More Awesome Than You!
Author Topic: Spyware removal: Halp?  (Read 9337 times)
rufio
Spyware removal: Halp?
« on: 2009 May 28, 06:38:30 »

So apparently I can has some kind of TS3-related spyware - I guess I did something dumb while installing it and doing the external harddrive dance.  (Feel free to P&L - I know you want to.)  I do not believe it is SecuROM, because the SecuROM removal thread says that SecuROM will make a Documents and Settings\Administrator\Application Data\SecuROM folder and I see no such thing (yes, I know it's hidden, which is why I'm doing this from my linux partition - nothing is hidden from the eyes of root). 

Basically this seems to manifest itself as programs called things like 3289426892.exe in Documents and Settings\username\Local Settings\Temp, which mostly seem to be trying to access the internet (which is often turned off when I am in Windows, since I'm usually just there to sim) and being blocked by my anti-virus/spyware program.  Naturally, these files are all hidden and write-protected.  I attempted to solve this problem by going into linux, navigating to this folder and rm -fing those suckers.  I also looked all over the rest of the Documents and Settings folders, but didn't find anything suspicious anywhere else.

However, this seems not to have worked, as there was another batch of 123707932.exe-type files in there today, so there's obviously something else I have to nuke too, but I don't know Windows well enough to know where to look for it.  I've tried sorting the entire contents of my Windows partition by date and tracking down stuff that was changed since the 22nd (when I installed), but it did not reveal anything suspicious.  Can someone with some Windows savvy tell me a) where to find the stuff I have to delete, and b) what kinds of stuff I should definitely not delete?

Thanks in advance.
I was thinking about these things and I am a feminist.

morriganrant
Re: Spyware removal: Halp?
« Reply #1 on: 2009 May 28, 06:54:54 »

You would have to do it in safe mode to be able to delete things that aren't letting you; they may come back though. Looks like it keeps installing itself on you, so there is another couple of files somewhere. Personally I just use Avast and Malwarebytes for jobs like this. Avast should be able to install and work even if you have another anti-virus; use its scan on boot option, keep an eye out and tell it to ignore any files from your other antivirus that it may improperly identify as a threat. Malwarebytes should be able to target and get rid of anything, even if you yourself are unable to delete it by hand. Malwarebytes isn't an anti-virus on its own but a malware remover.
Try Malwarebytes first. Run it in safe mode to be sure.

The best thing you can do when trying to locate infected files that may be running is to have another pc and google anything that seems odd. Files running from the Temp or Windows\system32 folder are suspicious. There are several files that are legitimately in system32 though, thus google.


...you do not have to wipe your machine yet. I've used nothing but manual work, google, Avast's "scan on boot", and malwarebytes to remove that Vundo crap and several other trojans and viruses from my friends' machines. Wiping the system is an extreme step to take. Try other methods first.
« Last Edit: 2009 May 28, 07:29:51 by morriganrant »

One day in college I was feeling very stupid. So I drove with Ben down to Maitland and toured EA Tiburon for an hour as an 'honorary intern'. I left feeling MUCH smarter. I recommend the experience to everyone.  -this is a quote from an Ex-boyfriend of mine..
http://www.mediafire.com/?ng20de0zmly
Celestard
Re: Spyware removal: Halp?
« Reply #2 on: 2009 May 28, 06:56:16 »

I am assuming you have XP based on the directory you name.  What happens with these trojans is they install something that reinstalls everything after you delete it and restart your computer.  They can have any number of names so it's hard to say for sure.  I can't find any information about this 3289426892.exe.   Sometimes if you can google the name of the file you can find out what other files are associated with them, but I just did that and nothing by that file name shows up.  So you got something weird.  You could try scanning it with a good antivirus software or whatever you're using, but I think if I were you, rather than go through all that trouble and to be safe, I would just wipe my hard drive and reinstall my operating system.  
« Last Edit: 2009 May 28, 07:03:24 by Celestard »

Proof MATY schticks are a LIE!
Quote from: J. M. Pescado
It doesn't have to be TRUE to be funny. All we need is to take some minor thing you said, blow it up out of context, multiply by over 9000, and voila, you have a schtick. Sims are all about caricature, after all.
rufio
Re: Spyware removal: Halp?
« Reply #3 on: 2009 May 28, 07:18:35 »

Quote from: morriganrant
You would have to do it in safe mode to be able to delete things that aren't letting you; they may come back though. Looks like it keeps installing itself on you, so there is another couple of files somewhere. Personally I just use Avast and Malwarebytes for jobs like this. Avast should be able to install and work even if you have another anti-virus; use its scan on boot option, keep an eye out and tell it to ignore any files from your other antivirus that it may improperly identify as a threat. Malwarebytes should be able to target and get rid of anything, even if you yourself are unable to delete it by hand. Malwarebytes isn't an anti-virus on its own but a malware remover.
Try Malwarebytes first. Run it in safe mode to be sure.

Thanks.  I actually don't think I have ever used safe mode and no longer remember how to boot it, and I expect that I will have to figure it out on my own since I am using a linux boot manager to access multiple partitions.  Would logging in as "Administrator" give Malwarebytes the permission to remove whatever it has to remove?  I suppose even if it doesn't I can note where the files are that it's trying to delete and go into linux and remove them by hand.

Quote from: morriganrant
The best thing you can do when trying to locate infected files that may be running is to have another pc and google anything that seems odd. Files running from the Temp or Windows32 folder are suspicious. There are several files that are legitimately in win32 though, thus google.

Now, I do see some weird-looking recently-modified .exes in WINDOWS\system32, though there are also a lot of weird-looking .dlls which I'm guessing are supposed to be there.  I'm pretty sure nothing designed to infiltrate Windows will be able to mess up linux, so I'll google from here.

I'm not going to wipe anything unless I absolutely have to.  If worst comes to worst, I suppose I could just never access the internet from Windows - linux is usually better at finding wireless connections anyway.

morriganrant
Re: Spyware removal: Halp?
« Reply #4 on: 2009 May 28, 07:27:38 »

I just remembered, in the same vein as odd files and legitimate files in Windows\System32, quite often some Trojans will have the name of a legitimate Windows file but will not be in the correct folder. For instance, svchost.exe is a legitimate file in windows\system32. A friend of mine had several running in processes, which is normal, but decided to track them down anyway and discovered a false svchost.exe file in a folder one tier away from system32. So make sure you take a look at where they are supposed to be found as well.

Changing above post. I should obviously be asleep right now and not doing tech support. It is System32 folder, not Windows32, it is in the Windows folder. There should have been a slash and one more word in there.
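The three hunting heuristics in this thread (rufio sorting the Windows partition by modification date from Linux, Reply #1's point that executables running from Temp or system32 deserve a look, and this post's point that a system binary like svchost.exe sitting outside its proper folder is a red flag) can be run as one triage pass over a read-only mount of the Windows partition. The script below is an added example, not code from anyone in this thread. The function names (triage, build_sample_tree, run_demo), the EXPECTED_LOCATION table and the sample tree are all my own constructions; the table is a short illustrative set of XP binaries and their home folders, and the sample tree only reuses file names mentioned in the thread as empty placeholders. What it reports are leads for a lookup, not verdicts.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

# Extensions worth listing when they were modified after the install date
# (the suspects in the thread were .exe, .dll and .dat files).
SUSPECT_EXT = {".exe", ".dll", ".dat"}

# Binaries that legitimately live in exactly one folder on Windows XP.
# Illustrative list (an assumption; extend it as needed). Folders are given
# relative to the partition root, lower-cased, with forward slashes.
EXPECTED_LOCATION = {
    "svchost.exe": "windows/system32",
    "lsass.exe": "windows/system32",
    "winlogon.exe": "windows/system32",
    "explorer.exe": "windows",
}


def triage(root, since):
    """Walk a mounted Windows partition and return three lists of leads:
    recent           - suspect-extension files modified on or after `since`
    temp_executables - .exe files sitting under any folder named Temp
    misplaced        - well-known system binaries outside their home folder
    Paths come back relative to `root`, with forward slashes."""
    root = Path(root)
    since_ts = since.timestamp()
    findings = {"recent": [], "temp_executables": [], "misplaced": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            # Windows paths are case-insensitive, so compare in lower case.
            rel_lower = rel.lower()
            parent_lower = os.path.dirname(rel_lower)
            ext = os.path.splitext(rel_lower)[1]
            if ext in SUSPECT_EXT and full.stat().st_mtime >= since_ts:
                findings["recent"].append(rel)
            if ext == ".exe" and "temp" in parent_lower.split("/"):
                findings["temp_executables"].append(rel)
            expected = EXPECTED_LOCATION.get(name.lower())
            if expected is not None and parent_lower != expected:
                findings["misplaced"].append(rel)
    for leads in findings.values():
        leads.sort()
    return findings


def build_sample_tree(base):
    """Constructed sample layout mirroring the XP paths named in the thread.
    The files are empty placeholders, not real malware; only their names and
    modification times matter to the checks."""
    base = Path(base)
    before_install = datetime(2009, 5, 1).timestamp()
    after_install = datetime(2009, 5, 27).timestamp()
    layout = {
        "WINDOWS/system32/svchost.exe": before_install,
        "WINDOWS/system32/kernel32.dll": before_install,
        # odd .dll name from Reply #5, touched after the install date
        "WINDOWS/system32/gxvxcxbxmcpsasfrndpmulccdcrmbwienduef.dll": after_install,
        # look-alike svchost.exe one tier up from system32, as in Reply #4
        "WINDOWS/svchost.exe": after_install,
        # numeric-name .exe in the user's Temp folder, as in the opening post
        "Documents and Settings/username/Local Settings/Temp/3289426892.exe": after_install,
        # recent but harmless: not an executable extension
        "Documents and Settings/username/My Documents/notes.txt": after_install,
    }
    for rel, mtime in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")
        os.utime(path, (mtime, mtime))
    return base


def run_demo():
    """Build the sample tree in a scratch directory and triage it using the
    thread's install date (2009-05-22) as the cutoff."""
    with tempfile.TemporaryDirectory() as scratch:
        build_sample_tree(scratch)
        return triage(scratch, datetime(2009, 5, 22))


if __name__ == "__main__":
    # On a real box: triage("/mnt/windows", datetime(2009, 5, 22)) with the
    # partition mounted read-only, then look up each lead from another machine.
    for category, leads in run_demo().items():
        print(f"{category}:")
        for rel in leads:
            print("   ", rel)
```

The genuine svchost.exe in WINDOWS\system32 is not flagged, the copy one folder up is, and notes.txt stays out of the recent list even though it is newer than the install date. A file appearing in more than one list (here the Temp .exe is both recent and in Temp) is the strongest lead.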
rufio
Re: Spyware removal: Halp?
« Reply #5 on: 2009 May 28, 08:06:51 »

Yes, I figured out what you meant.  I did search for some of the .exes and .dlls that were modified since the 22nd, and some of them are listed as malware on various sites, so I deleted them.  There are a bunch that seem to start with names that are identified as malware, but aren't exact matches, specifically:

gxvxcxbxmcpsasfrndpmulccdcrmbwienduef.dll and gxvxcboygubitlrsnkgnldgyybeudklkmqipt.dll - I guess apparently there are some dlls starting with gxvxc* that cause browser redirections, or something, but I have not had such problems in the past few days and I'm not 100% convinced from googling that everything with gxvxc* is a virus.
Similarly, there is a gxvxccounter which seems to be associated with viruses and browser hijacks, but the file itself is not listed anywhere as definitely being a virus.  As I said, I have had no problems whatsoever with my browser when I used it from Windows.

ssqpqrQk.dll - ssqpq.dll appears to be malware, but I can find no mention of ssqpqrQk.dll anywhere.

opnonMeD.dll - same deal, with opnon.dll.

The ones I deleted were
kdfapi.dll
kdfhok.dll
kdfinj.dll
kdfmgr.exe
kdfvmgr.exe
There seems to be some controversy over whether these are trojans or some part of Trend Micro's keystroke encryption.  I do use Trend Micro, but I don't use the keystroke encryption, so I won't be sad if I accidentally nuke it.
Also
khfGxYOE.dll
and maybe one or two others that I can't remember but were listed as being trojans in various places.

There is also
nvModes.dat
nvModes.001
but googling reveals that these may be nvidia related?  The pages I found seem to talk about also removing a lot of other dlls that I do not have.

Everything else that was modified since the 22nd turns up no google results, or at least nothing terribly useful.  Just in case it means something to anyone, though:
kungsftyyxlnia.dll
kungsfmaedklfo.dat
ddcywTJD.dll
urqNFuvs.dll
urqrRICU.dll
xxyWpnKD.dll

phyllis_p
Re: Spyware removal: Halp?
« Reply #6 on: 2009 May 28, 15:56:50 »

My best friend for spyware removal of late has been malwarebytes.

Vita brevis, Ars longa.
"And so goest thy butthurt n00bs whosoever cannot have accolades and benes heaped upon them, as in the manner of vomit from a sorority girl, to which they are accustomed." lemmiwinks 1:1
Zazazu
Re: Spyware removal: Halp?
« Reply #7 on: 2009 May 28, 16:08:45 »

I just used McAfee for my infection. It labelled the three problem files, but could only quarantine. I then used DelInvFile to delete them on restart. Another scan by McAfee as well as Panda came up clean.

Scratch that. Tried MalwareBytes. 1000% times better, and caught 18 other problem files (from the same trojan, by the looks of it). Get ye some.
« Last Edit: 2009 May 28, 16:30:05 by Zazazu »

Capitalism, Ho!
"Continue to beat it in masturbatory ecstasy if you like, but only Pescado can make it go away." - Lemmiwinks
My Urinal
morriganrant
Re: Spyware removal: Halp?
« Reply #8 on: 2009 May 28, 20:57:06 »

I love malwarebytes. It is king. At least a couple of those .dlls and .exes will probably be infections. I can't say for sure because I don't know what all is on your machine, and what all they may have to do with, but many trojans and the like will generate .exes with odd, seemingly random names. Sometimes, once you remove the offending file, it will create a new one with the same name or similar; sometimes it will be another number or letter jumble. The browser redirect files will often keep you from going to sites that can help you remove such things, like bleepingcomputers forums or majorgeeks, sometimes keeping your browser from returning anything negative about the file you are looking up, thus why it's sometimes better to use a second computer for the net during removal. Use Malwarebytes to get anything else. If it leaves anything behind you can be sure that it's more than likely benign and non-functional since you've removed all of its other files. If your anti-virus has a scan on boot then use that; if not, run your spyware and anti-virus after malwarebytes is done just to make sure.

If you want to be positive that you've gotten everything, visit the bleepingcomputers forum or Majorgeeks, they will walk you through every step of removal if you need it.
maxon
Re: Spyware removal: Halp?
« Reply #9 on: 2009 May 28, 21:30:56 »

I can recommend Malwarebytes too - I got it about a year ago and it removed a really nasty trojan for me that nothing else would touch.
Inteen for AL, yay!
Chain_Reaction
Re: Spyware removal: Halp?
« Reply #10 on: 2009 May 28, 22:05:56 »

Malwarebytes is great... if the virus doesn't disable it. I got a massive trojan a few months ago and it wouldn't let Malwarebytes install. In fact, I had to have a friend send them to me via MSN because I couldn't get any sites related to them to load; it even redirected google! Ad-aware would install but then wouldn't run (it's a piece of crap but I was desperate). It basically crippled my entire PC and if I didn't have system restore enabled then a format would have been required. And yes, I did have an antivirus installed, Mcafee ftl.

rufio, did you see if your sims 3 installer had that codec wrapper thing? That could be what you got.
morriganrant
Re: Spyware removal: Halp?
« Reply #11 on: 2009 May 28, 22:37:55 »

One of the strains of Vundo will actually cause BSOD if you run Malwarebytes before removing some bits of it. Thus, for me, a little manual removal and Avast "scan on boot" has been used before I let Malwarebytes start. Malwarebytes then finishes it off. I have luckily ...and surprisingly, never had it on my PC ...but four friends of mine managed it somehow, each with a different variation.

Edit: I'm hoping Rufio didn't delete something that he shouldn't have; he hasn't shown up again to report on success or lack thereof.
« Last Edit: 2009 May 29, 00:23:46 by morriganrant »

rufio
Re: Spyware removal: Halp?
« Reply #12 on: 2009 May 29, 00:53:42 »

Quote from: Chain_Reaction
rufio, did you see if your sims 3 installer had that codec wrapper thing? That could be what you got.

Yes, it did, but that was the point at which I started running out of disk space for copying the DVD contents and replacing the installer, etc., so I could have accidentally run something incorrectly at that point.

Quote from: morriganrant
Edit: I'm hoping Rufio didn't delete something that he shouldn't have; he hasn't shown up again to report on success or lack thereof.

Actually, I just slept way late today.  In any case, I'm still in linux and haven't tried rebooting Windows yet, so it remains to be seen - I just downloaded malwarebytes and am going to try it in a minute.  In any case, I do have a backup in the form of a complete disk image saved sometime in April, so the worst that will happen is that I'll lose my TS3 saves.

morriganrant
Re: Spyware removal: Halp?
« Reply #13 on: 2009 May 29, 01:08:22 »

Quote from: rufio
Actually, I just slept way late today.  In any case, I'm still in linux and haven't tried rebooting Windows yet, so it remains to be seen - I just downloaded malwarebytes and am going to try it in a minute.  In any case, I do have a backup in the form of a complete disk image saved sometime in April, so the worst that will happen is that I'll lose my TS3 saves.

Good to know! Oh, if after removal you end up with an error message at Windows StartUp, saying something along the lines of missing file, with the name of the Trojan .exe or one of the files associated with it, you will have to go to Start>Run>Msconfig. Then go into Startup programs and disable them from start up. If the Trojan is the kind I think that it is, it likely added itself to the programs that open at Windows Startup. Windows will throw an error when it tries to open the file that isn't there anymore. I have yet to figure out how to completely remove programs from that list, although I haven't put a lot of effort into looking. Just disabling them will stop the error messages.
Rhayden
Re: Spyware removal: Halp?
« Reply #14 on: 2009 May 29, 03:21:05 »

Just stopping by to P&L at you, rufio, for being a complete idiot. Way to go!

What, are you dense? Are you retarded or something? Who the hell do you think I am? I'm the goddamn Rhayden.
rufio
Re: Spyware removal: Halp?
« Reply #15 on: 2009 May 29, 04:44:45 »

Ok, so I logged into Windows as Administrator and tried to install malwarebytes, but it kept claiming that "the application failed to initialize."  On the other hand, I went back and logged in as myself, have had no alerts from my anti-virus, and upon going back to linux discovered no new unexpected .exes or .dlls in Documents and Settings folders or in system32.  Did I kill it?

Quote from: morriganrant
Good to know! Oh, if after removal you end up with an error message at Windows StartUp, saying something along the lines of missing file, with the name of the Trojan .exe or one of the files associated with it, you will have to go to Start>Run>Msconfig. Then go into Startup programs and disable them from start up. If the Trojan is the kind I think that it is, it likely added itself to the programs that open at Windows Startup. Windows will throw an error when it tries to open the file that isn't there anymore. I have yet to figure out how to completely remove programs from that list, although I haven't put a lot of effort into looking. Just disabling them will stop the error messages.

I had no problems or weirdnesses starting Windows, though I have had a couple of alerts from my anti-virus about some program trying to insinuate itself into Windows startup, which was then blocked.  Yay, anti-virus?

Quote from: Rhayden
Just stopping by to P&L at you, rufio, for being a complete idiot. Way to go!

How are you, Rhayden?  Enjoying your new pee shtick?

morriganrant
Re: Spyware removal: Halp?
« Reply #16 on: 2009 May 29, 05:33:16 »

Quote from: rufio
Ok, so I logged into Windows as Administrator and tried to install malwarebytes, but it kept claiming that "the application failed to initialize."  On the other hand, I went back and logged in as myself, have had no alerts from my anti-virus, and upon going back to linux discovered no new unexpected .exes or .dlls in Documents and Settings folders or in system32.  Did I kill it?

Quote from: morriganrant
Good to know! Oh, if after removal you end up with an error message at Windows StartUp, saying something along the lines of missing file, with the name of the Trojan .exe or one of the files associated with it, you will have to go to Start>Run>Msconfig. Then go into Startup programs and disable them from start up. If the Trojan is the kind I think that it is, it likely added itself to the programs that open at Windows Startup. Windows will throw an error when it tries to open the file that isn't there anymore. I have yet to figure out how to completely remove programs from that list, although I haven't put a lot of effort into looking. Just disabling them will stop the error messages.

I had no problems or weirdnesses starting Windows, though I have had a couple of alerts from my anti-virus about some program trying to insinuate itself into Windows startup, which was then blocked.  Yay, anti-virus?

Sounds like at least one of the files may still be there somewhere, that is, if that is what was trying to set itself up as a startup program. They do that so that they can keep installing themselves and to hinder removal, because Windows rejects your trying to delete files that are "in use". Malwarebytes not installing may be caused by the Trojan ...or there could be another problem. It would have given you an error code along with the "Failed to initialize" message. I know that Windows Defender gives a similar error when something has gone wrong with an update; usually it will need reinstalling.
Without Malwarebytes I would go along to bleepingcomputers. They have another program that they use, HijackThis, and another that is SmitFraudFix. They will walk you through if you need help.

http://www.bleepingcomputer.com/forums/forum103.html
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
http://siri.geekstogo.com/SmitfraudFix.php
rufio
Re: Spyware removal: Halp?
« Reply #17 on: 2009 May 29, 06:25:47 »

Well, I tried installing it again to get you the error code (I am logged in as me, not as the Administrator) and it worked this time.  I guess Windoze just sucks, or something.  I'll try running it in a minute and see if it comes up with anything.

Just to clarify, the message about a program trying to set itself up as a startup program happened several days ago, not after I removed all those files.  I believe it was one of the Local Settings\Temp exes, which are now all gone.

ETA:  Ran malwarebytes - nothing happened, does not show up in task manager.  Uninstalled and reinstalled; no change.  Fail program is fail.

morriganrant
Re: Spyware removal: Halp?
« Reply #18 on: 2009 May 29, 06:34:29 »

Quote from: rufio
Well, I tried installing it again to get you the error code (I am logged in as me, not as the Administrator) and it worked this time.  I guess Windoze just sucks, or something.  I'll try running it in a minute and see if it comes up with anything.

Just to clarify, the message about a program trying to set itself up as a startup program happened several days ago, not after I removed all those files.  I believe it was one of the Local Settings\Temp exes, which are now all gone.

ETA:  Ran malwarebytes - nothing happened, does not show up in task manager.  Uninstalled and reinstalled; no change.  Fail program is fail.

Maybe it has issues with your partition setup? Eh, you may have gotten everything if nothing else has shown. Run anti-virus as usual, any anti-spyware programs you may have, and keep an eye on your processes for the next few days.