nasty bug

Started by Baz, Jul 21, 2012, 08:21:17

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Baz

WOW!!!!!!!!    just spent best part of 2 days trying to get rid of a virus I somehow managed to pick up, the computer type that is.

Dont know how/where I got it from but was a tricky thing to kill.

Was a ransomware,new one to me, saying from metroploitan police e crime   saying have locked my system and I meed to pay £100...blah blah.

shows a screen with warning on, wont restart in safe mode,any safe mode. I had to take out drive and fit it to another unit,run AV/Malware etc from there.Did find threats but when I tried to boot after it still wouldnt.

Then tried in a caddy so looking at an external drive,again it found stuff but would not but.Couldnt even do a manual removal as I needed to be in the registry and dont know if thats possible on a second drive

Then I found and AVG rescue disc download to burn as an ISO, stick it in and boot from there.Did that but that found it to be clean,good in a way I guess.

But still no boot, gets to same point and restarts,keeps on doing that.

Just out of eliminating options I tried re fitting drive to my tower and it booted up straight away  ???

fantastic   but a bit of a chew on and puzzler.


DAMN computers   ;D ;D

FritzBox

Malwarebytes run in safe mode would have probably shifted it

Edit, if it would have run in safe mode  :whistle:

Baz

Quote from: FritzBox on Jul 21, 2012, 08:52:35
Malwarebytes run in safe mode would have probably shifted it

Edit, if it would have run in safe mode  :whistle:


nice edit Fritz  ;)   no it wouldnt get to safe mode.but could run it while fitted as second drive in another system, just wouldnt boot afterwards  :dunno:

Glenn

http://nakedsecurity.sophos.com/2012/02/13/metropolitan-police-malware-warning/

Malwarebytes doesn't touch it, or didn't on a PC someone brought in at work.

One of the best resources I have found for help in removing the malware is Bleeping Computers
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

Quote from: Baz on Jul 21, 2012, 09:26:25

nice edit Fritz  ;)   no it wouldnt get to safe mode.but could run it while fitted as second drive in another system, just wouldnt boot afterwards  :dunno:

The file runs from within the All Users profile on the system, so if you d boot from a 2nd drive, it won't load. 
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

FritzBox

Quote from: Glenn on Jul 21, 2012, 09:34:27


One of the best resources I have found for help in removing the malware is Bleeping Computers

Yep, their Combofix is pretty good

Surprised Malwarebytes doesn't touch it, cures most ailments

Simon

Not the same thing, but I have a friend who managed to get one of those rogue 'anti-virus' viruses the other week, which just seemed to walk right through their fully updated security software.  MWB did remove the infection, but it makes you wonder what the point is of having computer security installed, if it does nothing to prevent malware such as this from getting through in the first place.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

A lot of AV products don't stop malware so it seems, as it's not seen as a threat.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

zappaDPJ

AV products seem to be particularly useless at the moment. I had an issue where my scheduled backup was failing and after a lot of hair pulling I finally traced the problem to the  JS/blacole virus which had found its way into a backup archive. At the time there was virtually no information on it and it had sailed past MSE. I was able to remove it after running a full MSE scan but it's returned and I've found we have multiple instances of it on every PC in the house.

I don't know if it's not being fully removed or if we are just visiting sites and being reinfected but I've given up trying to removing it for the time being. I've tried a number of popular AV products, none of which seem to block it and most won't detect or remove it.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

If it's returning, could it be lodged in the System Restore folder, Zap?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

zappaDPJ

Unfortunately no, I cleared it all out. It might be hooked into the registry though but I'm not really sure at this point what I'm looking for. There's not a great deal of information available on it as yet.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Quote from: armadillo on Jul 21, 2012, 12:02:49
Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

Hi Armadillo,

well I have to admit thats where I let myself down I know and was kicking my self for obvious reasons...I didnt back up regular enough to have a recent one that would have helped  :red:    I know, slap wrist time

Yes I was using Acronis but I now use EaseUS Todo Backup which seems good but havent had a chance to actually re-install one....apart from this week  :D

I was getting a bit bother with Acronis,cant remember what but it was just niggly stuff, wouldnt boot from disc I think, dont know.So I looked about and found this.

Might give Acronis another try,I found it a tad complicated to use

Baz

On another thing do you recommend or do you have windows firewall enabled.This keeps cropping up and I never know whats best.

At the moment I dont but this recent bother makes me wonder

pctech

Worth looking at the run key in the registry via Regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Simon

A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Baz on Jul 21, 2012, 13:33:18
On another thing do you recommend or do you have windows firewall enabled.This keeps cropping up and I never know whats best.

At the moment I dont but this recent bother makes me wonder
Your router is a firewall too baz but using the Windows one does not hurt. What you really need is a  firewall that would block the ransomewares outgoing communication. Prevx might have been a good clean up option if its still going.
Damned, if you do damned if you don't

Gary

Quote from: Simon on Jul 21, 2012, 15:57:31
A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.
If its a new infection it can take hours if not days for updates to come out to products, unless you have heuristics set on paranoia mode in your av  and don't mind lots of false positives many things slip though it seems.
Damned, if you do damned if you don't

Simon

Yes indeed, it seems that nothing is 100% secure these days.  :(
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Simon on Jul 21, 2012, 16:08:36
Yes indeed, it seems that nothing is 100% secure these days.  :(
The baddies will always be one step ahead Simon  :(
Damned, if you do damned if you don't

john

I got this a few months ago and Malaware Bytes and similar apps did not remove it.
Whenever I logged in it opened up my browser and locked the machine. It only affected my account though and I was able to log in as admin, create another account and  find some info which wasn't a great help.

I then managed to find some files in my folders with the approximate date and time that it first happened and deleted them and was able to at least minimize the window and use the machine.

In the end the only way I managed to resolve it was to do a restore from a previous restore point and it's been fine since.

If that didn't work I'd have tried saving the documents in my previous account and then deleting and recreating the account and restoring the files from backup.

Ray

#21
Baz, download and install a trial version of Webroot SecureAnywhere Complete or Essentials and see what it finds, from here: -

http://www.webroot.co.uk/En_GB/consumer-trials.html

This is the product line that is replacing Prevx since Webroot took them over, it's very good and very light on resources, I've been running the complete version on my 2 desktops and Laptop for several months now and had no issues with it. It also works with any other security software without causing any conflicts.
Ray
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Webroot can also be found very cheaply on eBay.  ;)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Baz

thanks all  :thumb:

will look at that link Ray thanks and also Gary I have heard good stuff about Prevx but if its no more thats a shame.I used a long time back Outpost but was getting conflicts with something and as soon as I uninstalled it they stopped so didnt use it again, pity as it was ok.

So I keep going back to the good old windows firewall then not using it and relying on router one but when you get a tester like I just had it makes you more alert again.

Technical Ben

Quote from: armadillo on Jul 21, 2012, 12:02:49
Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

That and everyone (including virus scanners and a driver installer CD this week!!!) want's to add in "toolbars". It's not hard for one of those toolbars to have an advert or part to play in these things. I don't know if it's done in error, or if the download sites hijack the installer (I only follow the owners recommended links for download, so it's still strange). But after seeing the motherboard driver CD ask to install a toolbar this week, I don't trust anyone now.  :shake:
I use to have a signature, then it all changed to chip and pin.