Virus Issue


  1. Posts : 1,252
    Windows 8 Professional 64-bit
       #11

    If he says "reinstalling" then perhaps he has no system image to restore from. Thus, wasting hours to do a clean install.

    Hm, still no response on his progress...


  2. Posts : 465
    Windows 7 Ultimate x64 and Home Premium x64
       #12

    FYI - The 'virus' he is referring to is actually Hijack-ware (a variation of Malware), which I know you all know.

    This particular one, though, doesn't really 'infest', so much as just hold your computer hostage and preys upon the less technically inclined.

    It is possible to get it off your system without having to re-image your system (Again, not everyone will image or backup their system or have the ability to do so until this happens the first time to them)

    From what I have seen in the past, these things also tend to make themselves hidden, inject Registry morphisms to help keep it 'alive' at times (Via - two hidden files, one executable, one fall back to put back the malware code if it has been removed)

    The current, reasonable solution is to reboot into safe mode, access the machine through another, untouched account (As the account that originally got it will sometimes execute the malware code, even under safe mode due to the registry modification, one of which has put in a .exe execution handling).

    Using a program like Malwarebytes Anti-Malware or any good malware removing program should be able to isolate and remove the offending files.

    You do, however, have to run it again after a reboot on the affected accounts, as the variants I have seen target the HKCR registry for exe entry to try and run the malware code, thus causing some new errors when you try to run programs. This is easily bypassed by just finding the malware removal program and re-running it, or by manually looking through the registry for the HKCR and I believe removing any other entry that is associated with .exe that isn't the Content Type, PersistentHandler. Although I lean more towards letting Malwarebytes Anti-Malware clear it out.

    For real viruses, I do agree that trying to clean it off on an infected system is not the best way to go, but hijack-ware like this, it isn't nearly as nasty, just plain annoying.
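    A read-only way to inspect the .exe handling described in post #12, added here as an example and not part of any poster's reply. It assumes the stock Windows 7 values (`.exe` pointing at the `exefile` ProgID, whose open command is `"%1" %*`) and treats a per-user `.exe` key under `HKCU:\Software\Classes` as something to review; run it from each affected account, since the HKCR view merges that account's own entries.

```powershell
# Added example: audit of the .exe file association. Reports only, changes nothing.
# Assumption: stock Windows 7 defaults for the ProgID and its open command.
$expectedProgId  = 'exefile'
$expectedCommand = '"%1" %*'

function Get-DefaultValue {
    param([string]$Path)
    # Returns the key's (Default) value, or $null if the key or value is absent.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-Item -LiteralPath $Path).GetValue('')
}

$findings = @()
foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
    $extKey = Join-Path $hive '.exe'
    $progId = Get-DefaultValue $extKey

    # Assumption: a clean profile normally has no per-user .exe key at all.
    if ($hive -like 'HKCU:*' -and (Test-Path -LiteralPath $extKey)) {
        $findings += "Per-user override present: $extKey (Default) = '$progId'"
    }
    if ($progId -and $progId -ne $expectedProgId) {
        $findings += "$extKey points at ProgID '$progId', expected '$expectedProgId'"
    }

    # Values under .exe other than (Default) and Content Type, per the post's manual check.
    if (Test-Path -LiteralPath $extKey) {
        (Get-Item -LiteralPath $extKey).GetValueNames() |
            Where-Object { $_ -and $_ -ne 'Content Type' } |
            ForEach-Object { $findings += "Unexpected value '$_' under $extKey" }
    }

    # Check the open command of the stock ProgID and of whatever .exe points at.
    foreach ($id in @($expectedProgId, $progId) | Where-Object { $_ } | Select-Object -Unique) {
        $cmdKey = Join-Path $hive "$id\shell\open\command"
        $cmd = Get-DefaultValue $cmdKey
        if ($cmd -and $cmd -ne $expectedCommand) {
            $findings += "$cmdKey (Default) = '$cmd', expected '$expectedCommand'"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviation from the assumed .exe defaults found for this account.'
} else {
    $findings | ForEach-Object { Write-Output "REVIEW: $_" }
}
```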


  3. Posts : 1,252
    Windows 8 Professional 64-bit
       #13

    Then perhaps much easier to remove.


  4. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #14

    Keiichi25 said:
    FYI - The 'virus' he is referring to is actually Hijack-ware (a variation of Malware), which I know you all know.

    This particular one, though, doesn't really 'infest', so much as just hold your computer hostage and preys upon the less technically inclined.

    That is true of some of the rogues but not all. Some are "ransom ware", others trojans and some are indeed rootkits. However, in this case, we only have very general information so don't know what it is that is on Gbsnpir's computer.


  5. Posts : 3,612
    Operating System : Windows 7 Home Premium Edition 6.01.7600 SP1 (x64)
       #15

    I don't know if this will help, they have most fake anti virus tool removers on Softpedia :)
    Download Red Cross Antivirus Removal Tool 1.0 Free - Remove fake Red Cross antivirus from your computer - Softpedia also have a look at my thread>Microsoft Security Essentials Alert Removal Tool 1.0
    Last edited by brianzion; 02 Sep 2010 at 14:37. Reason: update


  6. Posts : 1,252
    Windows 8 Professional 64-bit
       #16

    brianzion said:
    I don't know if this will help, they have most fake anti virus tool removers on Softpedia :)
    Download Red Cross Antivirus Removal Tool 1.0 Free - Remove fake Red Cross antivirus from your computer - Softpedia also have a look at my thread>Microsoft Security Essentials Alert Removal Tool 1.0

    Hah!

    Anyway, we'll get nowhere if the "Thread Starter" doesn't respond.


  7. Posts : 465
    Windows 7 Ultimate x64 and Home Premium x64
       #17

    Well, the problem is, the thread starter is probably too busy trying to deal with it and getting into other problems.

    Corrine - What you say may be true. So far, though, most of the ones I have seen that have taken this vector are Conficker type Hijackers or a variant where it takes it a step further, but I haven't seen a rootkit yet, or a trojan where it pushed itself to other computers nearby yet.

    The ones posing as an Antivirus one (Under various names, but always saying the rough same thing of your computer having viruses that must be removed) generally stick with the Hijack/Ransom ware method of rendering your computer unusable until you 'buy' the software. It doesn't go further to spreading to other computers or send trojans to other computers based off any information it gleans from the computer it hijacked.

    Furthermore, from what I have seen in the numerous cases of those, they tend to be just a real pain to get rid of if you don't know what you are doing and rarely damage the system other than set you up for identity theft via paying the ransom just so you can use it again. Most true Viruses are self-propagating and detrimental.

    I will admit I am not too familiar with rootkits other than a vague understanding that it allows literal universal access to your system.


  8. Posts : 71
    Windows 7 x64
    Thread Starter
       #18

    Sorry guys, my progress is nonexistent, I am out of town. I will be back on Friday. I do have a backup, I currently use WHS and backup every day. I was thinking about reinstalling Windows then restore from my WHS backup


  9. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #19

    Backing up Corrine's post ... Fake-Antivirus (Ransom ware) is now bundled with the latest TDSS Rootkit payload


  10. Posts : 2,651
    W7 RTM Ultimate x64
       #20

    jimbo45 said:
    Hi there.

    I personally would NEVER trust a computer that had an infection on it that was "ostensibly" removed by AV software.

    I might be in total disagreement with 99.99% of other members on the Forum -- but relying on an Infected OS to clean itself up is a bit like asking the Fox to guard the chickens in the henhouse.

    If you have a decent UNINFECTED backup image of the OS -- restore that. If you don't then IMO the only SAFE option is to re-install the OS.

    ALWAYS TAKE REGULAR BACKUPS and you can avoid these types of problems.


    This also shows the need for REGULAR BACKUPS - which you can easily scan to ensure they are virus free.


    Even a 70 GB Windows installation doesn't take more than around 25 mins to backup or restore on a modest laptop using good backup software -- I use Acronis but there are others.

    Cheers
    jimbo

    Also +1, very much in full agreement here.


 