Another fresh XP install - and a WARNING

[WolfeMacleod]

Yay. A month ago I did a fresh XP install when something went haywire. Now I get to do it again, thanks to a bit of MALWARE called "XP Internet Security 2010"

I had downloaded a trial of Kaspersky Internet Security 2010 about a month ago when I did the fresh install.
It ran out tonight before I could purchase a license key.
IMMEDIATELY on it's runout, I was hit with a bogus Malware warning from "XP Internet Security 2010" It performed a fake scan, saying I was loaded with virrii. I saw it for what it was....
I was surfing a less than desireable site when Kaspersky ran out.

No attempt to remove it proved successfull.
It blocked attempts to install the Anti-malware program that was suggested to remove it, save one. After cleaning, any .exe program access was blocked...
Regedit was blocked so I could not manually remove reg entries.

So yeah, I get to reinstall XP again.

Be on the lookout for XP Internet Security 2010. It's nasty. A family member reports that a friends got it a couple months ago and had to have his system wiped. Even the pros coulnd't get rid of it...

[drew1]

"less than desirable site" you can even run into this on good sites. Once something like this pops up, best you can do is Crtl Alt Delete, & don't go back to site.

If I was a hacker, I would take the offensive & shut down those sites spreading this stuff.

[Joeaksa]

What do you mean "I was hit?"

How did it come? In an email, link you opened or ???

Have seen lots of this crap sent around in emails and they ALL are virus crap. MS is not going to send things like this out...

Joe A

[emcon5]

Most professionals aren't. Unless your hard drive is encrypted, they are all cleanable.

Once infected it's a little late, but here is a recipe that had served me well for years, including ~15 years working in IT.

Make sure Windows automatic updates is on, set to install critical updates automatically. Let the PC phone home and patch itself.

Don't use Internet Explorer. It is a lot better than it was, but it is still has the most market share, therefore more malware targets vulnerabilities in it.

Instead of IE, use the latest version of Firefox, and let it check for updates. Install the Adblock plus firefox extension.

As added protection, install Spybot Search and destroy and run the "Immunize" tool. Update and re-immunize once a month.

Use anti-virus software, and keep it updated. In reality, it doesn't matter which one, they are only as good as their current virus definitions, and since they come out pretty much daily, who is best is a moving target. I am a fan of AVG free., it is free, with no subscription required.

And last, install Malwarebytes anti malware and update and run it periodically. Malwarebytes is the best removal tool out there at the moment, in fact a lot of malware knows this and includes code to prevent the installer for Malwarebytes from running.

This should cover 99.9% of problems, assuming you aren't regularly surfing/downloading from Russian porn/warez sites, and of course, practice smart browsing.

[Jesset100]

Get this
http://www.microsoft.com/Security_Essentials/

[m21sniper]

Wolfe that sounds like something malwate bytes would eat for a living.

You just have to change the .exe name to something else, to fool the virus.

[exitwound]

MSE is by far the best one I've ever used. It's caught a few malformed .jpgs which were trojans and doesn't slow the system down at all. Using it on Win7. Don't think there's an XP version. Perhaps I'm wrong.

[onewhippedpuppy]

Just stay away from the donkey porn.

[RANDY P]

Hell I tried to remove that stuff and couldn't - it even protected the registry so I couldn't erase the registry link that started the trojan.

next time, start a seperate admin profile - that can install just for installing programs and updates and change your current profile to User only so next time you surf your porn the malware can't execute..

rjp

[dtw]

As long as you can boot into safe mode, this crap can be defeated.

I had in infection of the same thing you had, two weeks ago. The only non-work related thing I had open was a music lyrics site. It had to have spawned from there.

Only problem: I was at work WAYYYY after hours (IT guys gone) and am unable to boot into safe mode. Nonetheless, I still managed to beat the sucker. Using my iPhone, I surfed for some information on the plague and found the locations of the executables. I have an emergency utility called "RemoveOnReboot" which adds a "Remove on Reboot" (duh) option to the context menu. The trojan tried hard to keep me from selecting the executables for deletion - it blocks all other .exes from running. However, after a couple tries, the two major trojan executables were flagged for deletion.

I rebooted and kept on eye on process manager; the offenders did not load into memory. Then I ran CCleaner, then ran a full scan with MalwareBytes. By the time I got done with the manual deletions and the CCleaner wipe, there wasn't even anything left for MWB to clean, but I ran it just in case.

If you still have this going on and want to try the RemoveOnReboot tool, pm me and I'll email you the install file (it is only 35kb). If you can somehow get it onto the zombie system, you can fight the thing off.

