But still not perfect
Published on April 22, 2011 By Dr Guy In Personal Computing

Those damn malware writers are getting better. I had the unfortunate opportunity to run into the latest. You know the ones - "Your computer is infected!!!" and the infection is the warning. This one defied all the tricks that I have learned and even some picked up from here!

1. It infected the "All Users" profile, so no booting with a different account.

2. It polluted the registry with tons of launch points and actually replaced windows launch points so simple deletion would not work (then windows would not).

3. It also prevented access to USB devices! That one was clever (I thought at first my memory stick was bad - nope! It just said it was).

4. It disabled System Restore.

It seemed to have all the bases covered! But again it forgot one. I was able to extract all data from it (even though it kept infecting any USB device I installed on it - but I do not allow autorun, period).

The one thing it forgot is the same one another one forgot - the command line. I am not going to try to repair the computer (it is one of mine, but a friend's son was using it). Once I got my data off of it, reformat and re-install! So no new tips on getting rid of this one, just the details of what it was doing. Nasty bastards! I hope there is a special place in hell for these jerks.

Comments (Page 1)
on Apr 22, 2011

Always have a Linux live disk handy.

on Apr 22, 2011

Life is but a game, some players win some players lose.   

The rest of us are looking for the damn bastards so we can hang them from a tree and watch their legs kick.

on Apr 22, 2011

Good suggestion, 2of3. 

@ Dr Guy:

Where/how did you catch it, what program? Did it give any specific "hostage" message? 

Consider a free program like Sandboxie to isolate your OS from any "New Program" or executable. 

Hope you have a clean backup.

Sorry this happened to you! 

You can install the 30 day trial of Kaspersky even on an infected computer.

on Apr 22, 2011

How about cutting off their fingers and shoving them where the sun don't shine. Then hang 'em from a very long rope off the Golden Gate bridge with a bag full of bull ants in their underwear.

on Apr 22, 2011

How about cutting off their fingers and shoving them where the sun don't shine. Then hang 'em from a very long rope off the Golden Gate bridge with a bag full of bull ants in their underwear.

That would be too kind.

on Apr 22, 2011

Always have a Linux live disk handy.

Got to rewrite mine - the CD expired (they do after a time, but this one was only 4 years old).

Philly0381
Life is but a game, some players win some players lose.   

The rest of us are looking for the damn bastards so we can hang them from a tree and watch their legs kick.

And toast marshmallows?

DrJBHL
Good suggestion, 2of3. 

@ Dr Guy:

Where/how did you catch it, what program? Did it give any specific "hostage" message? 

Consider a free program like Sandboxie to isolate your OS from any "New Program" or executable. 

Hope you have a clean backup.

Sorry this happened to you! 

You can install the 30 day trial of Kaspersky even on an infected computer.

I will look into Sandboxie. But this one was my son's (away at college), so not a lot on it except his music and movies. I got everything saved (xcopy is your friend). As for the name, once the kid told me I had "viruses", I unplugged it from the network and started working on it. I found the file (another one of those number-and-letter things), and the name was AntiVirusSuper 2011 (it actually had several names) - I have the Silent Runners log saved so I can go back and look at it.

If I had the time (family reunion this weekend), I would have tried to dissect it before reformatting. But once I figured out how bad it was, I just saved all the data and started the reformat. I figure that will only take a day (versus perhaps days the other way).

on Apr 22, 2011

How about cutting off their fingers and shoving them where the sun don't shine. Then hang 'em from a very long rope off the Golden Gate bridge with a bag full of bull ants in their underwear.

I heard making them slide down a razor blade into a vat of vinegar is fun to watch!

LightStar
That would be too kind.

Well - as long as it is not hanging them by the neck - I would go for it! (The neck is too quick - but I like the bull ants touch).

on Apr 22, 2011

Here is the list of names I found in the registry. I guess it was try one and see if it snookered?

AlphaAV.exe
Anti-Virus Professional.exe
AntispywarXP2009.exe
AntivirusPlus.exe
AntivirusPro_2010.exe
AntivirusXP.exe
antivirusxppro2009.exe
AntiVirus_Pro.exe
av360.exe
AVCare.exe
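As an added example (not from the post or any commenter), here is a read-only PowerShell audit of the four things the post describes: the Run/RunOnce launch points (flagging the rogue file names listed above), the Winlogon Shell/Userinit values (the "windows launch points" the post says were replaced), the USBSTOR driver start value, and the System Restore policy key. It assumes XP-era defaults of Shell = explorer.exe and Userinit pointing at userinit.exe, and assumes the USB and System Restore lockouts were done through those two registry values; run it from an elevated prompt on the affected machine.

```powershell
# Added example, not code from the post. Read-only audit; changes nothing.
# Rogue file names copied from Dr Guy's registry findings in the thread.
$RogueNames = @('AlphaAV.exe','Anti-Virus Professional.exe','AntispywarXP2009.exe',
  'AntivirusPlus.exe','AntivirusPro_2010.exe','AntivirusXP.exe','antivirusxppro2009.exe',
  'AntiVirus_Pro.exe','av360.exe','AVCare.exe')

$RunKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')

# 1. Run/RunOnce launch points: list every entry, flag the known rogue names.
foreach ($key in $RunKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath etc. metadata
    $hit = $RogueNames | Where-Object { "$($p.Value)" -like "*$_*" }
    $tag = if ($hit) { 'SUSPECT' } else { 'entry  ' }
    "{0} {1}\{2} = {3}" -f $tag, $key, $p.Name, $p.Value
  }
}

# 2. Winlogon Shell/Userinit: assumed XP defaults are explorer.exe and
#    C:\WINDOWS\system32\userinit.exe, (trailing comma is normal).
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = $($wl.Shell)"
"Winlogon Userinit = $($wl.Userinit)"
if ($wl.Shell -ne 'explorer.exe') { 'SUSPECT: Winlogon Shell is not explorer.exe' }
if ($wl.Userinit -notmatch 'userinit\.exe,?$') { 'SUSPECT: Winlogon Userinit altered' }

# 3. USB mass storage driver: Start=3 is the normal on-demand value, 4 is disabled.
$usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\UsbStor'
"USBSTOR Start = $($usb.Start)"
if ($usb.Start -eq 4) { 'SUSPECT: USBSTOR driver disabled (Start=4)' }

# 4. System Restore policy: DisableSR=1 switches System Restore off machine-wide.
$sr = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
if (Test-Path $sr) {
  $v = Get-ItemProperty $sr
  if ($v.DisableSR -eq 1) { 'SUSPECT: System Restore disabled by policy (DisableSR=1)' }
} else { 'System Restore policy key absent (normal)' }
```

Anything tagged SUSPECT is only a lead for the wipe-and-reinstall decision the post already made; the script does not remove or repair anything.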

on Apr 22, 2011

Dr Guy
If I had the time (family reunion this weekend), I would have tried to dissect it before reformatting. But once I figured out how bad it waws, I just saved all the data and started the reformat. I figure that will only take a day (versus perhaps days the other way).

I honor your choice.... get an ext. drive and Acronis. You'll never be sorry.

on Apr 25, 2011

DrJBHL
I honor your choice.... get an ext. drive and Acronis. You'll never be sorry.

Got the exterior drive. Will look into Acronis. I finally got it reconfigured last night upon my return. And promptly (I know! Do not have to say it should have been done before) set the user account to restricted (actually Power User, but at least they cannot get to the system or the admin).

on Apr 26, 2011

That sounds like XP Total Security 2011, which I caught yesterday from the Witcher Wiki.

It is one %*(($ to get rid of, too! It totally screwed my primary user profile, even blocking me from getting on the internet.

I created a second user (in secure mode), got Malwarebytes (using another computer and a flash drive), and eradicated it.

My old user ID is still trashed, so I had to recreate my old desktop using the new user ID.

This thing slipped right past my McAfee Internet Security (which is now uninstalled in favor of MWB and AVG).

All in all: 6 to 8 hours of gaming time lost! Waaaahhhhhhhh!

on Apr 27, 2011

Snarkotamus
That sounds like XP Total Security 2011, which I caught yesterday from the Witcher Wiki.

Thanks!

Snarkotamus
It is one %*(($ to get rid of, too! It totally screwed my primary user profile, even blocking me from getting on the internet.

Yep!

Snarkotamus
I created a second user (in secure mode), got Malwarebytes (using another computer and a flash drive), and eradicated it.

After I found the infection in the All user profile, I did not think to try that.  Another quiver in the arsenal!

Snarkotamus
This thing slipped right past my McAfee Internet Security (which is now uninstalled in favor of MWB and AVG).

I was running AVG on the computer - but I have found it slips by all of them.  As I told the kid - AV does not work when you invite it in.

on Apr 27, 2011

the_Monk
Don't only use restricted user profiles, teach yourself to use the "local security policy" (in administrative tools).

Great suggestion!  I have been too lazy to do that, but given the time expended, it was lazy time wasted.

on Apr 27, 2011

Dr Guy

Always have a Linux live disk handy.

Got to rewrite mine - the CD expired (they do after a time, but this one was only 4 years old).

For a Linux live disk related to security, I use Knoppix STD for repair (Kubuntu / Win XP Pro x64 / OpenSolaris for normal use)... a list of the tools can be found at http://s-t-d.org/tools.html ... if you don't like Knoppix STD, take a look at http://www.knoppix.net/wiki/Security_Live_CD , you have several choices... Helix3 Pro is very good but at $239 a year it is more a tool for people in the security business...

The usual Linux live disk does not always have the tools needed for repair... only a security live CD/DVD may have all the tools you need...
