Spyware 201

Barbara

Member
SoSH Member
Jul 14, 2005
3,126
Real Virginia
I spent 30 minutes reading this thread last night. Lots of good stuff.

Someone advised not to use a USB flash drive on a potentially infected computer as the flash drive could become infected and yadda yadda yadda. Well, I have done that. As advised, I am going to load Malwarebytes, Avast, a new version of Mozilla, etc. on a CD and load from there.

Is there a way to make sure my flash drive is not infected? I can use the possibly infected computer to delete everything on it if that would work.
 

InsideTheParker

persists in error
SoSH Member
Jul 15, 2005
40,371
Pioneer Valley
This morning my desktop wouldn't load and I therefore had no access to anything. The Dell tech speculated that I had gotten a virus masquerading as a Microsoft Update as I turned off my computer last night. He took remote control of the computer in safe networking mode and moved the system back to 10/25 and it was fixed. He warned that it could recur, but that Microsoft must be working on a fix for this problem. I asked him if I should just disable Microsoft Update as an automatic feature, but he said that wouldn't help, since the virus would just line up with all the other updates and I wouldn't be able to recognize it whenever I decided to download the updates, which I ought to do. While this was going on, the McAfee shield came up and said I wasn't protected. I clicked on their updates and eventually it started coming up "Your system is secure." So, how can I avoid this in future? And if it's unavoidable, how can I learn to do for myself whatever the techie was doing remotely (he did it so fast I couldn't learn anything)? He implied that it was really a software problem and he was doing it for me as a special favor which I mightn't get in future.

This may be the completely wrong thread for this query, but I am too stupid to know where it ought to go.
 

kneemoe

Member
SoSH Member
Dec 19, 2006
2,436
Glens Falls, NY
I spent 30 minutes reading this thread last night. Lots of good stuff.

Someone advised not to use a USB flash drive on a potentially infected computer as the flash drive could become infected and yadda yadda yadda. Well, I have done that. As advised, I am going to load Malwarebytes, Avast, a new version of Mozilla, etc. on a CD and load from there.

Is there a way to make sure my flash drive is not infected? I can use the possibly infected computer to delete everything on it if that would work.
There's no way to be sure anything is 100% infection free no matter how many different scans you do; wiping is the only guarantee. That said, unless the machine you connected it to had something really sneaky, I would just scan it with an updated copy of Malwarebytes and maybe double check it with something else like Hitman Pro if you want to be extra safe.
 

kneemoe

Member
SoSH Member
Dec 19, 2006
2,436
Glens Falls, NY
This morning my desktop wouldn't load and I therefore had no access to anything. The Dell tech speculated that I had gotten a virus masquerading as a Microsoft Update as I turned off my computer last night. He took remote control of the computer in safe networking mode and moved the system back to 10/25 and it was fixed. He warned that it could recur, but that Microsoft must be working on a fix for this problem. I asked him if I should just disable Microsoft Update as an automatic feature, but he said that wouldn't help, since the virus would just line up with all the other updates and I wouldn't be able to recognize it whenever I decided to download the updates, which I ought to do. While this was going on, the McAfee shield came up and said I wasn't protected. I clicked on their updates and eventually it started coming up "Your system is secure." So, how can I avoid this in future? And if it's unavoidable, how can I learn to do for myself whatever the techie was doing remotely (he did it so fast I couldn't learn anything)? He implied that it was really a software problem and he was doing it for me as a special favor which I mightn't get in future.

This may be the completely wrong thread for this query, but I am too stupid to know where it ought to go.
It's possible you downloaded an update that didn't agree with your system. It's also possible you were infected with a virus. It's very doubtful you installed a Windows update that was a virus via something like a man-in-the-middle attack, so unless you went to some weird site and downloaded a file which claimed to be a Windows update, I'm not really buying what the Dell tech said (he may have just been taking the easy way out, saying whatever sounded sensible to make his life easier; it happens more than you think).

If you feel safer disabling the automatic update (I do) go for it, and then just go to http://www.update.microsoft.com/ every now and again.

As for what he did - I'd bet he just used System Restore. Go to "Start" -> Programs -> Accessories -> System Tools, click System Restore and see if that looks familiar.
 

Burt Reynoldz

Member
SoSH Member
Dec 14, 2008
1,866
The Dub Dot Heezy.
I've been dealing with an odd, pain in the ass pop-up/virus problem over the past few days. I get these IE pop-up ads (which is weird, since I only use Firefox) for different/random ads and sites, the most common of which is something called Epic Video Arcade. I've run AdAware, Spybot S&D, and Malwarebytes multiple times each, along with CW Shredder. AdAware and Spybot will pick up a small handful of cookies they deem dangerous, and remove them, but nothing else. The weird thing is that I'll get these pop-ups in spurts; for instance, when I first got on my computer this morning, I got a series of 3-5 of them, then nothing all day. In the last 20 minutes, I've probably had another 6.

I'm going to try Hitman Pro now, and see what happens. Outside of that, anyone have any idea? This shit is baffling me.
 

InstantKarmma

Boomer Sympathizer
Lifetime Member
SoSH Member
I've been dealing with an odd, pain in the ass pop-up/virus problem over the past few days. I get these IE pop-up ads (which is weird, since I only use Firefox) for different/random ads and sites, the most common of which is something called Epic Video Arcade. I've run AdAware, Spybot S&D, and Malwarebytes multiple times each, along with CW Shredder. AdAware and Spybot will pick up a small handful of cookies they deem dangerous, and remove them, but nothing else. The weird thing is that I'll get these pop-ups in spurts; for instance, when I first got on my computer this morning, I got a series of 3-5 of them, then nothing all day. In the last 20 minutes, I've probably had another 6.

I'm going to try Hitman Pro now, and see what happens. Outside of that, anyone have any idea? This shit is baffling me.
Download HijackThis from CNET: http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

Run it, post the log here and I'll take a look at it.
 

Oil Can Dan

Well-Known Member
Lifetime Member
SoSH Member
Jul 31, 2003
8,014
0-3 to 4-3
So my bank called me to tell me that they are 100% certain that a known online thief has logged in to my bank account, so they temporarily disabled my account. I read this thread, installed MalwareBytes and AVG, and via a scan it found some things like "Hijack.ControlPanelStyle", "Backdoor.generic.13YXN" and "dropper.generic2.CKPW". I removed these via MalwareBytes and AVG, and now I want to go change all my passwords, etc. Am I good to do that now, or is there more I should do? It really freaks me out to know that someone, somewhere most likely has my passwords to all my accounts, etc. I have no idea how this could have happened as I don't surf shady sites on this computer, etc etc. I use mint.com and an ipad/iphone - maybe it's one of those things instead of this laptop? Or could it have happened had I logged in via a public wifi network (which I generally don't do, but perhaps I did inadvertently?).

* I did a little googling around on 'Hijack.ControlPanelStyle' and the other found viruses and I don't really know what to make of them. It seems they're less of a trojan horse type threat than I initially thought. Seems it may be something that a work administrator installed to prevent me from viewing certain things in my control panel, and/or just files associated with MalwareBytes or something.

I am very confused.
 

mabrowndog

Ask me about total zone...or paint
Lifetime Member
SoSH Member
Dec 23, 2003
39,676
Falmouth, MA
Just got a new Lenovo x120e notebook which I'm in the process of setting up. The OS is Win 7 pro 64. It came with Norton, but there's no way I'm subscribing to any updates beyond the trial period.

So I'm checking in to see what other (free) stuff I should install. Are HijackThis, Malwarebytes, and Windows Security Essentials still the gold standards? Anything else I should be considering?

Thanks in advance.
 

j44thor

Member
SoSH Member
Aug 1, 2006
10,961
Just got a new Lenovo x120e notebook which I'm in the process of setting up. The OS is Win 7 pro 64. It came with Norton, but there's no way I'm subscribing to any updates beyond the trial period.

So I'm checking in to see what other (free) stuff I should install. Are HijackThis, Malwarebytes, and Windows Security Essentials still the gold standards? Anything else I should be considering?

Thanks in advance.
Spybot Search & Destroy is one of my go-to apps. Provides some decent registry protection, and the browser immunization is good as well.
 

weeba

Member
SoSH Member
Jul 16, 2005
3,537
Lynn, MA
I just learned that Spybot treats vistaprint.com as a malware site when doing an immunization and puts it in the hosts file as a redirect to localhost.

Just something to keep in mind / repair if you use that site for anything.
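The hosts-file side effect weeba describes is easy to check for. The following is an added example (not code from the thread or from Spybot) that parses a hosts file in the Windows format and reports which lines send a given site to a black-hole address; the sample hosts content and the comment marking the immunization block are constructed for the example.

```python
"""Find which hosts-file entries redirect a site to localhost, e.g. after a
Spybot immunization. Added example, not part of the thread or of Spybot."""
from collections import defaultdict

# Constructed sample in the format of C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed block standing in for entries added by an immunization tool
127.0.0.1  vistaprint.com
127.0.0.1  www.vistaprint.com  # redirected to localhost
0.0.0.0    ads.example.invalid
192.0.2.10 intranet.example.invalid
"""

# Addresses that make a name unreachable rather than pointing it somewhere real.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname to the list of (line_number, ip) pairs that define it."""
    entries = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()            # one IP, one or more names per line
        for name in names:
            entries[name.lower()].append((lineno, ip))
    return entries


def blocked_by_hosts(text, hostname):
    """Return the line numbers that send hostname to a black-hole address."""
    entries = parse_hosts(text)
    return [lineno for lineno, ip in entries.get(hostname.lower(), [])
            if ip in BLACKHOLE_IPS]


def all_blocked(text):
    """Every hostname (other than localhost) redirected to a black-hole address."""
    return sorted(name for name, defs in parse_hosts(text).items()
                  if name != "localhost" and any(ip in BLACKHOLE_IPS for _, ip in defs))


if __name__ == "__main__":
    for site in ("vistaprint.com", "www.vistaprint.com", "intranet.example.invalid"):
        lines = blocked_by_hosts(SAMPLE_HOSTS, site)
        print(f"{site}: {'blocked on line(s) ' + str(lines) if lines else 'not blocked'}")
    print("all black-holed names:", all_blocked(SAMPLE_HOSTS))
```

On a real machine you would read the text from the hosts file instead of the constructed sample; the line numbers returned tell you exactly which entries to remove or comment out if a site you rely on turns up in the list.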
 

DukeSox

absence hasn't made the heart grow fonder
SoSH Member
Dec 22, 2005
11,742
It appears Chrome was the problem. I uninstalled and have had no problems.
 

savage362

Member
SoSH Member
Apr 16, 2003
1,389
Vermont
Parents' computer has been real slow lately. Avast was showing in the taskbar as being unsecure, but when the program was opened it said it was secure.

I attempted to run the disk defragmenter and got a message saying "Disk Defragmenter has detected that Chkdsk is scheduled to run on the volume: (C:). Run Chkdsk /f." I checked the scheduled tasks and this is not scheduled.

Ran malwarebytes and found 21 infections including trojan.vundo. I removed all and ran HiJackThis but stuff still doesn't seem right. I'm assuming it's not entirely gone or there's something else that's being missed. Here's the log file. Any help?

"O20 Winlogon Notify" seems suspicious to me.

Thanks

Code:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:36:30 PM, on 6/11/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Olympus\ib\olycamdetect.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gary\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5070103
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: (no name) - {907FB1A9-3EF2-45E8-910F-DB150D9B40D4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MDS_Menu] "C:\Program Files\Olympus\ib\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Olympus\ib" UpdateWithCreateOnce "Software\OLYMPUS\ib\1.0"
O4 - HKLM\..\Run: [Olympus ib] "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Cyv] C:\WINDOWS\?ymbols\w?crtupd.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Olympus ib] "C:\Program Files\Olympus\ib\olycamdetect.exe" /Startup
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.comcast.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://www.msn.com
O15 - Trusted Zone: http://www.pogo.com
O15 - Trusted Zone: http://www.target.com
O15 - Trusted Zone: http://*.turbotax.com
O15 - Trusted Zone: http://www.webkinz.com
O16 - DPF: Garmin Communicator Plug-In - https://static.garmincdn.com/gcp/ie/2.9.3.0/GarminAxControl.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/chuzzle/popcaploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5213/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: rqronop - Invalid registry found
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: TeamViewer 5 (TeamViewer5) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe

--
End of file - 10394 bytes
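A log like the one above is mostly noise from legitimate software, and the entries worth a second look follow a few recognizable patterns: registry entries that still name a file that is gone, an O20 Winlogon Notify entry with unreadable data, and a Run entry whose path HijackThis could not fully render. The following is an added example, not code from the thread or from HijackThis, that applies those checks to a handful of lines copied from the log above (plus the benign avast entries for contrast); the severity labels are the example's own.

```python
"""Triage a HijackThis log for entries that commonly point at leftover or
active malware. Added example for this thread; it is not HijackThis code."""
import re
from dataclasses import dataclass

# Sample lines copied from the log posted above, plus the benign avast entries
# for contrast. On a real machine the full log HijackThis saved would be read.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {907FB1A9-3EF2-45E8-910F-DB150D9B40D4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Cyv] C:\WINDOWS\?ymbols\w?crtupd.exe
O15 - Trusted Zone: http://www.comcast.com
O20 - Winlogon Notify: rqronop - Invalid registry found
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
"""

# Every HijackThis entry starts with a section code such as O2, O4, O20, R1.
LINE_RE = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "high", "medium" or "info"
    reason: str
    line: str


def triage_line(line: str) -> list:
    """Return the findings for one log line (empty for unremarkable lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    found = []
    # Dangling references: the registry still names a BHO/DLL whose file is gone,
    # typically a leftover of a partial removal or an uninstalled add-on.
    if "(no file)" in body or "(file missing)" in body:
        found.append(Finding(section, "medium",
                             "entry references a file that no longer exists", line))
    # O20 Winlogon Notify DLLs are loaded into winlogon.exe at logon; an entry
    # with unreadable registry data next to a Vundo detection is a strong hint
    # that the infection registered itself here.
    if section == "O20" and "Invalid registry found" in body:
        found.append(Finding(section, "high",
                             "Winlogon Notify entry with invalid registry data", line))
    # HijackThis prints '?' where it cannot render a character, so a '?' inside
    # a Run command means the real folder or file name contains characters
    # outside ASCII while looking like a system path.
    if section == "O4" and "?" in body.split("]", 1)[-1]:
        found.append(Finding(section, "high",
                             "Run entry path contains unrenderable characters", line))
    # Trusted Zone sites get relaxed IE security settings; list them for review.
    if section == "O15":
        found.append(Finding(section, "info", "site in IE Trusted Zone", line))
    return found


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and collect the findings."""
    return [f for line in text.splitlines() for f in triage_line(line)]


def summarize(findings) -> dict:
    """Count findings by severity, e.g. {'medium': 2, 'high': 2, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run against the sample, the two O2 entries with missing files, the `Cyv` Run entry and the `rqronop` Winlogon Notify entry are the ones reported, while the avast, Spybot and service lines pass through silently; the Trusted Zone line is listed only for review.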
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
So. . . anyone dealt with XP Antivirus 2102 yet?

This looks to be some really nasty shit. It's disabled Malwarebytes and taken over my browsers so I can't download anything.

I'm guessing that my best bet is to load Malwarebytes and Firefox on a CD from another computer, restart the infected computer in safe mode, reinstall Malwarebytes and Firefox, and go from there?
 

Harry Hooper

Well-Known Member
Lifetime Member
SoSH Member
Jan 4, 2002
34,367
You can try renaming the main Malwarebytes executable from mbam.exe to mbam.bat to see if it will run.

Otherwise, removal instructions HERE.
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
Renaming the .exe worked. I was able to run Malwarebytes and it fixed the problem. Thanks.
 

aksoxfan

Member
SoSH Member
Jul 15, 2005
7,159
Southeast Alaska
Somehow I picked up the latest variant "Malware Detector" while on the SoSH game thread and MLB Gameday yesterday. Very weird that it would come from one of these sites.
 

HomeBrew1901

Has Season 1 of "Manimal" on Blu Ray
SoSH Member
What THE fuck is going on with my computer??? We have an HP and have 4 logons, one for each of us; everyone else's works great but mine keeps coming up with a virus scan for Vista 6 on Firefox. It doesn't happen on anyone else's side. Help...
 

amh03

Tippi Hedren
Lifetime Member
SoSH Member
Dec 27, 2003
6,637
I was infected with the XP antivirus 2012 last week too...what a pain in the ass!
 

DannyHeep

well trained post artisan
Lifetime Member
SoSH Member
Dec 15, 2003
17,398
Blacklick
QUOTE (Jnai @ Jul 10 2010, 09:55 AM)
I have an odd google redirect that seems to happen once in a while, usually to sites like bargainmatch.com.

MalwareBytes is not picking up anything.

Any suggestions for the next step?

I had this problem at work. IT managed to clear the initial infection, but as soon as I rebooted IE and clicked on any links as a result of a google search, I was redirected to similar sites. Like you, Malwarebytes (or SpyBot S&D, for that matter) didn't pick up anything on my machine.

I did a little research and ended up downloading Hitman Pro and ran a scan during the day. Haven't had a problem since.

Hitman Pro Download (via CNET)
I just developed the same problem with google redirecting me to ad sites. I'm running this as I type. Looks like I have a shitload of errors according to this program.

Does anyone know why the google shit happens? Can I just fix all of these errors?
 

DannyHeep

well trained post artisan
Lifetime Member
SoSH Member
Dec 15, 2003
17,398
Blacklick
I just developed the same problem with google redirecting me to ad sites. I'm running this as I type. Looks like I have a shitload of errors according to this program.

Does anyone know why the google shit happens? Can I just fix all of these errors?
Shit I have to pay for this? Bummer...

My bad, I had the wrong software. Hitman fixed it. Thanks!
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
I appear to have gotten some nasty trojans from SoSH last night (I guess it's the ads?) Among other things, it set me up to connect through a proxy server.

I ran Spybot and Hitman and both of them found and deleted stuff. But when I'm trying to run Malwarebytes, it tells me that I don't have the necessary permissions. It won't let me rename the .exe either. I've tried uninstalling/reinstalling, no success.

Am I fucked? What more can I do?

Thanks.
 

Harry Hooper

Well-Known Member
Lifetime Member
SoSH Member
Jan 4, 2002
34,367
If you can browse to the site, you can try the online scan at www.eset.com
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
If you can browse to the site, you can try the online scan at www.eset.com
Thanks. I tried that, and it found and killed 5 objects (3 worms and 2 trojans).

I can now browse and use my computer somewhat normally, but it is still a little slow, AND it will not let me run either Microsoft Security Essentials or Malwarebytes - in both cases it says I don't have the correct permissions, which has never been a problem for me before.

So I think I still have something. I've already run Spybot, Hitman, and eset.com, and can't do Malwarebytes or MSE. Anything else I can try?
 

Harry Hooper

Well-Known Member
Lifetime Member
SoSH Member
Jan 4, 2002
34,367
I'd go with the 30-day trial full version (free) of Kaspersky:

http://usa.kaspersky.com/downloads/free-home-trials/anti-virus
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
I'd go with the 30-day trial full version (free) of Kaspersky:

http://usa.kaspersky.com/downloads/free-home-trials/anti-virus
I installed it, but it won't start.

I think I'm fucked.

Edit: just navigated in Windows Explorer to try to start the .exe manually, and again, it told me I didn't have permission. Something is preventing me from starting any kind of antivirus software because I don't have permission (I am able to start other programs fine).
 

Harry Hooper

Well-Known Member
Lifetime Member
SoSH Member
Jan 4, 2002
34,367
I installed it, but it won't start.

I think I'm fucked.

Edit: just navigated in Windows Explorer to try to start the .exe manually, and again, it told me I didn't have permission. Something is preventing me from starting any kind of antivirus software because I don't have permission (I am able to start other programs fine).

Looks like you'll need ComboFix.

You can try using it solo, or follow instructions from one of the folks at bleepingcomputer.com
 

OCST

Sunny von Bulow
SoSH Member
Jan 10, 2004
24,483
The 718
I ran ComboFix. That's some serious shit.

It *looks like* I'm OK.

Thanks, Harry. I owe you a beer or three.
 

LoweTek

Well-Known Member
Lifetime Member
SoSH Member
May 30, 2005
2,183
Central Florida
Has anyone purchased the Pro version of Malwarebytes and run it regularly? Is it worth it?

I have spent time in the last couple of days cleaning the "Windows Recovery" malware from a friend's Vista SP2 machine. Malwarebytes seems to have cleared most of it.

This thing was nasty - blocked Malwarebytes, blocked rkill, hid all kinds of files, etc. I got a clean Malwarebytes run (39 hours) which caught and cleaned 9 various issues.

They are running Windows Defender and Iolo System Shield (which detected and killed part of it but not all).

I'm still short one windows update which keeps reverting supposedly due to "interference." Windows update will not start in Safe Mode.

MSFT suggests running SFC (System File Checker) because it's also still getting the occasional "Explorer.exe has failed" error, which is fun too as it gives you a cursor and a blank screen after startup and login. Restarting seems to give back a normal desktop. I am concerned the explorer.exe error is in fact some kind of reinfection occurring.

Any thoughts on any of the above, next steps or other suggestions?
 

IpswichSox

Member
SoSH Member
Jul 14, 2005
2,792
Suburbs of Washington, DC
So. . . anyone dealt with XP Antivirus 2102 yet?

This looks to be some really nasty shit. It's disabled Malwarebytes and taken over my browsers so I can't download anything.

I'm guessing that my best bet is to load Malwarebytes and Firefox on a CD from another computer, restart the infected computer in safe mode, reinstall Malwarebytes and Firefox, and go from there?
The family computer got hit with this today -- and then I remembered seeing it referenced in this thread with a link to bleepingcomputer.com's removal instructions. I followed the instructions; downloaded FixNCR.reg and Rkill; was then able to run Malwarebytes, which found five files; then tried running MSE but it had been disabled and it wouldn't let me re-enable, so had to uninstall and then reinstall MSE, which ran a full scan and came back clean. Scanning with Malwarebytes again now.
 
I have a trojan on my computer (Trojan horse Patched_c.LYU) which AVG Free is detecting but cannot delete. Malware Bytes doesn't see it. I looked for the registry keys typically associated with this file to delete them, but none of the file names on various webpages are in my registry.

Is there a trojan removal program that people would recommend? Or, an updated list of registry files I might look for to delete?
 

cgori

Member
SoSH Member
Oct 2, 2004
3,999
SF, CA
Everyone should force-update to Java7 Update10, then use the control panel security tab to disable Java, for the moment: http://www.csmonitor.com/Business/2013/0112/Disable-Java-Here-s-how-after-US-agency-warns-of-software-vulnerability. -- there are some nasty vulnerabilities out there in Java (again).

EDIT: fix broken link
 

kneemoe

Member
SoSH Member
Dec 19, 2006
2,436
Glens Falls, NY
Remember folks, it's Java. Sit back and have a cup; you'll be waiting a while if you expect it to be secure.

http://www.networkworld.com/community/blog/oracle-releases-emergency-java-patch-experts-warn-flaws-may-take-2-years-fix
 

OttoC

Member
SoSH Member
Dec 2, 2003
7,353
You should also be certain that you have removed all previous versions of Java from your system. Oracle doesn't/didn't bother to do that.
 

Koufax

Well-Known Member
Lifetime Member
SoSH Member
Jul 15, 2005
5,936
I recently purchased a new computer with Windows 8. As far as I can tell, Java has never been installed on it (at least there is no trace of it when I fiddle with the browser options in Explorer). But I am not sure how to really know that, because the old familiar control panel is either missing or hard to find on Windows 8. Any recommendations on how to determine if I have JAVA and how to uninstall it?
 

mabrowndog

Ask me about total zone...or paint
Lifetime Member
SoSH Member
Dec 23, 2003
39,676
Falmouth, MA
I ran across some articles on CNET dating back to Thanksgiving that indicate MSE now sucks ass:
 
Security Essentials fails latest AV-Test
Microsoft bombs another security test
Microsoft challenges poor grade for Security Essentials
 
What led me to the above was yesterday's article touting the built-in anti-virus functions of Windows 8. It mentions that adding third-party anti-virus will boost security even further. Specifically:
 
Several suites tested notably well. Bitdefender Internet Security 2013 (review) topped the paid suites, with a score of 17 out of 18. BullGuard Internet Security 13.0 and Kaspersky Internet Security 2013 (review) scored 16.5 and 16.0, respectively. Both of their weaknesses came during January's testing of zero-day threats but had corrected those misses in February.
 
On the free suite side, the best-performing software were AVG AntiVirus Free 2013 (review) with 15.5, and Avast Free Antivirus 7 (review) at 15.0. Avast's major-point upgrade to version 8 wasn't released until late February.
 
I currently run Windows 7 and have no plans (or apparent need) to upgrade to Win8. I also have MSE installed and run a scheduled full scan every Sunday at 2 AM. With previous versions of Windows, I've run both AVG and Avast. I've never paid for a security suite, and every time I've had a full-blown suite pre-installed on a new PC or laptop (Norton, McAfee, etc.) they've caused major issues in terms of interruptions, unwanted integration and bloated use of system resources. So I always just uninstalled them and went with one of the freebies while also running other utilities (malwarebytes, firewall, spyware, etc.)
 
So I'm hoping to get some thoughts on whether Microsoft has adequately addressed the reported deficiencies, or whether I should be ditching it for either AVG or Avast. Thanks in advance.
 

Boston Brawler

Member
SoSH Member
Jan 17, 2011
9,757
I ran Super Anti Spyware just now and it flagged this as a possible Trojan.
 
(x86) HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#20131121
 
Anyone know what this is, or have a suggestion on what to do?
 
Edit: Spelling
 

kneemoe

Member
SoSH Member
Dec 19, 2006
2,436
Glens Falls, NY
You'll probably have to say/look up what that entry actually shows in regedit; maybe it's calling an executable or a DLL? Then you look at that file to see if it should be run automatically. If you know it shouldn't, you simply delete the entry in regedit (or use your malware detector, which should let you quarantine it or something similar).
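The check kneemoe describes, working out which file a Run entry actually launches and then judging whether that file belongs in autostart, can be written down. This is an added example, not code from the thread or from any of the tools named in it. It takes the value name and the command string as they appear in regedit (or in a HijackThis O4 line), separates the executable from its arguments, expands `%VAR%` references against a constructed environment table, and lists the reasons an entry deserves a closer look. The sample entries are from the HijackThis log posted earlier in the thread, except the value for `20131121`, which is a constructed, hypothetical command since the thread never shows what that entry contained.

```python
"""Triage a single autostart Run entry (value name + command): work out which
file it launches, then judge whether that file belongs in autostart.
Added example, not part of the thread."""
import re
from pathlib import PureWindowsPath

# Constructed stand-in for the environment variables on the inspected machine.
WIN_ENV = {
    "systemroot": r"C:\Windows",
    "programfiles": r"C:\Program Files",
    "appdata": r"C:\Users\owner\AppData\Roaming",
    "temp": r"C:\Users\owner\AppData\Local\Temp",
}

# Directories a normal product installer rarely uses for a startup executable.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\local settings\\", "\\recycler\\",
                 "\\users\\public\\", "\\programdata\\")

# Programs that only host a payload named in their arguments.
HOST_PROGRAMS = {"rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "cmd.exe"}


def expand_env(path: str, env=WIN_ENV) -> str:
    """Expand %VAR% references using the supplied mapping (case-insensitive)."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def parse_run_command(command: str) -> tuple:
    """Split a Run value into (executable, arguments).

    A quoted path ends at the closing quote; an unquoted path is taken up to
    the first '.exe' (so paths with spaces survive) or else the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], command[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.exe)(?:\s|$)", command)
    if m:
        return m.group(1), command[m.end():].strip()
    exe, _, args = command.partition(" ")
    return exe, args


def triage_run_entry(name: str, command: str) -> list:
    """Return the reasons this entry deserves a closer look (empty = unremarkable)."""
    exe, args = parse_run_command(command)
    exe = expand_env(exe)
    reasons = []
    if name.isdigit():
        reasons.append("value name is a bare number, not a product name")
    if "\\" not in exe:
        reasons.append(f"bare file name {exe!r} is resolved through the PATH search order")
    if any(marker in exe.lower() for marker in USER_WRITABLE):
        reasons.append("executable lives in a user-writable directory")
    if not exe.isascii() or "?" in exe:
        reasons.append("path contains non-ASCII or unrenderable characters")
    host = PureWindowsPath(exe).name.lower()
    if host in HOST_PROGRAMS:
        reasons.append(f"{host} only hosts a payload; inspect the arguments: {args!r}")
    return reasons


# Entries from the HijackThis log posted earlier in the thread, plus a
# constructed, hypothetical value for the '20131121' entry flagged above.
SAMPLE_ENTRIES = {
    "avast": r'"C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui',
    "KernelFaultCheck": r"%systemroot%\system32\dumprep 0 -k",
    "SigmatelSysTrayApp": r"stsystra.exe",
    "20131121": r"C:\Users\owner\AppData\Local\Temp\update.exe /silent",  # constructed
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_ENTRIES.items():
        exe, args = parse_run_command(cmd)
        print(f"[{name}] launches {expand_env(exe)!r} with arguments {args!r}")
        for reason in triage_run_entry(name, cmd):
            print("    -", reason)
```

The avast and KernelFaultCheck entries come back clean, `SigmatelSysTrayApp` is noted only because it relies on the PATH search to find `stsystra.exe`, and the constructed `20131121` entry is flagged twice (numeric name, executable in a Temp directory). Whatever the script reports, the next step is the one kneemoe gives: look at the file itself before deleting or quarantining the entry.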
 

Bleedred

Member
SoSH Member
Feb 21, 2001
9,963
Boston, MA
I have a new Lenovo T440s (purchased a month ago). My Norton Anti-virus runs out tomorrow. I have historically only purchased one anti-virus product, as I do nothing exotic with my machine. What do you all recommend (link if possible) to provide basic protection?
 
Thanks