nasty bug

Started by Baz, Jul 21, 2012, 08:21:17


Baz

WOW!!!!!!!! Just spent the best part of 2 days trying to get rid of a virus I somehow managed to pick up, the computer type that is.

Don't know how/where I got it from, but it was a tricky thing to kill.

It was ransomware, a new one to me, saying it was from the Metropolitan Police e-crime, saying they have locked my system and I need to pay £100... blah blah.

It shows a screen with a warning on, won't restart in safe mode, any safe mode. I had to take out the drive and fit it to another unit, and run AV/malware scans etc. from there. It did find threats, but when I tried to boot after, it still wouldn't.

Then tried it in a caddy, so looking at an external drive; again it found stuff but would not boot. Couldn't even do a manual removal as I needed to be in the registry and don't know if that's possible on a second drive.

Then I found an AVG rescue disc download to burn as an ISO, stick it in and boot from there. Did that, but that found it to be clean, good in a way I guess.

But still no boot; it gets to the same point and restarts, keeps on doing that.

Just to eliminate options I tried refitting the drive to my tower and it booted up straight away ???

Fantastic, but a bit of a chew on and a puzzler.


DAMN computers   ;D ;D

FritzBox

Malwarebytes run in safe mode would have probably shifted it

Edit, if it would have run in safe mode  :whistle:

Baz

Quote from: FritzBox on Jul 21, 2012, 08:52:35
Malwarebytes run in safe mode would have probably shifted it

Edit, if it would have run in safe mode  :whistle:


Nice edit Fritz ;) No, it wouldn't get to safe mode, but could run it while fitted as a second drive in another system; it just wouldn't boot afterwards :dunno:

Glenn

http://nakedsecurity.sophos.com/2012/02/13/metropolitan-police-malware-warning/

Malwarebytes doesn't touch it, or didn't on a PC someone brought in at work.

One of the best resources I have found for help in removing the malware is Bleeping Computers
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

Quote from: Baz on Jul 21, 2012, 09:26:25

Nice edit Fritz ;) No, it wouldn't get to safe mode, but could run it while fitted as a second drive in another system; it just wouldn't boot afterwards :dunno:

The file runs from within the All Users profile on the system, so if you boot from a 2nd drive, it won't load.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

FritzBox

Quote from: Glenn on Jul 21, 2012, 09:34:27


One of the best resources I have found for help in removing the malware is Bleeping Computers

Yep, their Combofix is pretty good

Surprised Malwarebytes doesn't touch it, cures most ailments

Simon

Not the same thing, but I have a friend who managed to get one of those rogue 'anti-virus' viruses the other week, which just seemed to walk right through their fully updated security software.  MWB did remove the infection, but it makes you wonder what the point is of having computer security installed, if it does nothing to prevent malware such as this from getting through in the first place.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Glenn

A lot of AV products don't stop malware so it seems, as it's not seen as a threat.
Glenn
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

zappaDPJ

AV products seem to be particularly useless at the moment. I had an issue where my scheduled backup was failing and after a lot of hair pulling I finally traced the problem to the JS/blacole virus which had found its way into a backup archive. At the time there was virtually no information on it and it had sailed past MSE. I was able to remove it after running a full MSE scan but it's returned and I've found we have multiple instances of it on every PC in the house.

I don't know if it's not being fully removed or if we are just visiting sites and being reinfected but I've given up trying to remove it for the time being. I've tried a number of popular AV products, none of which seem to block it and most won't detect or remove it.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

If it's returning, could it be lodged in the System Restore folder, Zap?
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

zappaDPJ

Unfortunately no, I cleared it all out. It might be hooked into the registry though but I'm not really sure at this point what I'm looking for. There's not a great deal of information available on it as yet.
zap
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Baz

Quote from: armadillo on Jul 21, 2012, 12:02:49
Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

Hi Armadillo,

Well, I have to admit that's where I let myself down, I know, and was kicking myself for obvious reasons... I didn't back up regularly enough to have a recent one that would have helped :red: I know, slap wrist time.

Yes, I was using Acronis but I now use EaseUS Todo Backup, which seems good, but haven't had a chance to actually re-install one... apart from this week :D

I was getting a bit of bother with Acronis, can't remember what, but it was just niggly stuff, wouldn't boot from disc I think, don't know. So I looked about and found this.

Might give Acronis another try; I found it a tad complicated to use.

Baz

On another thing, do you recommend, or do you have, Windows Firewall enabled? This keeps cropping up and I never know what's best.

At the moment I don't, but this recent bother makes me wonder.

pctech

Worth looking at the Run key in the registry via Regedit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
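A way to do the same check from a PowerShell prompt instead of clicking through Regedit, as an added example that is not part of pctech's post. It is read-only: it lists the Run and RunOnce entries under both HKLM and HKCU, resolves each command to its executable, checks whether the file exists and carries a valid Authenticode signature, and flags binaries living under profile or temp directories (the kind of location Glenn mentions above). The key list, the regex and the "profile directory" heuristic are this example's own assumptions, not anything from the thread.

```powershell
# Added example, not from the thread: audit autorun entries without deleting anything.
# Assumes a Windows host with PowerShell 3+ and the Registry provider (built in).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those
            if ($prop.Name -like 'PS*') { continue }
            $cmd = [string]$prop.Value

            # Executable is either the quoted first token or the first whitespace-separated token
            $exe = if ($cmd -match '^"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'n/a' }

            # Heuristic (this example's assumption): autoruns under user-writable profile/temp
            # paths deserve a closer look; legitimate software mostly lives under Program Files.
            $inProfileDir = $exe -match '\\(Users|Documents and Settings|ProgramData|AppData|Temp)\\'

            [pscustomobject]@{
                Key          = $key
                Name         = $prop.Name
                Command      = $cmd
                Executable   = $exe
                Exists       = $exists
                Signature    = $sigStatus
                InProfileDir = $inProfileDir
            }
        }
    }
}

# Entries in profile directories, unsigned, or pointing at missing files float to the top
Get-AutorunEntry |
    Sort-Object -Property InProfileDir, Exists -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable; since it only reads, it is also safe to run against a system that is still infected, which gives you the entry name and path to hunt for before deciding what to remove or restore.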

Simon

A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Baz on Jul 21, 2012, 13:33:18
On another thing, do you recommend, or do you have, Windows Firewall enabled? This keeps cropping up and I never know what's best.

At the moment I don't, but this recent bother makes me wonder.
Your router is a firewall too, Baz, but using the Windows one does not hurt. What you really need is a firewall that would block the ransomware's outgoing communication. Prevx might have been a good clean-up option if it's still going.
Damned, if you do damned if you don't

Gary

Quote from: Simon on Jul 21, 2012, 15:57:31
A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.
If it's a new infection it can take hours, if not days, for updates to come out to products; unless you have heuristics set on paranoia mode in your AV and don't mind lots of false positives, many things slip through it seems.
Damned, if you do damned if you don't

Simon

Yes indeed, it seems that nothing is 100% secure these days.  :(
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Quote from: Simon on Jul 21, 2012, 16:08:36
Yes indeed, it seems that nothing is 100% secure these days.  :(
The baddies will always be one step ahead Simon  :(
Damned, if you do damned if you don't

john

I got this a few months ago and Malwarebytes and similar apps did not remove it.
Whenever I logged in it opened up my browser and locked the machine. It only affected my account though and I was able to log in as admin, create another account and find some info which wasn't a great help.

I then managed to find some files in my folders with the approximate date and time that it first happened and deleted them and was able to at least minimize the window and use the machine.

In the end the only way I managed to resolve it was to do a restore from a previous restore point and it's been fine since.

If that didn't work I'd have tried saving the documents in my previous account and then deleting and recreating the account and restoring the files from backup.

Ray

Baz, download and install a trial version of Webroot SecureAnywhere Complete or Essentials and see what it finds, from here: -

http://www.webroot.co.uk/En_GB/consumer-trials.html

This is the product line that is replacing Prevx since Webroot took them over, it's very good and very light on resources, I've been running the complete version on my 2 desktops and Laptop for several months now and had no issues with it. It also works with any other security software without causing any conflicts.
Ray
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

Simon

Webroot can also be found very cheaply on eBay.  ;)
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Baz

thanks all  :thumb:

Will look at that link, Ray, thanks, and also Gary, I have heard good stuff about Prevx, but if it's no more that's a shame. I used Outpost a long time back but was getting conflicts with something, and as soon as I uninstalled it they stopped, so didn't use it again; pity as it was OK.

So I keep going back to the good old Windows Firewall, then not using it and relying on the router one, but when you get a tester like I just had it makes you more alert again.

Technical Ben

Quote from: armadillo on Jul 21, 2012, 12:02:49
Baz, I thought you used Acronis True Image? The easiest thing to do is restore the OS from an Acronis backup, using the Acronis boot CD. It restores the boot sector, and the complete OS including the registry.

In your intermediate steps, at one point you had what seemed to be a clean OS on an external USB drive. Not all systems can boot from external USB. It depends on your BIOS settings, if they are available.

The way these bugs arrive in the first place is almost always due to the user clicking on something and explicitly giving it permission to install. That can be difficult to avoid when you are not the only user of your computer. No antimalware has a 100% detection rate, especially on new threats that have to be detected heuristically.

That and everyone (including virus scanners and a driver installer CD this week!!!) wants to add in "toolbars". It's not hard for one of those toolbars to have an advert or part to play in these things. I don't know if it's done in error, or if the download sites hijack the installer (I only follow the owners' recommended links for download, so it's still strange). But after seeing the motherboard driver CD ask to install a toolbar this week, I don't trust anyone now.  :shake:
I use to have a signature, then it all changed to chip and pin.

D-Dan

Ahem: Penguins offer a pretty good form of protection against malware  :eyebrow:
Have I lost my way?



This post doesn't necessarily represent even my own opinions, let alone anyone else's

Technical Ben

Well, it still leaves the weakest link on the seat...  :whistle:
I use to have a signature, then it all changed to chip and pin.

armadillo

Quote from: Baz on Jul 21, 2012, 13:30:54
Hi Armadillo,

Well, I have to admit that's where I let myself down, I know, and was kicking myself for obvious reasons... I didn't back up regularly enough to have a recent one that would have helped :red: I know, slap wrist time.

Yes, I was using Acronis but I now use EaseUS Todo Backup, which seems good, but haven't had a chance to actually re-install one... apart from this week :D

I was getting a bit of bother with Acronis, can't remember what, but it was just niggly stuff, wouldn't boot from disc I think, don't know. So I looked about and found this.

Might give Acronis another try; I found it a tad complicated to use.

I can understand why you kicked yourself.

Acronis does have an unnecessarily complicated interface but it does the job once you get used to using only the features you need.

The big test of any Backup/recovery software is whether the recovery works. I hope EaseUS does.

armadillo

Quote from: Simon on Jul 21, 2012, 15:57:31
A firewall won't protect you from malware, Baz, but something like the paid for version of Malwarebytes would offer real-time protection.

Malwarebytes real-time protection has a conflict with NOD32, which Baz uses.

armadillo

Quote from: Baz on Jul 21, 2012, 17:12:06
thanks all  :thumb:

I used Outpost a long time back but was getting conflicts with something, and as soon as I uninstalled it they stopped, so didn't use it again; pity as it was OK.

So I keep going back to the good old Windows Firewall, then not using it and relying on the router one, but when you get a tester like I just had it makes you more alert again.

There is still a conflict between NOD32 and Outpost.

I agree that a firewall will not protect against intrusions such as these. As Gary says, heuristics are your best hope but they do not help if a user explicitly gives permission to the malware.

armadillo

Quote from: Technical Ben on Jul 21, 2012, 19:37:36
That and everyone (including virus scanners and a driver installer CD this week!!!) wants to add in "toolbars".

Those toolbar offers are a real pest. Shame on AV vendors for offering them. The installs are often pre-ticked too.

armadillo

Quote from: Ray on Jul 21, 2012, 16:21:21
... Webroot SecureAnywhere Complete or Essentials and see what it finds, from here: - It also works with any other security software without causing any conflicts.

Or so they say.

I know a lot of people like it but I would be very, very cautious about installing more than one real-time protection software. And definitely only after taking a full backup from which the OS can be restored without recourse to Windows Restore. Kernel mode drivers can get into a terrific tangle which a simple uninstall cannot fix.

I prefer to carry out regular secondary scans with products that do not offer real-time protection, such as Trend Micro Housecall and Emsisoft, though the latter gives plenty of false positives.

Ray

Quote from: armadillo on Jul 23, 2012, 01:50:14
Or so they say.

I know a lot of people like it but I would be very, very cautious about installing more than one real-time protection software. And definitely only after taking a full backup from which the OS can be restored without recourse to Windows Restore. Kernel mode drivers can get into a terrific tangle which a simple uninstall cannot fix.


Webroot SecureAnywhere is designed to work with other AV security software, and I can confirm from my own experience that it will work without causing problems; I've been running it on 3 machines with KIS 2012 installed on them for over 5 months with no problems.
Webroot does most of its work in the cloud and installs very little on your PC; the main executable is only around 680k and the service driver is 111k.
Ray
--------------------

This post reflects my own views, opinions and experience, not those of IDNet.

armadillo

Quote from: Ray on Jul 23, 2012, 11:06:58
Webroot SecureAnywhere is designed to work with other AV security software, and I can confirm from my own experience that it will work without causing problems; I've been running it on 3 machines with KIS 2012 installed on them for over 5 months with no problems.
Webroot does most of its work in the cloud and installs very little on your PC; the main executable is only around 680k and the service driver is 111k.

I do not doubt this at all. This is your experience. But it is anecdotal evidence. All it confirms is that you have encountered no conflicts between Webroot SecureAnywhere and KIS on your three machines. There is a difference between "designed to work with..." and "proven to work with all security software in any possible environment".

I have recently been involved with an ESET problem, requiring memory dumps from various users over a period of some 9 months for its resolution. Conflicts arose only with certain service packs of certain versions of Windows and only when certain software drivers, not necessarily from security software, were present.

All I am saying is that it is virtually impossible for any vendor to test for conflicts with everything in all possible OSs with all possible combinations of drivers present. Hence, a vendor who claims that their product works with all security software is making an untested and untestable claim. Though the claim of "designed to work with all..." is a less extravagant claim. Even a 111k driver could cause havoc in some circumstances. And security software operates in very difficult regions of the OS.

Things that might be affected by conflicts include accessing external drives, printing, scanning, accessing cameras, internet access, joysticks, sound settings, defragmenting, writing to CDs and DVDs: in fact virtually anything that needs a driver.

I am not saying that carefully designed products cannot run in parallel. Just that it is prudent to have a full OS backup before installing any additional security software so that there is a regression path if it is needed. And after installation, as much functionality as possible should be immediately tested, not simply related to the performance of security software.

I was a beta tester for KAV. I lost count of the number of times I had to restore my OS from a backup after it reached about 50.

Baz

Quote from: armadillo on Jul 23, 2012, 01:22:41
The big test of any Backup/recovery software is whether the recovery works. I hope EaseUS does.

:o :o   ooooeerrrrrr   you speak as though you doubt it will work, Armadillo; I hope it does too. I could have found out if I'd been more thorough with my backups :whistle:

I know you've helped me many times in the past with problems like this :thumb: so I wouldn't question what you say about it, but you've got me even more worried now that it doesn't work :)

Baz

After this recent virus I had, my computer is now, just today anyway, running a chkdsk on start-up, which is making me think it's dying :'(

So I was wondering what would be the best way to install another HD which I already have; it has XP on it already with loads of software/documents/music etc. It's just my son's old system that he doesn't need.

I want to use this second drive to replace mine, so need everything that is on mine now putting on this other drive. Do I need to format and just install a backup that I now have of my original system, or does it require a full OS re-install?

Or any other way which I don't know.

pctech

Quote from: D-Dan on Jul 21, 2012, 20:09:41
Ahem: Penguins offer a pretty good form of protection against malware  :eyebrow:

They taste nice with a cup of tea but I wouldn't use one to protect me against malware.  ;D

Gary

Quote from: armadillo on Jul 23, 2012, 14:08:00
I do not doubt this at all. This is your experience. But it is anecdotal evidence. All it confirms is that you have encountered no conflicts between Webroot SecureAnywhere and KIS on your three machines. There is a difference between "designed to work with..." and "proven to work with all security software in any possible environment".

I have recently been involved with an ESET problem, requiring memory dumps from various users over a period of some 9 months for its resolution. Conflicts arose only with certain service packs of certain versions of Windows and only when certain software drivers, not necessarily from security software, were present.

All I am saying is that it is virtually impossible for any vendor to test for conflicts with everything in all possible OSs with all possible combinations of drivers present. Hence, a vendor who claims that their product works with all security software is making an untested and untestable claim. Though the claim of "designed to work with all..." is a less extravagant claim. Even a 111k driver could cause havoc in some circumstances. And security software operates in very difficult regions of the OS.

Things that might be affected by conflicts include accessing external drives, printing, scanning, accessing cameras, internet access, joysticks, sound settings, defragmenting, writing to CDs and DVDs: in fact virtually anything that needs a driver.

I am not saying that carefully designed products cannot run in parallel. Just that it is prudent to have a full OS backup before installing any additional security software so that there is a regression path if it is needed. And after installation, as much functionality as possible should be immediately tested, not simply related to the performance of security software.

I was a beta tester for KAV. I lost count of the number of times I had to restore my OS from a backup after it reached about 50.

I used to use Prevx as well and it did indeed work with two of my computers; they had a very active forum and released new versions to deal with issues in days at points if something arose. I used it because of ESET's poor detection of malware and spyware, which is still a problem. Yes, having 100% VB is great, but in the wild is where it counts, and sadly it let me down, and the new version is not receiving glowing reports on detection and clean-up either :(
Damned, if you do damned if you don't