
Thread: Hijacker letgohome

  1. #11
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    I can understand the reluctance to shut off System Restore ( assuming it is ME or XP ) on a customer’s computer. I have not yet tried deleting specific restore points yet ( never thought of trying it to tell the truth ) but I have seen some malware which apparently made their own restore files. Unusual thing about them, when System Restore was shut off ( which should to my understanding delete all the existing restore points ) the malware restore points were still present, but the malware in the restore point was not picked up when scanning! ( Stupid me, thinking only of how to clean the damn things, never thought to try and find out how they worked. )
    AND the restore point would load, even in safe mode!!!!!
    ( This reminds me of another post I responded to recently, though different malware. Seems these things keep getting smarter trying to defeat the scanners. )

    Just a couple of questions, and I am in no way saying you saw what you say you saw, I am just trying to clarify. First, are you sure that malware was being called from the system restore folder in HJT? The reason I ask is because I have been doing malware removal for quite a while, and have never seen this behavior, even with some of the most sophisticated malware. I have done extensive testing, along with a few others, and we have never found a single case where this happens. We have seen malware create directories that 'look' like system restore directories, as well as masquerading as Panda, McAfee, and Sygate though.

    Also, HJT does not monitor registry keys having anything to do with system restore, so if anything like that had been showing up in logs, it would have created a bunch of commotion.

    It is not unusual for malware to start in safe mode anymore. That only makes it marginally harder to kill, but a pain nevertheless. Self-monitoring malware is not all that unusual any more either. And it would neatly explain the behavior you are describing.

    Based on my understanding of System Restore, it is only a snapshot of a system at a given time. It is not designed to restore single files. WFP on the other hand does, and has been exploited by Bube, among others.

    I'm not saying it can't happen though, just that I have not seen it. Would you happen to remember the infection involved, or by any chance kept a copy of the log?

  2. #12
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    First, are you sure that malware was being called from the system restore folder in HJT?
    Yes, I’m sure. That is why I turned off system restore in the first place. It stuck out to me that HJT would have such an entry too. When I went to the restore folder it was there.

    As I said, my understanding of System Restore is that when you shut it off all the restore points are deleted, so that is what I did thinking this would be an easy fix. Rebooted into safe mode, all the restore points were gone but not the file that showed up in HJT, and it could not be deleted.

    I didn’t take notice of exactly where it was being called from but could watch the temp folder fill up with new processes while it reinstalled itself. Most of the files in the temp folder could be deleted except for the newest ones from the latest system reboot.

    As for the particular variant, I don’t remember, but it was one for which removal tools from Symantec and others existed: none worked. My guess is someone found a new way to deliver and safeguard it, but the registry values that it left behind were the same as in the manual deletion instructions, so after I managed to remove it from the restore folder ( manually using a boot disk and Dosshell ) I was able to clean the registry. ( also searched the registry for additional entries but found none. )

    I had never seen this before either. The computers where this was seen had no protection ( no malware detection, no spyware detection, out-of-date anti-virus ) on a broadband connection : typical user!

    BTW, this was the last thing on the computers. Prior to this I did the normal; ran Adaware, SpyBot, and Sysclean, all with the latest definitions. The Sysclean picked up two viruses, the others cleaned almost 200 instances of malware including the one that could not be deleted but they made no mention of the restore file.

    If I come across it again believe me I will copy it before I do anything else!
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  3. #13
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    I know this situation is closed but I would like to point out the most painstakingly obvious comment as possible... if and when all these tools are run in safe mode, all temp files have been cleared including the prefetch folder which people always seem to forget.... Did you happen to change the website to something else or was the homepage still set letgohome.com?

    I have seen even advanced technical people accidentally overlook the obvious, forgetting to check the basics.

    edit: did I mention to make sure that at a minimum your client MUST have SP1, or else they will just get reinfected quicker than you can walk out the door.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here

  4. #14
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I would like to point out the most painstakingly obvious comment as possible... Did you happen to change the website to something else or was the homepage still set letgohome.com?

    Good point.
    Many of the tools we take for granted will indicate a browser hijack attempt, but don’t necessarily indicate changes of the default.

    Example:
    None ( anymore ) balk at my IE homepage of about:blank.
    None complain at all of my Mozilla products' custom home pages which were set by the user.

    It is always a good idea ( at least I do it ) to ask the owner of the computer a few questions like what home page they usually set up, do they use chat programs, etc., and check it before I’m done. But I always also insist on their original install disks just in case I can’t clean it.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
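A check in the spirit of the point above, written here as an added example and not code posted by anyone in the thread: it reads the Internet Explorer start-page values that a hijacker rewrites and compares them with the home page the owner says they set. The registry locations are the standard IE `Main` keys; the expected URL is an assumed placeholder to be replaced with the owner's answer.

```powershell
# Added example: compare the IE home page settings with what the owner expects.
# $ExpectedHomePage is a placeholder default; pass the owner's real answer.
param(
    [string]$ExpectedHomePage = 'about:blank'
)

# Per-user and machine-wide locations IE reads its start page from.
# The HKLM value is often absent; that is handled below, not an error.
$Locations = @(
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' },
    @{ Path = 'HKLM:\Software\Microsoft\Internet Explorer\Main'; Name = 'Start Page' }
)

function Get-ComparableUrl([string]$Url) {
    # Trim, drop a trailing slash and lower-case so that
    # "Http://Example.com/" and "http://example.com" compare equal.
    if ([string]::IsNullOrEmpty($Url)) { return '' }
    return $Url.Trim().TrimEnd('/').ToLowerInvariant()
}

$Expected = Get-ComparableUrl $ExpectedHomePage
$Findings = @()

foreach ($Loc in $Locations) {
    $Item = Get-ItemProperty -Path $Loc.Path -Name $Loc.Name -ErrorAction SilentlyContinue
    if ($null -eq $Item) { continue }          # value not set at this location
    $Actual = [string]$Item.($Loc.Name)
    $Status = if ((Get-ComparableUrl $Actual) -eq $Expected) { 'OK' } else { 'CHANGED' }
    $Findings += [pscustomobject]@{
        Location = "$($Loc.Path)\$($Loc.Name)"
        Value    = $Actual
        Status   = $Status
    }
}

$Findings | Format-Table -AutoSize

# Exit non-zero when any location differs from what the owner set, so the
# check can be chained at the end of a cleanup script.
if ($Findings | Where-Object { $_.Status -eq 'CHANGED' }) { exit 1 }
```

Run it as the user whose profile was cleaned, since the HKCU value belongs to that account.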

  5. #15
    AO's Resident Redneck The Texan's Avatar
    Join Date
    Aug 2003
    Location
    Texas
    Posts
    1,539
    You know I might get negged just for posting this lol but I'm gonna anyway... I just downloaded and used Microsoft's anti-spyware beta and it seems to work well... it removed a lot of stuff... you might want to go to Google and do a search for that, sorry I don't have the link.
    Git R Dun - Ty
    A tribe is wanted
