Author Topic: Malware that renames itself on reboot  (Read 3428 times)

Offline jjans (Topic starter)

  • Full Member
  • ***
  • Join Date: Aug 2003
  • Posts: 241
Malware that renames itself on reboot
« on: November 24, 2004, 03:44:06 AM »
I am trying to get rid of some vicious spyware on a buddy's PC, running Windows ME, that was infected with over 300 viruses that I removed with AVG (Grisoft), and with over 400 malware/spyware items detected by both SpyBot and Ad-Aware. The kids love to download all the freeware, play online Java games, and download music, and naturally there was no firewall, virus, or anti-spyware protection installed.

Ad-Aware chokes during the attempted deletion of detected critical objects, and Spybot's resident IE monitoring gives constant warning prompts (1 per minute on average) about redirection/browser web page changes to constantly changing addresses, e.g. http:// www .nuwprnbyqrybznfdkaarbuwpx. net/ (spaces added to the address to disable the hyperlink).

I was able to track one of the little buggers to WINDOWS\TEMP\ and found a 240 KB executable called oozwexsb.exe, and a library called ladHide.dll (16 KB). Both of these little buggers could not be deleted due to the "the specified file is being used by Windows" message.

So I rebooted to Safe-Mode, and was able to successfully delete the file and the dll.

However, on each reboot the exe and dll are recopied from somewhere (??) back to the WINDOWS\TEMP folder, and the exe renames itself.

Anyone else encountered these little riggin's?

The interesting question is how do I get rid of them (aside from a flame thrower...).

I do have the OS restore CD (if need be), but am not yet able to declare defeat by re-formatting the drive.
"Most Xenonites fly imports. Unfortunately yours is a domestic model. Don't be surprised if the gears work in reverse" - Volhaul's Revenge: Close Encounters of the Sludge Kind.

GVP A530, VXL 30/32, Supra 500XP, A590, A1000.
 

Offline Ilwrath

Re: Malware that renames itself on reboot
« Reply #1 on: November 24, 2004, 05:17:09 AM »
I've actually been quite impressed by the scanning capabilities of a program called "GIANT Anti-Spyware."  It recently got a good review from Gibson's site.  (Not that Gibson's site is exactly the end-all of honesty and disclosure, but it's usually an interesting place to glance over.)

Anyhow, I'd never heard of "GIANT" software before, so I decided to see what it was all about on a friend's hosed up PC earlier today.  After a couple runs through with the free download version, the machine was quite a bit better off.  I don't know if I'd bother to buy it, but for a quick clean-up it seemed to fare quite well.

http://www.giantcompany.com/
 

Offline jjans (Topic starter)

  • Full Member
  • ***
  • Join Date: Aug 2003
  • Posts: 241
Re: Malware that renames itself on reboot
« Reply #2 on: November 24, 2004, 05:35:48 AM »
@Ilwrath: Thanks for the tip. I'll give it a go.

BTW: Research of ladHide.dll (16 KB) pointed to BackWeb (an auto-update program bundled with HP) as a possible variant of spyware. The program is not needed since Windows Update is already on MSN, and there are articles critical of its resource usage and privacy concerns (see: http://www.pestpatrol.com/PestInfo/B/Backweb.asp and http://forums.techguy.org/archive/index.php/t-183700.html).

Not sure what the other one is yet...
"Most Xenonites fly imports. Unfortunately yours is a domestic model. Don't be surprised if the gears work in reverse" - Volhaul's Revenge: Close Encounters of the Sludge Kind.

GVP A530, VXL 30/32, Supra 500XP, A590, A1000.
 

Offline ShadesOfGrey

  • Sr. Member
  • ****
  • Join Date: Mar 2002
  • Posts: 303
Re: Malware that renames itself on reboot
« Reply #3 on: November 24, 2004, 05:40:10 AM »
Most likely you have another trojan horse that's running during Windows startup.  You might want to take a look at HijackThis; it pretty much shows you all the stuff that's being started at startup (plus it has some basic browser hijack prevention).  Keep in mind that this app lists all 'startup' programs, the good (legit) as well as the bad.  But usually it's pretty easy to determine what's legit and what's not...  You can also try using MSConfig (run "MSCONFIG" from the Run dialog or the command prompt), which can disable many of the items that run at startup.

Also, take a look at SpyWareBlaster...  It's a spyware blocker, not a scanner...  Think of it in terms of SpyBot's Immunization.  Anyway, it catches something that SpyBot doesn't...  In fact SpyBot's author recommends SpyWareBlaster as a supplementary tool.

Beyond that, given your friend's situation (using Windows, and ME at that), I'd recommend a dual boot system.  One boot for potentially dangerous surfing and the other for serious work.
Unless otherwise explicitly stated, this message is not meant to affirm nor deny, defend nor offend any faction within the 'Amiga' Community.
 

Offline adz

  • Knight of the Sock
  • Hero Member
  • *****
  • Join Date: Aug 2003
  • Posts: 2961
Re: Malware that renames itself on reboot
« Reply #4 on: November 24, 2004, 05:43:21 AM »
You might also want to have a look at CWShredder as well. In the end it is probably better to "format c: /u" and start again.
 

Offline ShadesOfGrey

  • Sr. Member
  • ****
  • Join Date: Mar 2002
  • Posts: 303
Re: Malware that renames itself on reboot
« Reply #5 on: November 24, 2004, 05:49:58 AM »
Kill BackWeb!!!  Not only is it Corporate Spyware, it's Corporate Spyware at its worst.  It's buggy, resource hungry, and I've never seen it actually do what it claims to.  For example, my brother has a Logitech MX wireless mouse and the driver update software is BackWeb based.  Even when manually forcing the software to check for updates it never finds any, so he or I have to go to Logitech's web site to d/l driver updates instead.

Now I remove or block all BackWeb software.
Unless otherwise explicitly stated, this message is not meant to affirm nor deny, defend nor offend any faction within the 'Amiga' Community.
 

Offline ShadesOfGrey

  • Sr. Member
  • ****
  • Join Date: Mar 2002
  • Posts: 303
Re: Malware that renames itself on reboot
« Reply #6 on: November 24, 2004, 05:51:29 AM »
Quote from adz:
    You might also want to have a look at CWShredder as well. In the end it is probably better to "format c: /u" and start again.


I knew I was forgetting something!!!
Unless otherwise explicitly stated, this message is not meant to affirm nor deny, defend nor offend any faction within the 'Amiga' Community.
 

Offline whabang

  • Hero Member
  • *****
  • Join Date: Mar 2002
  • Posts: 7270
Re: Malware that renames itself on reboot
« Reply #7 on: November 24, 2004, 07:38:37 AM »
Quote from jjans:
    is how do I get rid of them


Run Ad-aware and AVG in Safe-mode. That should do it.
Beating the dead horse since 2002.
 

Offline Ni72ous

  • Sr. Member
  • ****
  • Join Date: Feb 2003
  • Posts: 406
Re: Malware that renames itself on reboot
« Reply #8 on: November 24, 2004, 10:21:21 AM »
Try HijackThis, it's available here.
It will create a log file that you can copy & paste to the above web site; the web site then tells you which registry keys, programs etc. are bad, and it then allows you to delete them.
Ni72ous
 

Offline dbalaski

  • Newbie
  • *
  • Join Date: Nov 2004
  • Posts: 46
    • http://www.rdbms.org
Re: Malware that renames itself on reboot
« Reply #9 on: November 24, 2004, 03:22:06 PM »
Agreed --

I use combinations of things to clean up my computer.
Keep Pest Patrol running all the time, as well as Webroot's Window Washer.   This combination keeps my computer pretty clean.
Here is the suggestion to clean it up

1) Clean all your browsers' caches, etc.
  (I use Window Washer for this)

2) restart your computer in Safe Mode with Networking

3)  run pest-patrol (or spybot search and destroy)
   clean up all objects found

4) then run Lavasoft's Ad-Aware  --  full deep system scan mode.   delete all critical and non-critical items

5) reboot -- back into Safe Mode w/networking
   run steps 3 & 4 again
   if you are still detecting spyware -- then you need to use the tool of last resort --  HijackThis!
HijackThis is a tool that allows you to manually go through each startup entry  -- and clean it up.   My advice here is be careful and do not assume anything.
Some of these malicious programs clone themselves with legit program names and place startup entries for them (but note that their location and ordering sequence are different).
DOUBLE CHECK EVERYTHING.

reboot and cross your fingers.


--------------------------------

General notes:
1) Don't accept or download any toolbar  (BHO entry )
   great delivery mechanism for this crap
2) Change your default browser to  anything but Internet Exploder (pun intended) -- I prefer Firefox & Netscape myself.

3) If you cannot get the kids a separate computer, then set up a dual boot on your system --
One partition for your kids to use,  one for your use.
At least you can isolate the damage they do .
(A friend at work uses  VMWARE to run a second instance of XP in an isolated window when he browses -- this has worked out very well ) ...


People wonder why I like an Alternative OS --
 Solaris/Linux -- soon maybe OS4   :-D
Solaris 9 mostly laughs at spyware ...
(hoping the same experience will be there with OS4)

anyways good luck

darryl dB
Pick which quote is most appropriate:

The universe is run by the complex interweaving of three elements: energy, matter, and enlightened self-interest.
-or-
Man cannot live on bread alone, often there must be a Beverage (mmmmmmm Beer ) !
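A small triage helper, added here as an example and not part of any post in this thread, that applies the two checks ShadesOfGrey (reply #3) and dbalaski (reply #9) describe: it flags startup entries that run from a temp folder or that use a well-known program name outside its usual folder, and it pairs a file that vanished from WINDOWS\TEMP with a same-sized file that reappeared under a new name after a reboot. The startup entries, directory listings, the "qkrtvmze.exe" name and the KNOWN_HOMES table are all constructed for the example.

```python
import ntpath
# Constructed sample data for this example (not taken from the thread's machine):
# startup entries in the shape a startup lister such as HijackThis or MSConfig
# shows them, as (label, command) pairs.
STARTUP_ENTRIES = [
    ("ScanRegistry", r"C:\WINDOWS\scanregw.exe /autorun"),
    ("SystemTray",   r"C:\WINDOWS\SYSTEM\SysTray.Exe"),
    ("oozwexsb",     r"C:\WINDOWS\TEMP\oozwexsb.exe"),   # the dropper from the post
    ("SysTray",      r"C:\WINDOWS\systray.exe"),         # legit name, wrong folder
]

TEMP_DIRS = {r"c:\windows\temp", r"c:\temp"}
# Assumed home folders of two well-known Windows 9x/ME startup binaries.
KNOWN_HOMES = {"systray.exe": r"c:\windows\system", "scanregw.exe": r"c:\windows"}

def exe_from_command(command):
    """Return the executable path of a Run-style command, dropping its arguments."""
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split()[0]

def flag_startup_entries(entries):
    """Return (label, reason) for entries that deserve a closer look."""
    findings = []
    for label, command in entries:
        exe = exe_from_command(command)
        folder, name = ntpath.split(exe.lower())
        if folder in TEMP_DIRS:
            findings.append((label, "runs from a temp folder: " + exe))
        elif name in KNOWN_HOMES and folder != KNOWN_HOMES[name]:
            findings.append((label, "known name outside its usual folder: " + exe))
    return findings

# Constructed listings of WINDOWS\TEMP before and after a reboot as (name, bytes):
# the executable keeps its size (240 KB) but comes back under a new random name.
TEMP_BEFORE = [("oozwexsb.exe", 245760), ("ladHide.dll", 16384), ("~df1a2b.tmp", 512)]
TEMP_AFTER = [("qkrtvmze.exe", 245760), ("ladHide.dll", 16384), ("~df9c0d.tmp", 2048)]

def match_renamed(before, after):
    """Pair files that vanished with same-sized files that appeared under a new name."""
    before_names, after_names = {n for n, _ in before}, {n for n, _ in after}
    gone = [(n, s) for n, s in before if n not in after_names]
    new = [(n, s) for n, s in after if n not in before_names]
    return [(old, fresh, size) for old, size in gone for fresh, size2 in new if size == size2]

if __name__ == "__main__":
    for label, reason in flag_startup_entries(STARTUP_ENTRIES):
        print(f"[startup] {label}: {reason}")
    for old, fresh, size in match_renamed(TEMP_BEFORE, TEMP_AFTER):
        print(f"[temp] {old} -> {fresh} (same size, {size} bytes)")
```

The size match is only a hint for what to inspect next (the startup entry pointing at the new name, and the companion DLL that keeps its name), not proof by itself.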
 

Offline jjans (Topic starter)

  • Full Member
  • ***
  • Join Date: Aug 2003
  • Posts: 241
Re: Malware that renames itself on reboot
« Reply #10 on: November 25, 2004, 02:47:33 AM »
Great input guys-Thanks! I'll give all suggestions a go.

By the way, how current are Amiga viruses these days? I'm talking OS 3.5 and less on the classics, not OS 4. I haven't heard of any since the days of VirusZ.
"Most Xenonites fly imports. Unfortunately yours is a domestic model. Don't be surprised if the gears work in reverse" - Volhaul's Revenge: Close Encounters of the Sludge Kind.

GVP A530, VXL 30/32, Supra 500XP, A590, A1000.