An associate of mine at work asked for my help. He said someone had sent him a link; he clicked on it, and when it got to the site, the site said he didn't have a Microsoft DLL installed and to install it. He said that the second he clicked on it to install it, he realized he had made a huge mistake. The box is pretty horked up. Spyware galore. He asked if I would take a look at it and see if I could get it fixed.
First thing I did was boot it without network access. It has been booting up for about 20 minutes. The processor is pegged, and the disk is spinning like mad. I have been able to get Task Manager up. Let's see what is running and see if we can kill some things to get control of the box back.
Interestingly, as I was watching it churn, a program called WinSpyControl popped up. It looks like a real spyware program. Can't get to it. So going back to killing processes.
With the little I have killed, gescw.exe has percolated to the top. Our first hit. I have also found about a dozen "spyware" programs running. I keep getting pop-ups that there is spyware on the system and I need to click here to install a removal program. Umm, yeah right. Obviously my associate has clicked on these links and installed who knows what.
I have gotten enough things to stop running that I can start Windows Defender. It warns that its virus database is out of date, but I give it a shot. It does not do anything. Try to update the virus definitions and BAM, it can't update. Normal block for the trojan guys.
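As an added example (my own script, not something from the original post), here is the triage I would run on a box like this once Task Manager is usable: list every running process with its image path and Authenticode signature status, so a stray unsigned binary like the one above stands out from the signed Windows and vendor processes, and then check the hosts file for update hostnames pinned to localhost, which is one common way spyware keeps Defender and Windows Update from reaching their servers. The list of watched domains is an assumption for illustration, not something observed on this machine, and the script assumes Windows with PowerShell 3 or later in an elevated console.

```powershell
# Added triage script, not part of the original post. Assumes Windows with
# PowerShell 3+ and an elevated console. The watched domains below are an
# assumption about what a hosts-file block would target, not something
# observed on the box described above.

# 1. Running processes with image path and Authenticode signature status.
#    Unsigned binaries living in Temp or Application Data are the first
#    thing to look at when the CPU is pegged by something unfamiliar.
function Get-ProcessTriage {
    Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.ExecutablePath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID       = $_.ProcessId
                Name      = $_.Name
                Path      = $_.ExecutablePath
                Signature = if ($sig) { $sig.Status } else { 'Unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        } |
        Sort-Object Signature, Path
}

# 2. Hosts-file check. Entries that map update or AV-vendor hostnames to
#    127.0.0.1 (or anything else) are a classic way to break definition
#    updates without touching the AV product itself.
function Get-HostsFileBlocks {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        # Assumed watch list; extend with whatever vendor the box cannot reach.
        [string[]]$WatchDomains = @('microsoft.com', 'windowsupdate.com', 'update.microsoft.com',
                                    'pandasoftware.com', 'safer-networking.org')
    )
    Get-Content $HostsPath |
        Where-Object { $_ -match '^\s*[^#\s]' } |          # skip comments and blank lines
        ForEach-Object {
            $fields = @(($_ -split '\s+') | Where-Object { $_ })
            if ($fields.Count -lt 2) { return }              # address with no hostname
            $ip = $fields[0]
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                if ($name -like '#*') { break }              # trailing comment
                $hit = $WatchDomains | Where-Object { $name -like "*$_" }
                if ($hit) {
                    [pscustomobject]@{ IP = $ip; Host = $name; Matched = ($hit -join ',') }
                }
            }
        }
}

Get-ProcessTriage   | Format-Table -AutoSize
Get-HostsFileBlocks | Format-Table -AutoSize
```

Anything the second function returns is worth a look regardless of the address it points at; a clean hosts file has no entries for these domains at all. A hosts-file block is only one of several ways an update can be stopped (a proxy setting, a disabled service, or the rootkits the next scan reports are others), so an empty result here does not clear the box.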
Going to www.pandasoftware.com. Their free online scanner has started and is running. It found 14 pieces of spyware, which it was able to remove. It said there are 6 rootkits that it can't remove.
I tried to run Defender again. It can't update its virus definitions. I found this link and tried it. Still no luck getting Defender to run.
It has been a few years since I have had to help someone out in this situation. I just remembered one of the best programs is Spybot. I have downloaded it and am running it. It is finding all sorts of nice stuff. 51 things, to be exact. It has removed all but one of them. The last one is running in memory, and Spybot suggests a reboot to get it. Rebooting. Spybot ran another scan on reboot. It did not find anything. Things are starting to look better.
The system is up and running at this point and usable. I still can't get Windows Defender updates or Windows Update to run. I don't trust it. I am giving it back to my coworker so he can get his files off, and then we will wipe the drive and start over.