Topic: WTF System Tools 2011 (Read 7613 times)

Lieutenant_Q · « **Reply #20 on:** March 01, 2011, 11:19:34 pm »

Just got back from a friends house whose computer got hit by this thing. My mother's had this about a month ago. Hers I was able to do a system restore and then an install of MBAM, problem solved. The friends computer took a little more coaxing, mostly because what ever this thing was doing it was blocking System Restore. He had already purchased a program called Spyware Doctor, we installed it while running Safe mode with Networking, updated it and ran the program in safe mode (despite Spyware Doctor saying it shouldn't be run in safe mode). It found the program and took it off, when I left his house it had booted normally with no sign of it on there. I left it running over night and told him to call me if it popped back up in the morning.

The only real difference between the two, was my mother was running 7, while my friend was still running XPSP3.

Dash Jones · « **Reply #21 on:** March 02, 2011, 01:25:08 pm »

Quote from: NJAntman on February 28, 2011, 08:27:34 pm

OK, several scans later and it seeems to be gone again. yet I still cannot connect to the web from that user logon which is really pissing me off. Anyone know of a way I can check what is different from that damaged logon to the other 3 logon id's that still work? I figure it has to be something the scare-ware changed from that user account.

Really pisses me off knowing that I'll probably see this again on family computers.

Only solution I ever found that actually worked completely was a complete reformat and reinstall of OS. On XP it goes undetectable by some Virus programs...the reason for that and the reason you may not be able to connect to the internet are interconnected, at least if it's the same that I had problems with.

What it does is to take up your admin rights. To see if it's done this, try to change something specific, like rollback on the window drivers. If it's taken your admin rights, you will not be allowed to do that.

The other thing it likes to do, and this will KILL your internet everytime, was to fool the anti-virus programs by interwriting and changing some key network files. The AV sees that it's infected and deletes them...and suddenly you have no connection. I've ONLY seen this done when you've actually gone after the trojan physically by trying to delete it's key files. The files themselves rename themselves, and after the first little file is on your computer, it rehashes itself with about several hundred others...so it's redundant. It normally has at least two different processes running at a time, so if you kill one process...it fades and appears as if you got it, but the second process bumps up a new name at random and restarts it under that one, so it once again has two processes.

I tracked down the processes, and deleted them there and in the configuration files as well as the registry...and at that point it started to do the same thing with the changing of the internet files, administrative rights...etc.

I'd probably suggest that you invest in an OS...even if it's linux, format the drive, and reinstall.

But that's just me.

Dash Jones · « **Reply #22 on:** March 02, 2011, 01:32:28 pm »

Quote from: Lieutenant_Q on March 01, 2011, 11:19:34 pm

Just got back from a friends house whose computer got hit by this thing. My mother's had this about a month ago. Hers I was able to do a system restore and then an install of MBAM, problem solved. The friends computer took a little more coaxing, mostly because what ever this thing was doing it was blocking System Restore. He had already purchased a program called Spyware Doctor, we installed it while running Safe mode with Networking, updated it and ran the program in safe mode (despite Spyware Doctor saying it shouldn't be run in safe mode). It found the program and took it off, when I left his house it had booted normally with no sign of it on there. I left it running over night and told him to call me if it popped back up in the morning.

The only real difference between the two, was my mother was running 7, while my friend was still running XPSP3.

That's a new one. I haven't heard it really popping up that much on 7. XP is extremely vulnerable as it seemed to target the specific files on it.

It works via IE...if you disconnect the internet and use another browser that actually seemed to stump it for awhile.

However, mine is old stuff, last run in I had with it that it really affected me was the beginning of last year.

I HAVE run across sites that try to put it on, Firefox and a combination of Norton seemed to catch it before it did anything on Win 7. If you son did anything that I was doing, he was looking for videos. I ran across a site with it just two days ago. I was looking for video on Dead Space via google. One of the (I think it was the fourth or fifth one down) links actually was a deceptive link and led directly to the malicious webpage.

If your son was looking for Dead Space videos via google it is possible that he stumbled across the same page I did.

FCM_SFHQ_XC · « **Reply #23 on:** March 03, 2011, 08:28:43 am »

Quote from: NJAntman on March 01, 2011, 08:18:29 pm

The MSIE diagnostic returns the following message "Check firewall settings for HTTP port (80) HTTPS port (443) and FTP port (21)".

Still nervous about messing with ports so I went poking around and in Internet Options/Connections/LAN settings tab the use a proxy server for LAN was checked on the account that isn't working but nothing was checked in that tab section on any of the accounts that were working. So I went into the not working account and chose Automatically Detect Settings and now that account is connecting to the net. Hey FCM_SFHQ_XC, any ideas on what the "normal" settins in that tab shuold be?

"Automatically Detect Settings" should be check the rest of it should not be for any standard network setup/connection
If the "Use proxy server" was checked then that will cause the broswer not to be able to connect, viruses usually will configure the browser to use a proxy, so it redirects you to a malicious server to proxy through.

knightstorm · « **Reply #24 on:** March 11, 2011, 05:45:17 pm »

I got a UAC prompt for a program I didn't recognize, as well as an authorization prompt from Zone Alarm. I immediately disconnected from the internet just before the prompt from something calling itself "vista security tools" came up. I was able to scan with Lavasoft Ad-Aware which detected and removed it.

NJAntman · « **Reply #25 on:** April 05, 2011, 05:58:30 pm »

Just shot myself in the foot. Trying to explain to my son why free music/video files are usually a trap so I let him create a registration for FilesTube to show him how what he was searching for just leads around in a circle jerk. Was on their site and the first tier of download sites they lead to for no more than 5 minutes. Soon as signed off Windows Restore pops up and when I tried to scan it all kinds of scam and scare warnings statrted to pop-up,it disabled Task Manager (still haven't gotten that back), and randomly hid half of my desktop icons, even cleared out my programs list.

Pulled the plug on my modem and got Malwarebytes to run a quick scan and it found 7 trojans along with registry entries. Starting the clean up process now; seriously thinking about a system reload cause I suspect there is still something buried deep.

Oh well needed to clean house anyway, but here is a write-up on the the bitch:
http://www.geek.com/articles/news/new-malware-tricks-users-into-thinking-hard-drive-failure-is-imminent-20110520/

News: