Removing "Gemini" type Restoration?
Results 1 to 7 of 7

Thread: Removing "Gemini" type Restoration?

  1. #1
    Junior Member
    Join Date
    Oct 2005
    Posts
    4

    Removing "Gemini" type Restoration?

    Ok, so install LOP and you'll get two iexplore.exes - now, if you remove anything, it will be restored. If you kill one, it will be restored by the other.

    Thus they mutually look after each other - the only way of getting rid of this effectively is to use their uninstaller. How would it be done the manual way?

    Thanks <3
    Rawrr!

  2. #2
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    This is one of the better explanations of LOP and it's removal.

    http://www.doxdesk.com/parasite/lop.html
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  3. #3
    Junior Member
    Join Date
    Oct 2005
    Posts
    4
    Thank you for the link, however, with the LOP varient installed by a program such as MSG+, there is a dual IEXPLORE.EXE process which instantly restores any component that is deleted etc etc.
    Rawrr!

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Download process explorer from systernals.

    You can kill multiple processes at one time.

    http://www.sysinternals.com/Utilitie...sExplorer.html

    BTW: Does it still load in safe mode? If not, then install all the necessary tools (and update them) and then remove it in safe mode.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Have you tried using Adaware SE http://www.lavasoftusa.com/software/adaware/ this will clean out a lot of the LOP variants garbage, actually you should try to do a complete clean of your PC with Ccleaner as well http://www.ccleaner.com/ and then use Spybot S & D http://www.safer-networking.org/en/

    If after you have tried these and you still have the problem, maybe you can submit a HJT log to http://forums.tomcoyote.org/index.php?showforum=27

    To get the HJT app go to http://www.tomcoyote.org/hjt/ follow the instructions and someone there will help you get rid of the problem.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    This sounds rather like the classic "Robin hood and friar tuck" attack.

    I created a Windows program that did this (experimentally; it had no detrimental effect, wasn't intended for any malicious purpose, wasn't distributed and I didn't publish the source) about 6 years ago.

    I discovered that in order to be effective, I attach debuggers to both processes, suspending them. Then I get the debuggers to kill both the (now-suspended) processes, in any order I want (they won't restart as they're both suspended).

    That worked fine.

    Slarty

  7. #7
    Junior Member
    Join Date
    Oct 2005
    Posts
    4
    Ooh that sounds cool, I have little compiled programming experience so would you be so kind as to recommend the debuggers?
    Rawrr!

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides