IWETHEY v. 0.3.0
Couldn't clean this one . . .
Got in a Windows XP machine just dripping with trojan downloaders. Cleaned it up but there was one infection left that kept doing audio pop-ups and a visual pop-up from the desktop.

Tried every scanner and analyzer I could get my hands on but none could find anything at all, even when the pop-ups were active. Did a repair reinstall of Windows XP and updates from Microsoft - no effect, but I watched as the scum ordered a new download of Macromedia Flash and then started playing audio pop-up ads for a casino.

I booted to the recovery console, renamed the Windows directory to Zindows and did a full reinstall to get rid of the bastard. Had one hell of a time getting the Flash player deleted from the Zindows directory structure - don't think that's normal but it fought tooth and nail to stay.

Anyway, this whole Windows scumware situation is getting completely intolerable. There's now so much money behind scumware the perpetrators can hire the best programmers and as many of them as they want.
[link|http://www.aaxnet.com|AAx]
I don't even bother cleaning any more.
I just back up any documents to CD or over the network, then blast the entire drive away and reload. It's quicker, and my blood pressure stays lower.

Of course, I always leave a partition big enough to dump a ghost image of the software state when I'm done reinstalling the apps, before I restore data files. This way, the next time it gets hosed, I can just roll back to that point and continue on.
When somebody asks you to trade your freedoms for security, it isn't your security they're talking about.
Where is the tipping point?
Without being facetious, isn't it just easier (i.e. quicker and cheaper) to recover the user's data and wipe the box?


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
He services multiple small business clients.
I ASSUME that there are many systems he is partially responsible for. Years of end-users doing crap with them, no such thing as a standard system.


So the client says: Fix THAT box.
I know what he does.
Which is why I asked the question.


Peter
[link|http://www.no2id.net/|Don't Let The Terrorists Win]
[link|http://www.kuro5hin.org|There is no K5 Cabal]
[link|http://guildenstern.dyndns.org|Home]
Use P2P for legitimate purposes!
That depends.
In no case have I had to wipe data, but as in this case I sometimes have to wipe Windows which can mean hours of software reinstallation and sometimes it is not possible to find the original media which makes for more difficulties.

If it's something new I haven't seen before I'll spend quite a few hours trying to beat it. I probably spent 10 hours on this machine. This is a "continuing education" cost and if I can beat it, it'll be easy next time. Very seldom have I had to call it quits.

If a machine is absurdly infected (many home computers) I'll just wipe Windows right then and there. If it's a business machine it's usually not that bad - unless, as in this case, it's been used to play music.


If I do a machine in the field, which I strongly discourage, I charge by the hour. If it's brought to the shop I charge a flat fee which may be anywhere from $40 to $160 depending on severity. If I pick up and deliver there's a travel charge. Any work for reinstalling software, setting up the network, etc. is hourly. It can get pretty expensive.

The Los Angeles Times did an article a few months back about people who no longer use the Internet because they can't afford the cost of cleaning out the scum. Apparently the stores around here charge about $300 to $350 to just wipe the disk and reinstall Windows - all data lost.
[link|http://www.aaxnet.com|AAx]
I was shocked when I heard that...
stores around here charge about $300 to $350 to just wipe the disk and reinstall Windows - all data lost.

and this isn't the first time I've heard it. I met a guy last summer who has a full time job as a baker. He has a side business cleaning up Windows infested machines. He charges $300 per machine to pickup, clean and deliver. He makes more money than at his "real" job. Sheesh.
Have fun,
Carl Forde
Did you try using Ewido?
I talked about it [link|http://z.iwethey.org/forums/render/content/show?contentid=247425|here]. That was my only experience in cleaning crap out, but I was impressed.
Alex

When fascism comes to America, it'll be wrapped in a flag and carrying a cross. -- Sinclair Lewis
No, I'll look at it next time around.
The tool that found the most stuff was AVG Pro (the "paid" version of AVG Antivirus) but it didn't find that one item nobody else could find.
[link|http://www.aaxnet.com|AAx]
Ewido just sold out to AVG . . .
. . and will become part of the AVG Pro scanning engine. As I mentioned, AVG already found more trojans than anything else but they say they'll be able to do better in the future.
[link|http://www.aaxnet.com|AAx]
Since you're here...
What do you know about the malware "Wild Tangent"? Seems my mom's machine got it. It lives in a directory called C:\windows\wt, which is completely invisible (yes, I turned on the "show hidden" and "show system directories", tolerating the Windows nagware that "exposing these directories and files is not a good idea, yadda, yadda, yadda...")

Spybot S&D finds it and attempts to neutralize it, but it keeps coming back, which indicates some kind of stealth object that Spybot cannot find. My main question is, how do you expose the directory so I can nuke it? Also, is there a good freeware/shareware shredder that I can use after I nuke it, to scramble up the leftovers?

[edit: tyops]

thanx-
jb4
"Every Repbulican who wants to defend Bush on [the expansion of Presidential powers], should be forced to say, 'I wouldn't hesitate to see President Hillary Rodham Clinton have the same authority'."
&mdash an unidentified letter writer to Newsweek on the expansion of executive powers under the Bush administration
Edited by jb4 April 20, 2006, 01:11:28 PM EDT
Not Andrew, but...
It seems to be part of a Java game.

[link|http://hoogervorst.freehosting.net/net_wildtangent.htm|Wild Tangent: too bad]. Getting rid of it involves some registry hacking, according to the article. I haven't tried it myself. Caveat emptor.

HTH.

[edit:] Whoops, you asked about deleting the directory. You should be able to do it once the process has been killed. See [link|http://www.pchell.com/support/wildtangent.shtml|this] writeup too.

Cheers,
Scott.
Edited by Another Scott April 20, 2006, 01:35:24 PM EDT
Thanks, Another Scott!
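The procedure the two replies above describe (stop whatever is running out of the directory, then make it visible and delete it) as a Windows XP batch file. This is an added example, not something posted in the thread or taken from either linked writeup; the TARGET path is the one jb4 named, and the `wt*` module pattern is an assumption, since the thread does not give any process or DLL names.

```batch
@echo off
rem Added example, not from the thread: on Windows XP, make a hidden/system
rem directory visible again and remove it once nothing in it is running.
rem TARGET is assumed to be the path named in the thread; change it as needed.
setlocal
set "TARGET=C:\windows\wt"

if not exist "%TARGET%\" (
    echo %TARGET% is not present.
    goto :end
)

rem 1. List everything in it, including entries marked hidden (H) or system (S),
rem    which a plain "dir" and a default Explorer view both leave out.
echo === contents of %TARGET% ===
dir /a /s "%TARGET%"

rem 2. Show processes that have a module loaded whose name starts with "wt"
rem    (assumed pattern). Stop anything listed, with Task Manager or
rem    "taskkill /F /PID n", before going on; open files block the delete.
echo === processes with modules matching wt* ===
tasklist /M wt*

rem 3. Clear read-only, system and hidden on the directory itself and on
rem    everything below it, so Explorer shows it and rmdir is not refused.
attrib -R -S -H "%TARGET%"
attrib -R -S -H "%TARGET%\*" /S /D

rem 4. Remove the tree quietly. This fails for files still held open.
rmdir /S /Q "%TARGET%"

if exist "%TARGET%\" (
    echo %TARGET% is still there: something is probably still holding files open. Stop it and rerun.
) else (
    echo %TARGET% removed.
)
:end
endlocal
```

Run it from a command prompt on an account in the Administrators group. If the directory comes back after a reboot, as Spybot's repeated findings suggest, something outside it is recreating it; the registry entries the linked writeup covers, or a boot from a Knoppix CD as suggested below, are the next things to look at.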
That's the ticket. If she's still having trouble with it, I'll know how to kill it. Great link!
jb4
"Every Repbulican who wants to defend Bush on [the expansion of Presidential powers], should be forced to say, 'I wouldn't hesitate to see President Hillary Rodham Clinton have the same authority'."
&mdash an unidentified letter writer to Newsweek on the expansion of executive powers under the Bush administration
Can you boot with knoppix and access it that way?
Didn't try...
...she's in FL; I was there visiting my dad after his stroke, and spent most of the time there fixing up their 'puters. Didn't have my Knoppix disk there...and now I'm back up here in Chi-town.
jb4
"Every Repbulican who wants to defend Bush on [the expansion of Presidential powers], should be forced to say, 'I wouldn't hesitate to see President Hillary Rodham Clinton have the same authority'."
&mdash an unidentified letter writer to Newsweek on the expansion of executive powers under the Bush administration
Might have come in as part of AOL IM.
Version 5.5 included it in the install.

[link|http://www.pcmag.com/article2/0,1759,1601598,00.asp|http://www.pcmag.com...59,1601598,00.asp]

From [link|http://www.dslreports.com/shownews/39958|http://www.dslreports.com/shownews/39958]

Yes many people have, and I think the consensus is that it isn't doing anything other than sending usage statistics that are pertinent to their games. Which is listed in their licensing agreement

However, I think what keeps WT listed as spyware is that:

1. a long time ago they hid a text file deep in its directory structure (somewhere where most people wouldn't look) that explained what it collected. While it seemed honest, people wondered why it was hidden. It was a dumb decision on WT's part.

and

2. It apparently is installed with AIM, without telling anyone or allowing them to view the licensing agreement. Another dumb decision on both WT's and AOL's part.

Finally I think that over the past few years the label of spyware has been expanded to mean Adware as well. Spyware originally meant software that sent back statistics that wasn't up front about what they were doing, meaning that as long as they told you they were going to do it and gave you the option to not install the software, then it wasn't spyware. Now it seems any software that sends back statistics at all is considered spyware. Hell, even software that has the audacity to include an autoupdate feature is considered spyware now.
When somebody asks you to trade your freedoms for security, it isn't your security they're talking about.
Explains why...
...it's on my mom's computer and not on my dad's (my mom downloaded AOL's IM, for reasons that are not entirely clear...). Thanx, Thane.
jb4
"Every Repbulican who wants to defend Bush on [the expansion of Presidential powers], should be forced to say, 'I wouldn't hesitate to see President Hillary Rodham Clinton have the same authority'."
&mdash an unidentified letter writer to Newsweek on the expansion of executive powers under the Bush administration
ICLRPD (new thread)
Created as new thread #252804 titled [link|/forums/render/content/show?contentid=252804|ICLRPD]
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
OT: Check the mdash in your sig
Needs a trailing semi-colon.
===

Purveyor of Doc Hope's [link|http://DocHope.com|fresh-baked dog biscuits and pet treats].
[link|http://DocHope.com|http://DocHope.com]
erm...huh? Oh....I see now...
Funny, it rendered OK...more magic from our resident ad-ministers who can probably cure a common cold if they felt particularly charitable one day.

(The funny thing is that nobody noticed the tyop on the second word....)

Thanx, drook
jb4
"Every Repbulican who wants to defend Bush on [the expansion of Presidential powers], should be forced to say, 'I wouldn't hesitate to see President Hillary Rodham Clinton have the same authority'."
&mdash an unidentified letter writer to Newsweek on the expansion of executive powers under the Bush administration
It's just that we know all Repo's are
fscked up!

LOL!
Amy

Stop looking at my signature!
Edited by imqwerky April 20, 2006, 04:00:39 PM EDT
It's not that...
It's just that they don't fsck enough...

Imric's Tips for Living
  • Paranoia Is a Survival Trait
  • Pessimists are never disappointed - but sometimes, if they are very lucky, they can be pleasantly surprised...
  • Even though everyone is out to get you, it doesn't matter unless you let them win.


Nothing is as simple as it seems in the beginning,
As hopeless as it seems in the middle,
Or as finished as it seems in the end.
I see it less lately, but . . .
. . the versions I have encountered so far seem to uninstall cleanly from Install / Uninstall programs. Next time I'll have a more detailed look to see if there's any lingering stuff.
[link|http://www.aaxnet.com|AAx]
     Couldn't clean this one . . . - (Andrew Grygus) - (22)
         I don't even bother cleaning any more. - (inthane-chan)
         Where is the tipping point? - (pwhysall) - (4)
             He services multiple small business clients. - (broomberg) - (1)
                 I know what he does. - (pwhysall)
             That depends. - (Andrew Grygus) - (1)
                 I was shocked when I heard that... - (cforde)
         Did you try using Ewido? - (a6l6e6x) - (2)
             No, I'll look at it next time around. - (Andrew Grygus) - (1)
                 Ewido just sold out to AVG . . . - (Andrew Grygus)
         Since you're here... - (jb4) - (12)
             Not Andrew, but... - (Another Scott) - (1)
                 Thanks, Another Scott! - (jb4)
             Can you boot with knoppix and access it that way? -NT - (broomberg) - (1)
                 Didn't try... - (jb4)
             Might have come in as part of AOL IM. - (inthane-chan) - (6)
                 Explains why... - (jb4) - (5)
                     ICLRPD (new thread) - (drewk)
                     OT: Check the mdash in your sig - (drewk) - (3)
                         erm...huh? Oh....I see now... - (jb4) - (2)
                             It's just that we know all Repo's are - (imqwerky) - (1)
                                 It's not that... - (imric)
             I see it less lately, but . . . - (Andrew Grygus)