
Spyware 201

Discussion in 'BYTE ME: Technology discussion' started by Blacken, Jul 12, 2008.

  1. Barbara

    Barbara Member SoSH Member

    I spent 30 minutes reading this thread last night. Lots of good stuff.

    Someone advised not to use a USB flash drive on a potentially infected computer as the flash drive could become infected and yadda yadda yadda. Well I have done that. As advised, I am going to load Malwarebytes, Avast, a new version of Mozilla, etc on a CD and load from there.

    Is there a way to make sure my flash drive is not infected? I can use the possibly infected computer to delete everything on it if that would work.
  2. InsideTheParker

    InsideTheParker Member SoSH Member

    This morning my desktop wouldn't load and I therefore had no access to anything. The Dell tech speculated that I had gotten a virus masquerading as a Microsoft Update as I turned off my computer last night. He took remote control of the computer in safe networking mode and moved the system back to 10/25 and it was fixed. He warned that it could recur, but that Microsoft must be working on a fix for this problem. I asked him if I should just disable Microsoft Update as an automatic feature, but he said that wouldn't help, since the virus would just line up with all the other updates and I wouldn't be able to recognize it whenever I decided to download the updates, which I ought to do. While this was going on, the McAfee shield came up and said I wasn't protected. I clicked on their updates and eventually it started coming up "Your system is secure." So, how can I avoid this in future? And if it's unavoidable, how can I learn to do for myself whatever the techie was doing remotely (he did it so fast I couldn't learn anything)? He implied that it was really a software problem and he was doing it for me as a special favor which I mightn't get in future.

    This may be the completely wrong thread for this query, but I am too stupid to know where it ought to go.
  3. kneemoe

    kneemoe Member SoSH Member

    There's no way to be sure anything is 100% infection free no matter how many different scans you do; wiping is the only guarantee. That said, unless the machine you connected it to had something really sneaky, I would just scan it with an updated copy of Malwarebytes and maybe double check it with something else like Hitman Pro if you want to be extra safe.
  4. kneemoe

    kneemoe Member SoSH Member

    It's possible you downloaded an update that didn't agree with your system. It's also possible you were infected with a virus. It's very doubtful you installed a Windows update that was a virus via something like a man-in-the-middle attack, so unless you went to some weird site and downloaded a file which claimed to be a Windows update, I'm not really buying what the Dell tech said (he may have just been taking the easy way out, saying whatever sounded sensible to make his life easier; it happens more than you think).

    If you feel safer disabling the automatic update (I do) go for it, and then just go to http://www.update.microsoft.com/ every now and again.

    As for what he did - I'd bet he just used System Restore. Go to "Start" -> Programs -> Accessories -> System Tools, click System Restore, and see if that looks familiar.
  5. Burt Reynoldz

    Burt Reynoldz Member SoSH Member

    I've been dealing with an odd, pain-in-the-ass pop-up/virus problem over the past few days. I get these IE pop-up ads (which is weird, since I only use Firefox) for different/random ads and sites, the most common of which is something called Epic Video Arcade. I've run AdAware, Spybot S&D, and Malwarebytes multiple times each, along with CW Shredder. AdAware and Spybot will pick up a small handful of cookies they deem dangerous, and remove them, but nothing else. The weird thing is that I'll get these pop-ups in spurts; for instance, when I first got on my computer this morning, I got a series of 3-5 of them, then nothing all day. In the last 20 minutes, I've probably had another 6.

    I'm going to try Hitman Pro now, and see what happens. Outside of that, anyone have any idea? This shit is baffling me.
  6. InstantKarmma

    InstantKarmma Defender of Roadrunners Lifetime Member SoSH Member

    Download HijackThis from CNET: http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

    Run it, post the log here and I'll take a look at it.
  7. Oil Can Dan

    Oil Can Dan Well-Known Member Lifetime Member SoSH Member

    So my bank called me to tell me that they are 100% certain that a known online thief has logged in to my bank account, so they temporarily disabled my account. I read this thread, installed MalwareBytes and AVG, and via a scan it found some things like "Hijack.ControlPanelStyle", "Backdoor.generic.13YXN" and "dropper.generic2.CKPW". I removed these via MalwareBytes and AVG, and now I want to go change all my passwords, etc. Am I good to do that now, or is there more I should do? It really freaks me out to know that someone, somewhere most likely has my passwords to all my accounts, etc. I have no idea how this could have happened as I don't surf shady sites on this computer, etc etc. I use mint.com and an ipad/iphone - maybe it's one of those things instead of this laptop? Or could it have happened had I logged in via a public wifi network (which I generally don't do, but perhaps I did inadvertently?).

    * I did a little googling around on 'Hijack.ControlPanelStyle' and the other viruses found and I don't really know what to make of them. It seems they're less of a trojan horse type threat than I initially thought. Seems it may be something that a work administrator installed to prevent me from viewing certain things in my control panel, and/or just files associated with Malwarebytes or something.

    I am very confused.
  8. mabrowndog

    mabrowndog Ask me about total zone...or paint Lifetime Member SoSH Member

    Just got a new Lenovo x120e notebook which I'm in the process of setting up. The OS is Win 7 pro 64. It came with Norton, but there's no way I'm subscribing to any updates beyond the trial period.

    So I'm checking in to see what other (free) stuff I should install. Are HijackThis, Malwarebytes, and Windows Security Essentials still the gold standards? Anything else I should be considering?

    Thanks in advance.
  9. j44thor

    j44thor Member SoSH Member

    Spybot Search & Destroy is one of my go to apps. Provides some decent registry protection and the browser immunization is good as well.
  10. weeba

    weeba Member SoSH Member

    I just learned that Spybot treats vistaprint.com as a malware site when doing an immunization and puts it in the hostfile as a redirect to localhost.

    Just something to keep in mind / repair if you use that site for anything.
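As an added example (not from the post above), here is a small Python script that shows what a hosts-file immunization entry looks like, lists every hostname a hosts file redirects to localhost, and removes one entry (vistaprint.com) while leaving the rest of the file untouched. The sample hosts content is constructed; it only mimics the format Spybot writes.

```python
"""Inspect a hosts file for 'immunization' entries (hostnames pointed at
localhost) and remove a single entry that should not be blocked."""
import ipaddress

# Any of these targets makes a hosts line a block/redirect rather than a real mapping.
LOCALHOST_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, modelled on the block Spybot's immunization inserts.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.vistaprint.com
127.0.0.1 vistaprint.com  # added by immunization
127.0.0.1 0scan.com 000stabilitypatch.com
# End of entries inserted by Spybot - Search & Destroy
192.168.1.10    nas.local
"""


def parse_hosts(text):
    """Return a list of (ip, [hostnames]) for every non-comment, well-formed line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop inline and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line: not an address, skip it
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def blocked_hosts(text):
    """Hostnames redirected to localhost (the 'immunized' sites), sorted."""
    blocked = set()
    for ip, names in parse_hosts(text):
        if ip in LOCALHOST_TARGETS:
            blocked.update(n for n in names if n != "localhost")
    return sorted(blocked)


def is_blocked(text, hostname):
    return hostname.lower() in blocked_hosts(text)


def unblock(text, hostname):
    """Return the hosts text with `hostname` removed from localhost-redirect
    lines. Lines that did not block it are kept byte-for-byte."""
    hostname = hostname.lower()
    out = []
    for raw in text.splitlines():
        code, sep, comment = raw.partition("#")
        parts = code.split()
        if (len(parts) >= 2 and parts[0] in LOCALHOST_TARGETS
                and hostname in (p.lower() for p in parts[1:])):
            remaining = [p for p in parts[1:] if p.lower() != hostname]
            if not remaining:
                continue  # the line only blocked this host: drop it entirely
            raw = parts[0] + " " + " ".join(remaining) + (sep + comment if sep else "")
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("blocked:", blocked_hosts(SAMPLE_HOSTS))
    print(unblock(SAMPLE_HOSTS, "vistaprint.com"))
```

On a real machine, read the text from C:\Windows\System32\drivers\etc\hosts (or /etc/hosts) and write the result of unblock() back with administrator rights.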
  11. DukeSox

    DukeSox Rick Derris SoSH Member

  12. DukeSox

    DukeSox Rick Derris SoSH Member

    It appears Chrome was the problem. I uninstalled and have had no problems.
  13. savage362

    savage362 Member SoSH Member

    Parents' computer has been real slow lately. Avast was showing in the taskbar as being unsecure, but when the program was opened it said it was secure.

    I attempted to run the disk defragmenter and got a message saying "Disk Defragmenter has detected that Chkdsk is scheduled to run on the volume: (C:). Run Chkdsk /f." I checked the scheduled tasks and this is not scheduled.

    Ran Malwarebytes and found 21 infections including trojan.vundo. I removed all and ran HijackThis but stuff still doesn't seem right. I'm assuming it's not entirely gone or there's something else that's being missed. Here's the log file. Any help?

    "O20 Winlogon Notify" seems suspicious to me.


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:36:30 PM, on 6/11/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal
    Running processes:
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Olympus\ib\olycamdetect.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    C:\Program Files\TeamViewer\Version5\TeamViewer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Gary\Desktop\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070103
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
    O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O2 - BHO: (no name) - {907FB1A9-3EF2-45E8-910F-DB150D9B40D4} - C:\WINDOWS\system32\awvvt.dll (file missing)
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [MDS_Menu] "C:\Program Files\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
    O4 - HKLM\..\Run: [Olympus ib] "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
    O4 - HKCU\..\Run: [Cyv] C:\WINDOWS\?ymbols\w?crtupd.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Olympus ib] "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.comcast.com
    O15 - Trusted Zone: *.intuit.com
    O15 - Trusted Zone: http://www.msn.com
    O15 - Trusted Zone: http://www.pogo.com
    O15 - Trusted Zone: http://www.target.com
    O15 - Trusted Zone: http://*.turbotax.com
    O15 - Trusted Zone: http://www.webkinz.com
    O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5213/mcfscan.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O20 - Winlogon Notify: rqronop - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
    O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
    O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
    End of file - 10394 bytes
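As an added example (not part of the post above), the following Python script applies the first-pass triage a reviewer does on a HijackThis log: it parses the "Oxx - ..." entry lines and flags the types that stand out in the log posted here, such as an O20 Winlogon Notify entry with invalid registry data, an O4 Run entry whose path contains '?' (HijackThis prints non-ASCII path characters that way), and O2 BHO entries with no name or no file. The sample log is constructed from a few lines in the same format; the severities are heuristics, so a flagged line is a candidate for a closer look, not proof of infection.

```python
"""First-pass triage of a HijackThis-style log."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries in the same format as the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.4
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: (no name) - {907FB1A9-3EF2-45E8-910F-DB150D9B40D4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Cyv] C:\WINDOWS\?ymbols\w?crtupd.exe
O15 - Trusted Zone: http://www.pogo.com
O20 - Winlogon Notify: rqronop - Invalid registry found
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
End of file - 1234 bytes
"""

# Entry lines start with a section code (R0, O2, O4, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}


@dataclass
class Finding:
    section: str
    severity: str
    reason: str
    line: str


def parse_entries(log_text):
    """Yield (section, body, original_line) for each entry; header/footer lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body"), raw.strip()


def triage(log_text):
    """Return findings sorted by severity, highest first."""
    findings = []
    for section, body, line in parse_entries(log_text):
        orphaned = "(no file)" in body or "(file missing)" in body
        unnamed_bho = section == "O2" and body.startswith("BHO: (no name)")
        if section == "O20" and "Invalid registry found" in body:
            findings.append(Finding(section, "high",
                "Winlogon Notify handler with invalid registry data (typical Vundo/Virtumonde persistence)", line))
        elif section == "O4" and "?" in body:
            # HijackThis renders non-ASCII path characters as '?'; real startup entries rarely have them.
            findings.append(Finding(section, "high",
                "Run entry with non-ASCII characters in its path", line))
        elif section in ("O2", "O3", "O9") and orphaned:
            findings.append(Finding(section, "medium" if unnamed_bho else "low",
                "orphaned entry pointing at a missing file (safe to remove; ask why it is missing)", line))
        elif unnamed_bho:
            findings.append(Finding(section, "medium",
                "unnamed browser helper object with a DLL on disk", line))
        elif section == "O15":
            findings.append(Finding(section, "info",
                "site in the IE Trusted Zone (relaxed security settings apply)", line))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def report(log_text):
    """Plain-text report, one line per finding."""
    return "\n".join(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}"
                     for f in triage(log_text))


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```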
  14. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member

    You can try further cleaning with Vundo Fix and/or VirtumundoBegone. See HERE.
  15. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    So. . . anyone dealt with XP Antivirus 2102 yet?

    This looks to be some really nasty shit. It's disabled Malwarebytes and taken over my browsers so I can't download anything.

    I'm guessing that my best bet is to load Malwarebytes and Firefox on a CD from another computer, restart the infected computer in safe mode, reinstall Malwarebytes and Firefox, and go from there?
  16. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member

    You can try renaming the main Malwarebytes executable from mbam.exe to mbam.bat to see if it will run.

    Otherwise, removal instructions HERE.
  17. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    Renaming the .exe worked. I was able to run Malwarebytes and it fixed the problem. Thanks.
  18. aksoxfan

    aksoxfan Member SoSH Member

    Somehow I picked up the latest variant "malware Detector" while on the SoSH Gamethread and MLB Gameday yesterday. Very weird that it would come from one of these sites.
  19. kneemoe

    kneemoe Member SoSH Member

    FYI - it doesn't come from friendly sites, it gets in through the ad servers.
  20. HomeBrew1901

    HomeBrew1901 Has Season 1 of "Manimal" on Blu Ray SoSH Member

    What THE fuck is going on with my computer??? We have an HP and have 4 logons, one for each of us; everyone else's works great but mine keeps coming up with a virus scan for Vista 6 on Firefox. It doesn't happen for anyone else's side. Help...
  21. amh03

    amh03 Tippi Hedren Lifetime Member SoSH Member

    I was infected with the XP antivirus 2012 last week too...what a pain in the ass!
  22. SemperFidelisSox

    SemperFidelisSox suzyn SoSH Member

    Does anyone know where I can download a safe Key Logger for my computer that will not be detected by spyware protection?
  23. DannyHeep

    DannyHeep well trained post artisan Lifetime Member SoSH Member

    I just developed the same problem with google redirecting me to ad sites. I'm running this as I type. Looks like I have a shitload of errors according to this program.

    Does anyone know why the google shit happens? Can I just fix all of these errors?
  24. DannyHeep

    DannyHeep well trained post artisan Lifetime Member SoSH Member

    Shit I have to pay for this? Bummer...

    My bad, I had the wrong software. Hitman fixed it. Thanks!
  25. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    I appear to have gotten some nasty trojans from SoSH last night (I guess it's the ads?) Among other things, it set me up to connect through a proxy server.

    I ran Spybot and Hitman and both of them found and deleted stuff. But when I'm trying to run Malwarebytes, it tells me that I don't have the necessary permissions. It won't let me rename the .exe either. I've tried uninstalling/reinstalling, no success.

    Am I fucked? What more can I do?

  26. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member

    If you can browse to the site, you can try the online scan at www.eset.com
  27. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    Thanks. I tried that, and it found and killed 5 objects (3 worms and 2 trojans).

    I can now browse and use my computer somewhat normally, but it is still a little slow, AND it will not let me run either Microsoft Security Essentials or Malwarebytes - in both cases it says I don't have the correct permissions, which has never been a problem for me before.

    So I think I still have something. I've already run Spybot, Hitman, and eset.com, and can't do Malwarebytes or MSE. Anything else I can try?
  28. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member

    I'd go with the 30-day trial full version (free) of Kaspersky:

  29. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    I installed it, but it won't start.

    I think I'm fucked.

    Edit: just navigated in Windows Explorer to try to start the .exe manually, and again, it told me I didn't have permission. Something is preventing me from starting any kind of antivirus software because I don't have permission (I am able to start other programs fine).
  30. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member


    Looks like you'll need ComboFix.

    You can try using it solo, or follow instructions from one of the folks at bleepingcomputer.com
  31. OilCanShotTupac

    OilCanShotTupac Sunny von Bulow Gold Supporter SoSH Member

    I ran ComboFix. That's some serious shit.

    It *looks like* I'm OK.

    Thanks, Harry. I owe you a beer or three.
  32. LoweTek

    LoweTek Well-Known Member Lifetime Member SoSH Member

    Has anyone purchased the Pro version of Malwarebytes and run it regularly? Is it worth it?

    I have spent time in the last couple of days cleaning the "Windows Recovery" malware from a friend's Vista SP2 machine. Malwarebytes seems to have cleared most of it.

    This thing was nasty - blocked Malwarebytes, blocked rkill, hid all kinds of files, etc. I got a clean Malwarebytes run (39 hours) which caught and cleaned 9 various issues.

    They are running Windows Defender and Iolo System Shield (which detected and killed part of it but not all).

    I'm still short one windows update which keeps reverting supposedly due to "interference." Windows update will not start in Safe Mode.

    MSFT suggests running SFC (System File Checker) because it's also still getting the occasional "Explorer.exe has failed" error, which is fun too as it gives you a cursor and a blank screen after startup and login. Restarting seems to give back a normal desktop. I am concerned the explorer.exe error is in fact some kind of reinfection occurring.

    Any thoughts on any of the above, next steps or other suggestions?
  33. IpswichSox

    IpswichSox Well-Known Member Gold Supporter SoSH Member

    The family computer got hit with this today -- and then I remembered seeing it referenced in this thread with a link to bleepingcomputer.com's removal instructions. I followed the instructions; downloaded FixNCR.reg and Rkill; was then able to run Malwarebytes, which found five files; then tried running MSE but it had been disabled and it wouldn't let me re-enable, so had to uninstall and then reinstall MSE, which ran a full scan and came back clean. Scanning with Malwarebytes again now.
  34. bosoxsue

    bosoxsue Well-Known Member Lifetime Member SoSH Member

    I was going to go to this site to see if my computer is affected. But then the conspiracy theorist commenters made me nervous. Has anyone else tried out the FBI link contained in this story?

  35. jose melendez

    jose melendez Earl of Acie Lifetime Member SoSH Member

    According to the FBI site, it seems legit

    For stories like that, I recommend going directly, not via link, to the original site.
  36. Chico Walker and the Man

    Chico Walker and the Man Member SoSH Member

    I have a trojan on my computer (Trojan horse Patched_c.LYU) which AVG Free is detecting but cannot delete. Malwarebytes doesn't see it. I looked for the registry keys typically associated with this file to delete them, but none of the file names on various webpages are in my registry.

    Is there a trojan removal program that people would recommend? Or, an updated list of registry files I might look for to delete?
  37. Harry Hooper

    Harry Hooper Well-Known Member Lifetime Member SoSH Member

    You can try the free Rootkit Buster tool from Trend Micro:


    or eset's rogue application remover tool:

  38. cgori

    cgori Well-Known Member Silver Supporter SoSH Member

    Everyone should force-update to Java7 Update10, then use the control panel security tab to disable Java, for the moment: http://www.csmonitor.com/Business/2013/0112/Disable-Java-Here-s-how-after-US-agency-warns-of-software-vulnerability. -- there are some nasty vulnerabilities out there in Java (again).

    EDIT: fix broken link
  39. InstantKarmma

    InstantKarmma Defender of Roadrunners Lifetime Member SoSH Member

  40. kneemoe

    kneemoe Member SoSH Member

    Remember folks, it's Java. Sit back and have a cup; you'll be waiting a while if you expect it to be secure.

  41. OttoC

    OttoC Member SoSH Member

    You should also be certain that you have removed all previous versions of Java from your system. Oracle doesn't/didn't bother to do that.
  42. Koufax

    Koufax Well-Known Member Lifetime Member SoSH Member

    I recently purchased a new computer with Windows 8. As far as I can tell, Java has never been installed on it (at least there is no trace of it when I fiddle with the browser options in Explorer). But I am not sure how to really know that, because the old familiar control panel is either missing or hard to find on Windows 8. Any recommendations on how to determine if I have JAVA and how to uninstall it?
  43. SoxFanInCali

    SoxFanInCali has the rich, deep voice of a god and the penis of Lifetime Member SoSH Member

    Go to java.com and click on the "Do I Have Java?" link.
  44. Koufax

    Koufax Well-Known Member Lifetime Member SoSH Member

    Well that was easy. I have no JAVA. Thanks!
  45. mabrowndog

    mabrowndog Ask me about total zone...or paint Lifetime Member SoSH Member

    I ran across some articles on CNET dating back to Thanksgiving that indicate MSE now sucks ass:
    Security Essentials fails latest AV-Test
    Microsoft bombs another security test
    Microsoft challenges poor grade for Security Essentials
    What led me to the above was yesterday's article touting the built-in anti-virus functions of Windows 8. It mentions that adding third-party anti-virus will boost security even further. Specifically:
    I currently run Windows 7 and have no plans (or apparent need) to upgrade to Win8. I also have MSE installed and run a scheduled full scan every Sunday at 2 AM. With previous versions of Windows, I've run both AVG and Avast. I've never paid for a security suite, and every time I've had a full-blown suite pre-installed on a new PC or laptop (Norton, McAfee, etc.) they've caused major issues in terms of interruptions, unwanted integration and bloated use of system resources. So I always just uninstalled them and went with one of the freebies while also running other utilities (malwarebytes, firewall, spyware, etc.)
    So I'm hoping to get some thoughts on whether Microsoft has adequately addressed the reported deficiencies, or whether I should be ditching it for either AVG or Avast. Thanks in advance.
  46. SoxJox

    SoxJox Member SoSH Member

    Anyone have experience with the free version of BitDefender 13? Does it suffice, or is it worth purchasing the "full" version (anywhere from $39-60)?
  47. Boston Brawler

    Boston Brawler Member SoSH Member

    I ran Super Anti Spyware just now and it flagged this as a possible Trojan.
    Anyone know what this is, or have a suggestion on what to do?
    Edit: Spelling
  48. kneemoe

    kneemoe Member SoSH Member

    You'll probably have to say/look up what that entry actually shows in regedit; maybe it's calling an executable or a DLL? Then you look at that file to see if it should be run automatically. If you know it shouldn't, you simply delete the entry in regedit (or use your malware detector, which should let you quarantine it or something similar).
  49. glasspusher

    glasspusher Member SoSH Member

    Wow, all the stuff I miss using Macs and Linux. Thanks for taking it all for us, windows users!
    BTW, yes, we still have to watch out for phishing.
  50. Bleedred

    Bleedred Member SoSH Member

    I have a new Lenovo T440s (purchased a month ago). My Norton Anti-virus runs out tomorrow. I have historically only purchased one anti-virus product, as I do nothing exotic with my machine. What do you all recommend (link if possible) to provide basic protection?
