An encounter with something nasty
07-03-2005, 23:40 (#1)
 
Join Date: Nov 2003
Location: Leeds - the dog house
Age: 31
Services: Email me for a current price list
Posts: 8,241
An encounter with something nasty
Had customer today with a spyware problem. Customer had run Spybot but no joy - spyware kept coming back. The problem was lots of pop-ups just appearing, and IE exception errors. I managed to find a few dodgy dlls, including one called "sd.dll" lurking in the Windows temp folder. They were also listed as BHOs in IE. The home page had been hijacked. I immunized the system and downloaded SpywareBlaster but it would not run - installation is damaged or something. I think the spyware was blocking it from running. Try as I might, every time I killed the dodgy run32dll process that was using the dlls, deleted the files, and removed the startup entry, the damn thing would reappear again on reboot. Spent an hour on it before giving up and advising the customer to speak to their Health Authority - see if an engineer could be sent out.
Any useful URLs or lists of spyware out there? No point searching Google - never know what you might catch.
__________________
Consistency is the last refuge of the unimaginative [Wilde]
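One way to pin down the persistence points the post above describes (the startup entry that relaunches the DLL, and the IE Browser Helper Objects pointing at a file in the Windows temp folder) without touching the live, possibly hooked system: export the keys with REGEDIT /E from a DOS prompt, copy the .reg file off, and triage it offline. This is an added example, not code from the original post. The REGEDIT4 text, both CLSIDs and the helper.dll path are constructed sample data; the key names, and resolving a BHO's CLSID through HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32 to find its DLL, are how Windows registers BHOs.

```python
"""Offline triage of a Win9x/IE registry export (.reg): list Run*/RunServices*
autostart values and Browser Helper Objects, and flag anything loading code
from a temp folder.  Added example; SAMPLE_REG is constructed and the CLSIDs
are made up."""
import re

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"rundll32"="C:\\WINDOWS\\rundll32.exe C:\\WINDOWS\\TEMP\\sd.dll,DllStart"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBBBBBBB-0000-0000-0000-000000000002}]

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\Some Vendor\\Helper\\helper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\WINDOWS\\TEMP\\sd.dll"
"ThreadingModel"="Apartment"
"""

RUN_KEYS = ("\\run", "\\runonce", "\\runservices", "\\runservicesonce")
BHO_KEY = "\\explorer\\browser helper objects\\"
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")
# A quoted path (may contain spaces) or a bare path ending at space/comma.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,"]+)')


def parse_reg(text):
    """Return {key: {value_name: data}} for a REGEDIT4 export (string data only)."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
        elif key is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data.
                reg[key][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return reg


def extract_paths(command):
    """Pull every drive-letter path out of an autostart command line."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def in_temp(path):
    return any(m in path.lower() for m in TEMP_MARKERS)


def autostart_entries(reg):
    """(key, value_name, command) for every Run*/RunServices* value."""
    out = []
    for key, values in reg.items():
        if key.lower().endswith(RUN_KEYS):
            out.extend((key, n, c) for n, c in values.items())
    return out


def bho_entries(reg):
    """(clsid, dll_path_or_None) for each registered Browser Helper Object."""
    out = []
    for key in reg:
        if BHO_KEY in key.lower():
            clsid = key.rsplit("\\", 1)[1]
            server = reg.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32", {})
            out.append((clsid, server.get("(Default)")))
    return out


def triage(reg):
    """Findings worth a look: autostart commands or BHO servers that load from a
    temp folder, and BHO CLSIDs with no InprocServer32 (nothing to inspect)."""
    findings = []
    for key, name, cmd in autostart_entries(reg):
        for path in extract_paths(cmd):
            if in_temp(path):
                findings.append({"where": f"{key}\\{name}", "path": path,
                                 "reason": "autostart from temp"})
    for clsid, dll in bho_entries(reg):
        if dll is None:
            findings.append({"where": clsid, "path": None,
                             "reason": "BHO with no InprocServer32"})
        elif in_temp(dll):
            findings.append({"where": clsid, "path": dll,
                             "reason": "BHO loaded from temp"})
    return findings


if __name__ == "__main__":
    for f in triage(parse_reg(SAMPLE_REG)):
        print(f"{f['reason']:<28} {f['where']}  ->  {f['path']}")
```

Run it against a real export (`python triage.py < hklm.reg` after swapping SAMPLE_REG for stdin) and you get the CLSID and the DLL behind each BHO in one pass, which is quicker than clicking through regedit on a box that is fighting you. The temp-folder rule is a heuristic for this case; legitimate software does not install BHOs or Run entries there, but the absence of a finding does not prove the box is clean.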
08-03-2005, 00:17 (#2)
Cable Forum Team
Join Date: Feb 2004
Location: /root/
Age: 31
Services: netstat -tula > /home/raistlin/netstat.txt
Posts: 8,179
Re: An encounter with something nasty
This is quite a good site with a fairly comprehensive listing of running processes.
Not sure if it helps you here though.....
http://www.answersthatwork.com/Taskl...s/tasklist.htm
__________________
Formerly known as 'Raistlin'
Pausing Live TV and Eating Wotsits
08-03-2005, 00:22 (#3)
lifeless
Join Date: Aug 2003
Location: nowhere
Posts: 718
Re: An encounter with something nasty
The dll or service is still running, so despite what you do it recreates itself on startup. I had a similar experience not so long ago where I had identified the spyware and removed all traces of it in the registry and files, but it still kept coming back and the virus checker kept reporting a file that did not exist; even a search in Explorer could not find it. I was going to give up after about 1.5 hours until I remembered back to my DOS days and ran an attrib command to find the file, and once I had done that I had it clean in under 10 minutes.
I can't remember which one it was, but I did a search in Google and all the so-called solutions were as much help as used toilet roll. As long as you have removed all traces of the files from the hard disk and the registry, then a boot into Safe Mode and a check of the files using attrib can be very helpful, because a lot of spyware programs add the hidden attributes to the files so even a search in Explorer won't pick them up.
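The attrib trick above, worked through as an added example (not from the post): run `attrib /s` over the suspect folders from Safe Mode or the DOS prompt, keep the output, and filter it for files carrying the Hidden or System bit that are either executable code or sitting in a temp folder, since those are what Explorer's search skips and what a startup entry is most likely to be loading. The listing below is constructed, laid out like Win9x attrib output (flag letters, then the path); XYZ123.DLL is a made-up name, and IO.SYS and MSDOS.SYS are included to show legitimate hidden system files not being flagged.

```python
"""Filter `attrib /s` output for hidden/system files that look like code or
live in a temp folder, and emit the attrib/del commands to clear them.
Added example; SAMPLE_ATTRIB is a constructed listing in the Win9x attrib
column style (A, S, H, R flags, then the path)."""
import re

SAMPLE_ATTRIB = r"""
A  SHR     C:\IO.SYS
A  SHR     C:\MSDOS.SYS
A          C:\WINDOWS\TEMP\~DF1234.TMP
A   H      C:\WINDOWS\TEMP\SD.DLL
A  SH      C:\WINDOWS\SYSTEM\XYZ123.DLL
A          C:\WINDOWS\SYSTEM\KERNEL32.DLL
"""

# The path starts at the first drive letter; everything before it is flags.
PATH_RE = re.compile(r"[A-Za-z]:\\\S.*$")
EXEC_EXT = (".dll", ".exe", ".com", ".scr", ".pif", ".ocx", ".vxd")
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\")


def parse_attrib(text):
    """Return [(path, flags)] with flags a set drawn from {'A', 'S', 'H', 'R'}."""
    entries = []
    for line in text.splitlines():
        m = PATH_RE.search(line)
        if not m:
            continue  # blank line or a "File not found" style message
        flags = {ch for ch in line[:m.start()] if ch in "ASHR"}
        entries.append((m.group(0).rstrip(), flags))
    return entries


def concealed(entries):
    """Hidden or System files that are executable code or sit in a temp folder.
    Returns [(path, flags_as_sorted_string)]."""
    out = []
    for path, flags in entries:
        if not flags & {"H", "S"}:
            continue
        low = path.lower()
        if low.endswith(EXEC_EXT) or any(m in low for m in TEMP_MARKERS):
            out.append((path, "".join(sorted(flags))))
    return out


def cleanup_commands(entries):
    """attrib/del pairs for a technician to review and run from a Safe Mode or
    DOS prompt.  Deliberately not executed here: review the list first."""
    cmds = []
    for path, _ in concealed(entries):
        cmds.append(f"attrib -r -s -h {path}")
        cmds.append(f"del {path}")
    return cmds


if __name__ == "__main__":
    found = parse_attrib(SAMPLE_ATTRIB)
    for path, flags in concealed(found):
        print(f"{flags:<4} {path}")
    print("\n".join(cleanup_commands(found)))
```

Capture the listing with `attrib /s c:\windows\*.* > c:\attrib.txt` (a redirect in the DOS prompt is fine on 98), read it on a clean machine, and only then decide what to strip and delete; the extension and temp-folder rules keep IO.SYS and MSDOS.SYS out of the kill list, but any other hidden boot-critical file on an unusual path still needs a human look before `del` runs.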
09-03-2005, 17:56 (#4)
cf.mega poster
Join Date: Nov 2004
Posts: 7,737
Re: An encounter with something nasty
If it is so badly infected and he removes such files, could there not be a chance some of the core Windows files could be corrupted? Would a format and total reinstallation of software with SpywareBlaster/Spybot/Ad-Aware SE 1.05 be wise, with a good AV/firewall?
Start with a fresh slate and learn from the mistake?
09-03-2005, 17:57 (#5)
vista home premium user
Join Date: Jul 2004
Location: chavy Nottingham
Age: 24
Services: Freeview, Sky+ on big TV, 2 Mb/s NTL BB, mega PC, PSP, PDA, N95
Posts: 6,366
Re: An encounter with something nasty
Quote:
Originally Posted by Raistlin
Crikey that's a link and a half. Rep time!
__________________
PC: X2 4200+, 2GB RAM, X1650, 940GB HDDs, Audigy2ZS Platinum, HVR1100, Vista Home Premium Laptop: Advent 7203 (T5300, 2GB RAM, 80GB HDD, VHP) Server: WHS (XP 2800+, 1GB RAM, 820GB HDD)
 10111 pts
09-03-2005, 20:54 (#6)
Cable Forum Team
Join Date: Jun 2003
Location: between Portsmouth and Southampton.
Age: 56
Services: VM DTV,VM 2MB,VM Phone
Posts: 19,620
Re: An encounter with something nasty
Quote:
Originally Posted by nffc
Crikey that's a link and a half. Rep time!
Worth a mention in the Helpful Post Thread for this month perhaps?
__________________
Prejudice is opinion without judgement...Voltaire.
Is still Incognitas at heart.
If it's bold it is a moderation technique.If it's soft it's Coggy speaking.
09-03-2005, 21:08 (#7)
vista home premium user
Join Date: Jul 2004
Location: chavy Nottingham
Age: 24
Services: Freeview, Sky+ on big TV, 2 Mb/s NTL BB, mega PC, PSP, PDA, N95
Posts: 6,366
Re: An encounter with something nasty
Quote:
Originally Posted by Incognitas
Quote:
Originally Posted by nffc
Crikey that's a link and a half. Rep time!
Worth a mention in the Helpful Post Thread for this month perhaps? 
Bribery. Yes OK then...
__________________
PC: X2 4200+, 2GB RAM, X1650, 940GB HDDs, Audigy2ZS Platinum, HVR1100, Vista Home Premium Laptop: Advent 7203 (T5300, 2GB RAM, 80GB HDD, VHP) Server: WHS (XP 2800+, 1GB RAM, 820GB HDD)
 10111 pts
09-03-2005, 21:26 (#8)
Android
Join Date: Nov 2003
Location: Madchester
Age: 42
Services: SKY+
& NTL 2mb
Posts: 512
Re: An encounter with something nasty
Quote:
CWS is a robust infection that exhibits robust intelligence, technical prowess and a determination to survive removal attempts. CWS wants to live.
The difficulty of removing CWS from a user's system is significant. In the early variants, CWS was slightly tricky to remove, but it could be done, carefully, by a knowledgeable Windows user.
However, CWS has stepped up the battle and recent variants are virtually impossible to remove manually. Some CWS variants even use methods of hiding and running themselves that had never been used before in any other spyware strains.
The chronological order in which the CWS variants appeared is detailed here, along with the approximate dates when they appeared online.
http://www.softpedia.com/get/Interne...Shredder.shtml
09-03-2005, 22:40 (#9)
cf.mega poster
Join Date: Oct 2003
Location: Portsmouth
Age: 30
Posts: 1,684
Re: An encounter with something nasty
I recently had a very similar situation. It eventually comes down to the amount of time it's going to take to clean the infections and stabilise the system, compared to how long it would take to build the machine from the ground up, as AndrewJames mentioned. I find sometimes this is the cheapest route for my customers, and it can be quite helpful in the long run as you can set the machine up properly from the get-go rather than constantly trying to firefight.
09-03-2005, 23:03 (#10)
cf.geek
Join Date: Aug 2003
Location: Asleep down in the server room
Age: 44
Posts: 516
Re: An encounter with something nasty
Wipe and reload, only sensible way forward.
__________________
www.f2s.com They used to be good b4 Pipex got 'em
now on BT who are em.........pretty good...sorry
09-03-2005, 23:08 (#11)
cf.mega poster
Join Date: Jun 2003
Location: Huthwaite, Nottinghamshire
Services: VM 2Mb, VM phone 5p plan, 2xSky+ boxes (Family pack, sports & movies)
Posts: 4,520
Re: An encounter with something nasty
Quote:
Originally Posted by tkiely
wipe and reload, only sensible way forward.
Having first checked with the customer to see that there was nothing of vital importance that he wanted saving.
__________________
Please put brain in gear before posting.
There is no such thing as the average man (or woman).
DigiGuide - the best by far source for planning your TV viewing http://getdigiguide.com/?p=1&r=11440
09-03-2005, 23:32 (#12)
cf.mega poster
Join Date: Nov 2004
Posts: 7,737
Re: An encounter with something nasty
Agreed. Curious thought: does your customer have System Restore enabled? If so, could it be that this program is using a restore point to come back again and again?
I am sure I have heard of a malware program doing such a thing.
09-03-2005, 23:36 (#13)
 
Join Date: Nov 2003
Location: Leeds - the dog house
Age: 31
Services: Email me for a current price list
Posts: 8,241
Re: An encounter with something nasty
Ta for the input all. Rep fairy has visited, though she got carried away with the ctrl+v key and may have pasted half a comment here and there.
I've got rid of this sort of thing before, but it's not something you can easily remove remotely and without Internet access to do research or download tools. It's the first time I've encountered something so stubborn and nasty though. My own system has various security measures so there's no chance of me getting anything nasty. Shame that others are so complacent. Would an AV scanner pick up spyware? I know F-Prot for DOS will flag up and clean keystroke loggers.
I have accidentally deleted user files before now, so I've learnt to exercise caution.
edit:
The OS is good old Windows 98 SE, no doubt unpatched, so options are limited.
__________________
Consistency is the last refuge of the unimaginative [Wilde]
09-03-2005, 23:40 (#14)
Cable Forum Team
Join Date: Feb 2004
Location: /root/
Age: 31
Services: netstat -tula > /home/raistlin/netstat.txt
Posts: 8,179
Re: An encounter with something nasty
I know that this is probably a silly question, but did you try deleting it (or running your spyware progs) through Safe Mode?
In Safe Mode (in theory at least) it shouldn't be running, so you should be able to get shot of it easily enough. Also worth (as already suggested) deleting the restore points (turn System Restore off and then back on) just in case.
Glad you liked the link BTW, it's in constant use I can assure you.
Oh, and you think you have problems. Imagine the look on the face of the guy whose computer I have just rebuilt when I told him:
"Sorry, this is gonna take longer than expected. The 789 Virus Infected Files (thank you Avast) and 389 Malicious Programs (thank you Ad-Aware) that were on your machine have corrupted the Windows install to such a degree that I'm going to have to rebuild it from scratch!"
__________________
Ah, just read the OS bit, ignore the system restore comments.
Safe Mode still stands, but if you're doing things remotely that could be.....tricky.....
__________________
Formerly known as 'Raistlin'
Pausing Live TV and Eating Wotsits
09-03-2005, 23:44 (#15)
 
Join Date: Nov 2003
Location: Leeds - the dog house
Age: 31
Services: Email me for a current price list
Posts: 8,241
Re: An encounter with something nasty
Quote:
Originally Posted by Raistlin
"Sorry, this is gonna take longer than expected. The 789 Virus Infected Files (thank you Avast) and 389 Malicious Programs (thank you Ad-Aware) that were on your machine have corrupted the Windows install to such a degree that I'm going to have to rebuild it from scratch!"
You should have been on today's customer care course. Communicating the problem to the user so that they understand that you're working with them to resolve the problem.
Quote:
Originally Posted by Raistlin
Ah, just read the OS bit, ignore the system restore comments.
Safe Mode still stands, but if you're doing things remotely that could be.....tricky.....
F8. No F - F for foxtrot - at the top of the keyboard. Yes - that's it. Now hit that key repeatedly as soon as the computer starts - you've got to be quick. No - you've missed it. Let's try again but this time, hit the key much faster - like a woodpecker. HP restore utils? I think you've hit the F8 too soon. Let's try that again...
__________________
Consistency is the last refuge of the unimaginative [Wilde]