My PC just got exploited... Wow.


  1. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #11

    jds.exe is identified as "cloaked malware". Please do not attach infected files to your posts!

    If this is the same Win 7 Antispyware 2012 that you showed in your initial post, you need to do the following:

    1) Please download the following two files to the desktop. In the event you are blocked by the malware from downloading, it will be necessary to go to an uninfected computer and then transfer the files to the infected computer via CD/DVD, external drive, or USB flash drive.

    It may also be possible to download the files in Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.)

    FixNCR.reg
    Bleeping Computer Downloads: RKill

    2) If downloaded to the desktop, double-click the FixNCR.reg file. If transported to the infected computer, insert the removable device into the infected computer and open the folder for the drive letter associated with it. Double-click the FixNCR.reg file to fix the Registry on your infected computer.

    3) Again, if downloaded to the desktop, proceed as shown below. Otherwise, copy the downloaded RKill file to the desktop of the infected computer and proceed:

    • Double-click rkill to run.
    • A command window will open and then disappear upon completion; this is normal.
    • Please leave rkill on the Desktop until otherwise advised.
    • Do NOT restart your computer after running rkill as the malware program(s) will start again.

    Notes: If you receive security warnings about rkill, please ignore and allow the download to continue.

    4) Please download Malwarebytes' Anti-Malware to your desktop.

    1. Double-click mbam-setup.exe and follow the prompts to install the program.
    2. At the end, be sure a checkmark is placed next to
      Update Malwarebytes' Anti-Malware and
      Launch Malwarebytes' Anti-Malware
    3. Click Finish.
    4. If an update is found, it will download and install the latest version.
    5. Once the program has loaded, be sure Quick scan is selected, then click Scan.
    6. When the scan is complete, click OK, then Show Results to view the results.
    7. Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
    8. Click Remove Selected.
    9. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
    10. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    11. Please post contents of that file in your next reply.


    ** Note **

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


  2. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #12

    You might also try flushflash "cookie deleter" By Bobbi Flekman
    Flash cookie deleter by Flush Flash - A Program To Get Rid Of Flash Cookies

    The program has three modes of operation:
    • Everything: this simply gets rid of everything there is
    • Everything but Site settings: With the Adobe manager you can set preferences for each site you visit. You can tell Flash how much space is allotted, what privacy conditions are valid, etc. This choice only deletes the cookies, not the Site settings.
    • Everything but Adobe settings: Most people will not have configured the settings per site, but you may have changed the settings for Flash itself. So this choice, which is selected on startup, will get rid of all cookies and website settings but leave the settings for Adobe Flash itself.


  3. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #13

    Hi there
    after that type of warning --wipe the partition and re-install from a good known backup image.

    If IE is infected so will Windows explorer be as well --this means that ANY navigation on that computer will be unreliable --so even if you were to try and cleanse the machine you certainly could NOT be sure what you were running.

    It's like getting totally lost and then relying on a Sat Nav to get you out of trouble after the Sat Nav data has been corrupted - whether directly from the satellite or from data stored in the receiver.

    I certainly wouldn't trust a computer if its main task manager and User interface (Windows Explorer / Internet Explorer) had got "contaminated".

    Also shows the importance of REGULAR backups.

    Cheers
    jimbo


  4. Posts : 5,642
    Windows 10 Pro (x64)
       #14

    Jimbo, that is a bit extreme and not required here. Unless the virus has gotten administrative power it is limited to the single user account. Meaning creating a new user would not be infected.


  5. Posts : 14
    Windows 7 Professional 64-bit
       #15

    arkhi said:
    I manage to eventually open Task Manager, and I noticed that all the warnings came from an exe in %appdata%/Local. My desktop looked like this:

    [...]

    What really baffled me was how it managed to close MSE without even ticking it off. It also managed to somehow associate all .exe files such that it passes through the malicious exe. Deleting the said exe would cause any executable to pop up an "open with" dialog except my computer. That baffled me even more because last I checked, you need admin privileges to do that and it STILL did it without elevating!
    YES. I'm experiencing the exact same thing. See my neighboring thread.

    MSE got shut down, can't run .exe's without hitting "Properties" and "Start".


  6. Posts : 761
    Windows 2000 5.0 Build 2195
    Thread Starter
       #16

    logicearth said:
    Jimbo, that is a bit extreme and not required here. Unless the virus has gotten administrative power it is limited to the single user account. Meaning creating a new user would not be infected.
    Yup. I did some research and noticed the malware in question infects the HKCU part of HKCR, where HKCU doesn't need elevation to be modified. This realization made me realize how retarded Microsoft can be by allowing any user-power program to modify the extension properties for .exe files. It's kinda tricky doing an offline repair of the HKCR registry since it's a merger of two, but Corrine's registry file does the trick if you can somehow download it to desktop and run it within the infected user account.

    @mikenmar, download Corrine's registry file. If you can't open it because of .exe errors, just press Ctrl+Alt+Del, open Task Manager, and in Task Manager go to File->New Task... and select the .reg file. That should fix it. Also make sure to clean your system just to be safe.


  7. Posts : 5,642
    Windows 10 Pro (x64)
       #17

    arkhi said:
    how retarded Microsoft can be by allowing any user-power program to modify the extension properties for .exe files.
    Umm...if a user could not change file-properties for their own account, opening HTML and links in different browsers from another user would not be possible. However, if that area is compromised one can just DELETE it (The one in HKCU) and the defaults will be used. So, your assessment of Microsoft being retarded including this is rather WRONG. It's a feature not a bug.


  8. Posts : 761
    Windows 2000 5.0 Build 2195
    Thread Starter
       #18

    Modifying extensions other than *.exe files would be fine. I don't see a need why a user would want to modify the extension properties of *.exe files. *.exe files are executables, not child objects of executables where you're supposed to choose a default parent to open it with.

    Don't forget it's not that easy to mess with the user-registry hive when you can't open regedit on your user account. I tried messing with the C:\Users\%username%\ntuser.dat using an offline regedit (WinPE) to find the compromised .exe registry key but I can't for some reason. The only way to fix it was to download it and transfer to the infected system and run it under the infected user. HKCR is supposed to reference both HKLM and HKCU, but manually messing with HKCU doesn't work so might as well run it while the user is active. And even then it's very tricky because pretty much every single .exe file would fail to open. Even a .reg file would fail to open unless run by Task Manager via Ctrl+Alt+Del.


  9. Posts : 5,642
    Windows 10 Pro (x64)
       #19

    arkhi said:
    Modifying extensions other than *.exe files would be fine. I don't see a need why a user would want to modify the extension properties of *.exe files. *.exe files are executables, not child objects of executables where you're supposed to choose a default parent to open it with.
    The registry is just a data store, it is not an enforcer. Stop thinking that it is.

    Don't forget it's not that easy to mess with the user-registry hive when you can't open regedit on your user account. I tried messing with the C:\Users\%username%\ntuser.dat...
    Well there is your problem. You opened the wrong file. The one that holds all the user file associations is "UsrClass.dat" which can be found at: "AppData\Local\Microsoft\Windows" The file can be deleted, the worst outcome is you have to re-establish your file associations.


  10. Posts : 761
    Windows 2000 5.0 Build 2195
    Thread Starter
       #20

    logicearth said:
    Don't forget it's not that easy to mess with the user-registry hive when you can't open regedit on your user account. I tried messing with the C:\Users\%username%\ntuser.dat...
    Well there is your problem. You opened the wrong file. The one that holds all the user file associations is "UsrClass.dat" which can be found at: "AppData\Local\Microsoft\Windows" The file can be deleted, the worst outcome is you have to re-establish your file associations.
    Not bad. No wonder I couldn't find the HKCU\Software\Classes key. I've done research on where the hives are located and I admit that particular piece of information is hard to find. Guess I need to practice refining Google search terms more.
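A defender's check for the condition discussed in posts #16 through #20, added here as an example and not code from the thread or from any poster: it reports whether the current user's .exe association has been overridden under HKCU\Software\Classes (the location the posters identify), compares it with the HKLM default, and shows where the per-user UsrClass.dat hive lives. Assumptions: it runs in an unelevated PowerShell session on Windows, and the stock HKLM `exefile\shell\open\command` value is `"%1" %*`.

```powershell
# Added example (not from the thread): detect a per-user .exe association override.
# By default the .exe and exefile keys do not exist under HKCU\Software\Classes;
# Windows then falls back to HKLM\Software\Classes, where the stock command is "%1" %*.

$hkcuClasses = 'HKCU:\Software\Classes'
$hklmClasses = 'HKLM:\Software\Classes'

function Get-OpenCommand {
    param([string]$Root, [string]$ProgId)
    $key = Join-Path $Root "$ProgId\shell\open\command"
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key).'(default)'
    }
}

# 1. Is the .exe extension itself redirected to a different ProgId for this user?
$dotExe = Join-Path $hkcuClasses '.exe'
if (Test-Path -LiteralPath $dotExe) {
    $progId = (Get-ItemProperty -LiteralPath $dotExe).'(default)'
    Write-Warning "HKCU overrides .exe -> ProgId '$progId' (no such key exists on a clean profile)"
} else {
    $progId = 'exefile'
    Write-Host 'OK: no per-user .exe override; the HKLM default applies.'
}

# 2. Compare the effective per-user launch command with the machine-wide one.
$userCmd    = Get-OpenCommand -Root $hkcuClasses -ProgId $progId
$machineCmd = Get-OpenCommand -Root $hklmClasses -ProgId 'exefile'
Write-Host "HKLM exefile command : $machineCmd"
if ($userCmd) {
    Write-Warning "HKCU $progId command: $userCmd"
    if ($userCmd -ne '"%1" %*') {
        Write-Warning 'Per-user launcher differs from the default: another program is interposed on every .exe launch.'
    }
}

# 3. The on-disk hive behind HKCU\Software\Classes (UsrClass.dat, as post #19 notes),
#    which is what an offline WinPE inspection would have to load instead of ntuser.dat.
$usrClass = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\UsrClass.dat'
Write-Host "Per-user classes hive: $usrClass (exists: $(Test-Path -LiteralPath $usrClass))"

# Remediation described in post #17 (deleting the HKCU override restores the defaults);
# left commented so the script only reports by default:
#   Remove-Item -LiteralPath $dotExe -Recurse
#   Remove-Item -LiteralPath (Join-Path $hkcuClasses $progId) -Recurse
```

If every .exe fails to launch, start the script from Task Manager (File->New Task..., `powershell.exe -ExecutionPolicy Bypass -File <path>`) as the thread suggests for the .reg file.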


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.