NASTY bit of spyware

Discussion in 'Computer Information' started by Thor, Jan 3, 2005.

  1. Thor

    Thor Guest

    I just had a knock-down drag-out fight with a nasty bit of spyware today.
    Started out with a Compaq notebook running XP Home with SP2. As soon as XP
    got fully booted up, a screen would pop up saying that services.exe shut
    down unexpectedly, and as a result the Windows NT\Authority was shutting
    down the system in 60 secs to prevent corruption etc. Well I immediately
    thought "virus" since Mblaster caused a very similar symptom with the RPC
    flaw. However, the system was running Avast antivirus that was too new to be
    oblivious to Mblaster. I tried running the system in safe mode, which did
    allow the system to function without a sudden shutdown message. AHA!
    Progress, I thought. Well, not really. I configured Avast to do a boot-time
    full drive scan, and found nothing. I did notice that there were porn URLs
    showing up in the root directory. I would delete the files, and they would
    re-appear within seconds. Spyware started to become my #1 suspect. So I
    installed Adaware first, and tried to do a full system scan. This immediately
    resulted in another "system will shut down in 60 secs" message as soon as
    Adaware started detecting rogue processes. At that point all you can do is
    let it shut down and reboot, because the system becomes practically unusable
    at that point.

    So I configured Adaware to scan without detecting running processes, and
    that works, and I find and remove a boatload of various and sundry spyware
    files. Followup scan shows clean. Reboot, and try a regular full scan with
    process detection, and I still get the "system will shut down" message (and
    Adaware finds several suspect processes right before that happens). OK,
    Adaware is evidently useless for this particular critter. ARGH! Next I try
    HijackThis (all this in safe mode, mind you) and find some items that look
    suspicious. There are evidently numerous bits of spyware on this system. I had
    a particular interest in a line at the very top of the list that was
    evidently hooking into the Windows XP userinit.exe command. I could find no
    rogue copies of userinit.exe on the system however, only the normal
    legitimate one and in the right place. Still I saw no reason for that entry
    to show up in HijackThis in that manner, so I went ahead and removed the
    startup entry to see the result. I rebooted and did a second sweep with
    HijackThis and the registry entry returned! Something bad was definitely
    creeping around on this system. Spybot would run OK, but found absolutely
    nothing, and neither did SpySweeper or CWSShredder. I then ran AboutBuster
    because the customer also mentioned that he had an about:blank startup page
    that kept returning. AboutBuster found several rogue alternate data streams,
    and got rid of them. A full repeat scan showed no other ADS issues. Yet, the
    porn URLs would still re-appear in the root folder, and so would the
    userinit line in HijackThis, and Adaware would still cause the system to
    shut down during a full scan.

    After fighting with the bug for a while I thought of trying something
    unusual. I once again removed the userinit line in HijackThis, and then
    immediately powered down the system using the power button override, not
    giving Windows a chance to go through the shutdown process and thus preventing
    the sneaky malware from doing any last-minute housekeeping, which is what I
    suspect was happening. This seemed to do the trick as the userinit.exe
    string stayed gone upon reboot, and so did the porn URLs. Furthermore, I
    could also run Adaware completely without incident, which interestingly
    produced several more spyware files. All porn ad-related trojans, BTW, and I
    found a huge cache of porn ads located in a folder under the
    windows/system32 folder. At first I thought I may have stumbled upon the
    customer's hidden porn stash, but with the way the subfolders were labeled
    and organized, along with several HTML files, web graphics, toolbar button
    graphics, etc., it looked like this was probably a cache of porn pop-up ads
    that were being stored locally and fed to the customer in pop-ups, or
    possibly sent on to other machines on the internet. Whew! Finally got this
    sucker clean and running well. I haven't had a fight with spyware like that
    in quite a while. It was quite refreshing to have one actually put up a
    decent fight. LOL!
    Thor, Jan 3, 2005
    #1
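The checks below are an added example, not part of Thor's post or of any tool he mentions. They cover the three mechanisms the post describes, on a current Windows host: aborting the forced-shutdown timer raised when services.exe dies, inspecting the Winlogon Userinit registry value that HijackThis reports as an F2 entry (the stock value is userinit.exe followed by a trailing comma; every extra comma-separated path is launched at each logon), and listing alternate data streams on files in the root of the system drive. The expected Userinit value is an assumption for a default install; run this in an elevated PowerShell session (3.0 or later for the -Stream parameter).

```powershell
# Added example (not from the original post). Assumes an elevated session and
# a default %SystemRoot% install; adjust $expected if userinit.exe lives elsewhere.

# 1. Abort a pending "system will shut down in 60 seconds" timer so cleanup
#    tools get a chance to finish. Harmless if no shutdown is scheduled.
shutdown.exe /a 2>$null

# 2. Inspect the Winlogon Userinit value that HijackThis shows at the top of
#    its log. Anything beyond the stock entry is executed at every logon.
$key      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = "$env:SystemRoot\system32\userinit.exe,"
$userinit = (Get-ItemProperty -Path $key -Name Userinit).Userinit

if ($userinit -ne $expected) {
    Write-Warning "Userinit is '$userinit' (expected '$expected')"
    # List each launched path and whether the file is actually present.
    $userinit -split ',' | Where-Object { $_.Trim() } | ForEach-Object {
        $exe = $_.Trim()
        '{0}  exists={1}' -f $exe, (Test-Path -LiteralPath $exe)
    }
} else {
    'Userinit value is the stock one.'
}

# 3. Enumerate alternate data streams on files in the system drive root, where
#    the recurring URL files appeared. The unnamed :$DATA stream is normal;
#    Zone.Identifier is a common benign one (download origin). Anything else
#    deserves a look with Get-Content -Stream <name>.
Get-ChildItem -LiteralPath "$env:SystemDrive\" -File -Force |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
```

If the Userinit value keeps reverting after you correct it, something still running is rewriting it; Thor's hard power-off after the edit is one way to deny a resident process its shutdown-time rewrite, and a logon-time comparison against $expected is an easy way to confirm the fix held.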

  2. Thor

    Robert Baer Guest

    Thor wrote:
    >
    > I just had a knock-down drag-out fight with a nasty bit of spyware today.
    > Started out with a Compaq notebook running XP Home with SP2. As soon as XP
    > got fully booted up, a screen would pop up saying that services.exe shut
    > down unexpectedly, and as a result the Windows NT\Authority was shutting
    > down the system in 60 secs to prevent corruption etc. Well I immediately
    > thought "virus" since Mblaster caused a very similar symptom with the RPC
    > flaw. However, the system was running Avast antivirus that was too new to be
    > oblivious to Mblaster. I tried running the system in safe mode, which did
    > allow the system to function without a sudden shutdown message. AHA!
    > Progress, I thought. Well, not really. I configured Avast to do a boot-time
    > full drive scan, and found nothing. I did notice that there were porn URLs
    > showing up in the root directory. I would delete the files, and they would
    > re-appear within seconds. Spyware started to become my #1 suspect. So I
    > installed Adaware first, and tried to do a full system scan. This immediately
    > resulted in another "system will shut down in 60 secs" message as soon as
    > Adaware started detecting rogue processes. At that point all you can do is
    > let it shut down and reboot, because the system becomes practically unusable
    > at that point.
    >
    > So I configured Adaware to scan without detecting running processes, and
    > that works, and I find and remove a boatload of various and sundry spyware
    > files. Followup scan shows clean. Reboot, and try a regular full scan with
    > process detection, and I still get the "system will shut down" message (and
    > Adaware finds several suspect processes right before that happens). OK,
    > Adaware is evidently useless for this particular critter. ARGH! Next I try
    > HijackThis (all this in safe mode, mind you) and find some items that look
    > suspicious. There are evidently numerous bits of spyware on this system. I had
    > a particular interest in a line at the very top of the list that was
    > evidently hooking into the Windows XP userinit.exe command. I could find no
    > rogue copies of userinit.exe on the system however, only the normal
    > legitimate one and in the right place. Still I saw no reason for that entry
    > to show up in HijackThis in that manner, so I went ahead and removed the
    > startup entry to see the result. I rebooted and did a second sweep with
    > HijackThis and the registry entry returned! Something bad was definitely
    > creeping around on this system. Spybot would run OK, but found absolutely
    > nothing, and neither did SpySweeper or CWSShredder. I then ran AboutBuster
    > because the customer also mentioned that he had an about:blank startup page
    > that kept returning. AboutBuster found several rogue alternate data streams,
    > and got rid of them. A full repeat scan showed no other ADS issues. Yet, the
    > porn URLs would still re-appear in the root folder, and so would the
    > userinit line in HijackThis, and Adaware would still cause the system to
    > shut down during a full scan.
    >
    > After fighting with the bug for a while I thought of trying something
    > unusual. I once again removed the userinit line in HijackThis, and then
    > immediately powered down the system using the power button override, not
    > giving Windows a chance to go through the shutdown process and thus preventing
    > the sneaky malware from doing any last-minute housekeeping, which is what I
    > suspect was happening. This seemed to do the trick as the userinit.exe
    > string stayed gone upon reboot, and so did the porn URLs. Furthermore, I
    > could also run Adaware completely without incident, which interestingly
    > produced several more spyware files. All porn ad-related trojans, BTW, and I
    > found a huge cache of porn ads located in a folder under the
    > windows/system32 folder. At first I thought I may have stumbled upon the
    > customer's hidden porn stash, but with the way the subfolders were labeled
    > and organized, along with several HTML files, web graphics, toolbar button
    > graphics, etc., it looked like this was probably a cache of porn pop-up ads
    > that were being stored locally and fed to the customer in pop-ups, or
    > possibly sent on to other machines on the internet. Whew! Finally got this
    > sucker clean and running well. I haven't had a fight with spyware like that
    > in quite a while. It was quite refreshing to have one actually put up a
    > decent fight. LOL!


    Yes; I have heard that the porn malware is *extremely* nasty, and if
    you had not persisted as well trying all of the tricks, it would have
    been a lost cause.
    I bet 1-7 daze afterwards, the user will be back in the same deep
    dodoo.
    I know of a certain Century 21 real-estate office in California that
    had recurring problems like that, because one of the real estate guys
    would use one of the machines to "get his kicks".
    My friend, who had to clean the mess up weekly, got a bit tired of it
    and quit that office and set up his own shop.
    Robert Baer, Jan 3, 2005
    #2

  3. Thor

    Plato Guest

    Thor wrote:
    >
    > in quite awhile. It was quite refreshing to have one actually put up a
    > decent fight. LOL!


    Grin. I know what you mean. If you're not challenged now and then it can
    get boring. Personally I like finding and removing trojans/viruses that
    aren't in the anti-virus databases yet, i.e. brand new ones.
    Plato, Jan 3, 2005
    #3
  4. Thor

    Plato Guest

    Robert Baer wrote:
    >
    > I bet 1-7 daze afterwards, the user will be back in the same deep
    > dodoo.


    Yep, then they call you to come back and say you never fixed the problem
    or they say "why should I pay you to fix the same thing again?" grin.

    > I know of a certain Century 21 real-estate office in California that
    > had recurring problems like that, because one of the real estate guys
    > would use one of the machines to "get his kicks".
    > My friend, who had to clean the mess up weekly, got a bit tired of it
    > and quit that office and set up his own shop.
    Plato, Jan 3, 2005
    #4
  5. Thor

    HonestJohn Guest

    "Plato" <|@|.|> wrote in message
    news:41d9ae8a$0$70558$...
    > Robert Baer wrote:
    >>
    >> I bet 1-7 daze afterwards, the user will be back in the same
    >> deep
    >> dodoo.

    >
    > Yep, then they call you to come back and say you never fixed the
    > problem
    > or they say "why should I pay you to fix the same thing again?"
    > grin.
    >

    Well, computer repair people in the UK are just above something
    you scrape off your shoe. Maybe it's because there are a great many
    organisations issuing 'qualifications' and certificates of varying
    merit. In fact anyone can set up a PC repair business here. Most
    are rip-off merchants.
    HonestJohn, Jan 3, 2005
    #5
  6. Thor

    Guest

    Wouldn't it have been quicker to just take a hammer to it? (format and
    reinstall WinXP)

    How about a system restore - that restores the homepage and gets rid of
    any plugins, and removes start entries from the registry.
    I had a really vicious bit of broken spyware in the win98 days that
    caused me to be unable to access the web from any browser! After 2
    nights no sleep, I had even tried reinstalling windows over windows.
    In the end (still without sleep) I started to find solutions. One was
    to delete the registry files, then reinstall Windows (since just
    reinstalling Windows didn't replace the registry!!!). That worked. So
    I decided to infect myself again to find a better solution. Turned out
    that it could be fixed in 2 minutes (rather than 2 nights of no sleep)
    with scanreg from dos.

    What I don't like about HijackThis - and maybe they changed it since -
    is that you can't select loads of items at the same time and restore
    them. You have to restore them one at a time.

    I know that fixing it without reinstalling is more of a challenge, but
    there are other more intellectually interesting challenges to do.
    Fixing computers is the least pleasurable challenge to undertake.
    Programming is more fun. Or - I'd rather be investigating the 'kernel
    debugger' option in the XP startup menu. It's also a less stressful
    form of challenge, and less mind numbing.
    , Jan 4, 2005
    #6
  7. Thor

    Thor Guest

    <> wrote in message
    news:...
    > Wouldn't it have been quicker to just take a hammer to it? (format and
    > reinstall WinXP)


    Not really. Too many apps to reinstall, and for some the customer no longer
    has the install CD, so he asked me to do what I could to get it working
    before resorting to that.

    >
    > How about a system restore - that restores the homepage and gets rid of
    > any plugins, and removes start entries from the registry.


    Forgot to mention, System Restore had been disabled by the customer, so no
    restore points to use.

    > I had a really vicious bit of broken spyware in the win98 days that
    > caused me to be unable to access the web from any browser! After 2
    > nights no sleep, I had even tried reinstalling windows over windows.
    > In the end (still without sleep) I started to find solutions. One was
    > to delete the registry files, then reinstall Windows (since just
    > reinstalling Windows didn't replace the registry!!!). That worked. So
    > I decided to infect myself again to find a better solution. Turned out
    > that it could be fixed in 2 minutes (rather than 2 nights of no sleep)
    > with scanreg from dos.


    Yep, and now there are Winsock repair tools for just that problem. Makes it
    even simpler.

    >
    > What I don't like about HijackThis - and maybe they changed it since -
    > is that you can't select loads of items at the same time and restore
    > them. You have to restore them one at a time.


    I've never needed to restore anything with it thus far, so I can't speak to
    that. Regardless, it's an invaluable tool, and it's free, so I can't
    complain.

    >
    > I know that fixing it without reinstalling is more of a challenge, but
    > there are other more intellectually interesting challenges to do.
    > Fixing computers is the least pleasurable challenge to undertake.
    > Programming is more fun. Or - I'd rather be investigating the 'kernel


    Not to me. I enjoy repairing PCs immensely. Programming, OTOH, bores the hell
    out of me. But, to each his own. :)
    Thor, Jan 4, 2005
    #7
