Spyware Protect 2009


Bullfighter
03-03-2009, 02:07 AM
Greetings all,

I'm hoping I can pick the brain of someone who has a little more experience with this little bugger. I've removed it twice in the last week but this scenario seems a bit different. Perhaps someone can help me with the inner workings of what's happening.

Got a call from a new client today; she brought her laptop from home and plugged it into the network at work to print something. As soon as she plugged it in she started getting bombarded by messages from Norton saying it blocked a hostile attack from "spyware attack 2009" from 195.245.119.131,80.

One of their systems had no antivirus, so I installed Antivir and ran a scan (clean) before they closed.
The other machine only had MS Live OneCare on it (yeesh); unfortunately it has some critical app that runs and they won't let me mess with it till Saturday (in spite of my warnings).

On to my question: I have to assume something local is infected since they are behind a router. Is this standard behavior for this little cretin? Am I right to suspect that one of the local machines is infected? It's the first time I've seen it in a LAN environment.

Thanks in advance,
EP

geekhelp4u
03-03-2009, 02:27 AM
MBAM should kill this bugger, but here is why you are seeing it across the network. Like many of the newer spyware nasties it is probably installing P2P software and then using it to:

1. Distribute itself across a network
2. Download additional nasties

Make sure that IE has not added new connections.
Make sure that all P2P software is removed.

By saying 195.245.119.131,80 it tells me that it is probably using port 80, which is the port used to transfer on the internet. Due to this, it has most likely added all of the known nasty sites that it resides on into your trusted sites in IE. I would run the IE reset tool that is built in, then double-check all trusted sites and make sure you delete them. It has probably also turned the infected machine(s) into its own server to host and distribute the nasties.
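The checks in the reply above, scripted. This is an added triage script, not code from the thread or from any product named in it. Run it in an elevated PowerShell (2.0 or later assumed) on every Windows box on the LAN, the visiting laptop included, to answer the three things the reply raises: which process is talking to the host Norton reported, whether IE's Trusted Sites zone or its proxy and Connections settings were altered, and whether a P2P client is installed. The IP and port come from the original post; the P2P product list and the registry paths on 64-bit Windows are assumptions and should be adjusted to what the site actually uses.

```powershell
# Added triage script (not from the thread). Elevated PowerShell 2.0+ assumed.
$SuspectHost = '195.245.119.131'   # from the Norton alert quoted in the thread
$SuspectPort = 80

function Find-SuspectConnections {
    # netstat -ano columns: Proto, Local address, Foreign address, [State], PID
    $needle = $SuspectHost + ':' + $SuspectPort
    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        if ($f.Count -ge 4 -and $f[2] -eq $needle) {
            $owner = [int]$f[-1]
            $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Proto = $f[0]; Local = $f[1]; Remote = $f[2]; PID = $owner
                Image = $(if ($proc) { $proc.Path } else { '?' })
            }
        }
    }
}

function Get-TrustedSiteEntries {
    # ZoneMap\Domains\<domain>[\<host>] holds one DWORD per scheme
    # ("http", "https" or "*"); value 2 = Trusted Sites zone, 4 = Restricted.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (-not (Test-Path $base)) { return }
    Get-ChildItem $base -Recurse | ForEach-Object {
        $key = $_
        foreach ($scheme in $key.GetValueNames()) {
            if ($key.GetValue($scheme) -eq 2) {
                New-Object PSObject -Property @{
                    Entry  = ($key.Name -replace '^.*\\Domains\\', '')
                    Scheme = $scheme
                }
            }
        }
    }
}

function Get-ProxyAndConnections {
    # A proxy or auto-config URL the user never set redirects every browser
    # request; an unexpected value under Connections is a "new connection".
    $is = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p  = Get-ItemProperty $is
    "ProxyEnable   = $($p.ProxyEnable)"
    "ProxyServer   = $($p.ProxyServer)"
    "AutoConfigURL = $($p.AutoConfigURL)"
    if (Test-Path "$is\Connections") {
        "Connections   = " + ((Get-Item "$is\Connections").GetValueNames() -join ', ')
    }
}

function Get-P2PClients {
    # Assumed list of common 2009-era P2P clients; extend as needed.
    $p2p = 'LimeWire','Kazaa','BearShare','eMule','uTorrent','BitTorrent','Ares','FrostWire','Morpheus'
    $paths = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem $path | ForEach-Object { Get-ItemProperty $_.PSPath } |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                $name = $_.DisplayName
                foreach ($tag in $p2p) { if ($name -like "*$tag*") { $name; break } }
            }
    }
}

'== Connections to {0}:{1} ==' -f $SuspectHost, $SuspectPort
Find-SuspectConnections | Format-Table -AutoSize
'== Trusted Sites zone entries (expect none on a clean box) =='
Get-TrustedSiteEntries | Format-Table -AutoSize
'== IE proxy / connection settings =='
Get-ProxyAndConnections
'== Installed P2P clients =='
Get-P2PClients
```

The machine whose netstat shows a process connected to the suspect host is the one to pull off the LAN first; a Trusted Sites entry, proxy server or auto-config URL nobody at the site recognises is the tampering the reply describes and should be removed after the cleanup rather than before, so the scanners can see what was there.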

Bullfighter
03-03-2009, 04:07 AM
Thanks for responding GeekHelp, I'll be taking your advice!

==============================

And while I have the opportunity... Thank you for serving our country and protecting a country where we have the freedom to start our own businesses and express our own opinions, just to name a couple.

Sincerely,
EP

ASDCR
03-03-2009, 04:08 AM
yeah.. you run MBAM and it might get it off

they used to be my #1 "turn to" anti-vundo solution

I'm finding not even MBAM is killing vundo anymore though
:(

when I hear the tell-tale signs of vundo from a caller, I tell them they need to walk over - right now - and pull the cord out the back of the computer

just do it

the longer that thing stays on a computer, the more "nasties" (good word for it, btw) it brings onboard, and the longer it takes to get it off

if ever!

that vundo is getting pretty damn hairy

to the point that we've adopted a policy.. we'll work on a box for an hr; if at the end of an hour we're making headway, we'll keep going

but if we're just going in circles - spinning our wheels.. we need to take that HD out, hook it up via our USB/ATA connector to another computer, transfer over any important files... then, it's time to find those orig CDs, repartition, reinstall the O/S, etc

seems that's the only way to get rid of that thing
:(

I think often that's the shortest path between two points - that's cuz it's just plain not economically feasible to "go to the mat" killing some virus

you pay my rate for a few hours and you're looking at 85% of a new computer - so... when you're all done, you've almost paid for a new computer - and you're left with this OLD computer that's going to die in 12-18 months anyway!

TimeCode
03-03-2009, 07:58 AM
[quotes ASDCR's post above in full]

You're killing me with the extraneous line spacing... Please, don't sit on the "Enter" key. :rolleyes:

iladelf
03-03-2009, 09:24 PM
While MBAM and SuperAntiSpyware may be the current "de facto" spyware removers, I'm finding that running Combofix/Roguefix usually will smash the waddin' out of 99% of all these nasty spyware installs.

I've no problem with using MBAM and SAS afterwards, but only as a second opinion. If time is of the essence, Combofix and Roguefix together will usually nuke these bad boys.

ASDCR
03-04-2009, 03:08 AM
hmm..

I can never run Combofix and Roguefix - they always get shut down

I've given up on them - seems like the nasties are way ahead of them

??

geekhelp4u
03-04-2009, 03:17 PM
I would start by using a Linux-based boot anti-virus and see if it can pre-clean the machine

Spiderz
03-05-2009, 01:15 AM
I know you have not mentioned the exact OS, but I have seen, especially with Windows XP, that you might have to turn off System Restore so that it kills all the previous restore points that might be infected. Then after you are sure it's clean, turn it back on and create a restore point.

I work for a tech call center and we will get calls with infections coming back and back even after running scans with everything under the sun. Killing the System Restore, cleaning, then turning it back on after a confirmed clean seems to keep it sound.


Also if you can't get scanners to open, rename them. For example, if you can install Malwarebytes but it won't run, rename mbam.exe to paint.exe and it will run (but has trouble updating sometimes). Or mbam.exe to mbam.bat and it will work.

Same principle applies to Combofix: rename it to Awesome.exe and it will run. Hope this helps.
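The procedure in the post above as one script: drop System Restore (which discards every existing restore point, infected ones included), run the scanner under a neutral filename so a process-killer matching on "mbam.exe" leaves it alone, and only after the box is confirmed clean turn System Restore back on and take a fresh baseline point. This is an added example, not code from the thread or from Malwarebytes. It uses the SystemRestore WMI class in root\default, which exists on XP, Vista and 7, and assumes an elevated PowerShell 2.0 or later; the scanner path, the alias name and the drive letter are assumptions.

```powershell
# Added example (not from the thread). Elevated PowerShell 2.0+ assumed.
$SR = [wmiclass]'\\.\root\default:SystemRestore'

function Set-SystemRestoreState {
    param([bool]$Enabled, [string]$Drive = 'C:\')   # drive letter assumed
    # Disabling SR on the system drive removes all of its restore points,
    # which is the point of the exercise: infected points go with them.
    $r = if ($Enabled) { $SR.Enable($Drive, $true) } else { $SR.Disable($Drive) }
    if ($r.ReturnValue -ne 0) { throw "SystemRestore call failed, rc=$($r.ReturnValue)" }
}

function Invoke-RenamedScanner {
    param([string]$ScannerPath, [string]$Alias = 'paint.exe')
    # Same trick as the thread: give the binary a name the malware does not
    # key on. It is renamed back afterwards so the updater finds it again.
    $dir      = Split-Path $ScannerPath -Parent
    $origName = Split-Path $ScannerPath -Leaf
    Rename-Item $ScannerPath $Alias
    try {
        $p = Start-Process -FilePath (Join-Path $dir $Alias) -PassThru -Wait
        return $p.ExitCode
    } finally {
        Rename-Item (Join-Path $dir $Alias) $origName
    }
}

function New-CleanBaselinePoint {
    param([string]$Description = 'Baseline after malware cleanup')
    # 12 = MODIFY_SETTINGS restore point type, 100 = BEGIN_SYSTEM_CHANGE event
    $r = $SR.CreateRestorePoint($Description, 12, 100)
    if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed, rc=$($r.ReturnValue)" }
}

# Step 1: throw away every existing (possibly infected) restore point.
Set-SystemRestoreState -Enabled $false

# Step 2: scan under an alias. The exit code is the scanner's own.
$scanner = 'C:\Program Files\Malwarebytes'' Anti-Malware\mbam.exe'   # assumed install path
$rc = Invoke-RenamedScanner -ScannerPath $scanner
"Scanner exit code: $rc"

# Step 3: deliberately left for a second run, after the follow-up scans
# and a reboot confirm the machine is clean:
#   Set-SystemRestoreState -Enabled $true
#   New-CleanBaselinePoint
```

Step 3 stays commented out on purpose: re-enabling System Restore before the second-opinion scans come back clean would snapshot whatever is still on the box, which is exactly the reinfection loop the post describes.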

iladelf
03-05-2009, 10:35 PM
Thanks for the input, TechPros. Apparently I haven't run into any of the super nasties yet like you have.

All I knew (previously) was that by running a combo of Combofix/Roguefix, I'd never seen anything I couldn't kill.

Until now with what you're seeing. :(

ASDCR
03-14-2009, 12:43 AM
no worries bigguy!
;)

give it three months (heck! make that ONE month!) you'll see this stuff so much, nothing will faze you!

and spiderz.. yep! disabling System Restore should be SOP

unfortunately - I gotta admit... I forget!

haha

Galdorf
03-18-2009, 10:51 PM
I use UBCD4Win on infected machines, then I run through SuperAntiSpyware, Spybot, then a-squared; that usually cleans vundo.

You need to update it before burning the ISO.

nonchalant
03-19-2009, 09:08 AM
i'm finding not even MBAM is killing vundo anymore though
:(

The problem is that as programs become more successful at virus removal (and hence more popular) they tend to be targeted by the virus makers for testing prior to release.

ASDCR
03-19-2009, 06:10 PM
yeah - I know

just saw another variant - AntiVirus360

Smitfraudfix cleaned its clock

no muss - no fuss

it wouldn't let MBAM run or update once installed

but after SFF, I ran/updated MBAM and it found 30 more nasties - which were promptly dispatched

so yeah - just put the right tools on the job!
:)