2008-03-02, 02:37 | Link #1
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
Massive spyware/trojan/keylogger problem
First off, I have to mention that despite using IE, in 8 years I have never experienced any major issues with viruses or spyware, despite going about 5 of those years without even an antivirus program, just occasional scans with free programs (which never turned up any more than minor problems). I configure my settings properly and am careful what sites I visit (if I'm going someplace highly questionable I switch to Firefox).
But just tonight, when I tried to view Animesuki's page for the Kodomo no Jikan torrents, my Norton warned me that it blocked a browser exploit; this was the "MSIE ADODB.Stream Object File Installation Weakness" warning that I've gotten several times sporadically in the past on seemingly harmless websites (including AS before) and nothing ever happened afterwards. This time though, my computer got bombarded by a massive number of spyware programs installing (those ones that tell you that you have spyware and to install their bogus spyware removal program), changing my desktop, disabling Task Manager... Norton seemed to block them from connecting to the internet afterwards, but did nothing to stop them from installing, a quick scan wouldn't even reveal them. I installed and scanned with Spy Sweeper at my dad's advice, it turned up a bunch of crap including a keylogger (!!) which meant I sure as hell wasn't going to enter my credit card info to pay for Spy Sweeper to actually remove the stuff. So I downloaded Spybot and scanned and deleted, but it all just reinstalled itself. My dad ended up lending me his copy of Spy Sweeper and bought another license himself so I could use it... scanned and quarantined/deleted but again everything reinstalled itself. I went into the registry and re-enabled Task Manager (before the spyware disabled it again) but couldn't find any blatant spyware in the system processes. Right now the keylogger and a dialer (lol, not like that one affects me) are being repeatedly quarantined as they try to reinstall, but the other popup crap is still going on. I'm checking various help sites for this kind of thing, and found someone who posted a few hours ago with the exact same problem, so it sounds like it might be something brand-new that there's no defense against at the moment. I'm going to try checking around some more then I'll fire up a full system scan while I go to bed. 
I know this isn't exactly the ideal site to go to for help on this kind of thing, but I'm posting it here because the whole thing started with visiting one of the torrent listings here :/
2008-03-02, 03:28 | Link #2
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Animesuki is not responsible for the trackers, though if there is a malicious one, I bet the Animesuki staff would want to know, since they are not interested in promoting such trackers.
Regarding your problem: if you can, boot Windows up in Safe Mode and do the scan there. After this you could use the following tool: hijackthis. On this site there is also a bunch of other useful tools, like the CWS shredder. I'd advise running at least one further tool, the CWS shredder. Hijackthis will give you a log. If you post the log here (in a spoiler), we could try to figure out what's wrong. Or you can use those sites that automatically analyse your Hijackthis log file if you don't feel like posting this here. I wish you much success on fixing your system.
2008-03-02, 04:31 | Link #3
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
Spywareinfo is actually where I just was, I had to download AVG first so I could get all the "before-you-post-your-problem" steps done before posting on the forums there, and just finished the scan with that.
And I never touched a tracker, it hit as soon as I went to AS's listing of episodes (with links to the torrents but I never clicked one). It doesn't make sense that I'd be getting something like that just by browsing AS, but that's what happened... and like I said it's not the first time Norton has given me warnings here (it's always on the series pages, never on the forums or anywhere else); it might be related to AS pulling info from the trackers on those pages, that's the only explanation I can think of. The difference between this time and all the others is my computer got bombarded by spyware this time, while before I just shrugged and assumed Norton was falsely detecting a threat. (I'm usually one of the first to laugh at people who go to website forums and complain "OMG your site gave me a virus because my antivirus said so!" because their security is set excessively high or something).
2008-03-02, 05:30 | Link #4
Yummy, sweet and unyuu!!!
Join Date: Dec 2004
Hmmm, unless the admins have cleaned it up, I'm not getting any hits from the AS/KnJ torrent summary page. I'm running Outpost FW 2008 with AS, NOD32 and AVG AS. I've still got a licence of Spy Sweeper kicking around but I don't really want to bloat my XP machine any more than it is, as I use it for games more than anything else.
Is your PC fully patched? I wonder, could you have been infected earlier and just happened to get the warning when you browsed to that page?
2008-03-02, 06:00 | Link #5
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
I keep everything up-to-date, have ActiveX settings properly secure, etc. I was figuring it was most likely I picked up something earlier and it decided to install right then by coincidence, but the fact that it happened right after that browser exploit warning that I've gotten several times before on AS seemed rather odd.
I posted here: http://forums.spywareinfo.com/index....=0#entry620219 Someone else posted with the exact same problem like 15 minutes before I got that crap, I'm suspecting it's something new that none of the anti-spyware programs have updates for yet. As I said there, I'm going to bed now, leaving Norton scanning, see what happens tomorrow. So pissed, I've wasted nearly 8 hours on this crap (well, I finally had a reason to go play my PS2 that's been collecting dust while I was letting AVG scan, but most of the rest of the time was at my computer working on fixing this)
2008-03-02, 06:20 | Link #6
Senior Member
Join Date: Mar 2007
Should turn off "system restore", if you haven't already, to make sure it doesn't come back through that route. Starting up in safe mode and then running your anti-virus/spyware removers/trojan scanners tends to work better, although it takes longer, since only the basics are loaded.
2008-03-02, 09:30 | Link #7
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
In Windows Safe Mode, delete the following files first in Explorer. Then run HJT and delete these entries (better run HJT before, to check if there are new such DLLs that also need to be deleted):
C:\WINDOWS\system32\mgmrwmrv.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe
O2 - BHO: (no name) - {c12cc8ba-1dd1-11b2-bdc2-fd61f5c44c53} - C:\WINDOWS\pmjydmfm.dll
O4 - HKLM\..\Run: [lutcvwdo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lutcvwdo.dll"
Nonsense which should also be deleted:
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
You might also check for rootkits with e.g. RootkitRevealer.
2008-03-02, 13:20 | Link #8
Love Yourself
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Quote:
Spyware has also spawned its own industry of fake products and such. Be very wary of spyware software that will perform a scan and then require payment for removal - a large number of those programs are malware in and of themselves. grey_moon is familiar with Spyware Sweeper so it's fine. Quote:
Since you're still fixing your stuff I don't want to come off as scolding you, but please take computer security seriously. It's for your own protection and also for the rest of us - who knows if your system has been sending out spam emails to the world? My roommate's computer was overrun by something and in one night it sent out ~11,000 emails (the university gave us the exact number that were sent out before shutting his connection off). All of us here will gladly make recommendations for free security software and good computing practices (I can assure you that they extend beyond "use firefox").
2008-03-02, 13:52 | Link #9
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
I meant the first 5 of those 8 years were without an antivirus, during that time I still ran scans with anti-spyware programs, but I never had a constantly running prevention program; I've been running Norton the last few years, unfortunately this infection just blasted right past it. Mainly I was saying all that because I didn't want any snide "you're using IE, what do you expect?" comments
I deleted all that stuff in the HJT scan, but it just reappears instantly, I obviously need to find the source of the problem because everything just reinstalls itself as soon as I get rid of it. RootkitRevealer doesn't really show anything that looks like a related problem.
2008-03-02, 15:42 | Link #11
Senior Member
Join Date: Mar 2004
I got something over Xmas that was indescribably hard to remove. Even after I managed to wipe out all the DLLs, EXEs and registry entries, and all the scanners marked my machine as clean, it still had residual problems.
If it's proving hard enough to remove, you may want to consider backing up your personal files and re-installing the whole OS. It's pretty drastic, and I don't recommend it if you haven't tried out all the available removal tools, but it will wipe out the problem in most cases.
2008-03-02, 15:43 | Link #12
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
it's essentially the same as before, except those gibberish .dll's that turned up no matches on google are gone now (pmjydmfm.dll, lutcvwdo.dll)
mgmrwmrv.exe seems to be the core of the problem, because it's continuously modifying my Windows startup settings, according to Norton.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:32:25 PM, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mgmrwmrv.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\HJT\HiJackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5061213
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=5061213
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O15 - Trusted Zone: *.adobe.com
O15 - Trusted Zone: *.chaoticage.com
O15 - Trusted Zone: *.go.com
O15 - Trusted Zone: *.live.com
O15 - Trusted Zone: *.msn.com
O15 - Trusted Zone: *.tkdragon.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9504 bytes
2008-03-02, 16:26 | Link #13
Senior Member
Join Date: Nov 2003
Well, here is one semi-brute force method. Note that this is a lop.com infection according to Google, so you might want to look around for the most recent lop remover. (I don't remember the name of it, but it will be linked to or attached on a spyware removal site usually.) I don't see anything that could be calling regsvr32. You should be able to kill that process without any adverse effects (and probably should do it).
*You may want to put these all in a simple folder so that they are easy to get to from the command prompt.
0) Grab pocket killbox from http://killbox.net and run it.
1) Make sure everything is closed when you start this: no running IE or Explorer windows, even kill explorer.exe if you can (use Process Explorer to manage everything if you can). If you can, just have HijackThis, killbox, and Process Explorer running as active (stuff in the tray is fine).
2) In killbox, select "replace on reboot" and "use dummy".
3) Add the following file(s) and click the (x) (after each file). Choose not to reboot.
Quote:
Quote:
5) Go to C:\Windows\system32\ . Do a 'dir mgmrw*' and make sure the file is 0 bytes.
6) Use the prompt to access HijackThis.
7) Remove the following with HijackThis:
Quote:
9) Use the prompt to access Process Explorer and use Process Explorer to initiate a reboot.
Now, it should be gone and/or heavily disabled. You should add any of the random-name .dll's like "C:\WINDOWS\pmjydmfm.dll" to the killbox too if they still exist.
Last edited by bayoab; 2008-03-02 at 16:39. Reason: Clarifying
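Added example, not code from this thread nor from HijackThis, killbox or any other tool named in it: a small Python triage script that mechanises the checks bayoab and Asuki-tan Kairin applied to Lynx190's log, namely an extra executable chained onto the UserInit value, a Run key that registers a DLL from a user-writable folder with regsvr32, and BHOs that are unnamed or have no file. The log excerpt it scans is constructed from entries quoted above; the severity labels and the USER_WRITABLE folder list are my own assumptions.

```python
"""Triage a HijackThis (HJT) log for the persistence patterns seen in this thread."""
import re
from pathlib import PureWindowsPath

# Constructed excerpt modelled on Lynx190's log: the UserInit hook, the
# regsvr32 Run entry, one unnamed BHO with a real DLL, one orphaned BHO,
# and three legitimate entries for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\mgmrwmrv.exe,
O2 - BHO: (no name) - {c12cc8ba-1dd1-11b2-bdc2-fd61f5c44c53} - C:\WINDOWS\pmjydmfm.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [lutcvwdo] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\lutcvwdo.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")

# Assumption: folders a limited XP user can write to. Legitimate software
# rarely registers a COM DLL from one of these at every logon.
USER_WRITABLE = ("application data", "documents and settings", "temp")


def check_userinit(value):
    """Return every UserInit entry that is not userinit.exe itself.

    Winlogon runs each comma-separated entry at every logon, which is why
    the infection kept coming back after the visible processes were killed.
    """
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and PureWindowsPath(entry).name.lower() != "userinit.exe":
            extras.append(entry)
    return extras


def check_bho(name, path):
    """Classify one O2 line; None means nothing worth reporting."""
    if path.strip() == "(no file)":
        return ("low", "orphaned BHO: registry entry without a DLL, cleanup only")
    if name.strip() == "(no name)":
        return ("high", "unnamed BHO loads " + path + "; vendors register a name")
    return None


def check_run(cmd):
    """Classify one O4 Run command; None means nothing worth reporting."""
    lowered = cmd.lower()
    if not lowered.startswith("regsvr32"):
        return None
    if any(folder in lowered for folder in USER_WRITABLE):
        return ("high", "Run key registers a DLL from a user-writable location")
    return ("medium", "Run key invokes regsvr32 at logon")


def triage(log_text):
    """Scan an HJT log and return (severity, where, reason) tuples in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := USERINIT_RE.match(line):
            for extra in check_userinit(m.group("value")):
                findings.append(("high", "F2", "extra UserInit executable: " + extra))
        elif m := BHO_RE.match(line):
            if result := check_bho(m.group("name"), m.group("path")):
                findings.append((result[0], "O2 " + m.group("clsid"), result[1]))
        elif m := RUN_RE.match(line):
            if result := check_run(m.group("cmd")):
                findings.append((result[0], "O4 [" + m.group("label") + "]", result[1]))
    return findings


if __name__ == "__main__":
    for severity, where, reason in triage(SAMPLE_LOG):
        print(severity.upper(), where, reason)
```

Point it at a real log with `triage(open("hijackthis.log").read())`; the "low" orphan entries are the kind of leftovers Asuki-tan Kairin called nonsense, while the "high" ones are the entries that actually relaunched the infection.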
2008-03-02, 19:34 | Link #14
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
your advice seems to have done the trick, although I couldn't get the mgmrwmrv.exe down to 0 bytes, it's still at 56 bytes. I meant to reboot to safe mode one last time, but windows boots so fast and I looked away for a moment and missed the opportunity to F8... however when it booted up the spyware wasn't loading. I ran Spybot, then Spy Sweeper, then AVG, now about to run Malwarebytes' Anti-Malware (I keep picking up stuff that the previous one failed to catch... the big one being Absolute Keylogger that only Spy Sweeper catches... apparently it's supposed to be a "legitimate" commercial program so that's probably why). Then I'm going to reboot one last time and run another scan with at least one program. Just need to manually re-enable Task Manager in the registry and fix my wallpaper and things should be back to normal, although I'll probably have some leftover garbage that won't do anything on its own.
EDIT: Malwarebytes' only detected orphaned files from the spyware the other programs had removed, got rid of those and my computer appears to be clean. Thank you so much bayoab (now I just need to figure out what anti-spyware programs to keep around so I don't have a zillion programs hogging memory... both AVG and Spy Sweeper are being annoying by staying in the processes list even if I tell them not to start automatically and shut them down completely)
I'm thinking it's highly likely I might have picked up something ahead of time (I had just run a full system scan with Norton on Friday morning though); at the time I got this infection I had just quit Utawarerumono to restart my computer because it kept slowing down massively and screwing up my combos. (It had been doing that briefly the night before too but that could have been stuff auto-updating in the background). I hadn't rebooted for quite a while so I figured I just needed to do that. Before restarting I briefly checked some websites and as soon as I hit http://www.animesuki.com/series.php/1084.html all the stuff bashed me at once.
The three warnings Norton initially gave me (all of them High Risk and labeled "A browser exploit at www.animesuki.com was blocked." and the above URL for the KnJ torrents as the attacking URL) were:
MSIE ADODB.Stream Object File Installation Weakness
MSIE WebViewFolderIcon ActiveX Control BO
MS XML Core Services XMLHTTP BO
I've gotten that first one sporadically for no apparent reason and nothing bad ever happens, this time it got followed up by the other two then the attack began. Norton seems to have blocked everything from accessing network resources (High Risk) and detected/blocked multiple trojans, but when the spyware programs started modifying my startup settings and other system settings it inexplicably flagged those as low risk and let them proceed.
Last edited by Lynx190; 2008-03-02 at 21:07.
2008-03-02, 22:30 | Link #15
Arayashiki
Join Date: May 2003
Location: On the Internet
In your situation, I'd recommend doing a reformat of your computer. Start with a fresh install, then install an anti-virus program like Avast, anti-malware programs like Spybot and Ad-Aware, enable a firewall, and run Firefox with NoScript. That's pretty much my setup with Vista.
If you are still paranoid, you can browse from a public proxy server but that would affect the speed.
2008-03-03, 05:46 | Link #16
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Quote:
Quote:
Quote:
2008-03-03, 06:35 | Link #17
Yummy, sweet and unyuu!!!
Join Date: Dec 2004
Quote:
http://www.sandboxie.com/
2008-03-03, 16:33 | Link #18
Keine is moo.
Join Date: Oct 2007
Location: Ohio
Age: 42
thanks for the continued advice, but as the first two paragraphs of my last post said, bayoab's directions got rid of the core problem and let me wipe out the lingering spyware without it reinstalling anymore. So everything is fine now
As for the ActiveX thing, I have it set to "Download unsigned ActiveX controls" > Disable, and "Download signed ActiveX controls" > Prompt, and "Initialize and script ActiveX controls not marked as safe" > Disable. I suppose it might have spoofed itself as a safe control, the scripting of which are set to Enable; however as I just said the two download options are on Disable and Prompt, so it shouldn't have been automatically downloading any ActiveX control to begin with.
2008-03-03, 18:47 | Link #19
Senior Member
Join Date: Nov 2003
Quote:
Besides, if you don't have the right setup for reloading, you might get nailed by a virus while repatching. If you are worried, there are always tricks and tools you can run to monitor what is actually leaving your computer and warn you if you are still at risk. (Leaving the computer alone on a hub with Wireshark watching the hub.) Quote:
Quote:
2008-03-04, 03:04 | Link #20
Asuki-tan Kairin ↓
Join Date: Feb 2004
Location: Fürth (GER)
Age: 43
Quote:
It's not the normal use of ActiveX that is dangerous, it's exploits, which usually override normal system behaviour (partial sandboxing could be overridden too).