Thread: No Router = MEGA SPYWARE/ADWARE/TROJANS

  1. #1
    Big Booger (Super Moderator; joined Apr 2002; JAPAN; 10,941 posts)

    No Router = MEGA SPYWARE/ADWARE/TROJANS

    I have had to go back to using ADSL and in that time, somehow, some way, my wife's PC has gotten infested with something.

    It keeps creating files with URL addresses in them. I do a system scan for the files, even searching hidden files, and they don't show up. I am pretty sure they are embedded in the system registry.

    I have run Spybot, Ad-Aware, HijackThis, Windows AntiSpyware, NOD32, AVG Free Edition, Panda and Trend Micro's online scanners... and no matter what I do, it keeps coming back.

    One file in particular:

    Yaemu.exe located in C:\Windows\system32

    I cannot delete the file manually; I get an access error, but HijackThis supposedly fixes it.

    But it doesn't.

    And to beat everything, this is directly after a fresh clean install of XP. I wiped the entire hard drive because the computer suddenly started shutting itself down without notice and I was getting all kinds of .exe and .dll errors in the event viewer.

    I've run memtest, did a defrag, checked the disk for errors... even now I am getting threat detections with NOD32. I have hence set it to automatically terminate the files and quarantine them prior to termination. For the next 999 minutes LOL

    Whatever this is it's virulent and persistent... but so am I. I will defeat this cocksucker if it takes me the rest of my computing days. Eat shit spyware, adware, trojan and other viral makers of the internetting world!!!!

    Now take a look at my screen capture:

  2. #2
    PIPER (The Beast Master, TZ Veteran; joined May 2002; Florida; 1,180 posts)
    damn things anyway....I know it would be a pain, but you might consider a low level format and remove the battery for a day just to be certain....she is hiding somewhere in mem or so it seems....could be NVRAM, hell, it's hard to say. ....it would piss me off!!!

  3. #3
    Dehcbad25 (TZ Veteran; joined Apr 2002; DE - USA; 2,406 posts)
    Did you try to restore the IE settings using Windows AntiSpyware? You might have the search and hosts files changed, so every time the PC connects you download the spyware again. I have seen very similar cases. After updating the scanners, I unplugged the internet and ran scans in safe mode, in order to avoid the real-time protection restoring files on the fly (I saw that too). Before going into safe mode, I also disabled all startup items but the needed ones, since there was one more case where the spyware would load at the beginning and I could not get rid of it.
    Finally, make sure none of the accounts on the PC have a password. That is the main problem with the spyware cleaners, which cannot delete (or even detect, sometimes) spyware in different accounts.

  4. #4
    Big Booger (Super Moderator; joined Apr 2002; JAPAN; 10,941 posts)
    Quote Originally Posted by Dehcbad25
    Did you try to restore the IE settings using Windows AntiSpyware? You might have the search and hosts files changed, so every time the PC connects you download the spyware again. I have seen very similar cases. After updating the scanners, I unplugged the internet and ran scans in safe mode, in order to avoid the real-time protection restoring files on the fly (I saw that too). Before going into safe mode, I also disabled all startup items but the needed ones, since there was one more case where the spyware would load at the beginning and I could not get rid of it.
    Finally, make sure none of the accounts on the PC have a password. That is the main problem with the spyware cleaners, which cannot delete (or even detect, sometimes) spyware in different accounts.
    Windows AntiSpyware - Yep, I ran the IE restore and put TZ as the home page and so on...

    I went into safe mode, and manually deleted a file that no matter what I used was not being totally deleted.

    C:\WINDOWS\SYSTEM\yaemu.exe

    That file, regardless of the tool used, kept coming back, even when system restore was completely shut off.

    HijackThis recognised it was a bad file, and attempted to delete it on several occasions, but it just kept coming back.

    In safe mode, I was able to physically and manually remove the file, along with a DOS shortcut with the same name.

    So far NOD32 hasn't shown a single error... and that was 4 hours ago.

    Some good info there Dehc. I will take it into consideration the next time I have these whorish spyware troubles. It's such an aggravation... I don't see how normal users who know jack shit about PCs can fix these kinds of troubles.. ????

  5. #5
    GimieGimieGimie (TZ Veteran; joined Apr 2002; UK, London; 611 posts)
    /Install MAC OS

    j/k

    Whenever I get a file I cannot delete, I simply boot from a Windows 98 boot disk into DOS and remove it that way.

    Unless of course, it's a self replicating file, then you're ****ed

  6. #6
    efc (Titanium Member; joined Sep 2002; North Central Arkansas; 2,329 posts)
    Try using one of the Linux distributions that you boot from CD. You can delete and move Windows (NTFS) files in Linux. I have done it, so I can assure you that it works.

  7. #7
    efc (Titanium Member; joined Sep 2002; North Central Arkansas; 2,329 posts)
    Quote Originally Posted by Big Booger
    ... I don't see how normal users who know jack shit about PCs can fix these kinds of troubles.. ????
    That is why I hate all kinds of information sent to your computer without your permission.

  8. #8
    Big Booger (Super Moderator; joined Apr 2002; JAPAN; 10,941 posts)
    Quote Originally Posted by efc
    Try using one of the Linux distributions that you boot from CD. You can delete and move Windows (NTFS) files in Linux. I have done it, so I can assure you that it works.
    That is a brilliant idea. The next time one of these demonic spyware/virus type programs infiltrates my systems, I will do just that.

  9. #9
    Curio (Triple Platinum Member; joined Nov 2004; London; 899 posts)
    You can also use a bootable WinXP like BartPE which will be more familiar. But if you just formatted and re-installed, why not do it again now and make sure you are patched up before you connect to anything?

    Another technique you can use is to delete the file then create a dummy read-only file of the same name. Your problem is that the file is not the problem, something else is creating that file and it's the something else you need to find.

    If you post a HijackThis log we can look through it together.
    Particularly look for this:
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\SYSTEM\NNDQK.DLL
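    The "O2 - BHO" lines Curio asks for are HijackThis's rendering of the Browser Helper Objects key in the registry. The script below is an added example, not from the thread or from HijackThis: it enumerates that key in both registry views, resolves each CLSID to the DLL Internet Explorer would load, and checks whether the DLL exists and is Authenticode-signed. It assumes Windows PowerShell 5.1 with read access to HKLM.

```powershell
# Added example (not from the thread): list registered Browser Helper Objects
# (what HijackThis reports as "O2 - BHO") and resolve each CLSID to its DLL.
# Assumes Windows PowerShell 5.1 with read access to HKLM.

function Get-BrowserHelperObjects {
    # 64-bit registry view first, then the 32-bit (Wow6432Node) view on x64 Windows.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }
    )

    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid    = $key.PSChildName
            $clsidKey = Join-Path $v.Clsid $clsid

            # The CLSID key's default value is the display name; InprocServer32's
            # default value is the DLL path, which may contain environment variables.
            $name = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
            $raw  = (Get-ItemProperty -LiteralPath "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
            $dll  = if ($raw) { [Environment]::ExpandEnvironmentVariables($raw) } else { $null }

            $exists = ([bool]$dll) -and (Test-Path -LiteralPath $dll)
            # A BHO whose DLL is missing or unsigned is the one to look at first.
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }

            [pscustomobject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $dll
                DllExists = $exists
                Signature = $sig
            }
        }
    }
}

Get-BrowserHelperObjects | Format-Table -AutoSize
```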

  10. #10
    rik (Super Moderator; joined Aug 2003; Watching Your every move...; 4,688 posts)
    Good to have you back Curio

  11. #11
    egghead (Super Moderator; joined May 2002; In Your Monitor; 3,546 posts)
    It's a long shot, but you might want to keep this in mind:

    This article explains the existence of alternate data streams in Microsoft Windows NTFS and demonstrates how to create them by compromising a machine using the Metasploit Framework, and then use freeware tools to easily discover these hidden files.

    http://www.securityfocus.com/infocus/1822

    What are the main dangers associated with NTFS streams?
    - Streams are only visible to specialised software such as TDS-3 that has the capability of enumerating streams from their parents.
    - Public awareness of streams is exceptionally low, especially compared to the awareness of other file-hiding techniques such as hidden file attributes.
    - Streams can not only attach themselves to files, they can also attach themselves to directories.
    - Streams can't actually be deleted. The parent they're attached to must be deleted in order for the stream to be removed. However,
    - Streams attached to the root directory of a drive, such as "C::MyStream" cannot be deleted.
    - "Available Disk Space" as shown by programs such as Windows Explorer do not take into account disk space consumed by streams.
    - A malicious program could continue writing to a stream, filling up the disk and make cleaning up very difficult.
    - Streams, as they are essentially still files, can be executed.
    - Executed streams do not have their filenames display correctly in Windows NT/2K/XP Task Manager, the utility commonly used to view running processes. For example, if the stream "c:\test.txt:mystream" was running, Task Manager would only show "test.txt".

    http://www.diamondcs.com.au/index.ph...d=ntfs-streams
  12. #12
    Curio (Triple Platinum Member; joined Nov 2004; London; 899 posts)
    Since SP2 programs started from ntfs streams do show up in Task Manager with the notation
    nicefile.txt:naughty.exe

    Quick explanation of NTFS streams
    NTFS supports Apple Macintosh type files for compatibility, which are composed of a resource fork and a data fork. These forks contain the file type in one bit and the data in another bit - these are the streams, so you can blame Apple Macintosh for them.
    Last edited by Curio; August 29th, 2005 at 21:23 PM.
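    The two posts above describe alternate data streams as a hiding place that Explorer and "available disk space" do not account for, and that can hold something executable. The script below is an added example, not from the thread or from the linked articles: it walks a directory tree, enumerates every named stream on files and directories, and flags streams whose first two bytes are the 'MZ' signature of a PE image. It assumes Windows PowerShell 5.1 (PowerShell 7 replaces -Encoding Byte with -AsByteStream) and treats the unnamed ':$DATA' stream and the Zone.Identifier marker as expected.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams
# under a directory tree and flag streams that begin with a PE 'MZ' header.
# Assumes Windows PowerShell 5.1 (PowerShell 7 uses -AsByteStream instead).

# The unnamed default stream and the Internet zone marker are expected on most
# files; anything else attached to a file or directory deserves a look.
$ExpectedStreams = @(':$DATA', 'Zone.Identifier')

function Get-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$IncludeExpected
    )

    # Include the root itself: streams can be attached to directories too.
    $targets = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        # -Stream * lists every stream on the file or directory.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            if (-not $IncludeExpected -and $ExpectedStreams -contains $s.Stream) { continue }

            # Peek at the first two bytes of the stream; a PE image starts with 'MZ'.
            $head = @(Get-Content -LiteralPath $item.FullName -Stream $s.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            $looksLikePe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                Path        = "$($item.FullName):$($s.Stream)"
                Length      = $s.Length
                LooksLikePE = $looksLikePe
            }
        }
    }
}

# Usage: scan the system directory discussed in the thread, executables first.
Get-AlternateDataStreams -Root 'C:\Windows\System32' |
    Sort-Object LooksLikePE -Descending |
    Format-Table -AutoSize
```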
