#1 (permalink)
Super Active | Join Date: 21 Feb 2005 | Location: Tropicana~ | Posts: 1,792 | Reputation: 2878 | Rep Power: 35

I had a VERY VERY BAAD experience last night when I connected my USB thumbdrive to my PC. I've been using this thumbdrive to transport my college work and progress to and from college PCs to my home PC. Now, I normally scan my thumbdrive first, but most of the time if it is infected, either Norton or Spyware Doctor will immediately prompt me upon auto-running the thumbdrive that it is infected, yadayadayada. But because I was in a bit of a rush last night, I accidentally opened the USB drive without scanning it first, and as I permanently put my folder settings to view hidden files, I saw two very-obviously-not-my-files, and they're very obviously spyware/worms.

What I didn't expect was that none of the American antivirus / anti-spyware programs could detect or remove it. Worse still, it wasn't just ONE worm, it was several malicious keyloggers, trojans and browser hijackers all packed in one. It spawned into all 5 of my drives!! You wouldn't even believe the number of keylogs it created! I could not even remove any of them; restarting and trying to go into safe mode only ended in getting the blue screen. The virus totally prevented me from going into safe mode.

The reason why none of the American antivirus/spyware products that I have responded to it is because the shit that was in my thumbdrive was written in Chinese and obviously by Chinese!! None of the software even has logs of this spyware/virus on their websites. And the stupidest thing is I happened to get infected by a very new virus that only launched on the 29th or 28th of May. When I googled the names of the viruses, only Chinese websites and forums turned up, and unfortunately for me, I can't bleeding read Chinese if my life depended on it. So I had to use the Alta-Vista Babelfish Translator and try to make sense of the direct and more often than not wrong translations.

Oh, and another thing: it screwed up my time and sent it back to year 1899 or something like that, and it renders the folder option to view hidden files useless. So I can't see any of the hidden files at all. This morning I ran Norton AntiVirus, Spyware Doctor and Lavasoft Ad-Aware and I found that I still had the Trojan viruses (89 hits on Spyware Doctor). I'M GOING NUTS!! I NEED HELP!!!! ARGH!!! Someone translate those instructions from Chinese to English on how to remove these evil things from my precious PC!

The names of the viruses are:
Trojan.PWS.QQRob.V
Trojan.Agent.ABF

mal-Files:
wocfiba.exe
gnkjkrl.exe
__________________ || AMD X2 5000 BE @ 3.1 || 4GB DDR2 || K9N || 9600GT || || 2x320GB WD|| 200GB Maxtor || 1TB WD || 250GB Maxtor || || Dell 2007WFP|| Dell 1707FP || CM5 || VS4121 || |

#2 (permalink)
zynine.com | Join Date: 16 Dec 2002 | Location: Buffalo NY | Posts: 13,496 | Reputation: 2276 | Rep Power: 43

You need to terminate a lot of suspicious processes first, then go through your autorun list to disable lots of suspicious stuff, then run a full system scan. I usually use Sysinternals Autoruns & Process Explorer.

#3 (permalink)
ARP Webmaster | Join Date: 13 Oct 2002 | Location: http://atpeaz.com/ | Posts: 8,595 | Reputation: 1673 | Rep Power: 32

Ouch, this usually sucks. Hmmm. You'd definitely need to go into safe mode and try to kill/delete all the suspicious stuff. You'd also have to explore the registry to remove the suspicious-looking startup apps. It helps to have a notebook or another PC to check the exes listed to see if they are legit or not.

#4 (permalink)
Da Boss | Join Date: 10 Oct 2002 | Location: In front of my ASUS F8V notebook! | Posts: 33,150 | Reputation: 3730 | Rep Power: 78

Hmm.. IMHO, the best way would be to use a SECOND PC, one that's loaded with the latest antivirus definitions. Then use this PC to scan and clean your infected hard drives. Loading your current operating system, even in safe mode, will not help. They will almost certainly still load up. The safest way would be to use another PC to do the cleaning job.

Alternatively, install another hard drive, install a new OS and antivirus software, and then boot up using that hard drive to scan your infected hard drives. The point is to boot up with a clean OS and run updated antivirus software to clean your infected hard drives.
__________________ Dr. Adrian Wong Tech ARP | Blog @ Tech ARP | The Free Trade Zone DYKT : The only offshore account I have is at the sand bank? We need PROGRAMMERS and TECHNICAL WRITERS! Contact us if you are a hot shot programmer or technical writer! My items for sale : 50x SD Card | Memory Stick PRO | Cyclone Energy Saver | Seiko SS watch | Tiger/Carlsberg beer jugs | Travel Speakers | Motorola V600 | Nokia N90 SOLD! | New Lowepro Mini Trekker AW Other items for sale @ the FTZ : Zalman CNPS9500 LED @ $20 | Zalman CNPS7700 Cu @ $20 | Zalman CNPS7000 Cu @ $20 | Swarovski bracelet watches | Dell 17" LCD | Hi-Fi speakers | English DIVX movies | HP LaserJet toners! | Office chairs |

#5 (permalink)
Super Active | Join Date: 21 Feb 2005 | Location: Tropicana~ | Posts: 1,792 | Reputation: 2878 | Rep Power: 35

Problem is, the trojan won't allow you to boot into safe mode. A blue screen will appear once Safe Mode is selected.

#6 (permalink)
I'm a regular | Join Date: 15 Oct 2003 | Location: Penang <> KL | Posts: 294 | Reputation: 2143 | Rep Power: 28

For every attempt to kill it, it will add 30-40 registry entries.. and respawn itself. And this trojan will infect all your drives; it copies an autorun.inf & exe file with hidden attributes. After which it will then mess up your registry so that the "Show or Hide all hidden files" option in XP is disabled. Took an hour and a half to manually delete the registry entries, disable autoplay and run a batch script to kill & force delete the exe file.
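
The autorun.inf mechanism described in post #6, as an added example that is not part of the thread: a Python triage helper that reads a drive root's autorun.inf and lists the programs it would launch, without executing anything. The sample file content and the function names are constructed for illustration; the two .exe names are the ones listed in the first post.

```python
import os
import stat

# Constructed sample; the two file names are the ones the first post lists.
SAMPLE_INF = r"""; constructed autorun.inf for illustration
[AutoRun]
open=wocfiba.exe
kd93lsA
shell\open\Command=wocfiba.exe
shell\explore\command="gnkjkrl.exe" -e
icon=shell32.dll,4
"""

def autorun_targets(text):
    """Return the programs an autorun.inf asks Windows to launch, in order."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        # Skip comments and lines that are not key=value instead of failing.
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        launches = key in ("open", "shellexecute") or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not launches or not value:
            continue
        # Keep only the program path, dropping any arguments.
        program = value.split('"')[1] if value.startswith('"') else value.split()[0]
        if program and program not in targets:
            targets.append(program)
    return targets

def triage_root(root):
    """Describe what a drive root's autorun.inf would launch, without running it."""
    names = {name.lower(): name for name in os.listdir(root)}
    inf = os.path.join(root, names.get("autorun.inf", "autorun.inf"))
    if not os.path.isfile(inf):  # absent, or a directory of that name
        return []
    report = []
    with open(inf, encoding="latin-1") as fh:
        for target in autorun_targets(fh.read()):
            path = os.path.join(root, *target.replace("\\", "/").split("/"))
            exists = os.path.exists(path)
            # st_file_attributes exists only on Windows; elsewhere treat as 0.
            attrs = getattr(os.stat(path), "st_file_attributes", 0) if exists else 0
            report.append({"target": target, "exists": exists,
                           "hidden": bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)})
    return report
```

Run `triage_root` against each drive root from a clean system; a target that exists and is hidden matches the pattern described in post #6.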

#7 (permalink)
Da Boss | Join Date: 10 Oct 2002 | Location: In front of my ASUS F8V notebook! | Posts: 33,150 | Reputation: 3730 | Rep Power: 78

Quote:

#8 (permalink)
Da Boss | Join Date: 10 Oct 2002 | Location: In front of my ASUS F8V notebook! | Posts: 33,150 | Reputation: 3730 | Rep Power: 78

Quote:

#10 (permalink)
Hold me back! I can't stop posting!!! | Join Date: 16 Dec 2002 | Location: Floating Island Of Mandango | Posts: 8,810 | Reputation: 3294 | Rep Power: 48

Ohh.. completely owned. The best is to follow the method suggested by Adrian. Safer..
__________________ my motto: poison first, think later. |