Spyware removal: Halp?


rufio:
So apparently I can has some kind of TS3-related spyware - I guess I did something dumb while installing it and doing the external harddrive dance.  (Feel free to P&L - I know you want to.)  I do not believe it is SecuROM, because the SecuROM removal thread says that SecuROM will make a Documents and Settings\Administrator\Application Data\SecuROM folder and I see no such thing (yes, I know it's hidden, which is why I'm doing this from my linux partition - nothing is hidden from the eyes of root). 

Basically this seems to manifest itself as programs called things like 3289426892.exe in Documents and Settings\username\Local Settings\Temp, which mostly seem to be trying to access the internet (which is often turned off when I am in Windows, since I'm usually just there to sim) and being blocked by my anti-virus/spyware program.  Naturally, these files are all hidden and write-protected.  I attempted to solve this problem by going into linux, navigating to this folder and rm -fing those suckers.  I also looked all over the rest of the Documents and Settings folders, but didn't find anything suspicious anywhere else.

However, this seems not to have worked, as there were another batch of 123707932.exe-type files in there today, so there's obviously something else I have to nuke too, but I don't know Windows well enough to know where to look for it.  I've tried sorting the entire contents of my Windows partition by date and track down stuff that was changed since the 22nd (when I installed) but it did not reveal anything suspicious.  Can someone with some Windows savvy tell me a) where to find the stuff I have to delete, and b) what kinds of stuff I should definitely not delete?

Thanks in advance.

morriganrant:
You would have to do it in safe mode to be able to delete things that aren't letting you; they may come back though. Looks like it keeps installing itself on you, so there is another couple of files somewhere. Personally I just use Avast and Malwarebytes for jobs like this. Avast should be able to install and work even if you have another anti-virus; use its scan on boot option, keep an eye out and tell it to ignore any files from your other antivirus that it may improperly identify as a threat. Malwarebytes should be able to target and get rid of anything, even if you yourself are unable to delete it by hand. Malwarebytes isn't an anti-virus on its own but a malware remover.
Try Malwarebytes first. Run it in safe mode to be sure.

The best thing you can do when trying to locate infected files that may be running is to have another pc and google anything that seems odd. Files running from the Temp or Windows\system32 folder are suspicious. There are several files that are legitimately in system32 though, thus google.


...you do not have to wipe your machine yet. I've used nothing but manual work, google, Avast's "scan on boot", and Malwarebytes to remove that Vundo crap and several other trojans and viruses from my friends' machines. Wiping the system is an extreme step to take. Try other methods first.

Celestard:
I am assuming you have XP based on the directory you name.  What happens with these trojans is they install something that reinstalls everything after you delete it and restart your computer.  They can have any number of names so it's hard to say for sure.  I can't find any information about this 3289426892.exe.   Sometimes if you can google the name of the file you can find out what other files are associated with them, but I just did that and nothing by that file name shows up.  So you got something weird.  You could try scanning it with a good antivirus software or whatever you're using, but I think if I were you, rather than go through all that trouble and to be safe, I would just wipe my hard drive and reinstall my operating system.  

rufio:
Quote from: morriganrant on 2009 May 28, 06:54:54

You would have to do it in safe mode to be able to delete things that aren't letting you; they may come back though. Looks like it keeps installing itself on you, so there is another couple of files somewhere. Personally I just use Avast and Malwarebytes for jobs like this. Avast should be able to install and work even if you have another anti-virus; use its scan on boot option, keep an eye out and tell it to ignore any files from your other antivirus that it may improperly identify as a threat. Malwarebytes should be able to target and get rid of anything, even if you yourself are unable to delete it by hand. Malwarebytes isn't an anti-virus on its own but a malware remover.
Try Malwarebytes first. Run it in safe mode to be sure.

Thanks.  I actually don't think I have ever used safe mode and no longer remember how to boot it, and I expect that I will have to figure it out on my own since I am using a linux boot manager to access multiple partitions.  Would logging in as "Administrator" give Malwarebytes the permission to remove whatever it has to remove?  I suppose even if it doesn't I can note where the files are that it's trying to delete and go into linux and remove them by hand.

Quote

The best thing you can do when trying to locate infected files that may be running is to have another pc and google anything that seems odd. Files running from the Temp or Windows32 folder are suspicious. There are several files that are legitimately in win32 though, thus google.

Now, I do see some weird-looking recently-modified .exes in WINDOWS\system32, though there are also a lot of weird-looking .dlls which I'm guessing are supposed to be there.  I'm pretty sure nothing designed to infiltrate Windows will be able to mess up linux, so I'll google from here.

I'm not going to wipe anything unless I absolutely have to.  If worst comes to worst, I suppose I could just never access the internet from Windows - linux is usually better at finding wireless connections anyway.

morriganrant:
I just remembered, in the same vein as odd files and legitimate files in Windows\System32: quite often some Trojans will have the name of a legitimate windows file but will not be in the correct folder. For instance, svchost.exe is a legitimate file in windows\system32. A friend of mine had several running in processes, which is normal, but decided to track them down anyway and discovered a false svchost.exe file in a folder one tier away from system32. So make sure you take a look at where they are supposed to be found as well.

Changing above post. I should obviously be asleep right now and not doing tech support. It is System32 folder, not Windows32, it is in the Windows folder. There should have been a slash and one more word in there.
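As an added example (not code from anyone in this thread), the two checks described above, random numeric-named .exe files under Local Settings\Temp and system binaries such as svchost.exe sitting outside WINDOWS\system32, can be automated over a Windows partition mounted read-only from Linux. The directory layout built here is constructed test data, and the short list of system32-only binaries is an assumption to be extended from a known-clean machine.

```python
"""Flag the two suspicious-file patterns from the thread on a Windows tree
examined from Linux: all-digit .exe names in ...\Local Settings\Temp, and
core system binaries found anywhere other than WINDOWS\system32."""
import os
import re
import tempfile

# Assumed short list of binaries that belong only in WINDOWS\system32;
# build the real list from a clean reference install, not from memory.
EXPECTED_SYSTEM32 = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def scan_windows_tree(root):
    """Walk the mounted partition and return sorted (reason, path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows paths are case-insensitive, so compare lower-cased components
        parts = [p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)]
        for name in files:
            path = os.path.join(dirpath, name)
            # Case 1: 3289426892.exe-style droppers in a user's Temp folder
            if NUMERIC_EXE.match(name) and parts[-2:] == ["local settings", "temp"]:
                findings.append(("numeric-exe-in-temp", path))
            # Case 2: svchost.exe (etc.) whose parent is not WINDOWS\system32
            if name.lower() in EXPECTED_SYSTEM32 and parts[-2:] != ["windows", "system32"]:
                findings.append(("system-binary-outside-system32", path))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed stand-in for a mounted XP partition (not real malware)."""
    root = tempfile.mkdtemp(prefix="winpart_")
    layout = {
        "WINDOWS/system32/svchost.exe": b"MZ legit",
        "WINDOWS/svchost.exe": b"MZ impostor",  # one tier above system32
        "Documents and Settings/rufio/Local Settings/Temp/3289426892.exe": b"MZ dropper",
        "Documents and Settings/rufio/Local Settings/Temp/readme.txt": b"harmless",
        "Program Files/Game/game.exe": b"MZ legit game",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for reason, path in scan_windows_tree(build_sample_tree()):
        print(reason, path)
```

Anything flagged still needs a second look (a game installer may legitimately unpack into Temp), but the output gives the list of paths to verify before deleting anything from the Linux side.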
