Unoffical empeg BBS

Quick Links: Empeg FAQ | RioCar.Org | Hijack | BigDisk Builder | jEmplode | emphatic
Repairs: Repairs

Page 1 of 2 1 2 >
Topic Options
#271084 - 29/11/2005 16:57 I can't get rid of this!
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
I don't know where this came from but I've ran all kinds of removal tools and nothing is found. Anyone know what it is?



Attachments
270930-gamble.jpg (103 downloads)



Edited by Phil. (29/11/2005 16:57)

Top
#271085 - 29/11/2005 17:16 Re: I can't get rid of this! [Re: CrackersMcCheese]
larry818
old hand

Registered: 01/10/2002
Posts: 1039
Loc: Fullerton, Calif.
Do they do anything?

Maybe it's just edited your background pic?

Top
#271086 - 29/11/2005 17:18 Re: I can't get rid of this! [Re: larry818]
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
When i place the cursor over each block a pop-up appears to take me to a new website.

Top
#271087 - 29/11/2005 17:19 Re: I can't get rid of this! [Re: larry818]
tfabris
carpal tunnel

Registered: 20/12/1999
Posts: 31602
Loc: Seattle, WA
Wow, spyware that changes your wallpaper? That would be fricking NASTY.

Anyway, have you tried Ad-Aware and Spybot?
_________________________
Tony Fabris

Top
#271088 - 29/11/2005 17:21 Re: I can't get rid of this! [Re: CrackersMcCheese]
larry818
old hand

Registered: 01/10/2002
Posts: 1039
Loc: Fullerton, Calif.
Quote:
When i place the cursor over each block a pop-up appears to take me to a new website.


Does "Active Desktop" (right click on an open area) show anything?

You gotta stop using Internet Explorer...

Top
#271089 - 29/11/2005 17:21 Re: I can't get rid of this! [Re: tfabris]
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
Tried both. Comes back as clean. I got the firewall to block the webpage that pops up but obviously something is running in the background that doesn't show in my processes list.

Top
#271090 - 29/11/2005 17:29 Re: I can't get rid of this! [Re: larry818]
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
Nothing on active desktop either. Good suggestion though.

Top
#271091 - 29/11/2005 17:49 Re: I can't get rid of this! [Re: CrackersMcCheese]
larry818
old hand

Registered: 01/10/2002
Posts: 1039
Loc: Fullerton, Calif.
Quote:
Nothing on active desktop either. Good suggestion though.


Oh, well, that's all I got. Between Nat and Norton and not runnin' IE, I never have these problems.

Probably it's attached to one of the normal system services. Check these sites:

http://www.answersthatwork.com/Tasklist_pages/tasklist.htm

www.tasklist.org

http://www.newcastlebrown.com/

You might try the program from answers that work.

Top
#271092 - 29/11/2005 17:52 Re: I can't get rid of this! [Re: larry818]
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
Newcastle Brown? For when I get so hacked off with it that I need a drink?

Top
#271093 - 29/11/2005 18:02 Re: I can't get rid of this! [Re: CrackersMcCheese]
larry818
old hand

Registered: 01/10/2002
Posts: 1039
Loc: Fullerton, Calif.
Quote:
Newcastle Brown? For when I get so hacked off with it that I need a drink?


I find it helps me with all my microsoft caused woes...

Top
#271094 - 29/11/2005 18:09 Re: I can't get rid of this! [Re: larry818]
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
You regularly buy kegs at a time then?

Top
#271095 - 29/11/2005 18:21 Re: I can't get rid of this! [Re: CrackersMcCheese]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
You might need to check for rootkits.

http://www.sysinternals.com/Utilities/RootkitRevealer.html

What tools have you tried? Some that I recommend are Spybot Seach and Destroy, AD-Aware SE, Hijack This, Microsofts Antispy.
As for a virus scanner NOD32 is more than 5 times fasters than any other scanner and it detects/cleans more than the others.

If you can't get it off I can ship you an ultimate boot cd.

Top
#271096 - 29/11/2005 23:25 Re: I can't get rid of this! [Re: CrackersMcCheese]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Did you run your removal tools while booted to safemode without networking? All spyware cleaning should be done in safe mode.

Download HijackThis, which can scan for spyware and show running processes. While you're getting Rootkit Revealer, pick up Autoruns and Process Explorer. The latter will show which DLLs are associated with processes. Check the properties of these DLLs; recent creation date and missing meta-information are suspicious. Google searching the DLL names may also help.

