Unremovable Spyware, Nothing Will Detect It


2 replies to this topic

#1 PancakeofMassDeliciousness

Posted 18 June 2007 - 10:38 AM

Downloaded a supposed 'trainer' for a new game, scanned with AVG and got all clear, clicked file - nothing happened, file magically disappears off desktop.

I knew immediately it was crap I certainly didn't want on my PC. I found exactly what it was the next day when, playing CS:S, I get a freaking pop-up in Internet Explorer that boots me to desktop and crashes my game (while I was in the lead too, no less). Not only would I not have anything open while playing, I haven't used IE in weeks - Firefox is my default browser.

I ran a full scan with AVG 7.5.472 (latest) with the latest definition updates released yesterday, the 17th, and found nothing relevant.
Downloaded and ran Spyware Nuker XT and cleared a few funky cookies and registry entries; it did not find the hook.
Downloaded and ran Windows Defender, completely clean.
Downloaded the newest version of HijackThis (1.99) and didn't find jack except a few questionable cookies, which I deleted, and startup entries, which I checked and are in tip-top shape.

I checked my processes and there was absolutely nothing running that shouldn't have been. I keep a low background process overhead and I'm familiar with everything running on my rig.

I waited till the little bleep popped open another browser window, then ran Process Explorer and found out it's launching IE as a child process under the svchost.exe for DCOM services (DCOM Server Process Launcher). The command line for it is "C:\WINDOWS\system32\svchost -k DcomLaunch" and I checked under my Services administrative tool and that is the real DCOM svchost, not a clone or anything - something is hijacking it and is using it to launch IE.

I think this is a new one, and a clever one at that. I don't know much about XP's svchost calls or how to tell what is calling upon svchost to spawn another process either; any help greatly appreciated. I kept the dropper/install file of the adware in a zip file in case I should send it to be analyzed and added to a database.


MORE INFO about the malicious program.

The pop-ups are not entirely random and will often display the same thing. Occasionally it will point IE to a dead link whose URL looks a lot like it's trying to report back to a machine regarding my information; I definitely recognize that it's trying to send some type of information because of the URL format. Also, the machine it's pointing me to doesn't have a domain - just an IP address.

The most interesting thing is, and I think this is very relevant - I say this due to the high frequency of the following pop-up and the nature of the product advertised in the pop-up, as they are obviously the makers of this spyware/adware - it most commonly opens IE and tries to get me to download that fake System Tools spyware scanner bleep and asks me to scan my computer. It always pops up an IE dialog first that tells me my computer is insecure and that I should scan now. I repeat, I DO NOT have System Tools installed on my machine and I have never pressed the scan or installed any components for the scan or anything related to System Tools, so please don't send me the link on how to remove System Tools, as I've already seen it and it will not help.

It will also point me to another program called WinVirusPro 2007 or some crap like that I can't remember exactly.

bleeping bleep bleep bleeeeeeep blepp bleep bleep! So here I am now, anybody have an idea how to squash this thing or what I should do?

Edited by PancakeofMassDeliciousness, 18 June 2007 - 10:39 AM.
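A defender's check for the parent/child relationship the post above describes (an added example, not code from the thread or from BleepingComputer): it walks a constructed process snapshot modelled on what Process Explorer showed, builds each process's ancestry, and flags any browser whose direct parent is a service host such as the DcomLaunch svchost. The snapshot, PIDs, paths and the 198.51.100.7 address are all made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str

# Constructed snapshot modelled on the thread: iexplore.exe parented by the DcomLaunch
# svchost, plus ordinary processes for contrast. PIDs and the IP address are made up.
SNAPSHOT = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(832, 600, "svchost.exe", r"C:\WINDOWS\system32\svchost -k DcomLaunch"),
    Proc(900, 600, "svchost.exe", r"C:\WINDOWS\system32\svchost -k netsvcs"),
    Proc(1200, 4, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(1500, 1200, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(1600, 1500, "firefox.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    Proc(1700, 832, "wmiprvse.exe", r"C:\WINDOWS\system32\wbem\wmiprvse.exe"),  # normal DcomLaunch child
    Proc(1400, 832, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe http://198.51.100.7/"),
]

BROWSERS = {"iexplore.exe", "firefox.exe"}
SERVICE_HOSTS = {"svchost.exe", "services.exe", "lsass.exe"}

def ancestry(snapshot, pid):
    """Image names from the process up to the root; stops on a missing or cyclic ppid."""
    by_pid = {p.pid: p for p in snapshot}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def suspicious_browser_launches(snapshot):
    """Browsers whose direct parent is a service host. A browser the user opened
    descends from explorer.exe; one under svchost/services was started by something else."""
    by_pid = {p.pid: p for p in snapshot}
    findings = []
    for p in snapshot:
        parent = by_pid.get(p.ppid)
        if p.image.lower() in BROWSERS and parent and parent.image.lower() in SERVICE_HOSTS:
            findings.append({"pid": p.pid, "image": p.image, "parent": parent.cmdline or parent.image,
                             "chain": " <- ".join(ancestry(snapshot, p.pid))})
    return findings

for f in suspicious_browser_launches(SNAPSHOT):
    print(f"PID {f['pid']} {f['image']} launched by '{f['parent']}' ({f['chain']})")
```

On a live box the same logic applies to a real snapshot (for example the PID/parent PID columns Process Explorer exports); the flagged parent's command line and the service group in its `-k` argument tell you which host process to investigate for injected code.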


#2 boopme

Posted 18 June 2007 - 09:20 PM

Please try these instructions to remove this. Let us know how you make out or if you've any further questions.
http://www.bleepingcomputer.com/forums/ind...amp;hl=VundoFix

#3 bluecoal

Posted 18 June 2007 - 10:12 PM

After you get the Vundo fixed, you also ought to run a rootkit scan; I used AVG Anti-Rootkit beta.
It was a different type of file, but with the disappearing symptoms like you talked about; I wound up with both problems.

bc