If he says "reinstalling" then perhaps he has no system image to restore from. Thus, wasting hours to do a clean install.
Hm, still no response on his progress...
FYI - The 'virus' he is referring to is actually Hijack-ware (A variation of Malware) which I know you all know this.
This particular one, though, doesn't really 'infest', so much as just hold your computer hostage and preys upon the less technically inclined.
It is possible to get it off your system without having to re-image your system (again, not everyone will image or backup their system or have the ability to do so until this happens the first time to them).
From what I have seen in the past, these things also tend to make themselves hidden, inject Registry morphisms to help keep it 'alive' at times (Via - two hidden files, one executable, one fall back to put back the malware code if it has been removed)
The current, reasonable solution is to reboot into safe mode and access the machine through another, untouched account (as the account that originally got it will sometimes execute the malware code, even under safe mode, due to the registry modification, one of which has put in a .exe execution handler).
Using a program like Malwarebytes Anti-Malware or any good malware removing program should be able to isolate and remove the offending files.
You do, however, have to run it again after a reboot on the affected accounts, as the variants I have seen target the HKCR registry for the exe entry to try and run the malware code, thus causing some new errors when you try to run programs. This is easily bypassed by just finding the malware removal program and re-running it, or by manually looking through the registry for the HKCR and, I believe, removing any other entry that is associated with .exe that isn't the Content Type or PersistentHandler. Although I lean more towards letting Malwarebytes Anti-Malware clear it out.
For real viruses, I do agree that trying to clean it off on an infected system is not the best way to go, but hijack-ware like this isn't nearly as nasty, just plain annoying.
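A read-only check for the HKCR .exe handler tampering described in the post above, added here as an example and not code from any poster or vendor; it assumes the stock Windows layout (.exe maps to the exefile ProgID, whose open command is "%1" %*) and only reports anomalies, never changes anything:

```powershell
# Added example: audit the .exe file-association chain that fake-AV hijackers alter.
# Assumption: a clean system has HKCR\.exe -> exefile and exefile\shell\open\command = "%1" %*.
# Runs as an ordinary user and never writes to the registry.

function Get-DefaultValue {
    param([string]$KeyPath)
    $item = Get-ItemProperty -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.'(default)'
}

function Test-ExeAssociation {
    $findings = @()

    # 1. A per-user .exe class overrides HKLM in the merged HKCR view; a stock system has none.
    $userExe = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe'
    if (Test-Path -LiteralPath $userExe) {
        $findings += "Per-user .exe association present: $userExe -> '$(Get-DefaultValue $userExe)'"
    }

    # 2. HKCR\.exe should name the 'exefile' ProgID; anything else redirects every .exe launch.
    $progId = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\.exe'
    if ($progId -ne 'exefile') {
        $findings += "HKCR\.exe ProgID is '$progId' (expected 'exefile')"
    }

    # 3. The ProgID's open command should be exactly "%1" %*; hijackers prepend their own binary.
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $openCmd = Get-DefaultValue $cmdKey
    if ($openCmd -ne '"%1" %*') {
        $findings += "$cmdKey is '$openCmd' (expected '`"%1`" %*')"
    }

    # 4. Under HKCR\.exe, only the (default) and 'Content Type' values and the
    #    PersistentHandler subkey are expected; report anything else for review.
    $exeKey = Get-Item -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe' -ErrorAction SilentlyContinue
    if ($exeKey) {
        $expectedValues = @('(default)', 'Content Type')
        foreach ($name in $exeKey.GetValueNames()) {
            $display = if ($name -eq '') { '(default)' } else { $name }
            if ($expectedValues -notcontains $display) { $findings += "Unexpected value under HKCR\.exe: $display" }
        }
        foreach ($sub in $exeKey.GetSubKeyNames()) {
            if ($sub -ne 'PersistentHandler') { $findings += "Unexpected subkey under HKCR\.exe: $sub" }
        }
    }
    return $findings
}

$result = Test-ExeAssociation
if ($result.Count -eq 0) { 'No .exe association anomalies found.' } else { $result }
```

Run it from the untouched account after the cleanup pass and again after the reboot; a clean result on both runs is the confirmation the post says you need.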
I don't know if this will help; they have most fake antivirus tool removers on Softpedia :)
Download Red Cross Antivirus Removal Tool 1.0 Free - Remove fake Red Cross antivirus from your computer - Softpedia. Also have a look at my thread > Microsoft Security Essentials Alert Removal Tool 1.0
Last edited by brianzion; 02 Sep 2010 at 14:37. Reason: update
Well, the problem is, the thread starter is probably too busy trying to deal with it and getting into other problems.
Corrine - What you say may be true. So far, though, most of the ones I have seen that have taken this vector are Conficker-type hijackers or a variant where it takes it a step further, but I haven't seen a rootkit yet, or a trojan where it pushed itself to other computers nearby.
The ones posing as an antivirus (under various names, but always saying roughly the same thing, that your computer has viruses that must be removed) generally stick with the hijack/ransomware method of rendering your computer unusable until you 'buy' the software. It doesn't go further to spreading to other computers or sending trojans to other computers based off any information it gleans from the computer it hijacked.
Furthermore, from what I have seen in the numerous cases of those, they tend to be just a real pain to get rid of if you don't know what you are doing, and rarely damage the system other than setting you up for identity theft via paying the ransom just so you can use it again. Most true viruses are self-propagating and detrimental.
I will admit I am not too familiar with rootkits other than a vague understanding that it allows literal universal access to your system.
Sorry guys, my progress is non-existent; I am out of town. I will be back on Friday. I do have a backup; I currently use WHS and back up every day. I was thinking about reinstalling Windows, then restoring from my WHS backup.
Backing up Corrine's post ... Fake antivirus (ransomware) is now bundled with the latest TDSS rootkit payload.