Try using reged32.exe <regedt32? i forget> to browse your registry for malicious entries. I think that's the only program which can see the otherwise hidden overlong key names. Searching Google for the overlong key name invisibility bug may turn up more.

Maybe this is a Browser Helper Object (BHO) attached to your Active Desktop... which is just plain nasty. There is a good BHO remover, but I don't remember the name. You can find them in the reg key HKLM\Software\Microsoft\Windos\CurrentVersion\explorer\Browser Helper Objects. Their SIDs (long numeric names) are listed as subkeys. Copy the SID, go to the top of the registry, and run a search for the SID. Each should have an entry in HKLM\Software\CLASSES\CLID. Search your hard drive for the DLLs referenced in the subkey, and if they are suspiciousm delete the DLLs, CLSID key, and Browser Helper Object key.

Or, this could be very nasty, just above rootkit nasty, and be attaching itself to Winlogin or another early-loading service. Worst case, boot to safe mode with command prompt, run HijackThis (which loads in GUI), and use that to launch your other removal tools. As long as you don't run Explorer.exe, the hacked fundamental services won't load and you'll have full access to your own system.

And there are many spyware forums out there, so maybe someone has posted removal instructions. Good luck.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#271097 - 30/11/2005 03:47 Re: I can't get rid of this! [Re: FireFox31]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
I am also having an issue with another spyware piece, Virtumundo. I can't even seem to delete it in safe mode, it says the file is in use. Apparently, it's attached itself to the login procedure, so since I still have to log in in safe mode, it gets launched. The only way I can think of is to remove the drive and pop it into a different machine. I was hoping for a more elegant solution though.

Top
#271098 - 30/11/2005 03:54 Re: I can't get rid of this! [Re: lectric]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Quote:
I was hoping for a more elegant solution though.

Knoppix?

Top
#271099 - 30/11/2005 03:59 Re: I can't get rid of this! [Re: canuckInOR]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Hmmm... Does knoppix support ntfs? If so I'll d/l it first thing tomorrow.

Top
#271100 - 30/11/2005 13:01 Re: I can't get rid of this! [Re: lectric]
wfaulk
carpal tunnel

Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
Command-line-only safe mode?
_________________________
Bitt Faulk

Top
#271101 - 30/11/2005 17:12 Re: I can't get rid of this! [Re: lectric]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
I nuked Virtumundo off a machine a few weeks ago. I found the procedure online someplace. It took a few minutes, involved some software, namely 'CleanUp40.exe' and 'VundoFix.exe'. I have the applications if you PM me an address (too big to attach) I'll send them to you. I don't recall keeping the instructions, so you'll have to google around.

-Zeke


Edited by Ezekiel (30/11/2005 17:14)
_________________________
WWFSMD?

Top
#271102 - 30/11/2005 18:25 Re: I can't get rid of this! [Re: lectric]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Mentioned at the end of my previous rant, if the spyware loads in safe mode, you'll have to boot to "Safe mode with command prompt."

First, boot to regular GUI safemode and copy all of your spyware tools from a CD to the machine. Run HijackThis and see which malicious DLLs are attached to the fundamental services like Winlogin. Also HijackThis and Process Explorer will show you hidden processes that Task Manager can't, so make note of those.

Then reboot to safe mode command prompt, and start HijackThis. It loads graphically (like everything else will) so use its Run ability to browse directory trees to your other spyware tools.

My Winlogin cleaning notes are not on hand, but here's a start. Since you know the malicious DLL and EXE names, find and delete them. You may need to access the Services portion of the registry (I think it's triplicated, so check each one). Remove references to the bad files and, possibly, recreate good references to the real files by retyping the info from a known good computer.

Cleaning spyware by hand is fun. Too bad it's so well hidden that I don't see it anymore.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#271103 - 30/11/2005 20:06 Re: I can't get rid of this! [Re: FireFox31]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
Quote:
My Winlogin cleaning notes are not on hand, but here's a start. Since you know the malicious DLL and EXE names, find and delete them. You may need to access the Services portion of the registry (I think it's triplicated, so check each one). Remove references to the bad files and, possibly, recreate good references to the real files by retyping the info from a known good computer.

If it is that integrated into Windows then don't bother cleaning it and just reinstall Windows from scratch. You won't know for certain whether you've cleaned out all the spyware/adware/whatever. Do you want to take the risk that there is some extra component that you've not found that is logging your keystrokes?

