What to do to clean geekhack trojans out of your computer
- GH1391401
- Location: 'merica
- Main keyboard: Leopold TKL
- Favorite switch: MX Clear
- DT Pro Member: -
First you should verify if you do have an infection. The only real way to do this is to scan your hard drive using some other environment (e.g. a linux live CD and something like ClamAV or a recovery CD like AVG Rescue CD).
- captain
- Main keyboard: main? main? what is main?
- Main mouse: Mickey
- Favorite switch: it's complicated
- DT Pro Member: -
Well, I did find this helpful info pertaining to OSX and *one* particular trojan. I have no idea if this is the one that geekhack was installing, or not.
http://www.ijailbreak.com/how-to/how-to ... jan-virus/
GH1391401 wrote: First you should verify if you do have an infection. The only real way to do this is to scan your hard drive using some other environment (e.g. a linux live CD and something like ClamAV or a recovery CD like AVG Rescue CD).
Can Linux even read an HFS+ (or is Mac OS Extended/Journaled some new format?) partition?
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
Well, specific to geekhack trojans, I would be very surprised if there was anything to clean. My take is this threat has been greatly blown out of proportion by a few folks for their own reasons. Based on my observations and what I read (and looked up in malware databases), whatever affected geekhack didn't permanently "infect" users. Many users probably saw nothing at all, those that did probably saw a redirect to a shady site with no lasting effects, assuming of course that they didn't click on anything there. I did read that for a brief period an old trojan was also on geekhack which could potentially leave stuff to clean up if you were running a really old version of IE but that probably affected few if anyone. And if you're running a really old version of IE this is the least of your problems, you're asking for trouble and going to get it eventually.
Having said that, it's always good to be careful and check. Where I used to work our saying was "in God we trust, everyone else we monitor". When I suspect a real infection, and I've seen some doozies, especially rootkits, I follow the procedure at Malware Removal Guide (incl. spyware, virus, trojan, hijacker) at Major Geeks. I've cleaned three really bad rootkit infections using this procedure and other less serious.
This is assuming you have some version of windows. If you don't have windows, that procedure won't work but also the chances of having any infection is extremely low.
- captain
- Main keyboard: main? main? what is main?
- Main mouse: Mickey
- Favorite switch: it's complicated
- DT Pro Member: -
We don't do windoze here--except for a game machine that only plays a couple of games and runs linux off a separate drive most of the time. :-)
I read one thing somewhere about a Javascript trojan installing to tempspace and sending out keystrokes to the 'net, so I assume that means that removing geekhack from my scriptblocker's whitelist, and rebooting the whole computer to clear out all tempspaces (although I'm not sure about that with Lion now, as the damn BigCat restores all workspaces to the same place they were before... I'm less and less liking Apple since Steve died), I should totally eliminate any threats geekhack may have allowed. But not having the time to follow everything well, I thought it would be good to have a Q&D howto up here.
Also, someone mentioned his Linux systems getting infested, but he didn't clearly state how, or what with, nor how to get rid of the infestation.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
captain wrote: Well, I did find this helpful info pertaining to OSX and *one* particular trojan. I have no idea if this is the one that geekhack was installing, or not.
I have yet to read any solid information indicating that geekhack was installing any trojan.
captain wrote: We don't do windoze here--except for a game machine that only plays a couple of games and runs linux off a separate drive most of the time.
I read one thing somewhere about a Javascript trojan installing to tempspace and sending out keystrokes to the 'net, so I assume that means that removing geekhack from my scriptblocker's whitelist, and rebooting the whole computer to clear out all tempspaces (although I'm not sure about that with Lion now, as the damn BigCat restores all workspaces to the same place they were before... I'm less and less liking Apple since Steve died), I should totally eliminate any threats geekhack may have allowed. But not having the time to follow everything well, I thought it would be good to have a Q&D howto up here.
Also, someone mentioned his Linux systems getting infested, but he didn't clearly state how, or what with, nor how to get rid of the infestation.
Ripster posted a message on deskthority earlier linking to this OCN post which did mention "Javascript trojan installing to tempspace and sending out keystrokes". Others, including myself, have failed to duplicate this. If you read on in that thread, other users indicate they scanned with no unusual results and asked for details on other infections.
So someone posts that they have this terrible trojan that "30 or so other AntiVirus and AntiMalware apps" failed to detect, even though Ripster seemed to have no problem detecting it with Microsoft Security Essentials which is freely available from Microsoft, and that he found it to be sending out keystrokes in a way not described or duplicated by anyone else. As captain states above, none of this is clear as to what was found, how it was found or how to mitigate. Forgive me if I don't bite. This sort of vague nonsense has no place in identifying issues and solving them and in fact is a great distraction.
Ripster is the only one I've seen post any supporting evidence and that turns out to be a minor threat as indicated in the info/links in my reply here.
If anyone has real information indicating this please post the links here, please no baseless paranoid accusations.
- dorkvader
- Main keyboard: Unicomp
- Main mouse: CST 1550
- Favorite switch: Buckling Spring over Capacitave. (Model F)
- DT Pro Member: -
captain wrote: Can Linux even read an HFS+ (or is Mac OS Extended/Journaled some new format?) partition?
Short answer: Yes. (You may run into permissions issues, though. Especially if you want to write.)
Also: How to remove the trojans? Format your HDD and install pinguy OS or something. :p
At work, if a customer comes in with an infected computer, we normally just reload it. I would recommend that "to be sure". Just reload and restore data from the backups you were keeping (make sure the data is from before the infection). I normally reload my computer once every 6 months or so anyway, just "because".
If you want to get rid of the badware, you can maybe do it with one of the tools in this topic.
---
As TexasFlood says: there may not have been anything, so check and see if you have had an infection first.
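The offline check GH1391401 describes at the top of the thread, combined with the HFS+ mount question dorkvader answers here, as an added shell example (not code from any poster): boot a Linux live CD, mount the suspect volume read-only and run ClamAV over it. The device path, filesystem type, mount point and log path are assumed placeholders, and the script assumes root on a live system that has ClamAV installed.

```shell
#!/bin/sh
# Offline scan of a suspect disk from a Linux live CD.
# Added example, not from any poster. Device, filesystem type and paths are
# assumptions; pick the real ones from `lsblk -f` on the machine being checked.
set -eu

# Mount options per filesystem. Every volume is mounted read-only with noexec,
# nodev and nosuid so nothing on the suspect disk can execute, and nothing the
# scan does can alter it. hfsplus is the Linux driver for Mac OS Extended
# (Journaled); it reads the volume but refuses to write a journaled volume,
# which is exactly what we want here. ext3/ext4 get norecovery so the journal
# is not replayed onto the disk during the mount.
mount_opts_for() {
    case "$1" in
        hfsplus|ntfs|ntfs3|vfat) printf 'ro,noexec,nodev,nosuid' ;;
        ext3|ext4)               printf 'ro,noexec,nodev,nosuid,norecovery' ;;
        *) printf 'unsupported filesystem: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Mount DEVICE (of type FSTYPE) at MOUNTPOINT read-only, run a recursive ClamAV
# scan, write the infected-file list to LOGFILE, unmount, and return clamscan's
# own status: 0 clean, 1 something found, 2 scan error.
scan_volume() {
    device=$1; fstype=$2; mountpoint=$3; logfile=$4
    opts=$(mount_opts_for "$fstype") || return 2

    # Refresh signatures first; a stale database misses recent threats.
    freshclam || printf 'warning: signature update failed, using existing database\n' >&2

    mkdir -p "$mountpoint"
    mount -t "$fstype" -o "$opts" "$device" "$mountpoint"

    # Report only infected files; capture the exit status so we still unmount.
    status=0
    clamscan -r -i --log="$logfile" "$mountpoint" || status=$?

    umount "$mountpoint"
    return "$status"
}

# Usage: sh offline_scan.sh /dev/sda2 hfsplus /mnt/suspect /root/clamscan.log
if [ "$#" -eq 4 ]; then
    scan_volume "$@"
fi
```

Run it from the live CD as root against the disk you normally boot from; the log lists every file ClamAV flagged, so you have something concrete to check before deciding whether a reload is needed.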
-
- Location: Ugly American
- Main keyboard: As Long As It is Helvetica
- Main mouse: Mickey
- Favorite switch: Wanna Switch? Well, I Certainly Did!
- DT Pro Member: -
TexasFlood wrote: Ripster is the only one I've seen post any supporting evidence and that turns out to be minor threat as indicated in the info/links in my reply here.
TF and Dork, you believe me now?
SAME thing happened to ME last time!
Very embarrassing!
mkawa wrote: captain, my humble suggestion is to set your computer on fire*
*please don't set your computer on fire, but also please stop freaking out about a non-issue.
Fuck you. You're not the one that had to go through the hassle of recovering stolen accounts and notifying friends wtf is going on.
Oh that's right, You HAVE NO FRIENDS!
And your fucking website looks like THIS!
Www.geekhack.org
Last edited by ripster on 02 Jul 2012, 15:14, edited 2 times in total.
- microsoft windows
- Main keyboard: IBM Model M5-2 Trackball Keyboard
- Main mouse: IBM Model M5-2 Trackball Keyboard
- Favorite switch: Buckling Spring
- DT Pro Member: -
Well, at least I don't have to worry about the trojan since I use 16-bit Windows.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
squarebox wrote: My hotmail have been locked due to spam...
Reformating is the best option in my mind but it's such a pain.
My friends have informed me of my spams.
A quick google shows this to be a fairly common issue with hotmail users.
According to this Windows Live ID Help & How-to, "we temporarily block Windows Live accounts when we detect spam-like activity. This activity could be in email, instant messages, or friend invitations", "your account might be blocked due to an issue on our end—this means that you haven't lost any email, but we'll need to get your account info to resolve the problem".
There is a Windows Live Account Recovery form that I think you'll need to fill out with details of your situation and send it in, find that here.
If you believe that there is a problem on your Windows box, before reformatting why not run a scan? A hotmail problem doesn't necessarily mean there is ANYTHING wrong with your PC so you might be going to a lot of pain for no reason. As I indicated earlier, I have used this malware removal procedure from majorgeeks many times with great success. If you don't feel up to that, at least try a scan with the free Malwarebytes Anti-Malware software and report back with what you see.
ripster wrote: SAME thing happened to ME last time!
Very embarrassing!
TexasFlood wrote: Ripster is the only one I've seen post any supporting evidence and that turns out to be minor threat as indicated in the info/links in my reply here.
TF and Dork, you believe me now?
Do I believe you jump to conclusions? Yes.
- NEBUCHADNEZZAR
- Main keyboard: Unicomp Spacesaver 104
- Main mouse: Razer Deathadder Black edition
- Favorite switch: BS/MX Black/ALPS White
- DT Pro Member: -
The procedure I follow for cleaning/tuning most any infected/slow PC is as follows:
Start your PC in safe mode with networking. (Mash F8 at startup)
Run Malwarebytes full scan (http://www.malwarebytes.org)
Run your AV, full scan. (This may require a reboot in normal mode.) If you don't have an AV, Microsoft Security Essentials is a free, solid choice. (http://www.google.com/url?sa=t&rct=j&q= ... t97ElWNcjA)
Check up on any *serious* infections it finds (cookies don't count). A quick Google search will often yield results on removal tools (Norton sucks, but Symantec's targeted removal tools often are highly effective) or specific removal instructions, and may let you know about any tricks that the infection might pull. (In the past I have thanked myself for checking up on a virus before attempted removal; for example one in particular was rather nasty and had created a 100MB separate partition to restore itself at boot if removed/reformatted.)
Open the RUN command, type MSCONFIG and hit Enter. Untick any items you do not want from the Services and Startup tabs. Restart the machine when done (in normal mode if it is not already).
Run HijackThis. If you know what you're doing, great, remove any unwanted entries; if you do not, send the log file to the HijackThis team for free analysis. (http://www.filehippo.com/download_hijackthis/)
Update Flash
Update Java
Update .NET
To streamline these updates, you can download a quick silent installer from Ninite (http://www.ninite.com)
Reboot. Keep an eye out for any funky behavior. I have had very few instances where following these instructions properly and using a bit of intuition as to what is not wanted have not rectified the issues at hand.
- Input Nirvana
- Location: San Francisco bay area, California, USA
- Main keyboard: Kinesis Advantage
- Main mouse: Rollermouse Free2
- DT Pro Member: -
Let's not worry that there is or isn't viruses/trojans that may/may not come from GH.
Let's do this for our communities:
With a matrix, offer an effective method for Mac, Windows, and Linux to address the A) recognition and B) the correction of potential problems. Then, we can stop all the shizz going back and forth, since no one really knows what is/isn't going on with the problems.
- dorkvader
- Main keyboard: Unicomp
- Main mouse: CST 1550
- Favorite switch: Buckling Spring over Capacitave. (Model F)
- DT Pro Member: -
NEBUCHADNEZZAR wrote: Open the RUN command, type MSCONFIG and hit Enter. Untick any items you do not want from the Services and Startup tabs. Restart the machine when done (In normal mode if it is not already).
Services.msc > msconfig.exe
(I would make sure I knew how to use these tools before utilizing them.)
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
input nirvana wrote: Let's not worry that there is or isn't viruses/trojans that may/may not come from GH.
Let's do this for our communities:
With a matrix, offer an effective method for Mac, Windows, and Linux to address the A) recognition and B) the correction of potential problems. Then, we can stop all the shizz going back and forth, since no one really knows what is/isn't going on with the problems.
Somebody else is going to have to address Mac
For Linux, I'd suggest the best thing you can do is keep your system & app software up to date and you should be fine.
For Windows...
Obviously the same applies, keep the Windows OS and all products current. As NEBUCHADNEZZAR suggested, update flash, java and .NET. Those are some of the most vulnerable bits. But if that is all you do, you may leave vulnerabilities that someone will exploit. For example if you don't patch any SQL instances, Acrobat, Firefox, etc, you're vulnerable. I've personally seen SQL slammer take over an unpatched system sitting right in front of me. If memory serves this was a VERY new patch, it was like Wednesday morning and the patch had only come out the day before on patch Tuesday.
For virus protection I like Norton Internet Security. Pick your favorite but at least load Microsoft Security Essentials which is free.
For malware removal, I stick by the malware removal procedures from majorgeeks as it's worked for me. I wouldn't even want to try putting that into a matrix, it's a long and involved procedure with different forks depending on OS and issues.
Do a scan with the free Malwarebytes Anti-Malware at minimum.
As for HijackThis, I consider that a good but expert tool. Be careful if you use it or you could easily mess up your system. Major Geeks also has a Malware Removal FAQ which includes a HijackThis Tutorial should you want to try it.
- sth
- 2 girls 1 cuprubber
- Location: US
- Main keyboard: hhkb1
- DT Pro Member: -
TexasFlood wrote: Somebody else is going to have to address Mac
Allow me
Generally, as long as you don't run strange programs or mount strange DMGs you are fine. There was a recent trojan found in the wild for OS X that is easily dealt with, although Apple does not respond to security vulnerabilities as quickly as they should. By this time they have included the trojan removal tool in SWU but it took probably close to a month, during which time you had to manually remove the trojan (child's play for anybody on this forum but still not easy for casual users).
If it makes you feel better you can keep up with Mac sites to learn about new security threats. I usually find Reddit the best source of this info, not because it's a huge site, but because Win/Linux fanboys are quicker to discuss trojans on OS X than Apple is.
- Input Nirvana
- Location: San Francisco bay area, California, USA
- Main keyboard: Kinesis Advantage
- Main mouse: Rollermouse Free2
- DT Pro Member: -
See? Now everyone can not hypothesize about whatever and just deal with it. The information is available...could be made into a sticky or something. If the questions come up the answer is "To be safe...go here..." and we're done with it.
Moving on.....thanks for asking the original question Captain!
Aaaaaaaand...we're done.
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
That's kinda where I was headed, Input Nirvana. But you were right, cut to the chase. Agreed.
Thanks for the Mac input sth, your advice "If it makes you feel better you can keep up with {your Linux distribution here} sites to learn about new security threats. I usually find Reddit the best source of this info" probably works for Linux as well.
- sth
- 2 girls 1 cuprubber
- Location: US
- Main keyboard: hhkb1
- DT Pro Member: -
TexasFlood wrote: That's kinda where I was headed, Input Nirvana. But you were right, cut to the chase. Agreed.
Thanks for the Mac input sth, your advice "If it makes you feel better you can keep up with {your Linux distribution here} sites to learn about new security threats. I usually find Reddit the best source of this info" probably works for Linux as well.
Yeah, you're probably right; however, it seems like most major distros are on their game when it comes to patching vulnerabilities in packages (unlike Apple, unfortunately!).
- TexasFlood
- Main keyboard: Rosewill RK-9000 original cherry blue
- Main mouse: Microsoft trackball
- Favorite switch: cherry blue
- DT Pro Member: -
And I should have added that major linux distros like Ubuntu have forums dedicated to them.
- Input Nirvana
- Location: San Francisco bay area, California, USA
- Main keyboard: Kinesis Advantage
- Main mouse: Rollermouse Free2
- DT Pro Member: -
Thanks for putting the valuable info up....it should always be easily available on a tech forum 
Captain asked the great question and some fingerprinting and cross-accusing was going on...so I decided for once to stay on topic and reiterate. It would have gotten here sooner or later, but sooner is better.
GH has lost tremendous momentum the last several months, and now with this stupid crap I'm curious what fallout (if any) there will be. I'm still thinking there should be another source.....