nasty bug

[Baz]

WOW!!!!!!!!    just spent best part of 2 days trying to get rid of a virus I somehow managed to pick up, the computer type that is.

Dont know how/where I got it from but was a tricky thing to kill.

Was a ransomware,new one to me, saying from metroploitan police e crime   saying have locked my system and I meed to pay £100...blah blah.

shows a screen with warning on, wont restart in safe mode,any safe mode. I had to take out drive and fit it to another unit,run AV/Malware etc from there.Did find threats but when I tried to boot after it still wouldnt.

Then tried in a caddy so looking at an external drive,again it found stuff but would not but.Couldnt even do a manual removal as I needed to be in the registry and dont know if thats possible on a second drive

Then I found and AVG rescue disc download to burn as an ISO, stick it in and boot from there.Did that but that found it to be clean,good in a way I guess.

But still no boot, gets to same point and restarts,keeps on doing that.

Just out of eliminating options I tried re fitting drive to my tower and it booted up straight away 

fantastic   but a bit of a chew on and puzzler.


DAMN computers   

[FritzBox]

Malwarebytes run in safe mode would have probably shifted it

Edit, if it would have run in safe mode 

[Baz]

Malwarebytes run in safe mode would have probably shifted it

Edit, if it would have run in safe mode 

nice edit Fritz     no it wouldnt get to safe mode.but could run it while fitted as second drive in another system, just wouldnt boot afterwards 

[Glenn]

http://nakedsecurity.sophos.com/2012/02/13/metropolitan-police-malware-warning/

Malwarebytes doesn't touch it, or didn't on a PC someone brought in at work.

One of the best resources I have found for help in removing the malware is Bleeping Computers

[Glenn]

nice edit Fritz     no it wouldnt get to safe mode.but could run it while fitted as second drive in another system, just wouldnt boot afterwards 

The file runs from within the All Users profile on the system, so if you d boot from a 2nd drive, it won't load. 

[FritzBox]

One of the best resources I have found for help in removing the malware is Bleeping Computers

Yep, their Combofix is pretty good

Surprised Malwarebytes doesn't touch it, cures most ailments

[Simon]

Not the same thing, but I have a friend who managed to get one of those rogue 'anti-virus' viruses the other week, which just seemed to walk right through their fully updated security software.  MWB did remove the infection, but it makes you wonder what the point is of having computer security installed, if it does nothing to prevent malware such as this from getting through in the first place.

[Glenn]

A lot of AV products don't stop malware so it seems, as it's not seen as a threat.

[armadillo]

Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

[zappaDPJ]

AV products seem to be particularly useless at the moment. I had an issue where my scheduled backup was failing and after a lot of hair pulling I finally traced the problem to the  JS/blacole virus which had found its way into a backup archive. At the time there was virtually no information on it and it had sailed past MSE. I was able to remove it after running a full MSE scan but it's returned and I've found we have multiple instances of it on every PC in the house.

I don't know if it's not being fully removed or if we are just visiting sites and being reinfected but I've given up trying to removing it for the time being. I've tried a number of popular AV products, none of which seem to block it and most won't detect or remove it.

[Simon]

If it's returning, could it be lodged in the System Restore folder, Zap?

[zappaDPJ]

Unfortunately no, I cleared it all out. It might be hooked into the registry though but I'm not really sure at this point what I'm looking for. There's not a great deal of information available on it as yet.

[Baz]

Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

Hi Armadillo,

well I have to admit thats where I let myself down I know and was kicking my self for obvious reasons...I didnt back up regular enough to have a recent one that would have helped      I know, slap wrist time

Yes I was using Acronis but I now use EaseUS Todo Backup which seems good but havent had a chance to actually re-install one....apart from this week 

I was getting a bit bother with Acronis,cant remember what but it was just niggly stuff, wouldnt boot from disc I think, dont know.So I looked about and found this.

Might give Acronis another try,I found it a tad complicated to use

[Baz]

On another thing do you recommend or do you have windows firewall enabled.This keeps cropping up and I never know whats best.

At the moment I dont but this recent bother makes me wonder

[pctech]

Worth looking at the run key in the registry via Regedit HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

[Simon]

A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.

[Gary]

On another thing do you recommend or do you have windows firewall enabled.This keeps cropping up and I never know whats best.

At the moment I dont but this recent bother makes me wonder

Your router is a firewall too baz but using the Windows one does not hurt. What you really need is a  firewall that would block the ransomewares outgoing communication. Prevx might have been a good clean up option if its still going.

[Gary]

A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.

If its a new infection it can take hours if not days for updates to come out to products, unless you have heuristics set on paranoia mode in your av  and don't mind lots of false positives many things slip though it seems.

