Wednesday, January 28, 2009

One last step for the trojan

One last thing: there are two exes in the System32 directory. They look a lot like svchost, but they are small variations and have an .exe ending. Start in Safe Mode and delete these, then use CCleaner to clean up the problems with the registry.

Finally, it looks like I beat this virus!

BEWARE of Spyware Protect 2009

The name of the malicious program I got today was something like Spyware Protector 2009.

This site helped a lot:
http://www.spywarevoid.com/spyware-protect-2009.html

Steps I took to resolve it:

1.) Open regedit and find currentuser > software. You should find two new entries: one should begin with something like an A (sorry, I already deleted it) and another one is something like "protection suite".

Also look in currentuser > software > microsoft > windows > run; there should be an entry for an exe that begins with s. Note the location of the file and delete it.

2.) Open Task Manager and make sure all processes related to the program are stopped.

3.) Edit your hosts file to include:
127.0.0.1 www.swp2009.com
127.0.0.1 www.spyprotect2009.com
127.0.0.1 www.sp-protect2009.com

4.) Go to the file location and delete the files.

I found...

sysguard.exe
ugobamom.dll
Vsizujuzesec.dll

The names appear random, so don't expect them to be the same on your system. I just used date-time stamps to find all the processes added around the same time as the program.

Sorry if this is a little unorganized; I am writing it as I go...

So now I am using Process Explorer to find out what the deal is with those DLLs and how to kill everything using them.

I also did a search in the registry, and under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

I find 3 entries to delete: the first two appear to start the DLLs and the last seems to make Defender hide. So I am deleting those; the names, for reference, are:
Xriwiwoniqi
Wfarawumifora
Windows Defender

Once again, all appear to be random names, and actually I just removed the hide flag from Defender instead of deleting it.

This appears to do it. Let's restart and see.
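The manual checks from this post (Run keys, files added around the infection time, the hosts entries) and the svchost look-alikes from the "one last step" post, as an added read-only PowerShell triage script; this is not the blog author's script or any product's code. It assumes the infection time is passed in as $InfectionTime, and the svchost name patterns are guesses since the post does not give the exact names.

```powershell
# Added example (not the blog author's script): read-only triage that mirrors
# the manual steps above. It reports findings and deletes nothing.
# Assumption: $InfectionTime is when the rogue program appeared on the machine.
param(
    [datetime]$InfectionTime = (Get-Date).AddHours(-2),
    [int]$WindowMinutes = 30
)

# Step 1: autostart entries in the HKCU and HKLM Run keys, where the
# author found sysguard.exe and the random-named DLL loaders registered.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object { "[Run] $key : $($_.Name) = $($_.Value)" }
}

# Step 4 / "one last step": files in System32 created within the window
# around the infection time (the author's date-time-stamp method), plus
# executables whose names are near-misses of svchost.exe.
$sys32 = Join-Path $env:SystemRoot 'System32'
$from  = $InfectionTime.AddMinutes(-$WindowMinutes)
$to    = $InfectionTime.AddMinutes($WindowMinutes)
Get-ChildItem $sys32 -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    Where-Object { $_.CreationTime -ge $from -and $_.CreationTime -le $to } |
    ForEach-Object { "[New file] $($_.FullName) created $($_.CreationTime)" }

# Assumed patterns for the "small variations" the author mentions.
Get-ChildItem $sys32 -File -Filter '*.exe' |
    Where-Object { $_.Name -ne 'svchost.exe' -and $_.BaseName -match 'svch0st|scvhost|svchosts?|svchos$' } |
    ForEach-Object { "[svchost look-alike] $($_.FullName)" }

# Step 3: confirm the three hosts-file sinkhole entries are present.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hosts = Get-Content $hostsPath -ErrorAction SilentlyContinue
foreach ($d in 'www.swp2009.com', 'www.spyprotect2009.com', 'www.sp-protect2009.com') {
    $pattern = '^\s*127\.0\.0\.1\s+' + [regex]::Escape($d) + '\s*$'
    $state = if ($hosts -match $pattern) { 'present' } else { 'MISSING' }
    "[Hosts] $d : $state"
}
```

Run it from an elevated prompt with `-InfectionTime` set to the time the fake scanner first appeared; compare the listed Run entries and new files against the random names noted above before deleting anything.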

Monday, January 5, 2009

Happy New Year Everyone!

Well, today is a big day here in the capital city: our Buckeyes take on the Texas Longhorns. Hopefully this is a good game and OSU wins, but we will see.

Also, I saw a troubling article about how Microsoft plans to lay off 17% of their workforce. I am not sure if this is a sign of the economic times or of Microsoft's failed Vista operating system, but we will see.

Personally, the more I work with Linux and Mac, the more I see that the only way to save Windows is to reimagine it using a Unix/GNU kernel instead of the Win32 kernel.

Hope you all have a great 2009!