Top
#271104 - 30/11/2005 21:24 Re: I can't get rid of this! [Re: lectric]
Ezekiel
pooh-bah

Registered: 25/08/2000
Posts: 2413
Loc: NH USA
I found the page I used when I got rid of the Virutomondo issue:

http://forum.tweakxp.com/forum/Topic181585-29-1.aspx

Please note that the file name they use in the example is NOT THE ONE YOU'LL SEE. Virutomondo randomly generates a file name and you have to look through your HiJackthis logs to find the name. Once you have that you can follow the instructions as posted in the link above.

-Zeke
_________________________
WWFSMD?

Top
#271105 - 01/12/2005 02:14 Re: I can't get rid of this! [Re: Ezekiel]
lectric
pooh-bah

Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
Kick Bootie... Thanks.

As far as nuking the machine, if it were mine, I would have long ago. Unfortunately, it's a local judge who has no compunction paying me $65 per hour to grind the spyware away and leave his data as intact as can be. I'm happy to oblige.

This morning I thought about command prompt mode, since the adware attaches itself to the logon script. Command mode requires no login - unless you run explore. I figured that was the next step but have't been back to his house to try it.

Top
#271106 - 01/12/2005 19:53 Re: I can't get rid of this! [Re: lectric]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
Quote:
Hmmm... Does knoppix support ntfs? If so I'll d/l it first thing tomorrow.

It should.

Top
#271107 - 01/12/2005 19:59 Re: I can't get rid of this! [Re: canuckInOR]
tman
carpal tunnel

Registered: 24/12/2001
Posts: 5528
Quote:
Quote:
Hmmm... Does knoppix support ntfs? If so I'll d/l it first thing tomorrow.

It should.

NTFS read support in Linux works great. NTFS write however is another matter. The open source drivers are pretty much broken for writing. The captive one which uses the Windows libraries is okay and so are the commercial drivers.

Top
#271108 - 01/12/2005 20:45 Re: I can't get rid of this! [Re: lectric]
jarredduq
journeyman

Registered: 27/09/2000
Posts: 89
Loc: California, USA
Quote:
Kick Bootie... Thanks.

As far as nuking the machine, if it were mine, I would have long ago. Unfortunately, it's a local judge who has no compunction paying me $65 per hour to grind the spyware away and leave his data as intact as can be. I'm happy to oblige.

This morning I thought about command prompt mode, since the adware attaches itself to the logon script. Command mode requires no login - unless you run explore. I figured that was the next step but have't been back to his house to try it.


Here's another way: http://www.dslreports.com/forum/remark,14899050

Top
#271109 - 03/12/2005 01:13 Re: I can't get rid of this! [Re: jarredduq]
loren
carpal tunnel

Registered: 23/08/2000
Posts: 3826
Loc: SLC, UT, USA
I just need to vent. F-U-C-K WINDOWS. I pulled out an old laptop I'd shelved (because I got sick of wiping viruses and adware off of it for Kelly and made her get an iBook) and slapped XP on it for my brother. Put on Firefox. And it took him all of TWO DAYS to get a virus/adware on it that I've now spent 3 f'n hour trying to get off. I'm so sick of this bullshite. I don't know how the huge majority of the people that use windows and don't know jack about computers deal with this stuff. There must be MILLIONS of infected computers out there that people just deal with. Firefox is no longer immune apparently. AAAAAAAARRRRHHHHGHGHG.

[/vent]
_________________________
|| loren ||

Top
#271110 - 03/12/2005 02:43 Re: I can't get rid of this! [Re: loren]
Attack
addict

Registered: 01/03/2002
Posts: 599
Loc: Florida
I'd bet that it was installed after downloading. Get MyUninstaller and check out the list of installed programs. If it did get installed thru firefox I would suspect that it used javascript and would recommand installing NoScript. As for a virus scanner NOD32 is the best virus scanner I have ever used. It doesn't really get in the way unlike everything else I've tried. As an example start Azureus after booting up Windows. When running Mcafee Azureus can take 3 to 5 minutes to start and with NOD32 it takes less than 10 seconds.
_________________________
Chad

Top
#271111 - 03/12/2005 06:56 Re: I can't get rid of this! [Re: CrackersMcCheese]
SonicSnoop
addict

Registered: 29/06/2002
Posts: 531
Loc: Triangle, VA
Maybe see if you could restore it to a previous restore point and see if it gets rid of it? though that might cause you to loose some data but figured id mention it
_________________________
-D Modifying and Tweaking is a journey, not a destination................................ MKIIa : 60gig - 040103286 - Blue - v2 + PCATS tuner MKIIa : 20gig - 040103260 - Blue - v3a8 + Mark Lord Special Edition Cherry Dock

Top
#271112 - 03/12/2005 06:57 Re: I can't get rid of this! [Re: Attack]
loren
carpal tunnel

Registered: 23/08/2000
Posts: 3826
Loc: SLC, UT, USA
Thanks for the tips!

