Aces High Bulletin Board
General Forums => The O' Club => Topic started by: CAP1 on January 16, 2010, 08:01:51 AM
-
anyone heard of it? just moments ago, i was cruising these boards, and had photobucket opened also.
warning came up, about something hitting/installing itself......i turned off immediately, but it was too late. when i rebooted, i got blue background with yellow box saying system infected.
it's constantly popping warnings.........right now, i'm running norton, which states it found "coreguard antivirus2009", and cleaned.
will i be needing to do anything else?
-
anyone heard of it? just moments ago, i was cruising these boards, and had photobucket opened also.
warning came up, about something hitting/installing itself......i turned off immediately, but it was too late. when i rebooted, i got blue background with yellow box saying system infected.
it's constantly popping warnings.........right now, i'm running norton, which states it found "coreguard antivirus2009", and cleaned.
will i be needing to do anything else?
Yes, a full system reinstall. You have two viruses installed, Norton and that other one. :)
You have no way of knowing if Norton really managed to remove that malware. Then take a lesson and stop using IE for browsing. Install firefox and noscript to use it.
-
Yes, a full system reinstall. You have two viruses installed, Norton and that other one. :)
You have no way of knowing if Norton really managed to remove that malware. Then take a lesson and stop using IE for browsing. Install firefox and noscript to use it.
i already don't use ie.
-
Malwarebytes is good at removing most of those rogues.
It doesn't do anything about Norton, though.
-
Malwarebytes is good at removing most of those rogues.
It doesn't do anything about Norton, though.
i may have mis-stated.......i have symantec. is that the same or different than norton?
right now, symantec and superantispyware are running on that machine. superantispyware has found 22 things, including one of the vundo things, and a bunch of trojans...and the antivirus2010.rogue. symantec has found coreguard antivirus2009.
both tools are running right now.
what gets me, is i ran superantispyware last week, and nothing came up, outside of a few tracking cookies.
i don't need this first thing in the morning.....especially on my work computer.
-
STAY AWAY FROM TEH PRON!!1!1!
-
run combofix after malwarebytes. it usually finds a few extra things
-
Agreed, my wife got this one (antivirus 2010) for me about a week ago... malwarebytes cleaned it right up.
Sol
-
i may have mis-stated.......i have symantec. is that the same or different than norton?
right now, symantec and superantispyware are running on that machine. superantispyware has found 22 things, including one of the vundo things, and a bunch of trojans...and the antivirus2010.rogue. symantec has found coreguard antivirus2009.
both tools are running right now.
what gets me, is i ran superantispyware last week, and nothing came up, outside of a few tracking cookies.
i don't need this first thing in the morning.....especially on my work computer.
Symantec is the Company that makes Norton.
-
Why do people buy viruses? AKA, Symantec products... As most have said, Malwarebytes Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol) will clean it up.
-
STAY AWAY FROM TEH PRON!!1!1!
this is my work machine. i go to this bbs (which is where i was when the hit happened), and flamewarriors. then it's work related sites like alldata, napafix, etc
-
Why do people buy viruses? AKA, Symantec products... As most have said, Malwarebytes Anti-Malware (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol) will clean it up.
i'll update and run that as soon as superantispyware finishes. it's first pass, it found 30 something things......it cleaned them, and it's running again. it found 1 so far in the registry......antispyware2010.rogue again.
after i put this up, i called a buddy of mine (he runs GEM Enterprises)....a computer dude. he said to do the superantispyware thing at least 2x, and if there was still anything there to call him back, and he'd come over.
thanks dudes!
oo...masher....i thought they were, but didn't/don't understand why it's labeled symantec, rather than norton.
-
Well, I would like to know which dodo at your office decided Symantec products were the best option for productivity security.
EDIT: If that system registry line continues coming back, you might also consider running AVG Anti-Rootkit Free (http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml). The tool has worked miracles for me considering neither Malwarebytes, Spyware Doctor, Spybot, or ESET products found rootkits that the small application managed to pick up.
-
I am a firm believer in Combo Fix but be careful, they had a message a couple of months ago stating not to use the newest version as they were having some sort of problem with it.
Just double checked; Combofix.net or BleepingComputer.com looks like they have the latest version with a warning not to use older versions.
-
Well, I would like to know which dodo at your office decided Symantec products were the best option for productivity security.
EDIT: If that system registry line continues coming back, you might also consider running AVG Anti-Rootkit Free (http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml). The tool has worked miracles for me considering neither Malwarebytes, Spyware Doctor, Spybot, or ESET products found rootkits that the small application managed to pick up.
3rd run, it didn't come back.
problem now, is that machine will not go onto the net now. firefox is just a blank page, regardless of the address i type in.
also, i cannot get into task manager. it says "task manager disabled by administrator". but i AM the administrator.
and finally, although i got my original background back, i also have a white background around each one, which i cannot change....nor can i change the background picture.
-
See if Malwarebytes picks up anything. If it does and afterward you don't experience any troubles, great! Otherwise try a scan with AVG Anti-Rootkit. If it finds any hidden drivers (rootkits) remove them, if that fixes the problem, great! Otherwise run one more scan using Spybot Search & Destroy (http://download.cnet.com/Spybot-Search-amp-Destroy/3000-8022_4-10122137.html?tag=mncol). If it finds anything, fix it. If this resolves all remaining issues, great! Otherwise get the IT department on the phone. It's time to reformat the computer (which would be safer to do in the first place).
-
See if Malwarebytes picks up anything. If it does and afterward you don't experience any troubles, great! Otherwise try a scan with AVG Anti-Rootkit. If it finds any hidden drivers (rootkits) remove them, if that fixes the problem, great! Otherwise run one more scan using Spybot Search & Destroy (http://download.cnet.com/Spybot-Search-amp-Destroy/3000-8022_4-10122137.html?tag=mncol). If it finds anything, fix it. If this resolves all remaining issues, great! Otherwise get the IT department on the phone. It's time to reformat the computer (which would be safer to do in the first place).
i may end up doing that. i just used my thumb drive to put malwarebytes over there....it's found 6 items so far.......this is pissing me off bad enough i'm having trouble concentrating on working on cars right now......
thanks sirs!
ooo.....i'm the dodo.....symantec came on the computer in question, and for almost 2 years there hasn't been a problem. now there's a big enough problem (in my mind) to make up for the lack of problems.
-
If you still can't connect try LSPFix, pulling out the virus may have pulled something else out as well. This offers to rebuild your Layered Stack Protocol, I think that's what it is (your connection).
-
Great suggestion since I've dealt with some programs who decided to gut the registry before passing on. It took me three hours to track down the problem and re-write the registry keys... :mad:
CAP1, I figured perhaps someone at your workplace made the decision that all office computers should be "protected" by Symantec products. If that were the case, the individual would be a dodo for associating Symantec with Security.
-
Great suggestion since I've dealt with some programs who decided to gut the registry before passing on. It took me three hours to track down the problem and re-write the registry keys... :mad:
CAP1, I figured perhaps someone at your workplace made the decision that all office computers should be "protected" by Symantec products. If that were the case, the individual would be a dodo for associating Symantec with Security.
the problem computer is the office computer in my shop. i'm the king of my kingdom of me, myself and i. :D
the symantec came on the machine, and is/has been kept updated, but for some reason was turned off. i'm the only person that touches that machine. if a customer needs internet access, i let them use the machine i'm typing on right now...or if they're someone i've dealt with before, i give them the password for the wireless network.
i've been lax in scanning, and maintaining my system, so i guess it's kinda my own fault.
i tend to turn the office computer off every night, so i'm gonna set it up to scan mid day every 2 or 3 days, at a time i'm most likely to be out in the shop working.
i hate when i do something stupid like this........
-
That antivirus 2010 thing is a massive pile of viruses stacked into one self installing junkpile...if malwarebytes can't remove everything it stuck on your system, system reload time. I'd be surprised if your system32 directory doesn't get horked up.
It's nothing you could have prevented unless you had noscript installed on firefox...or Spybot Search and Destroy with tea timer active.
-
Usually if you get a pop-up stating that "your system is infected" or something, the pop-up is the "door" to the virus.
DO NOT click anything on the pop-up.
Don't hit "cancel" or "no" do not click on anything!
Just reach down and manually shut the computer off.
The moment you click on the pop-up "warning" its all over. :old:
-
Be careful shutting down. A lot of times these viruses don't kick in until the system reboots. And yes, that includes if you hard shut down.
If it were IE, I'd say to make sure the rogue didn't set any sort of Proxy in the browser (some of them do that) but I don't think Firefox does that.
-
Don't feel bad Cap, it darn near got me just now. :P
Went to my squad page and it re-directed to something that popped up saying "You need ------ 2009" (can't remember the exact name), got up and reset the computer without hitting anything, no problems so far, running PCTools scans for anything.
-
FINALLY back online with the office machine. got to the point where superantispyware, malwarebytes, and symantec found nothing.
the lsp fixer thingie found two things, that it removed, and had to add back 11 things.
as i type this, spybot search and destroy is running...and it's found win32agent.pz, and win32agent.chh
sheesh..........
oo......i guess this is me getting lax too.......windoze firewall was off (i generally leave it on), as was spybot's teatimer, and symantec. i never turned any of them off, but they all were.
thanks guys!!
-
First run Malwarebytes Anti-Malware
http://www.malwarebytes.org/
Then get rid of Norton and install NOD32
http://www.eset.com/download/
Then for Firefox install the "Noscript" add-on
https://addons.mozilla.org/en-US/firefox/addon/722
-
FINALLY back online with the office machine. got to the point where superantispyware, malwarebytes, and symantec found nothing.
the lsp fixer thingie found two things, that it removed, and had to add back 11 things.
as i type this, spybot search and destroy is running...and it's found win32agent.pz, and win32agent.chh
sheesh..........
oo......i guess this is me getting lax too.......windoze firewall was off (i generally leave it on), as was spybot's teatimer, and symantec. i never turned any of them off, but they all were.
thanks guys!!
Sounds great! As Drediock mentioned, swap Norton for ESET NOD32 (http://www.jdoqocy.com/click-3751820-10483907) (or Smart Security).
-
Sounds great! As Drediock mentioned, swap Norton for ESET NOD32 (http://www.jdoqocy.com/click-3751820-10483907) (or Smart Security).
that brings me to a question.
i'm at home now...just got here. running malwarebytes, and superantispyware as i type this.
i had a trial version of eset on this computer, but it's been close to a year since i had that. how do i upgrade it now, as the password that i saved (and forgot) has expired.
also, this machine has vista.....and the windows defender? is on. what's your opinion on that? i'm paranoid now, as i don't want that crap happening here.....
thanks again all of yas!
john
-
I'd just go to ESET's ordering page (http://www.jdoqocy.com/click-3751820-10483907) and buy one of their license packs. They're running a special right now for 25% off. Most here will recommend ESET Smart Security. However, it's up to you since the only difference between Smart Security and NOD32 is the loss of the anti-spam and firewall modules.
When you buy the product you can either insert the registration code into your current installation of ESET. Or you can uninstall your current installation of ESET, download the one provided in the registration e-mail, then install ESET. Depending on which version of the software you currently have, I'd opt for the second method.
-
i hate when i do something stupid like this........
If it's a task critical computer do not wait, FORMAT and reinstall. Then install a good antivirus and firefox with noscript addon. Do not use the computer for anything else except work related tasks. Do not visit UBB's, video or picture sites etc.
But first of all, FORMAT. You're risking your whole business by continuing to use a compromised system.
Your box may be already DNS poisoned so your banking site is replaced with a criminal copy - they'll empty your account while you pay your bills.
-
Malwarebytes is good at removing most of those rogues.
It doesn't do anything about Norton, though.
+1 Malwarebytes helped me. I have it on a flash drive just in case
-
I'd just go to ESET's ordering page (http://www.jdoqocy.com/click-3751820-10483907) and buy one of their license packs. They're running a special right now for 25% off. Most here will recommend ESET Smart Security. However, it's up to you since the only difference between Smart Security and NOD32 is the loss of the anti-spam and firewall modules.
When you buy the product you can either insert the registration code into your current installation of ESET. Or you can uninstall your current installation of ESET, download the one provided in the registration e-mail, then install ESET. Depending on which version of the software you currently have, I'd opt for the second method.
Denny explained it well CAP. ESET is painless to "upgrade" from the Trial Version.
-
I'd like to give my recommendation to ESET also. You can get a discount for multiple machines too.
-
Denny explained it well CAP. ESET is painless to "upgrade" from the Trial Version.
on this machine (at home) i had installed the trial version like i mentioned earlier.......but in my laziness, i never upgraded....and since i never touched it, i don't remember that password.
i think he mentioned un-installing it, then go to their purchase page....which is my plan.
last night, was spent running pretty much everything on this machine...superantispyware, malwarebytes, and spybot search and destroy. thankfully, the only things showing up on this machine were tracking cookies.
tomorrow, i'm going to talk to gary, and more than likely listen to the suggestion from someone here, and have that machine re-formatted. the only thing on that one that's important, is my invoicing program, as it has all of my customer files. i back up that program every 3 or 4 days, so once the reformat is done, it'll be easy to reinstall.
thank ALL of you guys for your advice and help with this!!!
it seems i got off somewhat easy, compared to what some others have suffered.
john
-
Once again I want to stress that once you get infected you can _not_ trust that system again before you reinstall.
You have no way of knowing if the antiviruses missed something or if your hosts file has been replaced with one linking directly to hacked pages - or if your key system files have been rootkited.
You're a fool if you continue using the computer relying on disinfection. Trust me. Gaming computer you could still maybe allow that but business? Really.
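One concrete version of the hosts-file concern raised in this post, as an added example that is not from the thread or any tool named in it: a small Python audit that reads a hosts file and flags the two edits a tampered copy typically carries, a name pinned to a routable address (so a banking site resolves to somebody else's server no matter what DNS says) and a security vendor's update domain pinned to loopback (so signature updates silently fail). The sample file below is constructed; the 192.0.2.x addresses are from the documentation range and the .test names are placeholders. On a real Windows box you would read %SystemRoot%\System32\drivers\etc\hosts instead.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the thread): the stock Windows header
# followed by lines of the kind a tampered file carries. 192.0.2.0/24 is the
# documentation range and the .test names are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.example-bank.test   example-bank.test
192.0.2.10      update.example-av.test
127.0.0.1       liveupdate.example-av.test
"""

# Addresses that cannot redirect a name anywhere: loopback, plus the blackhole
# address ad-blocking hosts files use.
BENIGN_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname on a line.

    Comments (# to end of line) and blank lines are dropped; a line whose
    first field is not a valid IP address is skipped rather than guessed at.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            pairs.append((addr, host.lower()))
    return pairs


def suspicious_entries(pairs: List[Tuple[str, str]],
                       watch_suffixes: Tuple[str, ...] = ()) -> List[Tuple[str, str, str]]:
    """Flag two patterns a stock hosts file never contains.

    "redirected": a name mapped to a routable address, so the browser goes
    there regardless of DNS (the replaced-banking-site scenario).
    "blocked": a name under a watched suffix (e.g. your AV vendor's update
    domain) pinned to loopback, which quietly stops updates.
    """
    flagged: List[Tuple[str, str, str]] = []
    for addr, host in pairs:
        if host == "localhost":
            continue
        if addr not in BENIGN_ADDRESSES:
            flagged.append((addr, host, "redirected"))
        elif any(host == s or host.endswith("." + s) for s in watch_suffixes):
            flagged.append((addr, host, "blocked"))
    return flagged


if __name__ == "__main__":
    # On a real Windows box read %SystemRoot%\System32\drivers\etc\hosts instead.
    for addr, host, why in suspicious_entries(parse_hosts(SAMPLE_HOSTS),
                                              watch_suffixes=("example-av.test",)):
        print(f"{why:10s} {host:30s} -> {addr}")
```

A clean Windows hosts file has nothing but comments and the two localhost lines, so on a machine that has never had ad-blocking entries added by hand, any output at all from this script is worth explaining before the box goes back into service.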
-
Once again I want to stress that once you get infected you can _not_ trust that system again before you reinstall.
You have no way of knowing if the antiviruses missed something or if your hosts file has been replaced with one linking directly to hacked pages - or if your key system files have been rootkited.
You're a fool if you continue using the computer relying on disinfection. Trust me. Gaming computer you could still maybe allow that but business? Really.
that's why i'll be on the phone to gary tomorrow.....to get the thing taken care of.
and i DO appreciate your advice sir!!
john
-
...the only thing on that one that;s important, is my invoicing program, as it has all of my customer files. i back up that program every 3 or 4 days, so once the reformat is done, it'll be easy to reinstall...
Good man! :aok
-
run combofix after malwarebytes. it usually finds a few extra things
Run Combofix as a last ditch effort, prior to wiping the hard drive.
I had a very similar attack to my system as you did, CAP, and combofix worked in the end. I used spyware and malware from a few different outlets, all of which worked initially, but the infection invariably came back after a week or two.
Look into it (ComboFix) if you have the same issue and it comes back: it saved me a reformat.
-
If it finds its way back even after all the scans he's performed, a reformat is definitely necessary. Not just to eradicate the bug, but to keep the business safe.
-
If it finds its way back even after all the scans he's performed, a reformat is definitely necessary. Not just to eradicate the bug, but to keep the business safe.
the business is what's most important to me. getting my own business, although a thousand times harder than i had imagined it would be, has put the enjoyment back into my job. i was at a point that i didn't care about much, as long as i got my paycheck every week. now it's fun again, and i need to stay in business in order to keep it that way. i cannot risk my customers stuff, nor can i risk finding my bank account empty one day.
it'll probably be a small pain in the ass, but i'm gonna go with the reformat route.
-
2 programs, malwarebytes:
http://www.malwarebytes.org/mbam.php
SmitFraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Problem solved. ;)
Well, minus the symantec crap.
-
Pretty funny. My wife calls me at work and reports that our laptop has the exact problem. I was trying to fix it after i got home, got frustrated and browsed the boards and found this post. I downloaded malwarebytes and I believe it is fixed. Anyone know how this one is being spread?
-
Pretty funny. My wife calls me at work and reports that our laptop has the exact problem. I was trying to fix it after i got home, got frustrated and browsed the boards and found this post. I downloaded malwarebytes and I believe it is fixed. Anyone know how this one is being spread?
on sat. night, after superantispyware, and malwarebytes both reported nothing, i needed to run the lsp.fix that someone told me about here.
once i did that, i updated my spybot search and destroy, and ran that. that found about 6 more things.
after that, it seemed good.
this morning, i ran malwarebytes again....and once again, it found one thing. it was trojan.fake.
superantispyware found nothing.
my computer dude's coming on wed. to pick up the computer, and he's gonna reload everything.....
as for how it's getting spread, i've no clue. when it hit me, i was here on this bbs, and in my photobucket account, in 2 separate windows.
-
on sat. night, after superantispyware, and malwarebytes both reported nothing, i needed to run the lsp.fix that someone told me about here. once i did that, i updated my spybot search and destroy, and ran that. that found about 6 more things. after that, it seemed good.
this morning, i ran malwarebytes again....and once again, it found one thing. it was trojan.fake.
superantispyware found nothing.
my computer dude's coming on wed. to pick up the computer, and he's gonna reload everything.....
as for how it's getting spread, i've no clue. when it hit me, i was here on this bbs, and in my photobucket account, in 2 separate windows.
More than likely from a friend's address book or a previously visited site.
-
Don't you know my girlfriend's laptop got gobbled today by this "windows 2010 " root kit? Probably the same one that got you.
Combofix killed it within 5 mins of the first sign of infection....of course this was done through window after window of bad grammatical "your computer is infected..." windows. Actually forced an image onto her background (same horrible grammar lol)....dunno if i've seen that before. It also wouldn't let any of her spyware or malware finish their scans, which i found interesting as well.
There's nothing important on her computer (just lesson plans,she's a teacher) so I made her change any passwords for external stuff. I don't think a full wipe is in order, in this case.
Anyway, Combofix killed it. Just FYI.
-
Update.
Don't count on ESET to stop it. My daughter walking into the room last night.
"Daddy. I think mommy's computer has a virus...."
Sure enough "Antivirus 2010" is running asking for updates, warning that the computer is infected, popup after popup coming up
Malwarebytes Anti-Malware got rid of it easy enough. But ESET Smart Security did NOT stop it.
Interestingly enough. It was listed in the quarantine (along with 20 other things it did stop or prevent in the last couple weeks) even though it didn't stop Antivirus 2010 from running or installing itself.
-
STAY AWAY FROM TEH PRON!!1!1!
Actually most of the dangers these days seem to be from sites kids tend to visit rather than the adult oriented sites.
Not saying pron sites don't sometimes have viruses. But most of the viruses/trojans/malware I've come across have been from kids sites my daughter or her friends have visited and not mine or their parents.
-
Update.
Don't count on ESET to stop it. My daughter walking into the room last night.
"Daddy. I think mommy's computer has a virus...."
Sure enough "Antivirus 2010" is running asking for updates, warning that the computer is infected, popup after popup coming up
Malwarebytes Anti-Malware got rid of it easy enough. But ESET Smart Security did NOT stop it.
Interestingly enough. It was listed in the quarantine (along with 20 other things it did stop or prevent in the last couple weeks) even though it didn't stop Antivirus 2010 from running or installing itself.
run superantispyware, and spybot search and destroy too. they both found things that malwarebytes didn't......just like malwarebytes found things the others didn't.
below is the log from malwarebytes.......
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
1/16/2010 1:53:14 PM
mbam-log-2010-01-16 (13-53-14).txt
Scan type: Full Scan (C:\|)
Objects scanned: 226609
Time elapsed: 38 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
this was the first pass with malwarebytes....after superantispyware said it was clean.
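The log above is the most useful artifact in the thread: the Registry Data Items section explains the symptoms reported earlier (Task Manager "disabled by administrator" is the DisableTaskMgr policy set to 1, the wallpaper that cannot be changed is the NoChangingWallpaper / NoSetActiveDesktop policies), and the Winlogon Userinit entry shows a second executable appended after userinit.exe, which is what got the rogue started again at every logon. The Python script below is an added example, not part of the thread and not a Malwarebytes tool: it parses a constructed, shortened excerpt laid out like that log (item lines copied from it), then pulls out exactly those two things, which policy lock-outs were set and which extra programs had been wired into Userinit, so an operator can read what was changed rather than only that something was quarantined.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.44 log
# quoted above (shortened; the item lines are copied from that log).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Scan type: Full Scan (C:\|)
Objects scanned: 226609
Registry Keys Infected: 1
Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# A detail section header ends in "Infected:" with nothing after the colon;
# the summary lines near the top carry a count after the colon and do not match.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")
# One finding: <path> (<Category>) -> <rest of line>
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<category>[A-Za-z][A-Za-z0-9.]*)\) -> (?P<rest>.+)$")
# Registry data items also record the value found and the value restored.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")


@dataclass
class Finding:
    section: str
    path: str
    category: str
    action: str
    bad: Optional[str] = None   # value MBAM found (registry data items only)
    good: Optional[str] = None  # value MBAM restored


def parse_mbam_log(text: str) -> List[Finding]:
    """Collect every item listed under a detail section of the log."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        item = ITEM_RE.match(line)
        if not item:
            continue
        rest = item.group("rest")
        bad = good = None
        values = BAD_GOOD_RE.match(rest)
        if values:
            bad, good, rest = values.group("bad"), values.group("good"), values.group("action")
        findings.append(Finding(section, item.group("path"), item.group("category"), rest, bad, good))
    return findings


def counts_by_category(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


def userinit_extras(findings: List[Finding]) -> List[str]:
    """Executables appended to the Winlogon Userinit value besides the stock
    userinit.exe. Everything in that list runs at each interactive logon,
    which is how the rogue came back after reboots."""
    extras: List[str] = []
    for f in findings:
        if f.category != "Hijack.Userinit" or f.bad is None:
            continue
        for entry in f.bad.split(","):
            entry = entry.strip()
            if entry and not entry.lower().endswith("\\userinit.exe"):
                extras.append(entry)
    return extras


def policy_lockouts(findings: List[Finding]) -> Dict[str, List[str]]:
    """Policy values the rogue set to 1, keyed by value name -> hives it was set in.
    DisableTaskMgr and the wallpaper policies produced the "task manager
    disabled by administrator" and locked-background symptoms."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        if f.section == "Registry Data Items Infected" and f.bad == "1":
            hive = f.path.split("\\", 1)[0]
            name = f.path.rsplit("\\", 1)[-1]
            out.setdefault(name, []).append(hive)
    return out


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(dict(counts_by_category(found)))
    print("Userinit extras:", userinit_extras(found))
    print("Policy lock-outs:", policy_lockouts(found))
```

Feed it the full log from the post and the Userinit check is the line to look at first: a cleaner can delete the quarantined file, but if the logon hook came back on the next scan (as the "trojan.fake" re-detection earlier in the thread suggests), that is the point at which the reinstall advice in this thread stops being optional.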
-
Don't you know my girlfriend's laptop got gobbled today by this "windows 2010 " root kit? Probably the same one that got you.
Combofix killed it within 5 mins of the first sign of infection....of course this was done through window after window of bad grammatical "your computer is infected..." windows. Actually forced an image onto her background (same horrible grammar lol)....dunno if i've seen that before. It also wouldn't let any of her spyware or malware finish their scans, which i found interesting as well.
There's nothing important on her computer (just lesson plans,she's a teacher) so I made her change any passwords for external stuff. I don't think a full wipe is in order, in this case.
Anyway, Combofix killed it. Just FYI.
you wouldn't have a link to the combofix would you?
i googled it yesterday, and there's about 10 pages of results.........
-
Update.
Don't count on ESET to stop it. My daughter walking into the room last night.
"Daddy. I think mommy's computer has a virus...."
Sure enough "Antivirus 2010" is running asking for updates, warning that the computer is infected, popup after popup coming up
Malwarebytes Anti-Malware got rid of it easy enough. But ESET Smart Security did NOT stop it.
Interestingly enough. It was listed in the quarantine (along with 20 other things it did stop or prevent in the last couple weeks) even though it didn't stop Antivirus 2010 from running or installing itself.
TilDeath put it in simple terms for me, I'll share the same information with you...
ESET products are better at preventing the initial infection than removing the infection itself. If you download the virus and open it, it's too late.
-
TilDeath put it in simple terms for me, I'll share the same information with you...
ESET products are better at preventing the initial infection than removing the infection itself. If you download the virus and open it, it's too late.
den...the problem.......i didn't download anything. the window popped up in the middle of my screen..i clicked nothing, just hit the reset button.....but that fast it was in my machine.
-
You don't have to these days. With ActiveX and Java around, all you have to do is look at a picture.
-
You don't have to these days. With ActiveX and Java around, all you have to do is look at a picture.
hhmm....is it possible that some of the pictures i loaded onto photobucket could've gotten infected?
-
you wouldn't have a link to the combofix would you?
i googled it yesterday, and there's about 10 pages of results.........
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
The download site is "bleepingcomputer.com" which is kind of hidden. There is a warning about how powerful it is, etc. When you use it, if you don't have "windows recovery console" installed, make sure you let it put it on.
Do not download it from any site that asks for money.
If you decide to use it... have patience.... it will take about 25 minutes to a half hour with this "Windows 2010" rootkit. (At least that's how long it took for my GF's computer) It found it within the first 2 minutes of scan and determined it was a rootkit, which required a clean reboot, which it will do itself.
The only time you should have to touch it is after any reboot, as you may have to select your user in the windows startup ("Welcome") screen again. There are long pauses in activity, just let it go. It is especially long when you are waiting for the log,( although my GF's computer was heavily fragmented).
As well, please speak with someone who knows how powerful this program is. It seems that all the tech forums like it for exactly this infection, though.
Good luck. (All of what I said is on the first page of the link I provided as well.)
-
run superantispyware, and spybot search and destroy too. they both found things that malwarebytes didn't......just like malwarebytes found things the others didn't.
below is the log from malwarebytes.......
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13
1/16/2010 1:53:14 PM
mbam-log-2010-01-16 (13-53-14).txt
Scan type: Full Scan (C:\|)
Objects scanned: 226609
Time elapsed: 38 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
this was the first pass with malwarebytes....after superantispyware said it was clean.
-
Honestly, I'm worried that Malwarebytes got the symptoms here and not the sickness. It seems to have found all the things the root was doing..... but not the "windows 2010" virus.
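To make the log above easier to read the way a responder would, here is an added Python example (not something posted in the thread, and not a Malwarebytes tool) that parses lines in that log's format and pulls out the two things worth understanding before deciding whether the machine is clean: the extra executable that was chained into the Winlogon Userinit value (the "Bad:" value), which runs at every logon, and the Explorer/System policy values that were flipped from 0 to 1 to lock the wallpaper and disable Task Manager. The "Good:" column is what the tool restored, so the report also lists what to re-check after the reboot. The sample log is a constructed subset of the lines posted above; the regular expressions are an assumption about the log format based only on those lines.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of the Malwarebytes log posted above (a subset of its lines).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Scan type: Full Scan (C:\|)

Registry Keys Infected: 1
Registry Data Items Infected: 3
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""


@dataclass
class Finding:
    section: str            # e.g. "Registry Data Items"
    path: str               # registry path or file path
    detection: str          # detection name in parentheses, e.g. "Hijack.Userinit"
    action: str             # what the tool did with it
    bad: Optional[str] = None   # observed value (data items only)
    good: Optional[str] = None  # value the tool restored (data items only)


# Assumed log layout: a "<Section> Infected:" header followed by one entry per line.
SECTION_RE = re.compile(r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
                        r"Registry Data Items|Folders|Files) Infected:$")
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\)"
                      r"(?: -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\))?"
                      r" -> (?P<action>.+)$")


def parse_mbam_log(text):
    """Return a list of Finding objects, one per detected item, ignoring the summary header."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            findings.append(Finding(section=section, path=m["path"], detection=m["detection"],
                                    action=m["action"], bad=m["bad"], good=m["good"]))
    return findings


EXPECTED_USERINIT = {"userinit.exe"}  # the only program Winlogon should launch via this value


def unexpected_userinit_entries(value):
    """Split a comma-separated Userinit value and return every entry that is not the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if ntpath.basename(e).lower() not in EXPECTED_USERINIT]


def triage(findings):
    """Summarise findings: hits per section, added logon persistence, flipped lockdown
    policies, and the restored values to verify after the reboot."""
    report = {"by_section": Counter(), "persistence": [], "tampered_policies": [], "verify": {}}
    for f in findings:
        report["by_section"][f.section] += 1
        p = f.path.lower()
        if p.endswith("\\winlogon\\userinit") and f.bad is not None:
            report["persistence"].extend(unexpected_userinit_entries(f.bad))
        elif "\\policies\\" in p and f.bad == "1" and f.good == "0":
            report["tampered_policies"].append(f.path.rsplit("\\", 1)[-1])
        if f.good is not None:
            report["verify"][f.path] = f.good
    return report


if __name__ == "__main__":
    r = triage(parse_mbam_log(SAMPLE_LOG))
    print("hits per section:", dict(r["by_section"]))
    print("extra logon programs:", r["persistence"])
    print("policies that were locked:", r["tampered_policies"])
    for path, good in r["verify"].items():
        print("after reboot, expect", path, "=", good)
```

Run it on a saved mbam-log-*.txt by replacing SAMPLE_LOG with the file's contents. The point of the persistence list is the one the next reply makes: the log shows what the infection did (added sdra64.exe to Userinit, locked Task Manager and the wallpaper), and removing those items does not prove the component that wrote them is gone, so the "verify" values should be checked again after the next reboot.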
-
Honestly, I'm worried that Malwarebytes got the symptoms here and not the sickness. It seems to have found all the things the root was doing..... but not the "windows 2010" virus.
that scan was the third thing i ran. i ran symantec first, along with superantispyware. symantec found antivirus2009.rogue(i think) in 2 places.
superantispyware found something like 70 things....about 20 were just cookies, the rest were trojans, antivirus2010.rogue, trojan.fake, and some others........
i've been running superantispyware, and malwarebytes every day now.......till my computer guy comes to get this machine.
-
that scan was the third thing i ran. i ran symantec first, along with superantispyware. symantec found antivirus2009.rogue(i think) in 2 places.
superantispyware found something like 70 things....about 20 were just cookies, the rest were trojans, antivirus2010.rogue, trojan.fake, and some others........
i've been running superantispyware, and malwarebytes every day now.......till my computer guy comes to get this machine.
Like I said, try Combofix after you back everything up. It really is a last ditch attempt prior to a full wipe.
I wish I could show you the report from her computer last night, but I deleted it accidentally while cleaning the C: drive.
It had all the things you posted, plus another whole file that said "Windows Antivirus 2010" or something like that.
Repair Tool of the Week: Combofix
Combofix is a freeware, portable application designed to scan a computer for known malware and, if found, attempt to remove it. I personally use this application very frequently in conjunction with SmitFraudFix to remove Win Antivirus 2008 and its variants. In addition to removing many different rogueware products, it also shows you a log of files that were created or modified in the last month to help you locate potential malware it didn't detect. For example, if there is a randomly named .dll file in the system32 folder that was created on the day of the infection but all other files are dated years ago when Windows was installed, it's probably something to do with the virus.
from
http://www.technibble.com/repair-tool-of-the-week-combofix/ (http://www.technibble.com/repair-tool-of-the-week-combofix/)
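The "created on the day of the infection while everything else is years old" heuristic from the quoted article can be done by hand on a directory listing, but it is easy to get wrong on a freshly installed machine where every file is recent. The following Python example is added here (it is not Combofix's code and not from the thread) to show the heuristic with that edge case handled: it only flags recent files when the directory as a whole is old. The sample directory contents are constructed; the two file names come from the log posted earlier, the dates are made up.

```python
import os
from datetime import datetime, timedelta


def creation_outliers(entries, now, window_days=30, min_gap_days=365):
    """entries: iterable of (name, created_at) pairs for one directory.

    Returns names created within the last `window_days` before `now`, newest first,
    but only when the directory is old as a whole: the median creation time must be
    at least `min_gap_days` before `now`. On a fresh install every file is recent, the
    heuristic has no baseline, and an empty list is returned rather than false alarms."""
    entries = list(entries)
    if not entries:
        return []
    timestamps = sorted(created for _, created in entries)
    median = timestamps[len(timestamps) // 2]
    if now - median < timedelta(days=min_gap_days):
        return []
    cutoff = now - timedelta(days=window_days)
    recent = [(name, created) for name, created in entries if created >= cutoff]
    recent.sort(key=lambda e: e[1], reverse=True)
    return [name for name, _ in recent]


def scan_directory(path, **kwargs):
    """Apply creation_outliers to the files of one directory (non-recursive).

    Caveat: st_ctime is the creation time on Windows but the inode change time on
    Unix, so on a non-Windows host this reflects the last metadata change instead."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                st = entry.stat(follow_symlinks=False)
                entries.append((entry.name, datetime.fromtimestamp(st.st_ctime)))
    return creation_outliers(entries, now=datetime.now(), **kwargs)


REFERENCE_NOW = datetime(2010, 1, 17)  # the scan day in the constructed sample


def sample_entries():
    """Constructed: a system32 installed in 2007 plus two files dropped on the infection day."""
    installed = datetime(2007, 3, 12, 9, 0)
    entries = [(f"legit{i:02d}.dll", installed + timedelta(days=i)) for i in range(20)]
    entries += [("sdra64.exe", datetime(2010, 1, 15, 22, 40)),
                ("41.exe", datetime(2010, 1, 16, 13, 5))]
    return entries


def demo():
    return creation_outliers(sample_entries(), now=REFERENCE_NOW)


def demo_fresh_install():
    """Every file is about a week old: the median is recent, so the heuristic abstains."""
    fresh = [(f"f{i}.dll", REFERENCE_NOW - timedelta(days=7)) for i in range(5)]
    fresh.append(("x.exe", REFERENCE_NOW - timedelta(days=1)))
    return creation_outliers(fresh, now=REFERENCE_NOW)


if __name__ == "__main__":
    print("old system, recent drops:", demo())
    print("fresh install:", demo_fresh_install())
```

A real run is `scan_directory(r"C:\WINDOWS\system32")` on the affected machine; the names it returns are candidates to look up, not verdicts, since legitimate updates (such as the Windows updates mentioned later in the thread) also create fresh files.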
-
AVG Anti-Rootkit Free will probably pick up the initial infection (rootkit). That's why I recommended to use it if the infections came back. In regards to your photos on photobucket... I doubt they were infected. However, I know some of the advertisements on mediafire have attempted to wedge a port open on my system. Therefore its completely logical to assume other websites also have such advertisements (whether they know it or not) infecting computers.
Additionally, Flash and ActiveScript are a great combination when it comes to delivering spyware, malware, and even viruses.
-
my mom's computer got that one. I booted to safe mode (winxp) and did the Restore to a previous date.......3 days ago. Then did a virus scan in safe mode. It found 3 viruses, but not the antivirus 2010. I also did a boot scan and an
extensive scan. I suspect I will eventually have to format the hard drive and reinstall everything......I hope not. Before running the Windows Restore I could not access any windows programs other than control panel. None of the programs in control panel would boot up. Good luck out there!
<S>
Mano
-
Give AVG Anti-Rootkit Free (http://www.softpedia.com/get/Antivirus/AVG-Anti-Rootkit.shtml) a go. See if it resolves any of your troubles.
-
this may have been posted already.....I did not read them all.
This link explains how to get rid of it and how it got onto your 'puter in the first place.
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010 (http://www.bleepingcomputer.com/virus-removal/remove-antivirus-2010)
<S>
Mano
-
hhmm/....is it possible that some of the pictures i loaded onto photobucket couldve gotten infected?
Doubtful, you UPload to photobucket, not download, you give info, not get. Plus, Denholm was doing a bit of exaggeration. ;) Most of the time, you have to give it permission to download, but it's usually something as innocent looking as "we need to run this add-on." Then shizam! You're infected.
~Trig
-
Just like to say that Symantec USED to have a good product. Back in the old days Symantec Corporate Antivirus was great, and the central management was awesome. Then they started with their end-point protection and it was all downhill from there.
I'd also like to throw in a vote for a newer anti-virus software called Vipre. Made by sunbelt software it has served me well so far and their rescue disk has helped me recover numerous computers that have shown up at my office with rogue spyware and viruses.
-
here's a new thing.....
i use microsoft outlook schedule for my scheduling.
i've been letting windows updates get caught up.
well.....today, about 15 minutes ago, it did another update, rebooted itself, and now i have no outlook in microsoft. i still have system restore turned off after the virus crap too, so now i think i'm screwed.
-
Ever wonder who writes these viruses and malware?
It has turned into a billion dollar industry, especially when you have to
buy a new subscription every year.
<S>
Mano
:mad: :mad:
-
Doubtful, you UPload to photobucket, not download, you give info, not get. Plus, Denholm was doing a bit of exaggeration. ;) Most of the time, you have to give it permission to download, but it's usually something as innocent looking as "we need to run this add-on." Then shizam! You're infected.
~Trig
I was not exaggerating on the images part. I've found infected .gif images before.
-
I was not exaggerating on the images part. I've found infected .gif images before.
.GIF is a layer, picture on picture put into movement. I'd like to see the infected GIF as I don't think it possible as an image doesn't have the rights needed to install software or change system settings.
-
That file is long since gone... I'm really wondering if it was a show for purpose by AVG, though... That was back when I surfed the web just to see what would happen.
-
it just pisses me off, that this kind of stuff keeps happening. i read about others that have these problems, and often don't respond......because i have nothing useful to help with....and it pisses me off just as bad as it does now that one got me.........
-
What bothers me about this is the talent wasted on destruction. If half of the ability being used to program this irremovable software was targeted at something more productive, we would probably already be working on light-speed transportation.
-
What bothers me about this is the talent wasted on destruction. If half of the ability being used to program this irremovable software was targeted at something more productive, we would probably already be working on light-speed transportation.
ya know?
i hadn't thought of it that way...and you're right.
-
Ever wonder who writes these viruses and malware?
It has turned into a billion dollar industry, especially when you have to
buy a new subscription every year.
<S>
Mano
:mad: :mad:
I'm still rather unconvinced that the AV companies or people involved with them aren't putting out at least some of this stuff themselves.
They are the ones who stand to gain the most from their existence. And lose the most if they ceased to exist.
-
i had to remove it from my comp 2 this week, what a bug!
first time was while trying to view someones flight vid here.
second was while at photobucket.
i've got it off my comp i think but firefox no longer runs and AH is screwed up too, even if i keep uninstallin' and installin' 'em
-
i had to remove it from my comp 2 this week, what a bug!
first time was while trying to view someones flight vid here.
second was while at photobucket.
i've got it off my comp i think but firefox no longer runs and AH is screwed up too, even if i keep uninstallin' and installin' 'em
i thought i had it beat...........
i don't....it's going to the shop this weekend....was supposed to be today, but they're pretty busy