Hit with VERY BAD spyware today and irony involved

Discussion in 'Operating Systems' started by MrFace, Jan 12, 2009.

  1. MrFace

    MrFace 2[H]4U

    Messages:
    2,716
    Joined:
    Feb 23, 2003
    I never run antivirus at home...I run antivirus at work.

    My work computer is the one that got hit today and I have no idea how. I did not go to any websites other than Microsoft to get another Win7 key. Everything was fine this morning until I stepped away for 20 minutes. I come back and my computer is FUBARED.

    Go to google.com, do a search. Every time I click on a link that starts with "go.google.com", I get redirected to something like 64.117.xx.xxx, I forgot the full address.

    If I try to run Malwarebytes, SuperAntiSpyware, the apps start and then crash immediately. Likewise, I cannot go to either website, I get forwarded to some fake anti-spyware software site.

    Absolutely nothing in my running services, hosts file was untampered, nothing in startup...I couldn't find what the deal was at all.

    Searches for people with my problem came up with nothing useful that would help me resolve the issue. So, I had to back up my files and reinstall Windows (installed Win7 this time).

    What baffles me is how I got this and that there is little to no information on people experiencing the same issues. My computer was 100% up to date, antivirus was up to date, and I had not gone to any website different than normal, hell I wasn't even at my computer (which was locked when I'm AFK).

    BTW: I'm using the most up to date version of Firefox, I thought it was impervious :rolleyes:
     
  2. Snowknight26

    Snowknight26 [H]ardness Supreme

    Messages:
    4,153
    Joined:
    May 8, 2005
    Had the same issue at work too. Apparently it's a driver that redirects most search engines to the go subdomain. Go to your device manager, show hidden devices, and check under Non-Plug and Play Drivers for any driver that has a .sys on the end. Think it starts with Q or V. Disable, not uninstall, the driver. Once it's disabled, restart, then uninstall it.

    Once it's gone, try installing Malwarebytes' Anti-Spyware in safe mode. Try running it in safe mode too. Most of the rogue files that it removes that come with this driver are in the System32 directory.
     
  3. oscrogo

    oscrogo Limp Gawd

    Messages:
    240
    Joined:
    Nov 3, 2007
    Sounds like you got bit by the evil Vundo. Check your system32 directory and sort by date. You'll probably notice DLLs that have been added the last couple days that shouldn't be there.

    Google Vundo removal from another machine. It's a pain in the ass to get rid of and if you have an image of your HDD, might be easier and quicker to wipe your drive.
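The two manual checks suggested so far, the hidden non-Plug-and-Play driver from Snowknight26's post and the date-sorted look through System32 from oscrogo's post, can be done in one pass from PowerShell. The script below is an added example and not something posted in this thread; it assumes an elevated PowerShell prompt on the suspect machine and only reports, it does not disable or delete anything. `Win32_SystemDriver` is the same list Device Manager shows under "Non-Plug and Play Drivers" once hidden devices are visible, and `-Force` on `Get-ChildItem` pulls in files carrying the hidden or system attribute that Explorer hides by default. Function names and the 3-day window are the example's own choices.

```powershell
# Added example (not from the thread): read-only triage for a suspect kernel driver and
# freshly dropped files in System32. Assumed: elevated PowerShell on the affected machine.

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName uses NT object-manager forms; map them to Win32 paths.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    $p = $p -replace '^\\\?\?\\', ''
    if (-not [System.IO.Path]::IsPathRooted($p)) {        # legacy 'system32\drivers\x.sys' form
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-SignatureStatus {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'FileMissing' }
    # Caveat: on older systems catalog-signed inbox drivers can report NotSigned here,
    # so an entry in the output is a lead to check by hand, not a verdict.
    return (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
}

function Get-SuspectDriver {
    # Drivers registered with the Service Control Manager whose backing .sys file is
    # missing or does not carry a valid Authenticode signature.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State
            StartMode = $_.StartMode
            Path      = $path
            Signature = Get-SignatureStatus $path
        }
    } | Where-Object { $_.Signature -ne 'Valid' } | Sort-Object State, Name
}

function Get-RecentSystem32File {
    # .dll/.sys/.exe files created or modified in the last $Days days under System32 and
    # System32\drivers. -Force includes hidden/system-attributed files.
    param([int]$Days = 3)
    $cutoff = (Get-Date).AddDays(-$Days)
    $dirs = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'System32\drivers'))
    Get-ChildItem -LiteralPath $dirs -File -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in '.dll', '.sys', '.exe') -and ($_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff) } |
        ForEach-Object {
            $hiddenMask = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System
            [pscustomobject]@{
                Path        = $_.FullName
                Created     = $_.CreationTime
                Modified    = $_.LastWriteTime
                HiddenOrSys = [bool]($_.Attributes -band $hiddenMask)
                Signature   = Get-SignatureStatus $_.FullName
            }
        } | Sort-Object Created -Descending
}

"== Drivers without a valid Authenticode signature =="
Get-SuspectDriver | Format-Table -AutoSize
"== System32 files created or modified in the last 3 days =="
Get-RecentSystem32File -Days 3 | Format-Table -AutoSize
```

Read the driver list first: a running driver with no file on disk, or a file that fails signature checking, is exactly the case the posts above describe. The file listing is keyed on both creation and modification time because a dropped file can carry a backdated modification timestamp while its creation time still reflects when it arrived.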
     
  4. heatlesssun

    heatlesssun [H]ard as it Gets

    Messages:
    44,157
    Joined:
    Nov 5, 2005
    As FF has gained momentum, it has also gained attacks. However I wouldn't necessarily blame FF as who's to say what the attack vector was.

    For the record, no OS, no application, be it Windows or OS X or a distro on Linux is impervious to attack. Period.

    Windows gets the bad rep because it is such an overwhelming part of the desktop market that malware devs spend most of their time on it.

    If Linux were widely deployed on the desktop I guarantee it would have as many security issues.
     
  5. MrFace

    MrFace 2[H]4U

    Messages:
    2,716
    Joined:
    Feb 23, 2003
    I did not try going in to Device Manager. I will keep this in mind. Even in safe mode I could not run any of those apps.

    I did this too but found nothing that was recent :eek:
     
  6. Snowknight26

    Snowknight26 [H]ardness Supreme

    Messages:
    4,153
    Joined:
    May 8, 2005
    Sometimes the files are masked as system files. Try unchecking hide protected system files/folders in explorer.
     
  7. LoStMaTt

    LoStMaTt 2[H]4U

    Messages:
    3,182
    Joined:
    Feb 26, 2003
    Download malwarebytes and try to install it. If you already have it installed then go directly to the mbam exe and right click on it and go to properties. (If you do it from the shortcut it doesn't work)

    Make it run in Windows 2000 Compatibility mode.

    For some reason this sometimes allows Malwarebytes to run. From there run the scan and hope that it cleans it all out.
     
  8. Azhar

    Azhar Fixing stupid since 1972

    Messages:
    18,875
    Joined:
    Jan 9, 2001
    You might also want to check your TCP/IP properties. Your DNS server address might be rerouted to a malicious server that's causing all of your redirects. Make sure "Obtain DNS server address automatically" is checked.
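Both places a local redirect can be planted in name resolution, the DNS server list Azhar refers to and the hosts file the original post says was untampered, can be checked from the registry and disk rather than by clicking through the TCP/IP dialog. The script below is an added example and not from this thread; it assumes an elevated PowerShell prompt and only reports. The "Obtain DNS server address automatically" radio button corresponds to the `NameServer` value under each interface key of `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces` (non-empty means a static list is in force and wins over `DhcpNameServer`), and `DataBasePath` under the parent key is where the resolver looks for the hosts file, so the file at the usual path is only meaningful if that value still points there. Function names are the example's own.

```powershell
# Added example (not from the thread): read-only check of the per-interface DNS server
# settings, the hosts-file location, and the hosts-file contents. Assumed: elevated PowerShell.

$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

function Get-StaticDnsSetting {
    # A non-empty NameServer value means "Obtain DNS server address automatically" is off
    # for that interface. A static list on a DHCP interface is not proof of malware, but it
    # is the first thing to account for when every site redirects.
    foreach ($key in Get-ChildItem -Path (Join-Path $tcpip 'Interfaces')) {
        $p = Get-ItemProperty -Path $key.PSPath
        if ($p.NameServer) {
            [pscustomobject]@{
                InterfaceGuid = $key.PSChildName
                DhcpEnabled   = [bool]$p.EnableDHCP
                StaticDns     = $p.NameServer
                DhcpDns       = $p.DhcpNameServer
            }
        }
    }
    # The same value on the Parameters key applies to every interface.
    $g = Get-ItemProperty -Path $tcpip
    if ($g.NameServer) {
        [pscustomobject]@{ InterfaceGuid = '(global)'; DhcpEnabled = $null; StaticDns = $g.NameServer; DhcpDns = $null }
    }
}

function Get-HostsFileLocation {
    # DataBasePath (REG_EXPAND_SZ, expanded by Get-ItemProperty) names the directory that
    # holds 'hosts'. If it has been moved, the copy at the usual path is not the one in use.
    $expected = Join-Path $env:SystemRoot 'System32\drivers\etc'
    $actual   = (Get-ItemProperty -Path $tcpip).DataBasePath
    [pscustomobject]@{
        Expected   = $expected
        Actual     = $actual
        Redirected = [bool]($actual -and ($actual.TrimEnd('\') -ne $expected.TrimEnd('\')))
    }
}

function Get-HostsOverride {
    # Parse the hosts file actually in use, drop comments, and list every mapping other than
    # the plain localhost ones. Entries for update or AV vendor domains are the classic tell.
    param([string]$Directory)
    if (-not $Directory) {
        $loc = Get-HostsFileLocation
        $Directory = if ($loc.Actual) { $loc.Actual } else { $loc.Expected }
    }
    $file = Join-Path $Directory 'hosts'
    if (-not (Test-Path -LiteralPath $file)) { return }
    Get-Content -LiteralPath $file -Force | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }
        $addr = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $isLocalhost = ($addr -in '127.0.0.1', '::1') -and ($name -eq 'localhost')
            if (-not $isLocalhost) {
                [pscustomobject]@{ Address = $addr; Name = $name }
            }
        }
    }
}

"== Interfaces with a static DNS server list =="
Get-StaticDnsSetting | Format-Table -AutoSize
"== Hosts file location =="
Get-HostsFileLocation | Format-List
"== Hosts entries other than localhost =="
Get-HostsOverride | Format-Table -AutoSize
```

If the DNS list is static on an interface that is otherwise on DHCP, compare it with what the DHCP server handed out (`DhcpDns` in the output) before switching the dialog back to automatic; if `Redirected` is true, inspect the hosts file at `Actual` rather than the one you already looked at.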
     
  9. SerpentSix

    SerpentSix [H]Lite

    Messages:
    108
    Joined:
    Jul 22, 2004
    Download Combofix, rename to something like 1combofix1.exe . Close all windows and run it. If it says anything about the repair console tell it no. Once it's done update malwarebytes and do a quick scan.

    Should be clean after that.
     
  10. number69

    number69 [H]ard|Gawd

    Messages:
    1,646
    Joined:
    Jan 8, 2003
    You've mentioned twice that you didn't go to any other sites besides MS and the normal ones you go to.

    So what malware riddled site did you go to that Firefox was supposed to be impervious to that infected your system? :p