Malware

So how would I install a program to a flash drive and enable the program to clean my computer?
Download malwarebytes and save it to your flash drive, the link is here: http://majorgeeks.com/download.php?det=5756

Then boot up your infected computer in safe mode (without networking). Plug in your flash drive, then open the file you downloaded, just follow the prompts to install. It will want to update, but because you don't have networking it won't be able to. Just run it without updating, restart your computer when done. Hopefully it will boot up normally now, and you can run malwarebytes again. It should be able to update now, restart your computer again when it's done.

Now's a good time to check your startup menu. Click the Windows icon and in the box type "msconfig", without the quotes, and hit "enter". Go to the tab that says "Startup". Look for any unusual items; just Google it to see if it's a legit file or part of the malware. If nothing comes up in Google it's likely malware. Uncheck any such items you find, click "apply", close the box and restart your computer. Run Malwarebytes again; hopefully it won't find anything else.
 
Will just deleting the files if I find them be sufficient to remove them?

How else would you remove those files? As noted before, you also need to delete the registry entries that call those files. In one case I had not too long ago, one of the registry entries was a "shell" command that had to be deleted. An off-the-shelf or free solution that removes everything is always best, but again the attackers are always ahead of the removal tools, as a particular variant is only known about after someone has found it. Sometimes manual removal is the only way short of a reformat and restore. Information on the manual removal of other variations can be very helpful and serve as a template.


Also, deleting (if I recall correctly) just deletes the file name, so the system can no longer associate the file name with data on the hard drive.


http://www.symantec.com/security_response/writeup.jsp?docid=2004-050614-0532-99

As part of their routine, many worms and Trojans make changes to the registry. Some of them change one or more of the shell\open\command keys. If these keys are changed, the worm or Trojan will run each time that you run certain files.

For example, if the \exefile\shell\open\command key is changed, the threat will run each time that you run any .exe file. This may also stop you from running the Registry Editor to try to fix this.

They may also change a registry value so that you cannot run the Registry Editor at all.

If the file (or just the name association to the file) isn’t there anymore it can’t run.

As noted by The Norseman, different malware variants do different things, so it is a good idea to have a number of tricks up your sleeve. No one system or tool is going to work everywhere, for everything, all the time.
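The two posts above describe the same manual check from two angles: the startup (Run) entries you would look at in msconfig, and the `shell\open\command` handlers that the Symantec writeup says worms and Trojans rewrite so that the malware runs every time you open an .exe, plus the policy value that blocks the Registry Editor. The script below is an added example, not code from the thread or from Symantec. It works on a plain-text .reg export (regedit > File > Export, or `reg export HKCR\exefile exefile.reg` on the infected machine, carried over on the flash drive), so it runs offline on any OS. The stock handler values in `EXPECTED_SHELL_COMMANDS` are what a clean Windows install has (stated here as an assumption rather than taken from the thread), and the sample export, including the `guard.exe` path and the `Updater` entry, is constructed for the demo.

```python
"""Scan an exported Windows .reg file for the hijacks discussed in the thread.

Added example, not code from the original posts. Works on a text export so it
runs offline; SAMPLE_EXPORT below is constructed, not a real infection.
"""
import re

# Stock handler values on a clean Windows install (assumption, see lead-in).
EXPECTED_SHELL_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
    "cmdfile": '"%1" %*',
    "piffile": '"%1" %*',
    "regfile": 'regedit.exe "%1"',
    "scrfile": '"%1" /S',
}

SHELL_CMD_RE = re.compile(r"^HKEY_CLASSES_ROOT\\(\w+)\\shell\\open\\command$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg string data escapes double quotes and backslashes with a backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text.
    Handles string and dword values; other types are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def find_hijacks(keys):
    """Flag rewritten shell\\open\\command handlers, a disabled Registry Editor,
    and every autostart entry under a Run/RunOnce key (those you then look up)."""
    findings = []
    for path, values in keys.items():
        m = SHELL_CMD_RE.match(path)
        if m:
            expected = EXPECTED_SHELL_COMMANDS.get(m.group(1).lower())
            actual = values.get("@", "")
            if expected is not None and actual != expected:
                findings.append(("shell_hijack", path, actual))
        elif path.lower().endswith("\\policies\\system"):
            if values.get("DisableRegistryTools", 0):
                findings.append(("regedit_disabled", path, values["DisableRegistryTools"]))
        elif RUN_KEY_RE.search(path):
            for name, data in values.items():
                findings.append(("autostart", path + "\\" + name, data))
    return findings


def repair_reg(findings):
    """Emit .reg text that restores the stock handlers and re-enables regedit.
    Import it from Safe Mode once the malware's files are gone; Run entries are
    left for you to review by hand, since some are legitimate."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for kind, where, _ in findings:
        if kind == "shell_hijack":
            ftype = where.split("\\")[1].lower()
            escaped = EXPECTED_SHELL_COMMANDS[ftype].replace("\\", "\\\\").replace('"', '\\"')
            out += [f"[{where}]", f'@="{escaped}"', ""]
        elif kind == "regedit_disabled":
            out += [f"[{where}]", '"DisableRegistryTools"=dword:00000000', ""]
    return "\n".join(out)


# Constructed sample export: one clean handler, one hijacked handler,
# regedit blocked by policy, and a hypothetical autostart entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\guard.exe\" -run \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Documents and Settings\\All Users\\Application Data\\guard.exe"
'''

if __name__ == "__main__":
    found = find_hijacks(parse_reg(SAMPLE_EXPORT))
    for kind, where, data in found:
        print(f"{kind:17} {where}\n{'':17} -> {data}")
    print("\n--- repair.reg ---\n" + repair_reg(found))
```

Delete the file the hijacked handler points to before importing the repair .reg; if you import first and the file is still there, a Run entry can simply put the hijack back. If `exefile` is hijacked, double-clicking regedit.exe runs the malware instead, which is exactly the trap the Symantec excerpt describes; copying regedit.exe to regedit.com (handled by the untouched `comfile` key) is the classic way around that when you are not working from a boot CD.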
 
I am back running in normal mode with everything working now. It was simply a matter of starting up in safe mode, updating the anti-virus, then scanning, then restarting in normal mode.

Ranb
 

Does your AV report that it found and corrected something? You should be able to check the log or scan history files.
 
The report does not name anything found when I ran it yesterday. It does say there were 12 adware files detected, but no malware (I erred in my post above). Maybe I had a system glitch that was fixed with the safe mode reboot.

Ranb
 
For the love of all that's holy, everyone, please back up your personal data.

Always good advice, and sometimes a clean install does wonders, especially in the speed area. CDs and DVDs are good, external drives are good, flash drives are good (as long as you mark them to not use).
 
“C:\Documents and Settings\All Users\Application Data\” or similar under a specific user (what you call your computer). You may need to be sure the “search hidden files and folders” option is clicked in the “More advanced options” portion of the search tool.

Sounds like that stupid Security Shield variant, I met it twice three weeks ago, once it came with a screen saver, another came with some video software.
 
Yeah, I'm putting that off. I've been using the stored files as I need them. I didn't want to copy all the files because it seemed like a good opportunity to clean out the old files I no longer need. But that means going through hundreds and hundreds of files one by one and deciding to keep or save them. It's like wanting to do a major house cleaning but getting sidetracked sorting through boxes of stuff that have been accumulating. So the major cleaning never gets done.



... Come to think of it, I have two older computers upstairs that I've kept for the same reason, never sure I have all the old files I want to save off them. One is actually still on a desk and connected to everything but the net, the other one doesn't have a monitor. :p

I have one I need to wipe and donate. Whatever files are on it, I haven't needed them for five years now. :)

Clean installs are often very effective at speeding up machines as well.
 
Sometimes (and I stress the sometimes) it's far better to completely raze the OS and start from scratch and the only way you can realistically do that is to FIRST have your important files backed up on separate media. An external hard drive or flash drive is better than nothing, though not Best Practices. A burned DVD is probably better.


Skeptic Ginger,

If you have someone who is computer savvy, ask them to make a boot CD for you with a live Linux or Windows image. You'll be bypassing the installed OS and all the headaches involved with what could possibly be a difficult and time-consuming issue to resolve.

Once you boot up with a live CD, you can browse the file folders and then begin to sort through your files to decide which you want to keep.

Once that's done, you can reformat the hard drive and install a fresh OS and use it for a media server in your home, an extra desktop for your kid(s) or even donate it to families whose children may need a basic computer for school.
I have a boot disk. And I can boot up in safe mode.

The thing is, I went out and bought a new computer when the malware hit. I was thinking of upgrading anyway and I need the computer to do my work. If I have a policy that is due, I can't be fussing around for a couple days fixing my computer.

So the infected computer is sitting there undealt with. I do want to fix it.
 
How else would you remove those files? ....
There are some programs that actually remove the files and some that just take them out of the loop so to speak. I have a program that can recover deleted files so I know they are still there. But some programs are advertised as really cleaning a file.


Thanks for all the information everyone.
 
Another good tool is firefox's add-on Web Of Trust.

https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/

It is community based and rates websites against various threats. It can let you know if a site has a poor reputation and keep you from clicking on it in the first place. Be sure to configure it to only show the rating of bad sites, otherwise the constant green rings will drive you crazy.

Also if you see a rating you don't expect, read the comments. Or even rate and make comments of your own if you know that a valid site is rated badly.
 
I got the Security Shield Virus (the one a lot of people are talking about here) today. I got it while searching a site for .tub files. When the "anti-virus" (fake) screen popped up I immediately noticed a misspelled word and didn't click on it, but it downloaded something anyway. It took me $99 and 5 hours on the phone with a tech support dude to get it cleared; it was a real bugger and would not let me open their site or software (apparently the Russian creators of this malware figured out how to circumvent the mbam software). Fortunately I was able to download files on one computer (laptop) and thumb-drive them to the desktop to get things started.

What a pain. And AVG did not pick it up. It also did not pick it up when I ran a full scan, with today's updates.
 
Just the other day a piece of malware got past my up to date virus protection and completely disabled the computer by not allowing me to open executable files. It demanded that I buy a virus protection package.

My son, who is a IT professional came around and fixed it by running an anti-malware program. His point, though, was that standard virus protection software does not always block malware and that I should purchase additional malware protection. Is he right?

BTW, he also said it was the most sophisticated piece of malware he's seen.

L is for Linux, use it and move on with your life.
 
Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Unless you like flash video and PC gaming. *duck*

Converters for flv files and Half-Life, among others, ran better under emulation than on windoze in the day. I don't game as much anymore, though.

POINT DENIED
 
Converters, as in save the file and put it into another program?

How about embedded FLV, has that been solved? I'm not snarking this time, I honestly haven't looked into it in a while.
 