VectorLinux
Topic: [VICTORY!] Stubborn Spyware (Read 15098 times)

BlueMage
« Reply #15 on: May 19, 2008, 03:37:17 pm »

Ouch.  I've had similar on my laptop (the dual-boot with Vector) and I found that, when Spybot failed me, it came time to dig into C:\Windows\System32 and see what I could find.  A few odd files that had been modified or created recently didn't sit right, but were currently in use.

So, I did the first thing that came to mind - boot Vector, mount C: as read/write, and delete the little bastards.

Amazingly, they stopped cropping up in XP, and Spybot was able to fully clean the system.

If you can, list every folder in Detail mode, Date Created or Date Modified Descending, and go hunting.  Guaranteed you'll find it eventually, and before you delete anything, google the exact file name.

Acer Laptop:  Vector 5.8 SOHO Final & Windows XP Professional & USB (still alive!)
Compaq POS (almost dead): Vector 5.9 Light Beta 5
Quad-core BEAST: Win 7 Ultimate 64-bit & Vector 5.9 64-bit beta-2
Old 500MHz media box:  Vector 5.8 SOHO Final (dead)
701 EeePC:  Puppeee (based on Puppy 4.01)
Will
« Reply #16 on: May 20, 2008, 09:02:54 am »

Well, after a quick morning check it would appear I'm going to have to swap out the main optical drive for a backup unit, as even on bootup it will not read burned disks. Sure, I could clean it out, and I'll give that a try sometime down the road, but it'll simply be better to drop the spare in and get Vector installed (then reboot into Vector using the CD, so I don't mess up the MBR, so I can reset everything).


Oooor I could just burn a copy of knoppix (guy I loaned mine out to never gave it back) and go from there.
Will
« Reply #17 on: May 26, 2008, 10:19:06 am »

I've done everything I can think of and I'm at a loss here.

MOST of the malware/extortionware is gone. My desktop quits reminding me my computer needs cleaning (due to unwanted 'anti spystorm' gunking things up, which I don't recall downloading; I blame my brother for now).

Still, notepad.exe closes out in normal operations (won't bork when in safe mode though). AVG continuously detects a c:\bs.exe (says it's killav.ar, yet I don't know how to kill that, as none of the usual suspects appear to be popping up in the registry when I go to look where I'm told to) that keeps popping up regardless of being deleted. Oh, and the best part? I can't go to any websites that deal with spyware removal, so I know something's up regardless of Spybot telling me I'm clean.


Quote from: Smitfraudfix.exe logfile
»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2A526AAD-A545-4496-BBB9-DC6847C58B28}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\SYSTEM\CCS\Services\Tcpip\..\{EA4B11F3-5AA8-4343-BD5F-3ECCD418070C}: DhcpNameServer=68.87.68.162 68.87.74.162


HALP!
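Two name-resolution checks that fit the symptom in this post (anti-spyware sites unreachable while the scanners report clean), as an added example that is not code from the thread or from SmitFraudFix. It parses the DNS section of a SmitFraudFix-style log (the format of the report quoted above) and a Windows hosts file, both of which can be read offline from the mounted Windows volume under Knoppix or Vector. Assumptions: the operator supplies the resolver addresses the box should be using (the thread never says whether 68.87.68.162 and 68.87.74.162 are legitimate, so the expected set in the demo is a placeholder); a clean XP hosts file maps only localhost, so every other entry deserves a look; and a hosts entry sending a vendor's site to loopback is one common way malware blocks anti-spyware sites, which is an assumed mechanism since the post reports only the symptom. The sample report and hosts file are constructed.

```python
"""Name-resolution hijack checks for a box that can no longer reach
anti-spyware sites. Added example, not code from the thread."""
import ipaddress
import re

# Constructed from the DNS section of the SmitFraudFix log quoted in the thread.
SAMPLE_REPORT = """\
»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 68.87.68.162
DNS Server Search Order: 68.87.74.162

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{2A526AAD-A545-4496-BBB9-DC6847C58B28}: DhcpNameServer=68.87.68.162 68.87.74.162
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{EA4B11F3-5AA8-4343-BD5F-3ECCD418070C}: DhcpNameServer=68.87.68.162 68.87.74.162
"""

# Constructed hosts file: one benign line, two of the kind a hijack leaves behind.
# 203.0.113.9 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.safer-networking.org
203.0.113.9     free.avg.com
"""

SEARCH_ORDER = re.compile(r"DNS Server Search Order:\s*(\S+)")
REG_NAMESERVER = re.compile(r"(?:Dhcp)?NameServer=([\d.,\s]+)")
LOCAL_NAMES = {"localhost", "localhost.localdomain"}
# Name fragments of security vendors; my own list, extend as needed.
VENDOR_HINTS = ("safer-networking", "spybot", "avg.com", "grisoft",
                "bleepingcomputer", "symantec", "mcafee", "kaspersky",
                "windowsupdate", "microsoft")


def dns_servers(report):
    """Every resolver address named in the report, taken from both the
    per-adapter listing and the Tcpip interface registry keys."""
    found = set()
    for line in report.splitlines():
        m = SEARCH_ORDER.search(line)
        if m:
            found.add(m.group(1))
            continue
        m = REG_NAMESERVER.search(line)
        if m:
            found.update(a for a in re.split(r"[,\s]+", m.group(1).strip()) if a)
    return found


def unexpected_dns(report, expected):
    """Resolvers in the report that are not in the operator's expected set."""
    return sorted(dns_servers(report) - set(expected))


def hosts_overrides(hosts_text):
    """[(name, address, vendor_hit)] for every mapping other than localhost.
    '127.0.0.1 www.safer-networking.org' blocks the site (the symptom in the
    thread); a non-loopback target silently redirects it instead."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # not an address; Windows ignores the line as well
        for name in names:
            name = name.lower()
            if name in LOCAL_NAMES:
                continue
            hits.append((name, addr, any(h in name for h in VENDOR_HINTS)))
    return hits


if __name__ == "__main__":
    # The expected resolvers are a placeholder; use your router's or ISP's.
    print("unexpected DNS:", unexpected_dns(SAMPLE_REPORT, {"68.87.68.162", "68.87.74.162"}))
    for name, addr, vendor in hosts_overrides(SAMPLE_HOSTS):
        print("hosts override:", name, "->", addr, "(security vendor)" if vendor else "")
```

On the mounted volume the hosts file is under the Windows directory at system32\drivers\etc\hosts; an entry that names a security vendor is the strongest signal, but anything beyond localhost on a home XP box is worth explaining before calling the machine clean.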
nightflier
« Reply #18 on: May 26, 2008, 02:35:42 pm »

Seems like you have gone way above and beyond with respect to recovering the current install.

I think you need to bite the bullet, re-format and re-install.
hata_ph
« Reply #19 on: May 26, 2008, 05:36:50 pm »

Try ComboFix... it works great.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Will
« Reply #20 on: June 03, 2008, 10:36:23 am »

With the aid of Knoppix... all is better again.

Once I got rid of something loading from the Recycler folder on startup (srv32.exe), antivirus ended up nuking the rest.

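The offline hunt that ran through this thread, as an added example that is not code from the thread: BlueMage's advice in reply #15 to boot Linux and list System32 by Date Modified descending, and the executables that turned up where nothing legitimate lives, c:\bs.exe in the drive root (reply #17) and srv32.exe under the Recycler folder (reply #20). Assumptions: the Windows partition is mounted under Linux at the path given on the command line (read-only is enough for hunting; mount read/write only when you are ready to delete), the system directory is WINDOWS/system32 beneath it (case varies between installs), and the list of directories that should never hold an executable is my own. Timestamps can be forged, so the recency list is a lead to look up by exact file name, as the thread advises, not proof; the location check catches files whose timestamps were tampered with. The directory tree the test builds is constructed.

```python
"""Offline triage of a Windows volume mounted under Linux.
Added example, not code from the thread."""
import hashlib
import os
import time

EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl"}
# Directory names (compared case-insensitively) in which a PE file is suspect.
# My own list; extend it for other dumping grounds you see on the box.
NO_EXEC_DIRS = {"recycler", "recycled", "$recycle.bin", "temp", "tmp"}


def sha256_file(path, chunk=1 << 16):
    """Digest so the file can be looked up by hash as well as by name."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def recent_files(root, days, now=None):
    """[(mtime, relpath, sha256)] for files modified within `days`, newest first.
    This is the 'Date Modified Descending' view, restricted to the window
    that matters and with a hash attached."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                if st.st_mtime < cutoff:
                    continue
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished; move on, note it by hand
            hits.append((st.st_mtime, os.path.relpath(path, root), digest))
    hits.sort(reverse=True)
    return hits


def misplaced_executables(volume_root):
    """Executables sitting directly in the drive root or anywhere beneath a
    NO_EXEC_DIRS directory, as relative paths, sorted."""
    found = []
    for dirpath, _dirs, names in os.walk(volume_root):
        rel = os.path.relpath(dirpath, volume_root)
        parts = [] if rel == "." else rel.split(os.sep)
        in_root = not parts
        in_bad_dir = any(p.lower() in NO_EXEC_DIRS for p in parts)
        if not (in_root or in_bad_dir):
            continue
        for name in names:
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                found.append(name if in_root else os.path.join(rel, name))
    return sorted(found)


if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "/mnt/win"  # assumed mount point
    system32 = os.path.join(mount, "WINDOWS", "system32")
    for mtime, rel, digest in recent_files(system32, days=14):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, digest[:16], rel)
    for rel in misplaced_executables(mount):
        print("misplaced executable:", rel)
```

Run it as `python3 triage.py /mnt/win` from the live CD. Anything on the recency list that you cannot account for by name and hash, and anything at all on the misplaced list, is a candidate to move aside (rename, don't delete, until Windows boots clean) after checking the exact file name, as the thread recommends.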
nightflier
« Reply #21 on: June 03, 2008, 11:10:00 am »

Excellent work!

Now, wonder how long before your two weeks' worth of work is undone.
Will
« Reply #22 on: June 03, 2008, 12:00:05 pm »

Given the fact my family STILL doesn't recognize the need for better security and responsible behavior, a week, tops.
BlueMage
« Reply #23 on: June 17, 2008, 05:00:12 pm »

Which is exactly why I no longer maintain my parents' machines unless it is absolutely critical that I do so.
kc1di
« Reply #24 on: June 26, 2008, 10:27:57 am »

You did a lot of hard work; hope it lasts longer than a week. I find SpywareBlaster works very well for me on my Windows box. It's a java tool that runs in the background; you may want to take a look at that.
It might help keep the box from being reinfected.

http://www.javacoolsoftware.com/spywareblaster.html
Xeon
« Reply #25 on: July 01, 2008, 11:13:46 pm »

I have spywareblaster on every windows box here, kept them all clean for 2 years here, even my parents pc. Even when some guy brought in spyware during a lan party my own box was the only computer that was not infected afterwards.

Btw, Spybot used to be a great app, but nowadays it has dropped greatly in quality. 50% of the malware is undetected.
SuSE-Refugee
« Reply #26 on: July 05, 2008, 10:06:12 am »

I simply don't do Windows.
All problems solved.