Aces High Bulletin Board
General Forums => Hardware and Software => Topic started by: Dark on November 12, 2012, 06:40:34 AM
-
Well, just a heads up. I have run into this scam twice in a month: once on a friend's and just got it on my mom's computer. It completely locks the computer and most users don't know what to do. Task Manager doesn't show up or anything. Nod, Microsoft Essentials didn't catch it (mom's comp); AVG, Norton, Microsoft Essentials (friend's). I was able to clean my friend's by booting in safe mode and running Malwarebytes. Tried the same thing on my mom's but it has changed. Wouldn't let me launch explorer (yes, I know about explorer) so launched in safe mode with command prompt and launched it that way. Ran Malwarebytes and found 3 bugs. Removed them and everything seems ok. Do you guys think if I roll it back, say, a month before it landed on the computer and rerun everything it should be good to go, or do you think Malwarebytes did its job? Reading on Google they say to go to the registry and delete some stuff, but I'm nowhere near comfortable digging in there. Have them looking for CDs to reinstall Windows but knowing them they won't find it, so thought I'd ask here.
-
Check your inbox. Solution provided.
-
Malwarebytes' AntiMalware in Safe Mode has done the trick in the four Finnish-translated variations I've seen this year, even the registry thing. You might want to double-check with SuperAntiSpyware if you feel uncertain.
Why regular antivirus programs can't find this bad guy is that it actually isn't a virus. The FBI announcement is a saved website without frames and toolbars, saved in Temporary Internet Files, and is triggered by a ctfmon shortcut in the Startup folder of the Start menu or Orb, both legitimate Windows stuff. Even the registry hacks to prevent Task Manager and such are pure Microsoft admin stuff, available with a GUI in Windows Professional versions.
After having removed all malware I'd remove all restore points to prevent rolling back to an infested state.
TD, I'd like to have your solution too, if it's not too much to ask.
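A defender-side check for the two persistence spots this post describes (a lookalike shortcut in the Startup folder that opens a saved web page, and the policy values that hide Task Manager), written as an added PowerShell example that is not from the thread or from any of the tools named. It assumes the shortcut is named after ctfmon and opens a .htm/.html file, and that the Task Manager lockout is the DisableTaskMgr policy value; run it after cleaning to confirm both are gone.

```powershell
# Added example, not from the thread: check the two persistence spots the post
# describes. Assumptions: the Startup shortcut is named like ctfmon and opens a
# saved .html page; the Task Manager lockout is the DisableTaskMgr policy value.
# Needs PowerShell 3.0 or later; run it from the account that shows the lock screen.

$findings = @()

# 1. Shortcuts in the per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments
        # Flag a shortcut that opens a saved web page (.htm/.html, e.g. out of
        # Temporary Internet Files) or one named after ctfmon whose target is not
        # the real binary under %SystemRoot%.
        $opensHtml = "$target $lnkArgs" -match '\.html?(\s|$)'
        $lookalike = ($_.BaseName -like 'ctfmon*') -and ($target -notlike "$env:SystemRoot\*")
        if ($opensHtml -or $lookalike) {
            $findings += [pscustomobject]@{ Kind = 'StartupShortcut'; Where = $_.FullName; Detail = "$target $lnkArgs" }
        }
    }
}

# 2. Policy values that hide Task Manager / regedit. These are the legitimate
#    admin settings the post mentions; on a home PC they are normally absent.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq 1) {
            $findings += [pscustomobject]@{ Kind = 'PolicyLockout'; Where = "$key\$name"; Detail = $value }
        }
    }
}

if ($findings.Count -eq 0) { 'No web-page Startup shortcuts or lockout policies found.' }
else { $findings | Format-Table -AutoSize }
```

Anything it lists is only a lead to inspect by hand, since a legitimate shortcut to a local help page would also match the .html pattern.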
-
Rich! How are you? Long time; no see. Good to see you back.
-
Nice to see you back Rich. How's things in Hotlanta?
-
Same here TD, my brother-in-law's computer just picked this one up as well.
-
How did they get it?
semp
-
I picked it up a month ago also. I got it from a JavaScript or Flash exploit in an otherwise okay webpage. They load themselves that way.
-
Thanks guys. Might as well post the solution here. This works for 99% of those "You're infected, you need to buy this software to remove it" scams. You need two things to remove it: RKill and Malwarebytes. You can get RKill.exe from Bleeping Computer here: http://www.bleepingcomputer.com/download/rkill/ Most of these malwares will not allow you access to the internet, or if they do they will not allow you to download. Use a USB stick or another method to place both programs on your desktop. If you do not have Malwarebytes installed, this is what you need to do.
Restart the PC in Safe Mode with networking
Start RKill
Run or install Malwarebytes (try to update the database). DO NOT restart your PC if Malwarebytes asks you to.
Run Malwarebytes with an IN-DEPTH scan.
Again, these programs attack iExplorer.exe, and RKill ends all non-essential processes and keeps them stopped.
Hope this helps you guys
TD
-
Heya Rich,
They also might need to get "TDSSKiller" by Kaspersky Labs... a lot of those malware/rootkit viruses are showing up as using the "Alureon" rootkit, and it inserts itself in the operating memory.
(CCleaner) can also clean it from the memory... then they can use Malwarebytes, etc. to scan/clean their HDs.
But yeah, what Tildeath posted :aok
TC
-
Well, on my mom's I checked out what pages she was on the day it happened and the day before to see where she was, and the day it happened she was on Walmart's page for the Black Friday deals, but someone (most likely the niece) was over there and they were trying to get on some Disney/Nick Jr website, but she didn't type in the actual website name, she Googled it. So I'm guessing she was not on the actual website. While I was over there I noticed she was running IE7 and Flash wasn't up to date. So got Flash up to date before I left and gonna update anything else she hasn't yet. But all looks ok; did the thing you said, Rich, and ran Malwarebytes for like the 4th time and nothing is showing up besides what I saw the first time it ran. Guess I will post up what it showed it found and removed. Maybe you guys can see which it actually was.
-
Thanks TD, just cleaned version #5 today; all it needed was AntiMalware run in Safe Mode with networking. Of course, back in normal Windows, I ran ESET's Online Scanner for other nasties, but that's another story. Funny thing with these Finnish versions is that they have been translated with some program. The results have been more or less hilarious: you know, "can" can be either a verb or a container for food... Another funny thing: they want the payment via Ukash, which they say would be available from a kiosk chain. Ukash.com doesn't show any partner names for Finland. My former boss tried to teach us a "cui bono" (who benefits) philosophy to find out the reasons for customer behaviour. So, if no-one can get any money from here, I'd call it a lose-lose situation.
-
HijackThis in safe mode may find some unwanted strings as well.
Deleting temporary internet files, AKA browser cache, is a must for all browsers.
The most important advice is to dump Internet Exploder and use alternatives like Firefox, Opera or Chrome - a lot fewer options to infiltrate them.
Keeping Windows up to date is a must; other programs like Flash, Adobe Reader, Java, etc. should be on auto-update. If Java is installed, disable the browser plugins.
-
HijackThis in safe mode may find some unwanted strings as well.
Deleting temporary internet files, AKA browser cache, is a must for all browsers.
The most important advice is to dump Internet Exploder and use alternatives like Firefox, Opera or Chrome - a lot fewer options to infiltrate them.
Keeping Windows up to date is a must; other programs like Flash, Adobe Reader, Java, etc. should be on auto-update. If Java is installed, disable the browser plugins.
Adobe Reader should not be installed at all. Foxit is faster and more secure.
-
Are Adobe products the problem or are some ok?
I use Foxit; the other day Adobe installed itself on my PC, my mrs ok'd it :old:
-
Adobe products are OK per se, but since they are so widespread that they are considered somewhat of a standard, it makes them more appealing to hackers than products with a more marginal market share.
-
Adobe products are OK per se, but since they are so widespread that they are considered somewhat of a standard, it makes them more appealing to hackers than products with a more marginal market share.
Actually, Adobe products contain some of the worst security holes currently. The "top" performers in the 10 worst security risks consist of Adobe products and Sun Java at the moment. No reason to keep either one enabled on the computer.
-
That's another way of saying it. I've learned that the so-called "safe" products have security holes as well, but since they aren't as widespread as Adobe's, no one cares. Neither the users nor the hackers... If the same amount of hacking hours were spent trying to find flaws in the "safe" products, I bet they wouldn't be safe any more.
I'm not against using these safer alternatives. Some of them actually work better than their mainstream equivalents, like Foxit vs. Adobe Reader. My point is that "safety" doesn't necessarily mean "flawless", only "less scrutinized".
Take MrRipley's advice.
-
The new Readers 10/11 are indeed better with their sandbox but still open to attacks. Plus Adobe is rather reluctant to release out-of-schedule updates to fix known holes (Oracle is even worse in this; that's why Java got such a bad reputation). Plus the ever-growing size of what was originally just a PDF reader.
If you need Java for programs, disabling the browser plugins is the first measure to increase system security (assuming you manually keep an eye on updated versions).
Foxit Reader is smaller but grows in size and functions as well, but they offer faster reaction times to bugs (though they lack support for updated language packs).
-
Thanks guys. Might as well post the solution here. This works for 99% of those "You're infected, you need to buy this software to remove it" scams. You need two things to remove it: RKill and Malwarebytes. You can get RKill.exe from Bleeping Computer here: http://www.bleepingcomputer.com/download/rkill/ Most of these malwares will not allow you access to the internet, or if they do they will not allow you to download. Use a USB stick or another method to place both programs on your desktop. If you do not have Malwarebytes installed, this is what you need to do.
Restart the PC in Safe Mode with networking
Start RKill
Run or install Malwarebytes (try to update the database). DO NOT restart your PC if Malwarebytes asks you to.
Run Malwarebytes with an IN-DEPTH scan.
Again, these programs attack iExplorer.exe, and RKill ends all non-essential processes and keeps them stopped.
Hope this helps you guys
TD
This.
Also good to note that occasionally you may need to run RKill more than once. Not a big deal, as it usually only takes a minute or two.
Rarely, but occasionally, I find that RKill doesn't entirely work, in which case I sometimes resort to ComboFix, which I find tends to work on some of the tougher stuff. Takes a bit longer but it works.
http://www.bleepingcomputer.com/download/combofix/
-
Whenever one of my computers gets infected with something, I always suspect the worst and reformat the C: drive. Despite running malware this and that, if the infection dropped a rootkit on your computer, chances are no tool will find it and you end up compromised regardless of any cleaning operations. Also, you should keep in mind that even on regular viruses, the most advanced AVs can only do 98% detection of _known_ viruses. That's literally thousands of well-known viruses that slip past detection, without even mentioning new and unknown versions.
If/when you get into the habit of splitting your C: drive and D: data drive as the first thing during installation and then putting all your vital data on D:, it makes it very simple to nuke the C: drive and start from scratch.
-
Nod32, Microsoft Security essentials didn't catch it (moms comp) avg,Norton, Microsoft essential (friends ). I was able to clean friends by booting in safe mode and running malawayer bytes Malwarebytes' AntiMalware. Tried same thing on moms but it has changed. Wouldn't let me launch explorer (yes I know about explorer ) so launched in safe with command prompt and launched that way. Ran malaware and found 3 bugs.
One thing to bear in mind is that many malware programs try to look like legitimate ones. I'm not trying to be a grammar nazi, but incorrect spelling can lead to more trouble. Also, make sure you surf to the right website to find the real thing: anti-malware-bytes.com.fyxm.net, for example, is rated very unsafe.
Scammers like typos: years ago I needed the address of a site advertising pens. Their brochures had the title "Pen House". Most of the search results suggested I had dropped a "t" from between...
-
One thing to bear in mind is that many malware programs try to look like legitimate ones. I'm not trying to be a grammar nazi, but incorrect spelling can lead to more trouble. Also, make sure you surf to the right website to find the real thing: anti-malware-bytes.com.fyxm.net, for example, is rated very unsafe.
Scammers like typos: years ago I needed the address of a site advertising pens. Their brochures had the title "Pen House". Most of the search results suggested I had dropped a "t" from between...
Oh, for a second I thought you were looking for a pen extender :ahand