Old 01-26-2011, 11:25 AM   #11
Papa_Complex
Nomadic Tribesman
 
Papa_Complex's Avatar
 
Join Date: Nov 2008
Location: Brampton, Canada
Moto: '09 ER-6n
Posts: 11,150

Quote: Originally Posted by tkevcu
I haven't found a whole lot about this particular one on the web, but from what I have found, it doesn't look that bad.

What version of Windows is on the laptop?

Malwarebytes and Spybot are both good programs. You can also run HijackThis and post/attach the log, and we can read through that.
It's actually pretty bad, because it constantly pops up and blocks you from being able to use your computer. It masquerades as a legitimate virus scanner. Ultimately it takes you to a website in order to download their "virus remover", which is more spyware and viral files, after you've given them your credit card number.

All in all, that's pretty bad. It's also damned tough to remove, once it has gotten to a certain state of infection. I generally use either a Windows PBE boot CD or something like BART PE, in order to boot into the system and start a manual cleaning, before I move on to the utilities that I've mentioned. That gives me about a 95% positive result, but I still occasionally have to reinstall Windows.
__________________
"Everything's better with pirates." - Lodge, "Dorkness Rising"

http://www.morallyambiguous.net/
Old 01-26-2011, 11:46 AM   #12
tkevcu
Trailer Queen
 
tkevcu's Avatar
 
Join Date: Aug 2010
Location: Richmond, VA
Moto: 919
Posts: 17

I've removed 4 or 5 variants of this type of virus, some of which have been more embedded than others. One was really devious and took every skill and utility that I had to remove it.

From what I found on the web, this one consists of a single executable existing in the temp folder, and changes to the proxy settings in IE to block traffic. Removal should be fairly straightforward (kill the running exe process or use other boot media; delete the executable from the machine, and correct the proxy settings via regedit or the IE menu itself).
Old 01-26-2011, 12:01 PM   #13
Papa_Complex
Nomadic Tribesman
 
Papa_Complex's Avatar
 
Join Date: Nov 2008
Location: Brampton, Canada
Moto: '09 ER-6n
Posts: 11,150

Quote: Originally Posted by tkevcu
I've removed 4 or 5 variants of this type of virus, some of which have been more embedded than others. One was really devious and took every skill and utility that I had to remove it.

From what I found on the web, this one consists of a single executable existing in the temp folder, and changes to the proxy settings in IE to block traffic. Removal should be fairly straightforward (kill the running exe process or use other boot media; delete the executable from the machine, and correct the proxy settings via regedit or the IE menu itself).
Depends. The executable can be in User\Temp, Windows\Temp, or Windows\System32. It can set up a proxy. It can set hard-coded URL references in the Hosts file. It can embed DNS override entries in the system registry. It can lock the Hosts file so that it can't be edited. It can drop other infections. This has become the single largest part of my job over the last 6 months: dealing with this infection and its variants.
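A small triage check for two of the indicators Papa_Complex lists above (Hosts-file tampering and a planted IE proxy), written as an added example for this thread rather than code from either poster. The Hosts content below is constructed; on a real machine you would feed in the contents of %SystemRoot%\System32\drivers\etc\hosts and the ProxyEnable/ProxyServer values exported from the registry.

```python
# Constructed sample Hosts file content, modelled on the tampering described in
# the thread: hard-coded entries sending security-vendor and update domains
# to loopback, plus one redirect to a routable address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
127.0.0.1       update.microsoft.com
93.184.216.34   www.google.com
"""

# Names that Windows legitimately maps to loopback out of the box.
BENIGN_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

def audit_hosts(text):
    """Return (ip, hostname, reason) tuples for entries that look like tampering.

    A non-default name mapped to loopback is the classic way these fake-AV
    infections block vendor and update sites; a name mapped to a routable
    address is a possible redirect to a lookalike site."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() not in BENIGN_LOOPBACK:
                findings.append((ip, name, "non-default host mapped to loopback"))
            elif ip not in LOOPBACK:
                findings.append((ip, name, "host redirected to routable address"))
    return findings

def audit_proxy(proxy_enable, proxy_server, expected=None):
    """Flag an IE proxy the user did not set. The inputs are the ProxyEnable
    and ProxyServer values under HKCU\\Software\\Microsoft\\Windows\\
    CurrentVersion\\Internet Settings; `expected` is the proxy the user
    actually configured, or None if the machine should use no proxy."""
    if proxy_enable and proxy_server != expected:
        return "proxy enabled, pointing at %r (expected %r)" % (proxy_server, expected)
    return None

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print("HOSTS:", *finding)
    print("PROXY:", audit_proxy(1, "127.0.0.1:8080"))
```

The Hosts file being locked (the read-only attribute or an ACL change) and the per-interface NameServer overrides in the registry are not checked here; those are read with attrib/icacls and regedit as the thread describes.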