In my case, a re-image wasn't an option since I had way too much going on at work. I had to clean it out of the existing image. That, and I consider it a failure as a techno-geek if I succumb to the urge to re-image.

[dtw]

Some other notes - this infection is extremely aggressive and attacks on multiple fronts. There are reports of it doing keylogging and password attacks, then 'phoning home' with the information. As soon as I knew I was zombied, I unplugged my network cable.

Your IE session, while seemingly functional, is hacked using a malicious proxy server. It re-routes you to all sorts of nasty sites. You can cancel the proxy server usage, but the trojan will just re-route it immediately afterward.

Chrome and Safari are of no use, as the trojan will not let them load. Best as I could tell, the only exe allowed to run is IE, and that is useless due to the malicious proxy.

[porsche4life]

Quote:

Originally Posted by m21sniper

Wolfe that sounds like something malwate bytes would eat for a living.

You just have to change the .exe name to something else, to fool the virus.

Malwarebytes ain't that great either.... I've got a pc that about to get wiped b/c malwarebytes can't find the virus.... The windows onecare scanner finds something... and the locks down the computer.....

[m21sniper]

MW Bytes won't find everything, but it's the best thing going right now. And i'd bet that whatever it is that it won't find right now, after a few more updates, it would.

It's a great product.

[m21sniper]

Quote:

Originally Posted by dtw

As long as you can boot into safe mode, this crap can be defeated.

I had in infection of the same thing you had, two weeks ago. The only non-work related thing I had open was a music lyrics site. It had to have spawned from there.

Only problem: I was at work WAYYYY after hours (IT guys gone) and am unable to boot into safe mode. Nonetheless, I still managed to beat the sucker. Using my iPhone, I surfed for some information on the plague and found the locations of the executables. I have an emergency utility called "RemoveOnReboot" which adds a "Remove on Reboot" (duh) option to the context menu. The trojan tried hard to keep me from selecting the executables for deletion - it blocks all other .exes from running. However, after a couple tries, the two major trojan executables were flagged for deletion.

I rebooted and kept on eye on process manager; the offenders did not load into memory. Then I ran CCleaner, then ran a full scan with MalwareBytes. By the time I got done with the manual deletions and the CCleaner wipe, there wasn't even anything left for MWB to clean, but I ran it just in case.

If you still have this going on and want to try the RemoveOnReboot tool, pm me and I'll email you the install file (it is only 35kb). If you can somehow get it onto the zombie system, you can fight the thing off.

In my case, a re-image wasn't an option since I had way too much going on at work. I had to clean it out of the existing image. That, and I consider it a failure as a techno-geek if I succumb to the urge to re-image.

Hey bro, i'd love that file. Where can i get it?

[dtw]

Quote:

Originally Posted by m21sniper

Hey bro, i'd love that file. Where can i get it?

Let me google that for you!

[slodave]

Quote:

Originally Posted by m21sniper

MW Bytes won't find everything, but it's the best thing going right now. And i'd bet that whatever it is that it won't find right now, after a few more updates, it would.

It's a great product.

Sidney's pc has a boot sector virus. It will be a long time before Malwarebytes can fix these issues. The only ones that can, are true virus detection programs and they are having a hard time with it. This type of situation is better for a format and clean install anyway. Any virus that can modify the bootstrap/MBR has done real damage.

Most malware is aggravating, not really destructive to the OS or boot records.

[ruf-porsche]

Quote:

Originally Posted by onewhippedpuppy

Just stay away from the donkey porn.

Oh you mean YouTube? LMFAO

[WolfeMacleod]

Quote:

Originally Posted by dtw

As long as you can boot into safe mode, this crap can be defeated.
.

No safe mode, either!

Quote:

Originally Posted by RANDY P

Hell I tried to remove that stuff and couldn't - it even protected the registry so I couldn't erase the registry link that started the trojan.

rjp

Yep, same here. No regedit access.

Quote:

Originally Posted by m21sniper

Wolfe that sounds like something malwate bytes would eat for a living.

You just have to change the .exe name to something else, to fool the virus.

Tried that. Didn't work.

[slodave]

Here's a link that deals with Wolf's issue...

How to remove XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010

[jmaxwell]

Slo Dave, if you're ever in Tulsa, I'll buy you at least a beer. That site worked so well that my son was able to clean his computer without having to bring it home (a 240 mile round trip). And his computer knowledge is limited to browsing and Microsoft office. Thanks a bunch!

Jack