Hit with VERY BAD spyware today and irony involved

MrFace
2[H]4U | Joined: Feb 23, 2003 | Messages: 2,716
I never run antivirus at home...I run antivirus at work.

My work computer is the one that got hit today and I have no idea how. I did not go to any websites other than Microsoft to get another Win7 key. Everything was fine this morning until I stepped away for 20 minutes. I come back and my computer is FUBARED.

Go to google.com, do a search. Every time I click on a link that starts with "go.google.com", I get redirected to something like 64.117.xx.xxx, I forgot the full address.

If I try to run Malwarebytes or SuperAntiSpyware, the apps start and then crash immediately. Likewise, I cannot go to either website; I get forwarded to some fake anti-spyware software site.

Absolutely nothing in my running services, hosts file was untampered, nothing in startup...I couldn't find what the deal was at all.

Searches for people with my problem came up with nothing useful that would help me resolve the issue. So, I had to back up my files and reinstall Windows (installed Win7 this time).

What baffles me is how I got this and that there is little to no information on people experiencing the same issues. My computer was 100% up to date, antivirus was up to date, and I had not gone to any website different than normal; hell, I wasn't even at my computer (which was locked when I'm AFK).

BTW: I'm using the most up to date version of Firefox, I thought it was impervious :rolleyes:
 
Go to google.com, do a search. Every time I click on a link that starts with "go.google.com", I get redirected to something like 64.117.xx.xxx, I forgot the full address.

Had the same issue at work too. Apparently it's a driver that redirects most search engines to the go subdomain. Go to your Device Manager, show hidden devices, and check under Non-Plug and Play Drivers for any driver that has a .sys on the end. Think it starts with Q or V. Disable, not uninstall, the driver. Once it's disabled, restart, then uninstall it.

Once it's gone, try installing Malwarebyte's Anti-Spyware in safe mode. Try running it in safe mode too. Most of the rogue files that it removes that come with this driver are in the System32 directory.
 
Sounds like you got bit by the evil Vundo. Check your system32 directory and sort by date. You'll probably notice DLLs that have been added the last couple days that shouldn't be there.

Google Vundo removal from another machine. It's a pain in the ass to get rid of and if you have an image of your HDD, might be easier and quicker to wipe your drive.
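The two replies above describe the same triage done by hand (look for an unfamiliar hidden .sys driver, then sort System32 by date for new DLLs). As an added example that is not from the thread, this read-only script does both and flags what is worth a second look. It assumes Windows PowerShell 3.0 or later run as Administrator; the 7-day window is a constructed value to set to when the symptoms began.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing.
$cutoff = (Get-Date).AddDays(-7)   # constructed look-back window

function Resolve-DriverPath([string]$PathName) {
    # Win32_SystemDriver reports paths like "\SystemRoot\system32\drivers\x.sys",
    # "system32\drivers\x.sys" or "\??\C:\...": normalise all three to a real path.
    $p = $PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-SignatureStatus([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    # Caveat: many genuine Windows files are catalog-signed and report NotSigned on
    # older systems, so treat this column as a hint to look closer, not as a verdict.
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

# 1. Kernel drivers registered as services (the set Device Manager lists under
#    "Non-Plug and Play Drivers"), kept when unsigned, missing, or recently written.
Write-Host "== Kernel drivers: unsigned, missing, or written after $cutoff =="
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Modified  = if ($item) { $item.LastWriteTime } else { $null }
            Signature = Get-SignatureStatus $path
            Path      = $path
        }
    } |
    Where-Object { $_.Signature -ne 'Valid' -or ($_.Modified -and $_.Modified -gt $cutoff) } |
    Sort-Object Modified -Descending | Format-Table -AutoSize

# 2. What "sort System32 by date" shows: DLL and SYS files written inside the window.
Write-Host "== System32 DLL/SYS files written after $cutoff =="
Get-ChildItem -Path "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers" -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.dll', '.sys' -and $_.LastWriteTime -gt $cutoff } |
    Select-Object Name, LastWriteTime, Length, @{ n = 'Signature'; e = { Get-SignatureStatus $_.FullName } } |
    Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

# A rootkit that hooks the file and service APIs can hide from both lists, so an empty
# result with symptoms still present is a reason to inspect the disk from another machine.
```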
 
BTW: I'm using the most up to date version of Firefox, I thought it was impervious :rolleyes:

As FF has gained momentum, it has also gained attacks. However, I wouldn't necessarily blame FF, as who's to say what the attack vector was.

For the record, no OS, no application, be it Windows or OS X or a distro on Linux is impervious to attack. Period.

Windows gets the bad rep because it is such an overwhelming part of the desktop market that malware devs spend most of their time on it.

If Linux were widely deployed on the desktop I guarantee it would have as many security issues.
 
Had the same issue at work too. Apparently it's a driver that redirects most search engines to the go subdomain. Go to your Device Manager, show hidden devices, and check under Non-Plug and Play Drivers for any driver that has a .sys on the end. Think it starts with Q or V. Disable, not uninstall, the driver. Once it's disabled, restart, then uninstall it.

Once it's gone, try installing Malwarebyte's Anti-Spyware in safe mode. Try running it in safe mode too. Most of the rogue files that it removes that come with this driver are in the System32 directory.

I did not try going into Device Manager. I will keep this in mind. Even in safe mode I could not run any of those apps.

Sounds like you got bit by the evil Vundo. Check your system32 directory and sort by date. You'll probably notice DLLs that have been added the last couple days that shouldn't be there.

Google Vundo removal from another machine. It's a pain in the ass to get rid of and if you have an image of your HDD, might be easier and quicker to wipe your drive.

I did this too but found nothing that was recent :eek:
 
Download Malwarebytes and try to install it. If you already have it installed, then go directly to the mbam.exe, right-click on it and go to Properties. (If you do it from the shortcut it doesn't work.)

Make it run in Windows 2000 Compatibility mode.

For some reason this sometimes allows Malwarebytes to run. From there run the scan and hope that it cleans it all out.
 
You might also want to check your TCP/IP properties. Your DNS server address might be rerouted to a malicious server that's causing all of your redirects. Make sure "Obtain DNS server address automatically" is checked.
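As an added example that is not from the thread, this read-only script shows for each active adapter where its DNS servers come from, which is exactly what the "Obtain DNS server address automatically" radio button controls. It assumes Windows PowerShell 3.0 or later; the private-range pattern is an assumption about where a home or office resolver normally sits, not a rule from the post.

```powershell
# Added example, not code from the thread. Read-only: no settings are changed.
# Resolvers in these ranges are the usual LAN/router case (RFC 1918, link-local, loopback).
$privateDns = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|127\.)'

Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        # The static/automatic choice lives in the per-interface Tcpip key:
        #   NameServer     = servers typed in by hand (non-empty means "use the following")
        #   DhcpNameServer = servers handed out by DHCP
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$($_.SettingID)"
        $reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        $static = @(if ($reg.NameServer)     { $reg.NameServer -split '[, ]+' | Where-Object { $_ } })
        $dhcp   = @(if ($reg.DhcpNameServer) { $reg.DhcpNameServer -split '\s+' | Where-Object { $_ } })
        $inUse  = @($_.DNSServerSearchOrder | Where-Object { $_ })

        $flags = @()
        if ($static.Count -gt 0) { $flags += 'STATIC-DNS' }      # "automatically" is unticked
        foreach ($s in $inUse) {
            # A public resolver is not proof of tampering, but it is the thing to verify
            if ($s -notmatch $privateDns) { $flags += "PUBLIC:$s" }
        }
        if ($dhcp.Count -gt 0 -and $inUse.Count -gt 0 -and (Compare-Object $dhcp $inUse)) {
            $flags += 'DIFFERS-FROM-DHCP'                          # something overrode the lease
        }

        [pscustomobject]@{
            Adapter   = $_.Description
            Gateway   = ($_.DefaultIPGateway -join ',')
            DnsInUse  = ($inUse -join ',')
            DnsByDhcp = ($dhcp -join ',')
            Flags     = if ($flags) { $flags -join ' ' } else { 'ok' }
        }
    } | Format-Table -AutoSize
```

Only the PC's own adapter settings are inspected; an adapter showing STATIC-DNS or DIFFERS-FROM-DHCP with servers you did not configure is the case the post above is describing.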
 
Download ComboFix, rename it to something like 1combofix1.exe. Close all windows and run it. If it says anything about the repair console, tell it no. Once it's done, update Malwarebytes and do a quick scan.

Should be clean after that.
 
I never run antivirus at home...I run antivirus at work.

My work computer is the one that got hit today and I have no idea how. I did not go to any websites other than Microsoft to get another Win7 key. Everything was fine this morning until I stepped away for 20 minutes. I come back and my computer is FUBARED.

What baffles me is how I got this and that there is little to no information on people experiencing the same issues. My computer was 100% up to date, antivirus was up to date, and I had not gone to any website different than normal; hell, I wasn't even at my computer (which was locked when I'm AFK).

BTW: I'm using the most up to date version of Firefox, I thought it was impervious :rolleyes:

You've mentioned twice that you didn't go to any other sites besides MS and the normal ones you go to.

So what malware riddled site did you go to that Firefox was supposed to be impervious to that infected your system? :p
 