Wholly Spyware

marley1

Supreme [H]ardness
Joined
Jul 18, 2000
Messages
5,447
Anyone else battling with this last week and this week?

Calls from home users and businesses. It's the hard drive one that removes all the desktop and start menu. So far having less than 50% cleanup rate on this. Having to format machines when Combofix and TDS don't run, or can't restore start menu icons.

Lame!
 
> Anyone else battling with this last week and this week?
>
> Calls from home users and businesses. It's the hard drive one that removes all the desktop and start menu. So far having less than 50% cleanup rate on this. Having to format machines when Combofix and TDS don't run, or can't restore start menu icons.
>
> Lame!

ahem, untangle @ home :)
 
Un-hide the user's folders, change the start menu properties to display the desired shortcuts. It usually borks System Restore, but worth a shot. Reliance on 'fix-it' scripts will only get you so far.
 
As I recall, these variants move the shortcuts to a hidden folder buried in the filesystem. There was a utility I found called "unhide.exe" that would scan the system and restore most of the hidden files.
 
Have had tons of 'em over past months...the hard drive one, and Security Fortress 2012.
Using Easeus partition manager to reload the MBR offline...and then TDSS will run, and then mop clean with MWB, and Eset or Panda gets the rest. Haven't had to format one yet.
The new Unhide.exe puts the backed up program menus back. The trojan tucks them into <username>\Local Settings\Temp\smtmp\. Unhide produces a report which gives you details. So DON'T run CCleaner first (or manually blow out that temp directory).
 
On the 2 I ran into at work I found a code you can enter into the spyware that tells it you bought it:
0973467457475070215340537432225
It then un-hides most of your files and allows you to then run MWB etc. Or at least that worked a couple of weeks ago. I assume that they change these things.
 
> On the 2 I ran into at work I found a code you can enter into the spyware that tells it you bought it:
> 0973467457475070215340537432225
> It then un-hides most of your files and allows you to then run MWB etc. Or at least that worked a couple of weeks ago. I assume that they change these things.

I've seen some of those codes around BleepingComputers and other sites.......but always been afraid of entering it and kicking the rogue into a second mode and sinking deeper into the system. I figure just go balls out from the beginning in getting it out of there. Most are hitting systems via MBR now thus keep reloading after reboots. Whack the MBR first, and then hit the usual tools. Just remember...don't whack temp directories first like we used to in the past...because that's where the program files/menu and desktop and documents are now relocated by the rogue. If you whack the temp directory first...you ain't getting them back. Dirty trick by the malware writers eh?
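The cleanup steps above (the rogue hides the user's files and stashes the Start Menu shortcuts under the profile's temp\smtmp\ folder, so you must restore from that folder before anything clears temp) can be scripted. The following is an added example, not a tool from this thread or from Unhide.exe: it copies (never moves) what is in the stash back to a destination you map, clears the Hidden attribute on the restored items and on an existing folder tree, and refuses to proceed when the stash is already gone. The stash subfolder names, the destination paths and the `FILE_ATTRIBUTE_HIDDEN` handling via `ctypes` are assumptions for illustration; the mapping of smtmp subfolders to real Start Menu locations is not given in the thread and must be taken from the Unhide report on the actual machine.

```python
"""Restore shortcuts from a rogue's smtmp stash and clear Hidden attributes.

Added example (not from the thread). Assumed layout: <stash>/<subfolder>/...
mirrors the original folder that the rogue emptied, e.g. a Start Menu tree.
"""
import ctypes
import os
import shutil
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2          # Win32 constant (assumed here for clarity)
INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF


def clear_hidden(path: Path) -> bool:
    """Clear the Hidden attribute on one path. Returns True if it was changed.

    On non-Windows hosts there is no such attribute, so nothing is done.
    """
    if os.name != "nt":
        return False
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = k32.GetFileAttributesW(str(path))
    if attrs == INVALID_FILE_ATTRIBUTES or not attrs & FILE_ATTRIBUTE_HIDDEN:
        return False
    return bool(k32.SetFileAttributesW(str(path), attrs & ~FILE_ATTRIBUTE_HIDDEN))


def clear_hidden_tree(root: Path) -> int:
    """Walk a folder the rogue hid (e.g. the user's Start Menu) and unhide it."""
    root = Path(root)
    if not root.exists():
        return 0
    count = 0
    for p in [root, *root.rglob("*")]:
        if clear_hidden(p):
            count += 1
    return count


def restore_from_stash(stash_dir, mapping, dry_run=True) -> dict:
    """Copy stashed files back to their original locations.

    mapping: {stash subfolder name: destination root}. The stash is the only
    backup that exists, so files are copied, never moved, and existing
    destinations are left alone and counted as skipped.
    """
    report = {"stash_missing": False, "planned": 0,
              "copied": 0, "skipped": 0, "unhidden": 0}
    stash_dir = Path(stash_dir)
    if not stash_dir.is_dir():
        # Temp was already cleared: the shortcuts are gone, do not touch anything.
        report["stash_missing"] = True
        return report
    for sub, dest_root in mapping.items():
        src_root = stash_dir / sub
        if not src_root.is_dir():
            continue
        for src in sorted(src_root.rglob("*")):
            if not src.is_file():
                continue
            dest = Path(dest_root) / src.relative_to(src_root)
            report["planned"] += 1
            if dry_run:
                continue
            if dest.exists():
                report["skipped"] += 1
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)
            report["copied"] += 1
            if clear_hidden(dest):
                report["unhidden"] += 1
    return report


if __name__ == "__main__":
    # Placeholder paths: fill in from the Unhide report on the affected machine.
    profile = Path(os.environ.get("USERPROFILE", "."))
    stash = profile / "Local Settings" / "Temp" / "smtmp"
    mapping = {"1": profile / "Start Menu"}          # assumed subfolder mapping
    print(restore_from_stash(stash, mapping, dry_run=True))
```

Run it with `dry_run=True` first and read the report: a `stash_missing` of True means temp was already emptied and the shortcuts cannot be recovered from this stash, which is exactly the case the posts above warn about.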
 