows from.


If this were MY computer I'd just install linux and call it a day, but as this is my parent's machine I don't know. Advice?
« Last Edit: June 03, 2008, 10:37:00 am by Will »
rbistolfi (Packager, Vectorian, Posts: 2290)
« Reply #1 on: May 18, 2008, 11:01:41 am »

Hi Will, if the registry got messed up, well, I don't know what to do. What I do is find the offending processes, google for the file names launching them and then boot a Linux live CD, mount the partition, do a "find" to get the path to the files and rm them. Worked recently on my brother's box and that pendrive virus.

HTH && Good luck.
Will (Vectorite, Posts: 175)
« Reply #2 on: May 18, 2008, 11:21:26 am »

*cough*

As I said, task manager is disabled, and I'm unsure on how to get it back up.
MikeCindi (Tester, Vectorian, Posts: 1073)
« Reply #3 on: May 18, 2008, 11:41:17 am »

What version of Windows?
Have you tried Windows Defender?
You could try doing a manual search of the registry and removing all the entries for "anti-spystorm 2008". This is a tedious process but effective.
Another area to look at is the running services and startup programs (C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe in WinXP Pro) which may allow you to "kill" it before it starts up.
HTH,
Mike
« Last Edit: May 18, 2008, 11:49:03 am by mikecindi »
MikeCindi (Tester, Vectorian, Posts: 1073)
« Reply #4 on: May 18, 2008, 11:42:40 am »

Quote from: Will
*cough*

As I said, task manager is disabled, and I'm unsure on how to get it back up.

ctrl-alt-del OR right click on the taskbar and select task manager.
exeterdad (Packager, Vectorian, Posts: 2046)
« Reply #5 on: May 18, 2008, 11:43:12 am »

Will, I feel for you. I lost a very long battle a few weeks ago with my mother-in-law's laptop.
She picked up some trojan that installed just about everything under the sun. Most annoying was some fake spyware detection/remover program that would pop up "scanning" the computer, finding an insane amount of things. And naturally it wouldn't remove any of what it "found" without you purchasing it. Long long story about removing it, and all its friends, repeatedly only to have them all come back a couple boots later.

But I guess it wasn't a loss after all. She's now happy using VL5.9 Standard and running faster than she ever has with that computer before. She literally told me that it was just like she had gotten a new high performance laptop for free.

Just hope she doesn't make her way to the forum.

Good luck Will.  But if it kicks your butt....  they just might give VL a shot.
Will (Vectorite, Posts: 175)
« Reply #6 on: May 18, 2008, 01:27:50 pm »

Raw Dump from Spybot.

Code:
PID:    0 (   0) [System]
PID:  420 (   4) \SystemRoot\System32\smss.exe
 size: 50688
PID:  500 ( 420) \??\C:\WINDOWS\system32\csrss.exe
 size: 6144
PID:  528 ( 420) \??\C:\WINDOWS\system32\winlogon.exe
 size: 502272
PID:  576 ( 528) C:\WINDOWS\system32\services.exe
 size: 108032
  MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID:  588 ( 528) C:\WINDOWS\system32\lsass.exe
 size: 13312
  MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID:  740 ( 576) C:\WINDOWS\system32\Ati2evxx.exe
 size: 405504
  MD5: 1D4EDB435C59BA0193683739A95E59A6
PID:  756 ( 576) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  840 ( 576) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID:  912 ( 576) C:\WINDOWS\System32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1040 ( 576) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1128 ( 576) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1264 ( 528) C:\WINDOWS\system32\Ati2evxx.exe
 size: 405504
  MD5: 1D4EDB435C59BA0193683739A95E59A6
PID: 1304 ( 528) C:\WINDOWS\system32\xwusuhzh.exe
 size: 87513
  MD5: CE8CB50CB96048C0471E598EC0DA152C
PID: 1384 ( 576) C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
 size: 607576
  MD5: 07AE10139D7713D69F57209FDF0425CC
PID: 1620 ( 576) C:\WINDOWS\system32\spoolsv.exe
 size: 57856
  MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1864 ( 576) C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
 size: 418816
  MD5: 3C7B93F947355E374A49564D0D017B7B
PID: 1888 ( 576) C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
 size: 49664
  MD5: 30A14F65DB477DC00A64A5A24E96919C
PID: 1952 ( 576) C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
 size: 406528
  MD5: FC0B2AE890BB0DC8C2306DABEDC8A4BA
PID: 1996 ( 576) C:\WINDOWS\system32\drivers\KodakCCS.exe
 size: 322104
  MD5: 4E1060D2F3B745931CF83B3649BE8A57
PID:  152 ( 576) C:\Program Files\CDBurnerXP\NMSAccessU.exe
 size: 71096
  MD5: FD306FBCCE7ADB1077B709742E7148E9
PID:  224 ( 576) C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
 size: 172032
  MD5: 33D7285F12D934268A34206DFC4AD1B3
PID:  372 ( 576) C:\WINDOWS\system32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1316 ( 756) C:\WINDOWS\system32\wbem\wmiprvse.exe
 size: 218112
  MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 1456 (1364) C:\Program Files\Grisoft\AVG7\avgcc.exe
 size: 579584
  MD5: 25A49E5BFF4E6424FA5E27C81269041D
PID: 1484 (1364) C:\WINDOWS\system32\ctfmon.exe
 size: 15360
  MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 1116 ( 576) C:\WINDOWS\System32\alg.exe
 size: 44544
  MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 1672 (1364) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
 size: 2097488
  MD5: A9A5DB6AC3721BE698B996913693D73F
PID: 1708 (1364) C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
 size: 757760
  MD5: 5849E088D0318421376E633018ABE6F9
PID: 2544 ( 756) C:\WINDOWS\system32\wbem\wmiprvse.exe
 size: 218112
  MD5: 075EA6C849AB0FE416A3D6DD65C3CF41
PID: 2620 (1364) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
 size: 5146448
  MD5: 2ECA8CDEED7C82F879E766DA92A3561A
PID: 2732 ( 576) C:\WINDOWS\System32\svchost.exe
 size: 14336
  MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2812 ( 528) C:\WINDOWS\explorer.exe
 size: 1033216
  MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 3200 ( 912) C:\WINDOWS\system32\wuauclt.exe
 size: 53080
  MD5: F3E9065EB617A7E3A832A7976BFA021B
PID:    4 (   0) System

I'm hoping a bright bulb out there will know which of these I can safely kill (I BRIEFLY got task manager up and going after doing a little random process killing, so I KNOW I'm on the right track, going to see what I can do about this xwusuhzh thing).
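As an added example (not Spybot's code and not from anyone in this thread), here is a small Python parser for the dump format above that rebuilds each process's parent chain and lists system32 images that are missing from a hand-written baseline of stock XP binaries. The abbreviated sample dump and the baseline set are constructed assumptions, and a hit only means "look at this one first", not "this is malware".

```python
import re

# Constructed, abbreviated sample in the format quoted in the post above.
SAMPLE_DUMP = r"""PID:  528 ( 420) \??\C:\WINDOWS\system32\winlogon.exe
 size: 502272
PID:  576 ( 528) C:\WINDOWS\system32\services.exe
  MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 1304 ( 528) C:\WINDOWS\system32\xwusuhzh.exe
  MD5: CE8CB50CB96048C0471E598EC0DA152C
PID: 1384 ( 576) C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
  MD5: 07AE10139D7713D69F57209FDF0425CC
"""
# Assumed, partial list of stock Windows XP system32 images; extend as needed.
BASELINE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
            "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe", "alg.exe"}
PID_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.+?)\s*$")

def parse_dump(text: str) -> dict:
    """Return {pid: {"ppid", "path", "md5"}}; an 'MD5:' line attaches to the last
    PID seen and 'size:' lines are skipped."""
    procs, cur = {}, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            cur = {"ppid": int(m[2]), "path": m[3], "md5": ""}
            procs[int(m[1])] = cur
        elif cur and line.strip().upper().startswith("MD5:"):
            cur["md5"] = line.split(":", 1)[1].strip().upper()
    return procs

def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]

def normalize(path: str) -> str:
    """Fold the kernel-style spellings (\\??\\C:, \\SystemRoot) into one lower-case form."""
    return path.lower().removeprefix("\\??\\").replace("\\systemroot\\", "c:\\windows\\")

def unknown_system32(procs: dict) -> list:
    """Image names under system32 missing from the baseline: review these first."""
    return [image_name(p["path"]) for p in procs.values()
            if normalize(p["path"]).startswith("c:\\windows\\system32\\")
            and image_name(p["path"]).lower() not in BASELINE]

def ancestry(procs: dict, pid: int) -> list:
    """Image names from pid up to the highest parent present in the dump."""
    chain = []
    while pid in procs:
        chain.append(image_name(procs[pid]["path"]))
        pid = procs[pid]["ppid"]
    return chain
```

Paste the full dump from the post into SAMPLE_DUMP and the same functions work unchanged; anything the baseline does not know about (including legitimate vendor helpers) shows up for manual review.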
nightflier (Administrator, Vectorian, Posts: 4031)
« Reply #7 on: May 18, 2008, 03:33:19 pm »

Oh how I've been there, done that many times.

Even if you manage to remove persistent malware, the system may remain seriously messed up. A re-install is the best way to go. I figured out how to do a hard drive install of WXP. This has rescued several systems without a restore/install disc. If there is a full i386 folder on the hard drive you have what you need. If not, you may be able to copy it from another computer. I found that XP Home is a lot more tolerant regarding activation than Pro is.

The procedure is somewhat involved, but if you or anyone else are interested I can write up a little howto.
Will (Vectorite, Posts: 175)
« Reply #8 on: May 18, 2008, 05:39:55 pm »

Good news is I found where they hid the 'burn ONE (1) restore disc' program. Bad news? I'm going to have to replace the factory CD drive as it was one of the first things that went screwy on this computer and won't read burned discs. Fortunately I always have a backup on hand.


And then there's the friendly neighborhood recycling center to scavenge from.
bigpaws (Vectorian, Posts: 1857)
« Reply #9 on: May 18, 2008, 06:16:57 pm »

Your problem is probably not the cdrom device. Check by using a live CD first. Your problem is usually a sign that the registry has been borked. The same thing that drives the devices.

In my opinion a reinstall is needed, format the drive first.

Will (Vectorite, Posts: 175)
« Reply #10 on: May 18, 2008, 06:56:36 pm »

Always do whenever I do a reinstall, as often times 'ghost' data can be a real pain in the neck.


Query, as my family's picture collection and other assorted media is quite extensive, would I be safe at this point in repartitioning so I have storage space for such things that can then be reintroduced back into Windows after reinstall?
bigpaws (Vectorian, Posts: 1857)
« Reply #11 on: May 18, 2008, 07:10:29 pm »

Creating a partition would be a good idea. Then you can keep that somewhat safe. That should not be the only backup that needs to be done as well. A second hard drive is safer than a partition since it is one more safeguard for disk failure.

Bigpaws
exeterdad (Packager, Vectorian, Posts: 2046)
« Reply #12 on: May 19, 2008, 02:34:10 am »

Not to get sidetracked... But about that CD drive. It may not be over. I recently received a used laptop from a friend. The drive would rarely read a burned CD, and would never successfully burn a CD. I feared the drive was too old for the media, or I needed some impossible-to-find firmware. Turned out the optics inside the drive were dirty. Not the lens part that you see when you open it, but the prism (backside), and the backside of the lens. If you can get at it, or are not afraid of taking apart teeny-tiny things, you can blow that stuff out nicely with a can of compressed air. The PURE stuff that you get in cans at RadioShack for example.
After doing this, the drive was working perfectly.  Might be worth a try.
Will (Vectorite, Posts: 175)
« Reply #13 on: May 19, 2008, 04:32:15 am »

Possible, but I've got a spare drive I can slide in that'll work for my purposes, good thing to note though.


Ok. I've managed to get the computer cleared up enough so it'll quit bombing me for spystorm ads and the task manager is freed up. HOWEVER it all comes back on reboot.


ClamWin has helped me find where webhancer was hiding so that's gone, as is xwusuhzh (in theory mind you, whatever's reinstalling the BHOs that keep popping back up with COOLWW* crudware could just reinstall that too I guess.)

Anyway the useful antivirus websites still seem to be blocked off and AVG seems to be as blind as a bat (and won't update right now because of the malware).
Will (Vectorite, Posts: 175)
« Reply #14 on: May 19, 2008, 10:26:55 am »

I cleared the extortion-ware and browser extension things, however Spybot still catches SOMETHING trying to open whenever I launch IE (known malicious URL). Unfortunately Notepad's still unusable, so it's not all clear, but it's a damned sight better. It seems whatever blocked Symantec, Spybot, AVG, etc., didn't block SourceForge, thus ClamWin has been a big help in finding some of these problems. On the plus side it seems that I also cleared out where all the spyware was hiding between exit and reboot too as it doesn't seem to be coming back, and so I can enter the task bar and the like from boot up without having to spend a half hour clearing malware out.