This is sort of exactly my point. I shouldn't have to do this. It never ceases to infuriate me and want to chuck all of my windows CDs out the window har har.
_________________________
|| loren ||

Top
#271113 - 03/12/2005 09:33 Re: I can't get rid of this! [Re: loren]
CrackersMcCheese
pooh-bah

Registered: 14/01/2002
Posts: 2489
Aaaaagh. I need to format and reinstall. 'Take off and nuke the site from orbit. Its the only way to be sure'.

Top
#271114 - 03/12/2005 19:37 Re: I can't get rid of this! [Re: CrackersMcCheese]
canuckInOR
carpal tunnel

Registered: 13/02/2002
Posts: 3212
Loc: Portland, OR
As long as you're re-installing... is there anything you really, really, really need Windows for? If you're starting over, now's a good time to reconsider your choices. One of the guys at work just went through the same issue with a non-removable virus. He installed SuSE 10, instead, and said that aside from needing to download a bit of extra stuff for playing videos (i.e. mplayer, and libdecss), it's done everything he needs right out of the box. The few Windows-only things he's needed have run a treat under Wine.

Top
#271115 - 08/12/2005 01:33 Re: I can't get rid of this! [Re: loren]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Quote:
There must be MILLIONS of infected computers out there that people just deal with.

There ARE millions of infected comps out there, if the numbers reported by botnet researchers can be trusted (100k to 400k compromised in a botnet, typically).

Here's how people deal with it:
Home User: "My 6 month old computer is really slow. Must be time for a new one."
Computer Store Guy: "Your gigaflops and megajerks aren't good enough. Buy THIS one (with a 6 year extended warranty)."

Seriously though, there MUST be silver bullet to stop spyware from coming in. This spyware preventing software must be doing things that we can do ourselves. If I had a second life time, I would figure this out myself.

Some hypothesis:
Use Local or Group Policy to force AutoUpdates to download and patch every night, setting missed patchings to run at next login (with no ability to stop forced reboot? is that an option, i forget.)
In the registry, deny every user and system account write/modify permissions to the typical startup keys and spyware hiding places (even services?).
In the registry, deny all permissions to IE security (and other) settings so they can't get hijacked.
Deny every user and system account write/modify permissions to startup folders.
Write protect the host file and maybe even the local DNS cache....?

These are pretty restrictive. ie: you can't install or change anything while they're in place. So, write software that's a "switch", turning these features off for a few minutes (forcing the security back on after that time) when you need to install something or apply patches (so it'd need to play nice with AutoUpdates?).

So it's a pipe dream, but maybe not. There must be an elegant solution to stopping spyware; one that can be simplified to a "push this button to allow system modification" for every user on the internet. Maybe I should quit my life and create this.

Unfortunatly, social engineering can crush this instantly. One e-mail saying "Helo, pres unsecure button than clik attach picture. Its fun! Thanking you." and thousands of untrained users will get nailed. That's where heavy handed ISPs are needed. There must be a way for them to to block ports to all residential users unless they complete a simple online request. At least, couldn't they somehow deny SMTP outgoing (and secure variants) to block compromised spam sending machines? But... hm... then desktop e-mail clients couldn't send to their local servers... Regardless, it would require costly heavy hardware and would turn users away.

Alas, the only solution is, and always will be, cutting our collective ethernet cables.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#271116 - 08/12/2005 05:15 Re: I can't get rid of this! [Re: FireFox31]
drakino
carpal tunnel

Registered: 08/06/1999
Posts: 7868
Quote:
In the registry, deny every user and system account write/modify permissions to the typical startup keys and spyware hiding places (even services?).
Deny every user and system account write/modify permissions to startup folders.
Write protect the host file and maybe even the local DNS cache....?


The problem still always comes down to the fact that people on Windows machines are logged in with the second highest privileged account possible, with only "SYSTEM" having more power.

Fixing it is as simple as not logging in as an administrator. The problem is that this isn't the default like it should be (and aparently will be finally in Longhorn). If your not logged in as an admin, everything above in the quote is addressed. As far as IE, well, it needs to just be scrapped period. No web page should ever be able to try and set itsself as a home page, no web page should download a plugin first, then ask if it needs to be installed, and so on.

