Saturday, July 03, 2010

Bugger.

I haven't fallen off the face of the earth. I'd like to get the code monkey who wrote the antivirus 2010 virus someplace where I could get my paws on a blowtorch and two hours headstart on the local gardai. Hopefully back up tomorrow.

LawDog


- Posted using BlogPress from my iPhone

22 comments:

Groundhog said...

LD,

Try MalwareBytes http://www.malwarebytes.org/
It works pretty durn good.

Anonymous said...

I second that, malwarebytes works well on this nasty virus. Might need a second computer to d/l to a stick, then put it on the infected computer.

Anonymous said...

Yup, Malwarebytes, and don't forget to turn off use of proxies in your internet options. Flush it several times until it comes up clean more than once.

jecook said...

You will have a long line of people wanting either to add their own personal touch, or at least get a video of it, when you do get your paws on the folks who wrote it. It's a nasty bug ya got there.

-Long time reader, first time commenter.

Chris M said...

A friend caught that a couple of months ago and called me for help removing it. It was challenging. As others have said, Malwarebytes downloaded to a stick using another computer will do it, but you still have to be able to run Malwarebytes. To do that, I had to reboot my friend's machine in Safe Mode so that the virus wouldn't intercept when I tried to run Malwarebytes. Run Malwarebytes in safe mode, then reboot and run it again. Then download and run AVG to get whatever crumbs Malwarebytes may have missed. Reboot between each effort. Running CCleaner registry cleaner at the end of the effort won't hurt a bit, either.

Irishdoh said...

Sir, as a Desktop Support tech suffering from a long list of "Educated Professionals" working in the computer industry who have all managed to be infected with this item, I feel for you. I agree with the previous posters on Malwarebytes, as it has been my primary tool for this vile piece of dung. On the other hand, I have also taken great pleasure in paving over hard drives that would take too long to correct. I hope you will not have to go that route. Good luck!

Jack said...

Be careful - a lot of those infections are through outdated copies of Adobe Acrobat (either Reader or Professional) which allows the attacking program to run code through the handy-dandy PDF reader plugin Acrobat loads into Internet Explorer and Firefox. All a page has to do is throw your browser a PDF just for a second and bang. Make sure you're fully patched up and you should be able to prevent a reinfection.

tpmoney said...

Another vote for malwarebytes with a few suggestions.

1) Make sure you grab the latest manual virus update for it (http://forums.malwarebytes.org/index.php?showtopic=3436)

2) If the virtual critter is giving you problems with installing and/or running malwarebytes, usually booting into safe mode (no networking) and renaming the executable from mbam.exe to mbam.com is sufficient, but you may have to launch it from the command line (Run -> cmd).

3) Make sure you disable system restore checkpoints; lots of times the virus likes to hide in there (right click My Computer -> Properties -> System Restore -> Turn Off System Restore).

4) Be sure you let us know when the beatings will commence.

Nick42 said...

FYI - the FTC has been going after Innovative Marketing (responsible for one of these scams) for a few years and the DOJ just piled on criminal charges.

Unfortunately, FakeAV type scams are widespread, profitable, and likely to continue for the foreseeable future. In other good news, they are often installed by other malware. The underground economy is now sophisticated enough that bad guys have complex referrer and pay-per-install arrangements.

If you don't know the infection vector, it may be wise to reformat. This is really critical if the machine in question has done any online banking for a business. While individuals who have their money stolen are usually made whole by the bank, businesses are not so lucky. Small and medium businesses are being targeted for ACH fraud (wire transfers) via credentials stolen from infected computers.


If you are doing Internet banking for a business, it's a very good idea to have a computer dedicated to doing banking, that you do not use for any other purpose, including browsing other web sites or email.

Steve said...

Definitely do what tpmoney suggests and disable system restore. The bugger digs itself in deep there. Besides Malwarebytes, I've been having really good results with Microsoft Security Essentials. Download it and the latest update manually and let it rip. If that doesn't get it, the only other thing that works is TDSSKiller from Kaspersky (free).

And as others have said check your internet settings if you can't get back online.

106727746031306826017 said...

A few suggestions:

1 Try doing the trick of downloading malwarebytes to a portable drive, or use one of the many live CD antivirus things.

2 If you need to do a nuke and pave, get your paws on a portable hard drive and download an AutoPatcher patch set (and any other installers you need).

3 DO NOT CONNECT THE NETWORK CABLE UNTIL YOU HAVE GOTTEN THINGS PATCHED.

KD5NRH said...

You need a serious virus removal tool: http://www.nextdaypc.com/main/products/details.aspx?PID=4129905&rsmainid=ND0130014

Bonus; by destroying the read/write heads, it prevents reinfection.

Pops said...

Friend of mine called yesterday with that one. He had no second computer to DL another copy of MalWareBytes and AVG and was off in another state when he called. I sent him to a shop. It is indeed a very nasty one.

Pops

Mark Horning said...

I know which one this is, I had it a couple months ago. I was running Google Chrome and it entered via a flash exploit. (no more Chrome, back to Firefox)

As above, Malwarebytes WILL take care of this one, but it's nasty, and you may have to manually copy over the malwarebytes exe from another machine.

HijackThis is another good tool, and AVG will keep it from returning once purged.

Jim March said...

I haven't caught another virus since a nasty hit in Sept. '06. I did the smartest thing I've ever done:

http://ubuntu.com

Linux - a South African flavor, oddly enough.

BryanP said...

I've had to clean that POS off several friends' computers. If you have the same obnoxious variety I've been seeing of late, here are the hoops I have to jump through to get rid of it:

MBAM forum post on how to clean this nastiness.

Erik said...

If you're using Firefox, I'd suggest adding Adblock Plus! as an add-on. I used to get hit with this every few months myself until I did so. It blocks the in-page ads that seem to help spread this thing.

Mike Van Pelt said...

Yeah, my thoughts towards the perps responsible for this bit of malware tend to run towards the "lingering but amusing", too. They've been around peddling this scam for far too long - I cleaned an earlier version off a friend's computer.

Jeff Miller said...

First go into your task menu to shut down the virus temporarily. Then do a file search for .exe files, and then .* files, that have a creation date/time from the incident of infection. Then delete them.

That could get your computer up and running so you can do a real scan.
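Two of the tips in this thread lend themselves to a quick, read-only check before running a scanner: the "turn off use of proxies in your internet options" advice (a fake AV commonly plants a user-level proxy so the browser stops working until it is removed) and Jeff Miller's suggestion of looking for executables created around the time of infection. The PowerShell below is an added example, not code from the post or from any commenter. It assumes a Windows machine with PowerShell 2.0 or later and the standard WinINET and Run-key registry paths; the infection timestamp and the folders it searches are constructed placeholders to adjust for the machine in front of you. It only reports what it finds and deletes nothing, so the actual cleanup still goes to Malwarebytes or whatever tool you trust.

```powershell
# Added example (not from the post): read-only triage for a FakeAV-style infection.
# Assumptions: Windows with PowerShell 2.0+; standard WinINET and Run-key registry paths.
# Nothing here modifies the system; it only prints what to look at.

# Constructed placeholder: set this to roughly when the fake AV pop-ups first appeared.
$InfectionTime = Get-Date '2010-07-02 18:00'

function Get-WinInetProxy {
    # A fake AV often enables a local proxy here so every browser request is hijacked,
    # which is why "turn off use of proxies" gets a victim back online.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable      # 1 = a manual proxy is in use
        ProxyServer   = $p.ProxyServer      # a loopback address here is worth a hard look
        AutoConfigURL = $p.AutoConfigURL    # a PAC script can redirect traffic just as well
    }
}

function Get-RunKeyEntries {
    # Per-user and per-machine autostart entries; FakeAV usually adds itself to one of these.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($props) {
            # Get-ItemProperty adds PSPath/PSParentPath/... note properties; skip those.
            $props.PSObject.Properties |
                Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
                ForEach-Object {
                    New-Object PSObject -Property @{ Key = $k; Name = $_.Name; Command = $_.Value }
                }
        }
    }
}

function Get-RecentExecutables {
    # Executable-type files created since $Since, in folders a fake AV typically drops into.
    # The folder list is an assumption; extend it if the machine has other writable locations.
    param([datetime]$Since)
    $roots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:ALLUSERSPROFILE, $env:ProgramFiles) |
             Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -Include *.exe,*.dll,*.scr,*.com -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Since } |
            Select-Object FullName, CreationTime, Length
    }
}

Write-Host "== WinINET proxy settings (HKCU) =="
Get-WinInetProxy | Format-List

Write-Host "== Run key entries =="
Get-RunKeyEntries | Format-Table -AutoSize

Write-Host "== Executables created since $InfectionTime =="
Get-RecentExecutables -Since $InfectionTime | Sort-Object CreationTime | Format-Table -AutoSize
```

Run it from Safe Mode, as the comments above recommend, so the infection is not actively interfering. A ProxyEnable of 1 with a server you never configured, an autostart entry pointing into a temp or profile folder, or a cluster of executables created within minutes of each other at the infection time are the things to note down before you clean, because they tell you what to re-check after the scanner has run and whether the machine came back clean on a second pass.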

Old NFO said...

You, my daughter, and three co-workers are all off line for the same crap...

Rorschach said...

I have a pair of pliers, a nail gun, a branding iron, a gutting knife, and a wicked evil mind I could lend to the fracas...

Anonymous said...

I work in computer support, and spend way too much time removing various malware crap. I have proposed starting a new TV "reality" show. In the show, when we catch the perps who write malware, who send spam, and who just generally muck up other folks' computers for fun, well, we turn the tables on them and we have some fun with the perps.

Each new episode would feature someone whose computer had been fouled up coming up with a new exquisite torture for the perp.

I would do this to a malware author: Tie him to a hockey goal in a hockey rink, spread-eagle fashion. Give him a little "wiggle room" to try to dodge incoming pucks, which of course I'd be shooting at him. Of course, at first I'd actually shoot some foam-rubber pucks that wouldn't hurt him, then I'd switch to the real vulcanized-rubber pucks, delivered with high-velocity slap shots!

I'll bet that would be a popular show!

Now, some folks have said that what I propose is illegal. I tell them it's no more illegal than what the malware perps are doing. And besides, if I get a few computer users on the jury who have suffered from malware I'd never get convicted!

chicopanther