[Simon]

Yes indeed, it seems that nothing is 100% secure these days. 

[Gary]

Yes indeed, it seems that nothing is 100% secure these days. 

The baddies will always be one step ahead Simon 

[john]

I got this a few months ago and Malaware Bytes and similar apps did not remove it.
Whenever I logged in it opened up my browser and locked the machine. It only affected my account though and I was able to log in as admin, create another account and  find some info which wasn't a great help.

I then managed to find some files in my folders with the approximate date and time that it first happened and deleted them and was able to at least minimize the window and use the machine.

In the end the only way I managed to resolve it was to do a restore from a previous restore point and it's been fine since.

If that didn't work I'd have tried saving the documents in my previous account and then deleting and recreating the account and restoring the files from backup.

[Ray]

Baz, download and install a trial version of Webroot SecureAnywhere Complete or Essentials and see what it finds, from here: -

http://www.webroot.co.uk/En_GB/consumer-trials.html

This is the product line that is replacing Prevx since Webroot took them over, it's very good and very light on resources, I've been running the complete version on my 2 desktops and Laptop for several months now and had no issues with it. It also works with any other security software without causing any conflicts.

[Simon]

Webroot can also be found very cheaply on eBay. 

[Baz]

thanks all 

will look at that link Ray thanks and also Gary I have heard good stuff about Prevx but if its no more thats a shame.I used a long time back Outpost but was getting conflicts with something and as soon as I uninstalled it they stopped so didnt use it again, pity as it was ok.

So I keep going back to the good old windows firewall then not using it and relying on router one but when you get a tester like I just had it makes you more alert again.

[Technical Ben]

Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

That and everyone (including virus scanners and a driver installer CD this week!!!) want's to add in "toolbars". It's not hard for one of those toolbars to have an advert or part to play in these things. I don't know if it's done in error, or if the download sites hijack the installer (I only follow the owners recommended links for download, so it's still strange). But after seeing the motherboard driver CD ask to install a toolbar this week, I don't trust anyone now. 

[D-Dan]

Ahem: Penguins offer a pretty good form of protection against malware 

[Technical Ben]

Well, it still leaves the weakest link on the seat... 

[armadillo]

Hi Armadillo,

well I have to admit thats where I let myself down I know and was kicking my self for obvious reasons...I didnt back up regular enough to have a recent one that would have helped      I know, slap wrist time

Yes I was using Acronis but I now use EaseUS Todo Backup which seems good but havent had a chance to actually re-install one....apart from this week 

I was getting a bit bother with Acronis,cant remember what but it was just niggly stuff, wouldnt boot from disc I think, dont know.So I looked about and found this.

Might give Acronis another try,I found it a tad complicated to use

I can understand why you kicked yourself.

Acronis does have an unnecessarily complicated interface but it does the job once you get used to using only the features you need.

The big test of any Backup/recovery software is whether the recovery works. I hope EaseUS does.

[armadillo]

A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.

Malwarebytes real-time protection has a conflict with NOD32, which Baz uses.

[armadillo]

thanks all 

I used a long time back Outpost but was getting conflicts with something and as soon as I uninstalled it they stopped so didnt use it again, pity as it was ok.

So I keep going back to the good old windows firewall then not using it and relying on router one but when you get a tester like I just had it makes you more alert again.

There is still a conflict between NOD32 and Outpost.

I agree that a firewall will not protect against instrusions such as these. As Gary says, heuristics are your best hope but they do not help if a user explicitly gives permission to the malware.

[armadillo]

That and everyone (including virus scanners and a driver installer CD this week!!!) want's to add in "toolbars".

Those toolbar offers are a real pest. Shame on AV vendors for offering them. The installs are often pre-ticked too.

[armadillo]

... Webroot SecureAnywhere Complete or Essentials and see what it finds, from here: - It also works with any other security software without causing any conflicts.

Or so they say.

I know a lot of people like it but I would be very, very cautious about installing more than one real-time protection software. And definitely only after taking a full backup from which the OS can be restored without recourse to Windows Restore. Kernel mode drivers can get into a terrific tangle which a simple uninstall cannot fix.

I prefer to carry out regular secondary scans with products that do not offer real-time protection, such as Trend Micro Housecall and Emsisoft, though the latter gives plenty of false positives.

[Ray]

Or so they say.

I know a lot of people like it but I would be very, very cautious about installing more than one real-time protection software. And definitely only after taking a full backup from which the OS can be restored without recourse to Windows Restore. Kernel mode drivers can get into a terrific tangle which a simple uninstall cannot fix.