Beyond that, it's just a matter of teaching people to not type in their password when prompted by the system if they didn't do anything that should have. My grandmother for example understands that she should only type in her password if the system has the specific system update program running. Other then that, she knows to click cancel. While no malware exists in the wild for OS X, she is ready if any ever does come out, since it will trip the system password prompt to do anything damaging.

Top
#271117 - 08/12/2005 05:53 Re: I can't get rid of this! [Re: FireFox31]
frog51
pooh-bah

Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
There is a silver bullet - but it is aimed at the users:)

As Drakino pointed out, a lot of it comes from the way users of MS Windows have not been educated - yes, computing has been brought to the masses, but there has been little sign of the teaching of sensible practices.

If home users are going to run windows PCs, they should at a minimum install straight from XP Service Pack 2, not install XP then download the SP, as they are likely to be compromised before they get it.

They should have a hardware firewall as well as a good software firewall (not XP's own thing - bleh)

They should create an admin account at startup, and leave it well alone - using only user level accounts for everything.

Jeez - there is a wee list of technical things that can help, but really - it is mostly a user education problem...which means it will never be fixed.
_________________________
Rory
MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi
MkII, 240Gb in Mark Lord dock
MkII, 80Gb SSD in dock

Top
#271118 - 10/12/2005 02:33 Re: I can't get rid of this! [Re: frog51]
FireFox31
pooh-bah

Registered: 19/09/2002
Posts: 2494
Loc: East Coast, USA
Some parts of user education are tough; notably, viewing malicious websites. All Windows web browsers have vulnerabilities and websites posing as legitimate, even innocent, will compromise them. Google spamming sucks in users like a bug zapper. It takes a whole new level of education to teach users to avoid these websites without even visiting them.

I constantly try to share my URL and domain name paranoia with my coworkers so they can avoid unsavory sites. Avoid domain names with:
More than one dash
Stupid letter replacement (z for s, 1 for l, etc)
Overly long
Random characters
Prefix or suffix on a popular domain name (ie: linksysinfo.com)
Wrong top level domain, and NEVER .biz or .info
etc
etc

And teaching them to preview the two line Google page excerpt. Avoid:
Keyword repeated 6 times among random words.
"Best deals on ____. Find all your ____."
"Coming Soon", "This Domain is available", etc.
etc
etc

This leads back to my "trusted sites" idea. Just like the pre-search-engine days when people posted link directories, there should be directories of trusted sites. Maybe a web of trust, tightly controlled by the members of the web (not infinitely expanding like the PGP key model). Display only known legitimate sites, accept link requests from the outside, post those links after through review, swiftly remove sites turned bad.

Think of how easy it would be to find trustworthy product reviews, legitimate online retailers, non-popup'ed lyrics sites, REAL information. Yes, it's labor intensive, but that's how I do things. Maybe there's a way to make this work.
_________________________
-
FireFox31
110gig MKIIa (30+80), Eutronix lights, 32 meg stacked RAM, Filener orange gel lens, Greenlights Lit Buttons green set

Top
#271119 - 10/12/2005 10:51 Re: I can't get rid of this! [Re: FireFox31]
sein
old hand

Registered: 07/01/2005
Posts: 893
Loc: Sector ZZ9pZa
Quote:
This leads back to my "trusted sites" idea. Just like the pre-search-engine days when people posted link directories, there should be directories of trusted sites. Maybe a web of trust, tightly controlled by the members of the web (not infinitely expanding like the PGP key model). Display only known legitimate sites, accept link requests from the outside, post those links after through review, swiftly remove sites turned bad.

Think of how easy it would be to find trustworthy product reviews, legitimate online retailers, non-popup'ed lyrics sites, REAL information. Yes, it's labor intensive, but that's how I do things. Maybe there's a way to make this work.


Reminds me of the Open Directory Project.

Really though, I'm not sure about the future of that system. For example, search for empeg on Dmoz, and boom... 3 results. Its not exactly comprehensive, and the sheer manpower required to make it so just blows my mind.

On the flipside, I'm getting into del.icio.us. Search for empeg on that, and you get good results, you can quickly see whats popular and there is no junk. Its also good to see whats related by following people's tags. A nice side-effect to social bookmarking.


Edited by sein (10/12/2005 16:38)
_________________________
Hussein

Top
Page 1 of 2 1 2 >