
Got hit by a new spyware: "Pwnage clan and hacks." IT SUCKS


Teddman

Member
Beware of this one, it sucks.

I had just hooked my laptop up to my new wireless network and somehow this wormed its way in. Even though I use Netscape, it got by the blocker somehow, installed, and now launches IE, tons of pop-ups, constant java prompts to download more crap, etc.

Here is a good descriptive blog entry on it:
http://glutter.typepad.com/glutter/2004/08/spyware_problem.html#comments
Whatever this thing is. It’s really nasty. Neither Ad-ware, Search and Destroy and any other spyware busting program out there works on it. Although I have swapped with Mozilla, it is able to open new tabs in that, as well as automatically opens my IE.

It’s called: pwnage Clans And hacks

In order to get rid of it, I have to go into my directory and delete files.

Here is a message board convo about it.

I am trying to follow the directions, but it’s difficult to run anything when browser windows keep popping up and crashing, and your computer is working at crawling speed.

I am very sulky about it, if anyone has any brighter ideas about this. I would so appreciate it.

Anybody heard of this yet? It's a bitch and it seems that Spybot and Ad-Aware don't cover it yet so I have to root it out manually. :(

More info here: Check it out:
http://www.google.com/search?hl=en&ie=UTF-8&q="pwnage+clan+and+hacks"&btnG=Google+Search
 

Nikashi

Banned
I think I can fix this..

Go download the newest Hijackthis (http://www.thatcomputerguy.us/downloads-cat4.html) and then close all other windows, install the program into its own folder, and run it.

Run the program by clicking 'Scan', and look for these entries:

O2 - BHO: (no name) - {4DAF3751-C612-28C1-8050-64550DA77B49} - C:\WINDOWS\System32\trss.dll
O4 - HKLM\..\Run: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] windowsu.exe
O4 - HKLM\..\RunServices: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] windowsu.exe
O4 - HKCU\..\Run: [Microsoft UMA Update] MSuma32.exe
O4 - HKCU\..\Run: [WindowsRegKey update] svchostc.exe

And check them all, then click "Fix Checked"


Next, reboot into safe mode, and make sure all hidden and system files are visible. Then find C:\WINDOWS\System32\svchostc.exe (NOT svchost.exe, make sure the c is at the end) and delete it.

Reboot, and do a virus scan, you SHOULD be clean.

(Note, this is for Windows XP, if you don't have XP, send me a PM and we'll see what we can do.)
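
Added example, not part of the original thread or of HijackThis itself: a small Python checker that parses the O2 (browser helper object) and O4 (autorun) lines of a saved HijackThis log and flags the entries named in the post above, plus file names that sit one character away from a real Windows binary, as `svchostc.exe` does with `svchost.exe`. The list of system binaries, the function names and the two benign log lines are assumptions made for the illustration.

```python
import re

# Indicators copied from the HijackThis entries listed in the post above.
KNOWN_BAD_FILES = {"trss.dll", "msuma32.exe", "svchostc.exe", "windowsu.exe"}
KNOWN_BAD_CLSIDS = {"{4DAF3751-C612-28C1-8050-64550DA77B49}"}
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "explorer.exe"}  # assumed list

O2_RE = re.compile(r"^O2 - BHO: .*? - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[([^\]]*)\] (.+)$")
FILE_RE = re.compile(r'([^\\/"]+\.(?:exe|dll))', re.IGNORECASE)

def one_char_off(a, b):
    """True if deleting one character from the longer name gives the shorter."""
    long, short = (a, b) if len(a) > len(b) else (b, a)
    if len(long) - len(short) != 1:
        return False
    return any(long[:i] + long[i + 1:] == short for i in range(len(long)))

def check_line(line):
    """Return the reasons a HijackThis O2/O4 line looks suspicious (may be empty)."""
    line, reasons = line.strip(), []
    m = O2_RE.match(line) or O4_RE.match(line)
    if not m:
        return reasons  # not an O2/O4 entry, nothing to judge here
    if line.startswith("O2") and m.group(1).upper() in KNOWN_BAD_CLSIDS:
        reasons.append("listed BHO CLSID")
    found = FILE_RE.search(m.group(m.lastindex))  # last group holds the path/command
    name = found.group(1).lower() if found else ""
    if name in KNOWN_BAD_FILES:
        reasons.append("listed file " + name)
    if name not in SYSTEM_NAMES and any(one_char_off(name, s) for s in SYSTEM_NAMES):
        reasons.append("lookalike of a system binary")
    return reasons

def scan(log_text):
    """Map each suspicious log line to its reasons."""
    checked = ((l.strip(), check_line(l)) for l in log_text.splitlines())
    return {line: why for line, why in checked if why}

# Constructed sample log: four lines from the post plus two made-up benign entries.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4DAF3751-C612-28C1-8050-64550DA77B49} - C:\WINDOWS\System32\trss.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Microsoft UMA Update] MSuma32.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] svchostc.exe
O4 - HKCU\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe /min
O4 - HKLM\..\Run: [Microsoft Update Machine] windowsu.exe
"""

print(scan(SAMPLE_LOG))
```

The same run key name can appear under `Run` and `RunServices` in both HKLM and HKCU, so every flagged line has to be cleared, not just the first one found.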
 

Teddman

Member
Thanks a lot, Nikashi. It seems that "pwnage" is a program that is in turn a matchmaker for spyware--it managed to get a load of usual suspects like VX2, Itbar or whatever, etc. onto my laptop. Ad Aware found almost 200 critical entries! There were also a ton of bogus sites in my "trusted hosts" listing in IE and the homepage there was hijacked (I don't usually use IE).

I fixed most of them with Ad Aware, and will run it again in safe mode to try and zap the remaining suspects, then I'll also run Spybot in safe mode. After that, I'll hit up any survivors with your list using Hijack This.

Any ideas on how I can prevent anything like this from happening again? I didn't even download anything this time by accident that I could tell, it just started when I loaded up Netscape. I did do some bandwidth speed tests at various places to check my wireless connection, but they all seemed trustworthy. Next time I booted up the laptop and loaded Netscape it happened.

Already I've disabled Microsoft Messenger, gotten the latest Windows critical update, and will probably enable the WinXP built-in firewall. Any other suggestions?
 

Nikashi

Banned
I think just keeping your firewall up should be enough. But I HIGHLY recommend you do HijackThis first... think of it as taking out the monster generator in Gauntlet before you take out the monsters :)


Also, unless you're running SP2, go and get ZoneAlarm NOW. But make sure it's 4.5 and NOT 5.0, 5.0 has a TON of bad issues with P2P. It's also freeware (with a Pro version you can pay for but you don't need it). Also, don't upgrade it, because it will upgrade to 5.0 with said p2p issues.
 

Teddman

Member
Right on, I'll do Hijack This first. Doesn't need to be in safe mode when I run it?

Zone Alarm 4.5, good tip. Do I need an active spyware preventer like Spyware Blaster? Or is reactive stuff like Adaware good enough?

I'm so taken aback by this, I have gone to all dark corners of the web with my desktop and rarely had a problem (and that's WinME with practically no security measures in place). Are there any more risks associated with wireless internet? Maybe it's just that the laptop is XP. Thanks!
 

Nikashi

Banned
Hijack this should NOT be run in safe mode, find the problems, fix them, THEN boot to safe mode so you can delete the svchostc.exe file (Like I said, if you see different stuff on your HijackThis entries, let me know and we'll go from there)

SOFTWARE YOU SHOULD HAVE:

A good AV, Norton, AVG, whatever you wanna use, most of them will do the job okay, although I personally recommend Norton from personal experience.

Spybot Search and Destroy - Awesome spyware program, catches some things that AdAware doesn't.

AdAware - You seem to have this already so good.

Zone Alarm 4.5 - Will log all connections to your PC. Once you have it running go check http://www.grc.com for something called "Shields Up" that will perform a port scan on you. With ZoneAlarm, you should be either completely secure, or the PnP port might be open, which is no biggie. You do have to give programs access to connect to the net, but this is accomplished with a dialog box that pops up when a program runs for the first time (or after you change that program).
 

andthebeatgoeson

Junior Member
Nikashi said:
I think just keeping your firewall up should be enough. But I HIGHLY recommend you do HijackThis first... think of it as taking out the monster generator in Gauntlet before you take out the monsters :)


Also, unless you're running SP2, go and get ZoneAlarm NOW. But make sure it's 4.5 and NOT 5.0, 5.0 has a TON of bad issues with P2P. It's also freeware (with a Pro version you can pay for but you don't need it). Also, don't upgrade it, because it will upgrade to 5.0 with said p2p issues.

Oh, fuck, I just upgraded to 5.1, new install. Am I screwed? It's just P2P programs?

Edit: I'm starting to hate knowing so much about computers compared to every lay person. I've fuckin installed spybot, adaware and zonealarm on at least 10 people's computer in the past year and I'm getting tired of trying to get their computer clean. A friend of mine has quite a bit of shit on her computer and she keeps d/l stupid lil games. Then I have to go thru the constant uninstall/update/reboot cycle now cuz she wants weatherbug and BOMBS AWAY!!!VER.3. :\
 
Nikashi said:
SOFTWARE YOU SHOULD HAVE:

A good AV, Norton, AVG, whatever you wanna use, most of them will do the job okay, although I personally recommend Norton from personal experience.
Norton is an awful bloated resource hog. Use either AVG or Symantec Corporate Edition, and stay away from the Norton line of Symantec antivirus programs.
 

Nikashi

Banned
Basically, if you use like BitTorrent with 5.x, it locks up your ENTIRE system. So yeah, downgrade.. it's easy, just uninstall 5, and reinstall 4.5
 
When uninstalling 5.X MAKE SURE TO USE ZONEALARM'S UNINSTALL PROGRAM.

When you just let the generic windows program do it (from the control panel's add/remove programs) it doesn't get rid of everything and you'll still have a problem with P2P (and even just connecting to IRC!).

ZA 4.5 is the best.
 

Teddman

Member
Thanks for all the help guys. The Major Geeks spyware forum has some informative stickied FAQ topics that were great too. Spyware and virus free now, with Spybot, Adaware, Hijackthis, Zonealarm at the ready...

It only took like 5-6 hours of work! :)
 

andthebeatgoeson

Junior Member
Teddman said:
It only took like 5-6 hours of work! :)


I love computers. Totally got me away from that waste of time, TV. I'm so much more productive with a computer. Why, look, only a few button presses and I have come up with a funny picture:
silly_faces.jpg
 