Webroot SecureAnywhere is designed to work with other AV Security software, and I can confirm from my own experience that it will work without causing problems, I've been running it on 3 machine with KIS 2012 installed on them for over 5 months with no problems.
Webroot does most of it's work in the Cloud and installs very little on your PC the main executable is only around 680k and the service driver is 111k.

[armadillo]

Webroot SecureAnywhere is designed to work with other AV Security software, and I can confirm from my own experience that it will work without causing problems, I've been running it on 3 machine with KIS 2012 installed on them for over 5 months with no problems.
Webroot does most of it's work in the Cloud and installs very little on your PC the main executable is only around 680k and the service driver is 111k.

I do not doubt this at all. This is your experience. But it is anecdotal evidence. All it confirms is that you have encountered no conflicts between Webroot SecureAnywhere and KIS on your three machines. There is a difference between "designed to work with..." and "proven to work with all security software in any possible environment".

I have recently been involved with an ESET problem, requiring memory dumps from various users over a period of some 9 months for its resolution. Conflicts arose only with certain service packs of certain versions of Windows and only when certain software drivers, not necessarily from security software, were present.

All I am saying is that it is virtually impossible for any vendor to test for conflicts with everything in all possible OSs with all possible combinations of drivers present. Hence, a vendor who claims that their product works with all security software is making an untested and untestable claim. Though the claim of "designed to work with all..." is a less extravagant claim. Even a 111k driver could cause havoc in some circumstances. And security software operates in very difficult regions of the OS.

Things that might be affected by conflicts include accessing external drives, printing, scanning, accessing cameras, internet access, joysticks, sound settings, defragmenting, writing to CDs and DVDs: in fact virtually anything that needs a driver.

I am not saying that carefully designed products cannot run in parallel. Just that it is prudent to have a full OS backup before installing any additional security software so that there is a regression path if it is needed. And after installation, as much functionality as possible should be immediately tested, not simply related to the performance of security software.

I was a beta tester for KAV. I lost count of the number of times I had to restore my OS from a backup after it reached about 50.

[Baz]

The big test of any Backup/recovery software is whether the recovery works. I hope EaseUS does.

   ooooeerrrrrr  you speak as though you doubt it will work Armadillo,  I hope it does too.I could have found out if id been more thorough with my back ups 

I know youve helped me many times in the past with problems like this  so I wouldnt question what you say about it, but you got me even more worried now that it doesnt work 

[Baz]

after this  recent virus I had my computer is now,just today any way, running a chkdsk on start up which is making me think its dying 

so I was wondering what would be the best way to install another HD which I already have, it has XP on it already with loads of software/documents/music etc.its just my sons old system that he doesnt need.

I want to use this second drive to replace mine so need everything that is on mine now putting on this other drive.Do I need to format and just install a backup that I now have of my original system or does it require a full OS re installing.

or any other way which I dont know.

[pctech]

Ahem: Penguins offer a pretty good form of protection against malware 

They taste nice with a cup of tea but I wouldn't use one to protect me against malware. 

[Gary]

I do not doubt this at all. This is your experience. But it is anecdotal evidence. All it confirms is that you have encountered no conflicts between Webroot SecureAnywhere and KIS on your three machines. There is a difference between "designed to work with..." and "proven to work with all security software in any possible environment".

I have recently been involved with an ESET problem, requiring memory dumps from various users over a period of some 9 months for its resolution. Conflicts arose only with certain service packs of certain versions of Windows and only when certain software drivers, not necessarily from security software, were present.

All I am saying is that it is virtually impossible for any vendor to test for conflicts with everything in all possible OSs with all possible combinations of drivers present. Hence, a vendor who claims that their product works with all security software is making an untested and untestable claim. Though the claim of "designed to work with all..." is a less extravagant claim. Even a 111k driver could cause havoc in some circumstances. And security software operates in very difficult regions of the OS.

Things that might be affected by conflicts include accessing external drives, printing, scanning, accessing cameras, internet access, joysticks, sound settings, defragmenting, writing to CDs and DVDs: in fact virtually anything that needs a driver.

I am not saying that carefully designed products cannot run in parallel. Just that it is prudent to have a full OS backup before installing any additional security software so that there is a regression path if it is needed. And after installation, as much functionality as possible should be immediately tested, not simply related to the performance of security software.

I was a beta tester for KAV. I lost count of the number of times I had to restore my OS from a backup after it reached about 50.

I used to use Prevx as well and it did indeed work with two of my computers, they had a very active forum and released new versions to deal with issues in days at points if something arose, I used it because of Esets poor detection of malware and spyware, which is still a problem, yes having 100% VB is great but in the wild is where it counts and sadly it let me down, and the new version is not receiving glowing reports on detection and clean up either