Malware Infection

Sean Malone
02-12-10, 02:18 PM
Got a nasty sucker first thing yesterday morning on my Windows laptop called Antivirus Soft, a malware app that poses as antivirus software, locks all of your apps, including the ability to open Control Panel etc. It generates warning dialog boxes faster than you can close them. I had 100 open before I was able to shut it down and restart in safe mode.
AVG full scan came up with nothing. Used a recommended program called Malwarebytes that found and removed 9 items. I believe HiJack This will find them too but you have to know what you are looking at in order to remove them.
The only website I went to before this thing popped up was Facebook. That place has more damn viruses and malware, it's ridiculous.

Just a heads up.

Kiwifan
02-12-10, 02:37 PM
Hi Sean, hope you have it sorted by now. I have used HijackThis before but it is pretty powerful. There is an analyser for it at http://www.hijackthis.de/ (as the site states, it only does an online analysis, so any deletions are still done by the user at their own risk).

Another good site is http://www.dslreports.com/forum/cleanup

Good luck!

Rusty.

WickerBill
02-12-10, 02:45 PM
Run MalwareBytes *and* Spybot Search and Destroy in Safe Mode. You will have to download Spybot and its updates so it doesn't try to go to the web to download them from safe mode. But between the two of them, they should get you reasonably clean.

dando
02-12-10, 04:18 PM
The only website I went to before this thing popped up was Facebook. That place has more damn viruses and malware, it's ridiculous.

Just a heads up.

One thing that bugs me about FB and Twitter is the use of Tiny URLs (a necessity with Twitter, tho). I really like to see the URL I'm clicking on before I get there and chance being infected. :saywhat:

-Kevin

TKGAngel
02-12-10, 04:20 PM
One thing that bugs me about FB and Twitter is the use of Tiny URLs (a necessity with Twitter, tho). I really like to see the URL I'm clicking on before I get there and chance being infected. :saywhat:

-Kevin

If you use something like Twitter Gadget on an iGoogle page, you can hover over the URL to see whether it's friend or foe. Haven't figured out what other apps that works on yet, though.

Elmo T
02-12-10, 04:31 PM
One thing that bugs me about FB and Twitter is the use of Tiny URLs (a necessity with Twitter, tho).
-Kevin

I avoid the FB links - anyone who really wants me to see something will have to send it direct.

I had the MalwareBytes program on the old laptop. I've been using Verizon's Security System and Spybot on the new one. Any techie opinions of the Verizon package?

datachicane
02-12-10, 05:45 PM
I did a cleanup of the same malware on my moonlighting support gig a few weeks back. Pretty clever + nasty, it had been lurking for over a month before it went active. I'd started supporting the AVG-installed box after it was infected, installed malwarebytes + adaware, both of which found other culprits but not this one. Turns out it allows them to install, but alters the install, forces a definitions update and substitutes its own bogus definitions file which curiously :saywhat: omits all references to itself.

Locked out task manager and the command window, so I wrote a string that launched 50+ command windows and ran it. The malware shut down the first 40 or so, but left me enough to do the job. Multiple rkill executions, uninstalled and reinstalled malwarebytes (but didn't run). Malwarebytes provides a download of the core .exe with a random generated filename to hide it from the malware, download and execute that instead of the regular (now malware altered) .exe, and you're home free. A total pain in the ass.
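As an added example (not code from any post in this thread), a read-only PowerShell triage script for the two symptoms described above: Task Manager and the command window being locked out, and the malware surviving reboots. The registry paths are the standard Windows policy and autostart keys; the "user-writable path" and "random-looking name" patterns are constructed heuristics, not a signature for Antivirus Soft itself.

```powershell
# Added example, not from the thread. Read-only triage: nothing is modified.

# Policy values that are one common way to disable Task Manager, Control Panel
# and the Registry Editor (value absent or 0 = not restricted).
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Meaning = 'Task Manager disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Meaning = 'Registry Editor disabled' }
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Meaning = 'Control Panel disabled' }
)
foreach ($c in $policyChecks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($item -and $item.($c.Name) -eq 1) {
        Write-Warning ("{0}: {1}\{2} = 1" -f $c.Meaning, $c.Path, $c.Name)
    }
}

# Autostart entries (the O4 items HijackThis lists). Flag commands that run from a
# user-writable profile/temp folder, or whose executable name is a long bare run of
# letters. Both are constructed heuristics and will need a human to judge each hit.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($psMeta -contains $p.Name) { continue }   # skip PowerShell's own metadata properties
        $cmd = [string]$p.Value
        $reasons = @()
        if ($cmd -match '\\(AppData|Local Settings|Temp|Application Data)\\') { $reasons += 'runs from user-writable path' }
        if ($cmd -match '\\[a-z]{10,}\.exe') { $reasons += 'random-looking executable name' }
        if ($reasons.Count -gt 0) {
            Write-Warning ("{0}\{1} -> {2}  [{3}]" -f $key, $p.Name, $cmd, ($reasons -join '; '))
        } else {
            Write-Output ("{0}\{1} -> {2}" -f $key, $p.Name, $cmd)
        }
    }
}
```

Run it from Safe Mode, where the rogue is less likely to be running, and compare the flagged entries against what Malwarebytes or HijackThis report before removing anything.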

G.
02-12-10, 09:05 PM
Computers are a PITA.

One of my 3 always seems to be down.
Latest adventure is my main box with a driver issue, or somesuch. The file rdbss.sys causes BSOD upon shutdown. Near as I can find, it's a HW thing, either RAM or HD fail. It can startup fine, but there is no internet, even though I'm connected.

Pisses me off. :flame: I'm not smart enough to do that fancy stuff like datachicane. :( I have to go straight to the install disk.

Last few months I've learned more than I should have to know about the damn things.

WickerBill
02-13-10, 01:03 AM
You haven't lived until you've cleaned malware off of a Mac. The tools to help with malware removal on MacOS are poor, because Macs don't get nasties, right?? :rolleyes:

oddlycalm
02-13-10, 05:13 AM
Early on there should have been seriously medieval punishments for hackers and malware creators. Cut off their hands and they won't do it again. :\ Too late to do it now that it's become a sport and an instrument of foreign policy. :saywhat:

oc

cameraman
02-13-10, 05:38 PM
You haven't lived until you've cleaned malware off of a Mac. The tools to help with malware removal on MacOS are poor, because Macs don't get nasties, right?? :rolleyes:

What on earth was on your Mac that MacScan or McAfee couldn't immediately find & remove in a few minutes? Seriously, boot from the CD and scan, you're done. There is currently no malware that will damage OSX. The antivirus apps will find & clear any known Windows malware at the same time. For all intents and purposes that is all that they are looking for anyway.

WickerBill
02-13-10, 05:55 PM
I don't own a Mac, I'm just asked to fix them. This lawyer got, basically, a zero-day exploit of Tored-F last summer, and of course it was days before the MacScan definitions were updated enough to fix it. It was emailing everyone in his address book and acting as a member of a botnet anytime it was turned on and connected to the internet. And you can imagine how big a lawyer's address book is.

You get something like that on a PC, you have HiJackThis and other registry tools with which, if you know what you're doing, you can find and neuter the malware until a cleaner comes out.

cameraman
02-13-10, 06:28 PM
So your lawyer was fooled by the Mac/ToredA email? :eek::eek::eek:

Oh my word.

That's the first person I've ever heard of who got that for real.:shakehead

WickerBill
02-13-10, 07:33 PM
So your lawyer was fooled by the Mac/ToredA email? :eek::eek::eek:

Oh my word.

That's the first person I've ever heard of who got that for real.:shakehead


Not even CLOSE to the dumbest computing-related incident in that office. Not...even...close.

Sean Malone
02-13-10, 09:59 PM
So your lawyer was fooled by the Mac/ToredA email? :eek::eek::eek:

Oh my word.

That's the first person I've ever heard of who got that for real.:shakehead

Puleeze. The higher up the pay scale food chain, the less computer savvy they are. Hell, I'd wager $100 Bill Gates/Steve Jobs doesn't know how to frickin' turn one on!

Hard Driver
02-14-10, 01:53 AM
Try to get it with Malwarebytes or Spybot Search and Destroy, both can be downloaded at download.com

If the malware still starts when in safe mode you are dealing with a nasty rootkit. (To get to safe mode, press F8 during startup)

To get rid of a rootkit can be really nasty. I have done it with Sophos Anti-Rootkit, which will identify possible files, but then you need to select which ones to delete.
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

I also had one nasty that had to be deleted with TDSSKiller.exe detailed here:
http://support.kaspersky.com/viruses/solutions?qid=208280684

TrueBrit
02-14-10, 09:57 PM
I am a complete putey luddite so when something nasty rears its ugly head I go to www.cybertechhelp.com. They have been very helpful giving step-by-step advice on how to clean things up...

WickerBill
02-15-10, 09:22 AM
Sean, you get it cleaned up?

Sean Malone
02-15-10, 10:14 AM
Sean, you get it cleaned up?

Yep...finally! It took quite a few full scans with Malwarebytes and Scanbot, but everything is coming up clean now and no trace of the bugger for 24 hours.

Thanks for the tips everyone! What a PITA!!!!