
Thread: Running out of options

  1. #31
    Senior Member
    Join Date
    Aug 2001
    Posts
    251
    Well, darn...

    I've been trying to adjust to my new job, so I haven't been hanging around here much lately (not that I was ever that verbal to begin with...)

    I wish I had seen this thread earlier; as I was reading it I instantly had flashbacks to this computer I just wanted to kick until it went fizzle.

    It was this Win2k box, and I tried the full assault on it: AVG, Lavasoft, S&D, HijackThis, etc...
    Which finally pointed me to where the files were, and since deleting them wouldn't get rid of them, I renamed them....

    Why it worked, I don't know, but it did. After renaming them, I deleted any registry reference and then rebooted. For some awful reason it worked... I think I just changed the extension from .dll or .exe to .crap or something else. It managed to waste most of my morning though.

    Nothing like spending 3 hours swearing at the boss's son's computer..., particularly when IT is only part of your job and there are documents piling up to read.

    Now I'm on a crusade to convert the office to Firefox, and the file server is constantly scanning itself and the logs keep saying its defs are updating (thank goodness for AVG and the dazuko kernel module). Now I just gotta get qmail set up to scan incoming mail; I'm the first Linux guy on the staff.... (You should see the mess that the Red Hat install is in..., but it works, so I just keep fixing what things I see...)

    Ciao,
    Dhej
    The owl of Minerva spreads its wings only with the falling of dusk. -Hegel

  2. #32
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I'd love to, Hoggy... the customer already picked it up, though (needed it back urgently...) - and as Spyrus already indicated: I don't really know either what exactly was doing what... DLLs disappearing and re-appearing,...

    Here's (in short) the symptoms, though:

    Added to the HOSTS file:

    69.20.16.183 auto.search.msn.com
    69.20.16.183 search.netscape.com
    69.20.16.183 ieautosearch

    I removed those entries, saved the HOSTS file (and saw the size go down from 2 KB to 1 KB), closed it, and it went immediately up to 2 KB again (the values got added immediately). I set it to read-only: same thing. The only thing that seemed to help was removing ALL rights to it (I tried a couple of different combos, to no avail).

    The pop-ups are page-wide... I noticed that as long as you're not connected to the 'Net, nothing happens... as soon as you connect, they start popping up (without having to open anything... just connecting seems to be enough).

    I found a bunch of other stuff on that computer (the most annoying being Trojano-something Virtumondo, which I believe is somehow related), so it's pretty hard to say what caused what...

    The DLL that seemed to always come back was winupdak.dll (in system32)... renaming it didn't work... command line didn't work... safe mode didn't work... Knoppix didn't work... sometimes it was there, sometimes it wasn't (and sometimes AdAware gave me a hit for a resembling filename in the same dir - windupdal.dll or something)...
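
The HOSTS hijack described in this post (well-known search hostnames pointed at a routable address, and the entries reappearing as soon as the file is saved) can be triaged with a small script. The following is an added example, not code from the thread or from any of the tools mentioned in it. The three hijacked hostnames come from the post; the other watched names, the sample HOSTS contents and the "clean" baseline are constructed for illustration.

```python
"""Added example (not from the thread): flag HOSTS entries that redirect
well-known hostnames away from loopback, and diff a re-read copy of the file
against the cleaned baseline to see which entries are being re-added."""
import ipaddress

# Hostnames that legitimate software resolves and that search hijackers like
# to redirect.  The first three are the ones listed in the post; the rest are
# assumed typical targets, not something the thread names.
WATCHED_HOSTS = {
    "auto.search.msn.com",
    "search.netscape.com",
    "ieautosearch",
    "windowsupdate.microsoft.com",
    "www.google.com",
}

# Constructed sample: the three lines from the post plus ordinary entries.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183 auto.search.msn.com
69.20.16.183 search.netscape.com
69.20.16.183 ieautosearch
0.0.0.0         ads.example.net   # assumed ad-block entry
"""

# Constructed baseline: what the file looked like after the entries were removed.
CLEAN_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example.net   # assumed ad-block entry
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, one per name on each line.
    Comments, blank lines and lines without a valid address are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; not what we are hunting for
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def is_sinkhole(ip):
    """127.0.0.1 / ::1 / 0.0.0.0 are the normal ad-blocking use of HOSTS."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(text):
    """Watched hostnames mapped to something other than a sinkhole address.
    Pointing auto.search.msn.com at a routable IP is the hijack pattern."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if name in WATCHED_HOSTS and not is_sinkhole(ip)]


def readded_entries(baseline_text, current_text):
    """Entries present in a re-read copy but absent from the cleaned baseline.
    Poll the file with this after saving to log exactly what comes back."""
    baseline = set(parse_hosts(baseline_text))
    return sorted(set(parse_hosts(current_text)) - baseline)


if __name__ == "__main__":
    for ip, name in find_hijacks(SAMPLE_HOSTS):
        print(f"HIJACK {name} -> {ip}")
    for ip, name in readded_entries(CLEAN_HOSTS, SAMPLE_HOSTS):
        print(f"RE-ADDED {ip} {name}")
```

Running `readded_entries` in a loop against the live file (re-reading it every second or so) gives a timestamped record of when the entries return, which is the moment to look at what process has the file open.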

  3. #33
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    Originally posted here by Spyrus
    that's the problem hogfly, we can't really figure out what files are causing the root of this issue; some hidden file(s) are making these files come back. Without knowing what they are I don't know if we could really do anything for you... but if I have time tomorrow at work I will grab whatever files I can for you
    spyrus, that's cool. Some files are better than none, and in fact, when torn down, they may tell you what files to look for.

    negative: I see things like this more and more. There are usually a few things happening... it's a rootkit-esque spyware bundle. It will most likely do some form of sniffing and reporting, maybe even open up an SSL proxy port on the machine to communicate via. It's obviously hooked into the system startup, and you aren't seeing any strange things happen until it senses the network connection because it's polling so it can hijack your network connection. I'd consider throwing a sniffer between that box and the uplink. It's phoning home at some point, no doubt transmitting tracking info, or in the case of some nasty spyware I've gotten a hold of... sniffing SSL traffic and reporting on it.
    One other thing you may want to consider is deleting the user profile completely. Some spyware buries itself in the user's profile and is a b**** to get out.

    When things like this occur it's a great idea to grab 3 programs, all from sysinternals.

    1. regmon
    2. filemon
    3. procexplorer

    Load the first two (heck, get them to run at boot if you feel up to it; just add them to Startup or even to the registry), save the log files after about 2 minutes to a .txt file, then start parsing for known baddies. It will inevitably point you to what is being called. Process Explorer... well, with that you can just go ahead and start it after the machine boots, to see what's running.

    While I realize this isn't your computer, it's a client's... you as the service agent should try to explain to the owner of the machine that nothing they ever do on the machine can be trusted until they reformat. Given the number of infections that you have discovered, anything they do on that computer is at risk. They don't have the original disks... well, that I can understand, so give them a Linux distro instead and tell them the compilers are built in and Borland can go to hell.


    One last piece... I don't know if the other thread has this link in it yet, but someone seems to think this is the vx2 spyware bundle? Try this: http://www.cexx.org/vx2.htm If that link was posted already... well, blame me for not wanting to keep up with 2 identical threads.
    Antionline in a nutshell
    "You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"

    Trust your Technolust

  4. #34
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Yes, this seems to be a new L2M variant that none of the standardized fixes is working on. Zupe at BBR has had some progress with this infection in this thread there: http://www.dslreports.com/forum/rema...flat~days=9999

    Also this fix from cryo at BleepingComputer: http://www.bleepingcomputer.com/foru...cx5917-15.html

    Interesting reading. There has been some debate about it hooking into the Active Desktop...


    EDIT: These seem to be the same links that Groovicus has pointed out in Spyrus's thread. Oops!

  5. #35
    Hi, Neg! Also, check the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. There are probably a couple of keys there that launch apps at startup that re-infect the system. Also, look in RunOnce and RunOnceEx. I've found nasties there before, as well.
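
The procedure hogfly gives in #33 (run Filemon and Regmon for a couple of minutes, save the logs as text, parse for known baddies) and the Run/RunOnce/RunOnceEx check in this post come down to the same two questions: which process is writing DLLs into system32 (or rewriting the HOSTS file), and which process is setting autostart values. The script below is an added example, not code from the thread or from Sysinternals. It assumes the saved logs are tab-separated in the column order `#`, `Time`, `Process:PID`, `Request`, `Path`, `Result`, `Other`; the log lines themselves, the process names and the registry values in them are constructed for illustration (winupdak.dll is the filename from post #32; the rest is made up).

```python
"""Added example (not from the thread): group suspicious writes from
Filemon/Regmon text exports by process, so the repeat offender stands out.
Column layout is an assumption about the tools' "Save As" output."""
import re
from collections import defaultdict

# Registry paths that launch things at logon (post #35's three keys).
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|RunOnceEx)(\\|$)",
    re.IGNORECASE)
# Any DLL directly under a system32 directory.
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# Request verbs that modify things (Filemon / Regmon vocabulary, assumed).
FILE_WRITE_REQUESTS = {"WRITE", "CREATE", "SET INFORMATION"}
REG_WRITE_REQUESTS = {"SETVALUE", "CREATEKEY"}

# Constructed Filemon export: one DLL drop and one HOSTS rewrite among noise.
FILEMON_SAMPLE = (
    "1\t9:41:03 AM\tsvchost.exe:820\tOPEN\tC:\\WINNT\\system32\\ntdll.dll\tSUCCESS\tOptions: Open\n"
    "2\t9:41:05 AM\tmsiexec.exe:1188\tCREATE\tC:\\WINNT\\system32\\winupdak.dll\tSUCCESS\tOptions: OverwriteIf\n"
    "3\t9:41:05 AM\tmsiexec.exe:1188\tWRITE\tC:\\WINNT\\system32\\winupdak.dll\tSUCCESS\tOffset: 0 Length: 24576\n"
    "4\t9:41:06 AM\texplorer.exe:1052\tOPEN\tC:\\WINNT\\system32\\drivers\\etc\\hosts\tSUCCESS\tOptions: Open\n"
    "5\t9:41:06 AM\texplorer.exe:1052\tWRITE\tC:\\WINNT\\system32\\drivers\\etc\\hosts\tSUCCESS\tOffset: 0 Length: 2048\n"
)

# Constructed Regmon export: two autostart values set, one harmless query.
REGMON_SAMPLE = (
    "1\t9:41:07 AM\tmsiexec.exe:1188\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\winupdak\tSUCCESS\t\"rundll32.exe winupdak.dll,DllRegisterServer\"\n"
    "2\t9:41:07 AM\texplorer.exe:1052\tQueryValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\AVG\tSUCCESS\t\"C:\\PROGRA~1\\AVG\\avgcc.exe\"\n"
    "3\t9:41:08 AM\tmsiexec.exe:1188\tSetValue\tHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\a\tSUCCESS\t\"C:\\WINNT\\system32\\winupdak.dll\"\n"
)


def parse_export(text):
    """Turn a tab-separated Filemon/Regmon export into a list of dicts.
    Header lines and anything without a numeric sequence column are skipped."""
    rows = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6 or not cols[0].isdigit():
            continue
        proc, _, pid = cols[2].partition(":")
        rows.append({
            "seq": int(cols[0]), "time": cols[1],
            "process": proc.lower(), "pid": pid,
            "request": cols[3].upper(), "path": cols[4],
            "result": cols[5], "other": cols[6] if len(cols) > 6 else "",
        })
    return rows


def triage(filemon_text, regmon_text):
    """Map process name -> list of (finding kind, detail) for the three
    behaviours the thread is chasing: DLLs written into system32, the HOSTS
    file being rewritten, and values set under the Run* keys."""
    findings = defaultdict(list)
    for r in parse_export(filemon_text):
        if r["request"] not in FILE_WRITE_REQUESTS:
            continue
        if SYSTEM32_DLL_RE.search(r["path"]):
            findings[r["process"]].append(("system32 dll write", r["path"]))
        elif r["path"].lower().endswith("\\drivers\\etc\\hosts"):
            findings[r["process"]].append(("hosts file write", r["path"]))
    for r in parse_export(regmon_text):
        if r["request"] in REG_WRITE_REQUESTS and RUN_KEY_RE.search(r["path"]):
            findings[r["process"]].append(
                ("autostart value set", r["path"] + " = " + r["other"]))
    return dict(findings)


if __name__ == "__main__":
    for proc, hits in triage(FILEMON_SAMPLE, REGMON_SAMPLE).items():
        print(proc)
        for kind, detail in hits:
            print(f"  {kind}: {detail}")
```

Read the output per process rather than per line: on a box like the one in this thread the interesting thing is not any single write but the one process name that shows up under all three finding kinds, since that is the thing re-creating the DLL, the Run value and the HOSTS entries after each cleanup. Process Explorer can then be used to see what that process has loaded and who its parent is.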

  6. #36
    Senior Member
    Join Date
    Oct 2002
    Posts
    741
    ****************************************************
    WARNING WARNING DONT OPEN WARNING WARNING
    ****************************************************


    Hogfly, here are a couple of the files I could find. I did figure out that the IP address that it keeps connecting to has something to do with the Look2Me strain. Maybe a new variant?? I don't know.

    No one should open or download this file unless they know what they are doing.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem: click here

  7. #37
    Senior Member
    Join Date
    Oct 2001
    Posts
    131
    Just a quick, maybe stupid question. At any time during the repair of this computer was it plugged into a network or internet connection?

    Some viruses/spyware I have seen come into the office seem to pull files from the net, which then multiply. In severe cases I take the drive out, put it into another machine (usually Linux based), then scan it with an anti-virus scanner designed to check FAT/NTFS filesystems.

    Another thing to check out is Partition Image: a bootable CD that allows you to make back-ups of everything on the computer so you have a safe back-up copy in case something goes wrong. You can also extract single files from the archives.

    It would also probably make it easier on you if you gave yourself more time to work. It's my policy to let the customer know that jobs where data needs to be preserved may take longer than regular cleaning/upgrades.

    Hopefully your next computer fix is much easier. We'd hate to hear on the news that a PC tech went nuts and beat the customer with their computer because they couldn't keep their anti-virus up-to-date.
    What's a "START" button?
