Porn bill. Can't get rid of.

Discussion in 'The Lounge - Off Topic' started by Headache, Apr 30, 2007.

  1. Mathematix

    Mathematix Megabyte Poster

    969
    35
    74
    Yep, that's another way as well. I must admit that I find rootkits very scary.
     
    Certifications: BSc(Hons) Comp Sci, BCS Award of Merit
    WIP: Not doing certs. Computer geek.
  2. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    There are good free antispyware removers on the net.
    Spybot Search & Destroy is free and good.
    Ad-Aware is another one.
    HitmanPro is a collection of a number of free tools, run by a script in order.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  3. Leehaa

    Leehaa Gigabyte Poster

    1,648
    21
    91
    Yeah, Hitman Pro's good!
     
    Certifications: MCP, MCDST, ITIL v3, MBCS, others...
    WIP: BSc IT & Computing, RHCE
  4. Fanatical

    Fanatical Byte Poster

    225
    6
    29
    What I think is more worrying is how quickly people came up with the solution. Speaking from experience, are we?! :oops:

    I think I'd rather try all the various free AV and spyware tools before a format and reinstall. Try 3 or 4 different ones and it'll maximise the chance of finding the problem.
     
    Certifications: A+, MCDST
    WIP: MCITP: SA
  5. Raffaz

    Raffaz Kebab Lover Gold Member

    2,976
    56
    184
    Gonna take a look at HitmanPro, never seen it before :)
     
    Certifications: A+, MCP, MCDST, AutoCAD
    WIP: Rennovating my house
  6. Tinus1959

    Tinus1959 Gigabyte Poster

    1,539
    42
    106
    The original site is in Dutch, but with a flag you can switch to English.
     
    Certifications: See my signature
    WIP: MCSD, MCAD, CCNA, CCNP
  7. dmarsh
    Honorary Member 500 Likes Award

    dmarsh Petabyte Poster

    4,305
    503
    259
    Depends on the exact situation: if you want to be 100% sure what's on the computer, a restore from a backup taken before the incident or a complete reinstall is the way to go.

    On the other hand, if you are going to do this, why not have some fun seeing what you can find beforehand? If you disconnect it from the network it should be relatively safe to have a sniff around.

    There are loads of free spyware and malware removal programs.

    AdAware

    AVG

    Windows Defender

    SysInternals - various useful tools: RootkitRevealer, process monitoring, registry scanning etc.

    Get hold of these and burn them to a read only CD.

    There's some pretty devious software out there (esp. rootkits), but some forms of malware are surprisingly basic: it might be doing things like running a process with a name that looks like a Windows process but isn't. It may have written to the run-on-startup part of the registry. Look for clues like this; they will generally lead to filenames and paths. Get all the info you can, then do a search using another computer on the internet.
    This will hopefully tell you the details of the baddie and provide a removal strategy.

    These skills will serve you well when a new virus hits your corporate network and the patch isn't out yet! As for your friend, to be honest it sounds like he will probably break his computer again anyway...
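The manual checks in the post above (the run-on-startup registry locations, and processes wearing a Windows-looking name) scripted as an added example; this is not code from the thread or from any of the tools it names. It is a PowerShell triage script for a box you have already taken off the network: it assumes an elevated prompt on a reasonably current Windows PowerShell, and it only reports, changing nothing. The list of "known" system process names, the edit-distance-one lookalike rule and the temp/profile path heuristic are my choices for illustration, not anything the post specifies.

```powershell
# Added example (not from the thread). Run elevated, machine off the network.
# Reports autostart entries and suspicious process names; deletes nothing.

$psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'   # added by Get-ItemProperty

# --- 1. The "run on startup" parts of the registry ---------------------------
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

"== Autostart entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        # Launching from temp or profile directories is a classic sign; so is a bare name with no path.
        $odd = ($p.Value -match '(?i)\\(temp|tmp|appdata|local settings|application data)\\') -or
               ($p.Value -notmatch '\\')
        [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Odd = $odd }
    }
}

# Winlogon Shell/Userinit are favourite hijack points: anything beyond the defaults is a lead.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe')                         { "Winlogon Shell is: $($wl.Shell)" }
if ($wl.Userinit -notmatch '^[^,]*\\userinit\.exe,?$')    { "Winlogon Userinit is: $($wl.Userinit)" }

# --- 2. Processes wearing a Windows-looking name ------------------------------
function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance; used to spot svch0st / scvhost style lookalikes.
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

# Names that belong to Windows itself and are popular to imitate (my list; extend as needed).
$known = 'svchost','lsass','csrss','smss','winlogon','wininit','services','spoolsv','explorer'

"== Process name checks =="
Get-Process | ForEach-Object {
    $name = $_.ProcessName
    $path = $_.Path   # $null when the process cannot be opened (protected/system processes)
    $reason = $null
    if ($known -contains $name) {
        # The real ones live under %SystemRoot% (system32, SysWOW64, or the root for explorer.exe).
        if ($path -and -not $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $reason = "system process name running from outside $env:SystemRoot"
        }
    } else {
        $near = @($known | Where-Object { (Get-EditDistance $name $_) -le 1 })
        if ($near.Count -gt 0) { $reason = "one character away from: $($near -join ', ')" }
    }
    if ($reason) {
        [pscustomobject]@{ PID = $_.Id; Name = $name; Path = $path; Reason = $reason }
    }
}
```

Every row it prints is a lead, not a verdict: take the filename and path to a clean machine and look them up, as the post says. A process with a $null Path is one the script could not open, which on a healthy system is normal for the protected system processes, so that alone is not a finding.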
     
  8. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,924
    74
    229
    Unless I missed it, no one's mentioned Ewido yet (now under the AVG umbrella). I find that, in conjunction with Ad-Aware and Spybot Search & Destroy, a pretty awesome triumvirate (I demand word-of-the-day for that one!!! :biggrin)

    However, I do agree with the majority of opinion up till now - the risks and timescale of trying to cleanse the system are far outweighed by the simpler option of format and rebuild.


    ...cos yer man does have a backup of key data, doesn't he ?? :biggrin:rolleyes:
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  9. stuPeas

    stuPeas Megabyte Poster

    774
    12
    76
    I've been using Ewido for a couple of years. It was the best free malware/AV I've come across (loads of tools). Since it's gone to AVG I've tried to update it but it asks you to buy. Funnily enough, though, it sometimes STILL outperforms other malware programs I use.
     
    Certifications: C&G Electronic, CIW Associate (v5).
    WIP: CIW (Website Design Manager)
  10. shambles

    shambles Guest

    I can't believe what I'm reading! What are you like? :blink

    Format and re-install is rubbish advice - sorry, it really is...

    And I absolutely agree that compared with some of you people I am an absolute novice, but I just cannot believe you have come up with this as a serious option.

    Whatever was put on his PC is very likely to be an easy removal. If it isn't easy, it may take a little bit of digging around to sort it, but it shouldn't take too long. The chances of it being a rootkit are really slim.

    Starting the computer in Safe Mode to see if the thing runs then is a good move - at least you'll know how deep in it is. msconfig might hold some clues. 'HJT' is good advice. Once you know what you are looking at, you might see what you need to do. Microsoft's 'Process Explorer' is another useful tool for looking at what is running.

    No, hang on, I get it... You Guys! This is a spoof post, isn't it?
     
  11. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Depends on your level of expertise, and the nastiness of the malware.

    I found it interesting that a Microsoft exec said not too long ago that 'nuke and pave' was often the best way to go in today's environment.

    Personally I prefer to try and winkle the nasties out - but sometimes this can take so long that it is quicker to start again.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  12. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    I agree that you should usually try to remove it... but it also depends on whether there's one nasty on there or twenty, or if the one nasty is firmly entrenched in your OS. AV/AS apps are quite poor in removal and cleanup of malware (many defend themselves specifically from the major AV players), but as you already know, you can usually pry them free manually. But not always.

    Have you ever seen a rootkit in action? It's not detectable, normally - it hides itself from the OS so that most AVs can't even see it. You scan for it, and it doesn't look like it's there. Thus, I'd not assume so quickly that the chances it's a rootkit are slim. I had a couple of highly intelligent doctors at my last company get severely infected by rootkits simply from uncontrolled browsing habits.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  13. Jakamoko
    Honorary Member

    Jakamoko On the move again ...

    9,924
    74
    229
    OK :)
     
    Certifications: MCP, A+, Network+
    WIP: Clarity
  14. shambles

    shambles Guest

    All I'm saying really is that the best advice given the information you have (which isn't a great deal) is investigate.

    Whatever is going on will leave a trail to give itself away - even rootkits are detectable if you use the correct procedures, although I agree that under normal circumstances they are invisible to the OS, and can be very difficult to sort out without taking some fairly dramatic action.

    It's interesting that a Microsoft exec would suggest that the nuke option is often the way to go - he'd know, I guess, because it's his company that has put us in this situation, by selling operating systems that are just too easy to break in all sorts of subtle and dangerous ways and need all sorts of things added to them to make them even close to safe for a normal user to rely on...
     
  15. noelg24

    noelg24 Terabyte Poster

    3,334
    26
    139
    Headache, did you ever get to the bottom of this? I think I know what the root of the problem is!!
     
    Certifications: A+
    WIP: my life
  16. Stevie

    Stevie Byte Poster

    118
    1
    20
    Format the PC, partition the C drive to 10GB and keep all important documents on the other drives; then you won't lose anything of importance when you reformat.

    On another note, tell your mate to use the free sites in the future. Well, that's what I've been told people do :)
     
    WIP: A+, Network+, Security+
  17. TheCake

    TheCake Bit Poster

    12
    0
    14
    Sadly, even if you do scan and remove repeatedly you'll never 100% remove a virus/malware infection - from my experience. I work with a lot of different AV solutions and we've tried everything to fix problems like this. I would concur that flatten and rebuild WITH an AV/spyware solution is the best option.

    Prevention is always easier than cure. Education is the key. :)
     
    Certifications: NSE, MOUS
    WIP: CCNA, MCSE, CCA
  18. shambles

    shambles Guest

    I really must be missing something here...

    There is a good chance that the 'porn bill' is a jpg or gif image sitting in a folder somewhere on the PC. The instruction to display the image over the desktop is in the registry. There's a really good chance that finding the name of the image and its location is possible by simply right-clicking on it. You may need to be in Safe Mode to do this, and you may need to kill any malware processes that disable your ability to click. First step would be to delete the image and the folder, probably in Safe Mode, because it will be locked by the running process. Then a search of the registry for keys that share the same name as the image/image folder, and delete. Obviously, you'll make a backup... I would be really surprised if this is going to be difficult. The people who design this sort of trap are bright, but not superhuman!

    I have come across a couple of examples of this kind of problem, and the fix is never too difficult. Usually, the PC will be crawling in other nasties as well...

    Nuke and start again is not a good solution because no matter how much security you add to the system, it will always be vulnerable to this sort of user error. It can take hours and hours to restore a PC by re-installing everything - you'll get it perfectly clean, fix the security, and a week later it will be full of crap again. You can't fix stupidity (both user and microsoft's).

    By attempting a repair, you are increasing your knowledge and building experience - with experience, you might find that it is easier to repair than nuke, and much better for the user's data...

    Or am I really not getting it?
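The walk the post above describes (find the image the desktop is being told to display, find the registry entries that point at it, take a backup before touching anything) as an added PowerShell example; it is not code from the thread. It assumes the nag is painted through the ordinary wallpaper, Active Desktop or wallpaper-policy values, which is where this kind of thing usually lives, and that it is run in Safe Mode as the affected user on a reasonably current Windows. It exports the user hive first and then only reports matches; the actual deletion of the file and its hooks is left to you after reading the output. The backup path under $env:TEMP and the choice of roots to search are mine.

```powershell
# Added example (not from the thread). Run in Safe Mode as the affected user.
# Finds what the desktop is being told to display and every registry value that
# names that file. Reports only; removal is left to you after reading the output.

$psNoise = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

# Values Windows consults when drawing the desktop background: plain wallpaper,
# Active Desktop, and the policy override that pins a wallpaper in place.
$places = @(
    @{ Key = 'HKCU:\Control Panel\Desktop';                                     Name = 'Wallpaper' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General';      Name = 'WallpaperSource' },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General';      Name = 'BackupWallpaper' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'Wallpaper' }
)
# Active Desktop overlays are one subkey per component, each with a Source value.
$comp = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (Test-Path $comp) {
    foreach ($k in Get-ChildItem $comp) { $places += @{ Key = $k.PSPath; Name = 'Source' } }
}

"== What the desktop is told to show =="
$images = @()
foreach ($p in $places) {
    if (-not (Test-Path $p.Key)) { continue }
    $data = (Get-ItemProperty -Path $p.Key -ErrorAction SilentlyContinue).($p.Name)
    if (-not $data) { continue }
    $full = [Environment]::ExpandEnvironmentVariables("$data")
    # Hidden/system attributes on a picture in an odd folder are a giveaway.
    $attr = if (Test-Path -LiteralPath $full) { (Get-Item -LiteralPath $full -Force).Attributes } else { '(file not found)' }
    "$($p.Key) [$($p.Name)] = $full  $attr"
    $images += $full
}

# Policies that stop the user changing the wallpaper back: their presence is itself a clue.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'
if (Test-Path $pol) {
    $v = Get-ItemProperty $pol
    if ($v.NoChangingWallPaper -or $v.NoActiveDesktopChanges) { "Wallpaper-lock policy set under $pol" }
}

# Back up the user hive before any registry editing (path is my choice).
$backup = Join-Path $env:TEMP 'HKCU-before-cleanup.reg'
reg.exe export HKCU $backup /y | Out-Null
"Hive exported to $backup"

function Find-RegistryReferences([string[]]$needles, [string[]]$roots) {
    # Every key or value whose name or data contains one of the image file names.
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($n in $needles) {
                if ($key.PSChildName -eq $n) {
                    [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
                }
            }
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props) { return }
            foreach ($prop in $props.PSObject.Properties) {
                if ($psNoise -contains $prop.Name) { continue }
                $text = "$($prop.Value)"
                foreach ($n in $needles) {
                    if ($text.IndexOf($n, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                        [pscustomobject]@{ Key = $key.Name; Value = $prop.Name; Data = $text }
                    }
                }
            }
        }
    }
}

# Search by file name only; folder names such as "Windows" would flood the output.
$needles = @($images | ForEach-Object { [IO.Path]::GetFileName($_) } | Where-Object { $_ } | Sort-Object -Unique)
if ($needles.Count -eq 0) {
    'No image path found in the usual places; the hijack is using something else.'
} else {
    "== Registry references to: $($needles -join ', ') =="
    Find-RegistryReferences -needles $needles -roots 'HKCU:\', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
}
```

Expect legitimate hits too (the user's own wallpaper, a cached copy under the Themes folder), so read the list before removing anything. Once you are sure, the matching values go with Remove-ItemProperty and the file and its folder with Remove-Item, in that order, so nothing re-creates the entry on the next logon; the .reg export is there if a deletion turns out to be wrong.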
     
  19. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    You get it... and for an isolated bug (or two or three), that's exactly what you'd do. But if there's nasties all over the system, there's likely some *really* evil nasties (rootkits) that aren't detectable... and you're not gonna be able to fix what you can't detect.

    I wouldn't have believed how nasty rootkits were, myself, if I hadn't seen a doctor's PC become heavily infected. Ran a malware check to see what I could see... and the AV software would sorta-kinda *see* the threat (though a file search would come back EMPTY!), and pause while it was figuring out what to do with it or how to deal with it... then move to the next threat without taking any action. So I knew the computer was compromised, but I couldn't do anything about it.

    In an attempt to remove it, I used another AV program... and it didn't even know a threat was present. I even tried a malware remover that was *specifically* designed to remove rootkits... and it found *nothing*. I had no choice but to wipe and reinstall.

    That said, you can't fix stupidity. Whether you clean it manually or nuke/rebuild, an incautious user will simply fill it back up again... as did the doctor in question, when he got his computer back. We then purchased Websense in an attempt to save him from himself (though he wasn't the only offender).
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  20. shambles

    shambles Guest

    I guess the thing with rootkits is that finding them is one thing (I have tried 'RootkitRevealer', 'BlackLight' and a BartPE registry checker - never found a thing, ever... maybe I'm just not seeing them); getting rid of them is another.

    My understanding is that there are two components - the rootkit part which hides the payload, and the payload itself, which might be quite easy to fix if you can see it.

    I think there might be some quite specific fixes for specific rootkits - but I agree - if I thought a rootkit was present, I'd probably want to start again because I don't know enough to make a sensible decision.
     
