January 21st, 2005, 06:35 PM
I recently (yesterday) dealt with the worst spyware infestation I've ever seen. I visited my uncle's place and he asked me to take a look at his computer, which had major IE problems. I booted it up and took a look at the infestation and it was horrible. Here was a computer with no firewall, XP with no Service Pack, and no antivirus. IE was totally unusable and nothing could be downloaded from the net. My first reaction was to format and do a complete reinstall. But my uncle didn't have a CD for XP. So, I had to fix everything by hand.
Luckily, last time I was there, I had downloaded HijackThis! and Spybot S&D. So, I ran HijackThis!. It came up with a bunch of BHOs but the moment I removed them, they were back. Spybot spotted a few things and removed them. The combined efforts of Spybot and HJT were enough to fix IE enough to allow me to download Firefox. This computer literally had layers of spyware!! I remove one hijacker, only to find another one below it!
After this, I managed to download CWShredder, Adaware and AVG. After about 6 hours, the whole computer was as clean as automated tools can get it. After that, all that remained was to tie up some loose ends (System Restore, some leftover executables).
After that, I turned on XP's firewall and taught my uncle how to use Firefox, even downloading an IE skin for it (bleargh!). I turned on the resident guard for everything and left hoping that he won't do it all over again.
All in all, there were about 160 odd individual pieces of spyware on that computer.
So, anyone else seen computers infected as badly as this?
January 21st, 2005, 06:37 PM
That's it?! I checked my work machine (I think the admins when they do updates go surfing).. I was in around 200. My aunt's machine -- over 500. I'm sure there are some with even worse horror stories.
January 21st, 2005, 06:48 PM
So IE was installed, eh? That's a problem all right.
"...had major IE problems..."
My in-laws have two PCs, one each. Dad has an old AMD T-bird 900MHz on an Asus A7V (256 MB of VC-RAM) that used to be my old gaming rig; we patched it all together, built the OS, I tuned it, and we talked a bit about spyware and such. Mom has an off-the-shelf factory refurbished (the case had some blemishes) Dell P4 2GHz with all the bells and whistles and 756MB of RAM. No discussion on anything because "she's worked in IT and knows that stuff".
After 3 months, her computer ran at about 1/4 the speed of his. I installed Spybot S&D and the initial window came up with "Just give up now." OK, that's an exaggeration, but it wasn't pretty. I had to convince her (after several discussions) that the only way to really fix the situation was to save her data (a few megs' worth, it was trivial) and reformat/reinstall the system.
The count was well over 300 when the scan was done. And she "knows what she's doing".
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
January 21st, 2005, 07:25 PM
I'm not so sure the quantity of pieces of spyware is the most important factor. More the type of infection and how it affects a box. A couple of hundred tracking cookies are not going to present that much of a problem, yet they will register as spyware during a scan, and so they should.
It's the malware that creates registry entries, attaches to system processes and uses alternate data streams, etc. That is more important, well, IMO anyway.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
January 21st, 2005, 07:27 PM
I have found some where Adaware alone has found over a thousand. I have run into a couple where the user had like 5 or 6 search bars.... talk about a mess, the spyware was actually fighting each other when you would type in an address. Blah. It's a wonder how ppl think nothing of all these new popups and such.
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
January 21st, 2005, 07:42 PM
OK, maybe I should have specified, but this was around 160 pieces of actual spyware programs. Not tracking cookies and the like. I counted.
January 22nd, 2005, 04:07 PM
I am a domain admin for a medical facility that has 6 remote offices in its domain. The staff is made up of approximately 200 women, and six men. (All of us guys are in the corp. office.)
Recently we had a case in which an unknown user at a remote office had brought in a CD that contained small XXX MPEGs that she had burned to disc. Apparently these MPEGs contained a few trojans, and tons of spyware. We know this because of the files named in the history list, and the file location. Of course no one admitted to it!
We use Trend OfficeScan, and we were notified instantly of the infection. But, for some reason, Trend couldn't remove the infected files so it renamed them instead. It was a nightmare! We were trying to clean this system through a VPN connection so that we wouldn't have to drive out to that office and physically clean the machine. That battle lasted two days...we lost. The trojan kept reinstalling itself, Trend kept renaming it.
January 23rd, 2005, 12:26 AM
15 trojans - including Beast and Optix
14 versions of CoolWebSearch
45 mixed viruses, inc. 12 versions of Gaobot, Nachi..
62 mixed parasites..
in all some 2500 files were removed that is of course including cookies, much more impressive when you quote that number to the customer.. prolly about 1500 or more were cookies..
removal involved ..the initial "oh F##K - Spybot isn't on this CD anymore" discovery and the "Oh S##t HJT won't run" realisation.
Live CD (BartPE), do an initial scan with Stinger, then Adaware.
empty Win Temp, temp internet, prefetch,.
Safe mode boot (no network), HJT log, to find a "shell=" entry that needed to be fixed..
restart- another Stinger run (yep found more)
CWShredder.. found a few versions
spybot (yeppers it is here on the Cd now-funny that..)- and updated from jump-drive- removed some more ****
Adaware now had a play - updated from jumpdrive - more crap (funny, this: it found cookies that didn't delete when I cleaned all of the users' cookies folders..)
The cleaner installed- removed more crap including more..CWS.
AVG - was installed and updated from jumpdrive
restart to safemode with network again repeated the above twice- except cleaner updated this time -
boot to normal mode, HJT log to see how it was going, AVG, Spybot, Adaware, The Cleaner showed more crap (mainly registry entries and a few odd files - oh and more bloody cookies - I was certain I emptied that bloody folder, I had even gone in under safe mode, used command prompt to delete the remaining crap.. used attrib for files that may be hidden or marked as system, and cleaned every user's folder)..
oh yes at this point I was able to start installing win -patches/updates
needless to say.. yes it is a layered clean.. these infections are like peeling onions, a layer at a time.. many Adware parasites seem to aid the installation of other viruses and trojans by disabling certain functionality of the Anti Virus, and manage to Block the installation of some of the Adware tools. As one such infection did recently.. it deleted the installation files for adaware from my jump-drive (that is why I only have the Update files on my Jump drive now)..
I think malware is too kind a description for adware/spyware.. ****ware would be more apt. And the ppl who write it and those who allow it to spread need to be treated more severely than the virus and trojan writers.
Clp727, it is a pisser attacking a trojan over a VPN connection.. there is only so much you can do in normal and even in safe mode.. some times you just need to be at the local keyboard...with a hammer..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
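A small triage script for the kind of HijackThis log used in the procedure above, added here as an example (it is not code from the thread or from HijackThis itself): it parses constructed sample log lines and flags the entries a cleaner checks first, namely a Winlogon Shell= value carrying anything beyond Explorer.exe, BHOs that report no name, installed IE toolbars, and Run entries launching from temp folders. The section codes follow HijackThis's log layout; the CLSIDs, file names and paths in the sample are made up.

```python
import re

# Constructed HijackThis-style log (sample, not from the thread). The section
# codes are HijackThis's (F2 = system.ini/Winlogon values, O2 = BHOs,
# O3 = IE toolbars, O4 = Run keys); the CLSIDs and paths are made up.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\System32\\svhost32.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\System32\\mslg.dll
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\helper.dll
O3 - Toolbar: &Search Bar - {00000000-0000-0000-0000-000000000003} - C:\\Program Files\\SBar\\sbar.dll
O3 - Toolbar: Free Stuff - {00000000-0000-0000-0000-000000000004} - C:\\Program Files\\FStuff\\fs.dll
O4 - HKLM\\..\\Run: [avgcc] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [updater] C:\\DOCUME~1\\MOM\\LOCALS~1\\Temp\\upd.exe
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$", re.I)
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
TOOLBAR_RE = re.compile(r"^O3 - Toolbar: (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
RUN_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[(.*?)\] (.*)$", re.I)
TEMP_RE = re.compile(r"\\(temp|temporary internet files|prefetch)\\", re.I)


def triage(log_text):
    """Return the log entries a defender would look at first, by category."""
    findings = {"shell_extra": [], "unnamed_bho": [], "toolbars": [], "run_from_temp": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = SHELL_RE.match(line)
        if m:
            # Winlogon's Shell should be exactly Explorer.exe; a hijacker appends
            # its own executable (space- or comma-separated) so it starts at logon.
            tokens = [t for t in re.split(r"[,\s]+", m.group(1).strip()) if t]
            findings["shell_extra"].extend(t for t in tokens if t.lower() != "explorer.exe")
            continue
        m = BHO_RE.match(line)
        if m:
            # A nameless BHO is a triage signal, not proof; it is flagged for a look.
            if m.group(1).strip().lower() == "(no name)":
                findings["unnamed_bho"].append(m.group(3))
            continue
        m = TOOLBAR_RE.match(line)
        if m:
            findings["toolbars"].append(m.group(1))
            continue
        m = RUN_RE.match(line)
        if m and TEMP_RE.search(m.group(3)):
            # Legitimate autostarts rarely run out of Temp or Prefetch.
            findings["run_from_temp"].append((m.group(2), m.group(3)))
    return findings
```

The `findings` dictionary is what to compare against the next log after a reboot: an entry that reappears after removal is the "layer below" the thread describes.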
January 23rd, 2005, 04:55 AM
1200 misc occurrences of adware, not to count the 13 viruses and the numerous occurrences of spyware. I found all of this on my parents' computer when I went home for Thanksgiving. It took me about 6 hours to get rid of it all. That was a pain in the ass.
January 23rd, 2005, 05:45 AM
My worst was my friend's computer, it had like a total of 400 things of spyware on it, including cookies. When you opened IE about half of the monitor was instantly covered in search bars. He had no AV, no anti-malware programs, no firewall... It was a mess. In a half hour, about 50 pop-ups would pop up even without IE being opened. It took me like 5 hours to clean everything out because he had some pretty resistant crap on his PC, and then what do you know? The TCP/IP settings are now all screwed up because I must have deleted something that would mess it up. So I had to go back to my house to download WinsockFix, came back to his house and ran it to get him connected to the internet again.
...it's stressing me out just thinking about it, it was just a mess...