Need help cleaning this pc! It's character building.....
justo316 
31/7/08 7:46:39 PM
Champion

Looking at a clients computer right now.

Their desktop wallpaper is taken over with a blue background with "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer.".

Display properties is missing the Desktop and Screensaver tabs.

It has Trend Micro installed.

I've managed to install AVG, Adaware, ccleaner and SuperAntiSpyware. Anything else seems to refuse to install at all (eg. spybot, Malwarebytes cleaner).

I cannot update anything! Internet connection is working, firewall is off. Actually, I think only SuperAntiSpyware managed to update....

I can google stuff, but almost every link is hijacked and opens a pop up linking to pcprivacycleaner. I tried using Kaspersky online scan but I can't get to the site. I found it available for download somewhere else where the site actually managed to open up, but it refused to download for me.

Some links that don't do that instead don't show up at all and bring up the page asking me to diagnose connection problems.

Same applies to safe mode.

I've used hijackthis and msconfig to get rid of everything dodgy looking that I can. I've run the ones that work (even though they won't update).

** Edit **
Oh, and opening anything up in Notepad (eg. host file) invokes DEP and the program shuts down.

** Edit 2 **
And I just noticed it has the virus/spyware that puts up a pretend blue screen error and makes it look like your pc is rebooting. This is triggered by the screensaver I think. You can press Esc to get back to what ever you were doing.
Edited by justo316: 31/7/2008 7:49:14 PM
Edited by justo316: 31/7/2008 8:10:20 PM

-----
Core 2 Quad Q6600, ASUS P5B-E Plus, Noctua NH-U12F cooler, 2GB Corsair TWIN2X DDR2, Corsair HX620W PSU, 3TB HD Space, Inno3D 8800GTS 640MB OC, X-Fi Fatality Champ Ed., Pioneer 111D, Antec P180B case.

lew~ 
31/7/08 8:12:11 PM
Titan

Format, waste of your life even bothering to get it to an as-new state IMO.

Gl :p

-----

justo316 
31/7/08 8:39:14 PM
Champion

yeah was thinking the same thing...i just thought it might be a decent challenge to clean it, but only if I could manage to sort it out eventually :P

-----

TheSecret 
31/7/08 10:45:40 PM
Master
Grab the system internals toolkit, and monitor exactly what is running and what it is doing, with procmon and procexp. Trash Superantispyware and avg, and grab avast and spybot (install and run from a usb drive if need be). If using internet explorer 7, use the reset option. This should at least get you started.

-----
Part of the inhumanity of the computer is that, once it is competently programmed and working smoothly, it is completely honest.

justo316 
1/8/08 2:32:30 AM
Champion

wow....ok, I have no idea what to look for using procmon and procexp. At least, to me, nothing looks out of place in procexp, but procmon has so much going on I don't know where to start.

Spybot won't run at all. I copied the program directory from my working computer (it's supposed to be able to run direct from a usb drive). Flashes up a command window for a split second then does nothing else.

I'm running a portable version of avast right now.

-----

justo316 
1/8/08 3:49:44 AM
Champion

submitted to bleepingcomputer.com to see if they can make any sense of it.

-----

TheSecret 
1/8/08 10:09:21 AM
Master
Using procmon, put in a filter to see what spybot is doing, and what causes it to fail.

-----

Jeruselem 
1/8/08 11:50:17 AM
Champion

It's pretty bad when it gets to that stage.

-----
PC 1: XP Home SP2, Opty 165@1.8Ghz, GEIL 1GB PC3200, 320GB SATA Cuda ES,XFX 9600GSO 580/700x2/1450, Seasonic S12+ 550W
PC 2: XP Home SP2, XP 3000+@2.24 Ghz, 1GB PC3200, 80GB IDE,ASUS nVidia 6800 512MB, Antec PlanetWatts 380W

justo316 
1/8/08 12:37:44 PM
Champion

Quote by TheSecret
Using procmon, put in a filter to see what spybot is doing, and what causes it to fail.
...and I end up with 2000+ entries.

Sorting through now. Any tips on what I'm looking for?

-----

justo316 
1/8/08 12:39:25 PM
Champion

Quote by Jeruselem
It's pretty bad when it gets to that stage.
no shit....

;)

The funny thing is it is running perfectly fine. It's not crammed with random pop ups coming from nowhere. You can still access your regular stuff. It's not running particularly slow either.

-----

CptnChrysler 
1/8/08 1:28:48 PM
Master

I'd recommend backing up any important data.
Scan the backups for virus/malware etc on another machine.
Clean install and reload the data files.
Install an effective firewall, malware and antivirus packages.

Even if you spend the time to get the system functional you can never trust the existing install again. You'll never know if you've got everything, and if you're responsible for the machine I wouldn't take the risk.

-----
Everyone is entitled to my opinion - I've got the T-Shirt to prove it!

TheSecret 
1/8/08 11:35:03 PM
Master
Well, you are looking for anything unusual. You can stop filtering temporarily, and use pgdn and skip quite a lot of it. It should be making certain system calls, and writing to particular files. If it is trying to access something which doesn't make sense, or something is blocking it, that would be a pointer in the direction of the problem.

-----
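A first pass over a Process Monitor export along the lines TheSecret describes: filter to the one process, pull out the operations something blocked, the images it loaded, and how it exited. This is an added example, not code from the thread; the CSV rows are constructed, and the column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) is assumed, so check it against the header row of a real export.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Procmon CSV export (column layout assumed, see above).
# The exit status is 0xC0000005 (access violation) as a signed 32-bit value,
# i.e. the "flashes a window then vanishes" behaviour from the thread.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:37:01.0001","SpybotSD.exe","1234","Process Start","","SUCCESS","Parent PID: 900"
"12:37:01.0002","SpybotSD.exe","1234","Load Image","C:\\Windows\\system32\\ntdll.dll","SUCCESS","Image Base: 0x7c900000"
"12:37:01.0003","SpybotSD.exe","1234","Load Image","C:\\Windows\\system32\\sample_hook.dll","SUCCESS","Image Base: 0x10000000"
"12:37:01.0004","SpybotSD.exe","1234","CreateFile","C:\\Program Files\\Spybot\\Updates\\rules.txt","ACCESS DENIED","Desired Access: Generic Write"
"12:37:01.0005","SpybotSD.exe","1234","RegOpenKey","HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Safer","NAME NOT FOUND","Desired Access: Read"
"12:37:01.0006","SpybotSD.exe","1234","Process Exit","","SUCCESS","Exit Status: -1073741819"
"12:37:02.0001","explorer.exe","900","CreateFile","C:\\Users\\x\\Desktop","SUCCESS","Desired Access: Read"
"""

# Results that mean something stopped the operation. NAME NOT FOUND is left
# out on purpose: it is mostly benign probing noise and floods the list.
BLOCKING_RESULTS = {"ACCESS DENIED", "SHARING VIOLATION"}


def triage(csv_text, process_name):
    """Summarise one process's events: blocked ops, loaded images, exit status."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if r["Process Name"].lower() == process_name.lower()]
    blocked = [(r["Operation"], r["Path"], r["Result"])
               for r in rows if r["Result"] in BLOCKING_RESULTS]
    images = [r["Path"] for r in rows if r["Operation"] == "Load Image"]
    exit_status = None
    for r in rows:
        if r["Operation"] == "Process Exit" and "Exit Status:" in r["Detail"]:
            exit_status = int(r["Detail"].split("Exit Status:")[1].strip())
    return {
        "events": len(rows),
        "results": Counter(r["Result"] for r in rows),
        "blocked": blocked,
        "images": images,
        "exit_status": exit_status,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CSV, "SpybotSD.exe")
    print(f"{report['events']} events, results: {dict(report['results'])}")
    for op, path, result in report["blocked"]:
        print(f"BLOCKED  {op:<12} {path}  ->  {result}")
    print("images:", report["images"], "exit status:", report["exit_status"])
```

Run it against a real export with `triage(open("Logfile.CSV").read(), "SpybotSD.exe")`; a non-zero exit status together with an unexpected image load or a denied write is the kind of pointer the post above is talking about.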

SquallStrife 
2/8/08 11:15:17 PM
Titan

Before you try anything, you should really disconnect the hard disk, plug it into a Linux/Mac box and run a virus/malware scanner over it...

Alternatively, build a BartPE disk, and run a virus/malware scan from there.

Scanning an infected PC from within the infected OS is inherently problematic.

-----
Q6600 @ 3.6GHz | 8800GTS | XP x64 | Vista HP x64 | OSX 10.5.4

Quote by TinBane
The ONLY fuel saving benefit of this product, is that the car expends less energy to accelerate, because your wallet is lighter.

TheSecret 
3/8/08 12:33:07 PM
Master
If you run a virus scanner that runs before the operating system has loaded, such as avast, then no, it's not.

-----

SquallStrife 
3/8/08 10:00:57 PM
Titan

Quote by TheSecret
If you run a virus scanner that runs before the operating system has loaded, such as avast, then no, it's not.
Ah, yeah, it is.

How would you know that avast isn't infected (which there's a good chance of if it didn't pick the virus up before it did any damage)?

What if you can't get in to the OS to install said scanner, or you can but the virus is stopping you from installing said scanner somehow?

My point still stands, if you're going to do it, don't take shortcuts. Mount the disk from an alternate OS, and scan it while it's not "active".

Edit: Removed redundant point.
Edited by SquallStrife: 3/8/2008 10:01:37 PM

-----

TheSecret 
4/8/08 12:05:41 AM
Master
Checksums.

Also, I have not yet heard of a virus targeting a particular virus scanner for such a specific purpose. There is no reason that you could not install a program that you could not fix, and even if it would not run in windows, you can set it to do a boot time scan.

I see what you're saying, but sometimes you need to monitor the active system to remove the threat, and scanning before the operating system has loaded eliminates the need to swap disks etc.

-----

justo316 
4/8/08 4:22:55 PM
Champion

ok, finally something worth updating!

Scanned the hard drive from another computer using Kaspersky which picked up 2 things of interest.

Rootkit.Win32.Clbd.ey in file c:\Windows\system32\clbdll.dll
Adware.Win32.SuperJuan.bwj in file c:\Windows\system32\hytpyy.dll

Deleted those 2 files, and now the PC can install Malwarebytes AntiMalware and Spybot. Also, AVG, spybot, AntiMalware all updated correctly. Internet browsing to all pages seems to have been restored. Notepad doesn't crash anymore.

Looks like it's on its way to being cleaned now! Thanks everyone for the help. To be honest, from my experience, cleaning an infected harddrive from a clean system usually isn't needed, which is why I didn't do it straightaway, but in this case it made all the difference.

-----

Redhatter 
4/8/08 5:39:45 PM
Hero
Titan
This is a good reason why Microsoft should consider producing a LiveCD of Windows. Actually... I wonder if the antivirus packages could be made to run on ReactOS ( http://www.reactos.org ) booted from a CD?

Good to see you managed to get it sorted out though.

-----
Stuart Longland (aka. Redhatter, VK4FSJL)
I haven't lost my mind it's backed up on a tape somewhere...
http://atomicdoc.yi.org <-- AtomicDOC Wiki
Resident Coolie-hatted Gentoo geek. (Gentoo MIPS & Mozilla herd member)

TheSecret 
4/8/08 6:24:32 PM
Master
I think the closest they have is recovery console, which while limited is normally useful enough. Do you think it would be possible to have windows, and its interface, run from a cd?

-----

SquallStrife 
4/8/08 10:10:10 PM
Titan

Redhatter, TheSecret, there are two options.

1. Microsoft's official "live" environment, Windows PE.

http://en.wikipedia.org/wiki/Windows_Preinstallation_Environment

2. Unofficial, but way more flexible 3rd party solution, using your own copy of Windows as a seed, BartPE

http://www.nu2.nu/pebuilder/

Both give you a run-from-CD full Windows environment.

I have one of the latter with a set of tools slipstreamed in for virus/spyware removal, it even has tools to mount the registry hives from the "installed" Windows OS to perform maintenance like this.

-----