The Watering Hole

Hey, you're the security guru around here.  I've got a couple of PCs using Avast now, but my own is still stuck on AVG Free v9 (I refused to upgrade due to all the comments about slowing down your PC).  Anyway, it's time to get whatever is currently best.

About two weeks ago I got a nasty fake A/V virus due to a hacked website that was being redirected.  This virus turns off your Task Manager, hides all your files and starts putting up disk error messages wanting you to buy something called "WindowsRecovery."  AVG only caught part of the problem and I was required to find a solution on one of the other PCs.  I ended up using a combination of RKill (that terminates known malware processes), then Malwarebytes (to clean the bulk of the problem), then Unhide to reset all of the "Hidden" bits, followed by Spybot S&D which found two final registry entries that the other A/Vs (AVG and Malwarebytes) had missed.

I know two firms that build DAWs and workplace boxes that both strongly recommend Microsoft Essentials in conjunction with Spybot, then there's others (like you several months ago) that like Avast.  All I know is that AVG didn't work and it's going to be gone as soon as I get a replacement.

As I mentioned above, I'm wondering what you're seeing as the current "latest and greatest" A/V.

Thanks!

I gave up on AVG for some reason a few years back and started using Avira AntiVir -

it still gets beaten by those fake A/V nasty viruses.
I was sorting one of those out recently for a friend a few weeks back over Easter.

btw - your description of your clean up sounds like it will still have a rootkit in your system and you will get reinfected.

You will need to run something like unhackme (or similar - that's the one I have used) on your system.

Then the usual suspects - malwarebytes etc. to clean up the remaining mess of viruses.

also very good is the thing I posted here back in March when I got hit myself -

http://www.eset.com/us/online-scanner

but again it doesn't deal with root kits just sweeps out the remaining mess the rootkit caused.

So the main thing is getting rid of the root kit

BUT beware - unhackme is not for novices, it takes over your machine, though you are savvy enough.
uninstall it after you are finished as it is an annoying rootkit in its own right, albeit a white hat one.

Then run the other stuff to complete it - they all seem to miss and catch different things.

The way the solution worked for me is RKill (which has several names to get around a virus that's trying to stop things like this) kills known malware processes.  You may have to run it more than once for it to be successful.  At this point you now have a system that isn't trying to stop your real A/V from doing its work.  Now you run Malwarebytes which will (usually) find and remove that rootkit you mentioned along with other parts of the virus.  In this case, I then ran Unhide to have it automatically reset the "Hidden" attribute bits on all files (naturally you can do this yourself from DOS easily enough).  I then ran Spybot to clean up what was left.  Note that I did try AVG, but it didn't find anything...

Malwarebytes didn't remove the rootkit on the virus you just had.

Rkill doesn't remove anything either.

At least you now know what to do when the infection strikes again  ;)

Ok, I'm a bit lost here...  Malwarebytes DID remove the rootkit, but only after the running process was stopped (which is what RKill does)...  What am I missing here?  :-?

I just removed a virus that sounds exactly like the one you had - down to the hidden files thing.
I thought I had removed it - using a similar approach - close active malware and restore registry settings using something other than rkill - can't remember what now, would have to check.
the malwarebytes and then ESET thing I posted - both found crap the other missed.

It looked fine.
got thankyous etc.

Then a week later the machine got infected again out of the blue.

did the whole thing again - again it seemed ok.

But because it was a 2nd infection I was suspicious so decided to use unhackme which goes through a boot cycle to determine rootkits and it found the culprits hidden away missed by everything else.

Now the machine is fine and has been for weeks.

I can't say if they were installed as part of the infection by the fake A/V or some earlier infection that went unnoticed.
But they leave the machine compromised and wide open to repeat infection.

You may be ok - but malwarebytes misses these rootkits as they hide so well.

unhackme and some of the other rootkit stuff out there are ugly and dangerous to use - so have a bad rep by many (easy to wreck a windows installation using them)
But the way they find these suckers is by monitoring during boot up by effectively installing as a rootkit themselves.
They get a chance at detection before these nasties are active and can hide themselves.

Hence my warning.

Hmm...  So where IS Charger lately anyway?   :-?

Bump?

I just cleaned the Windows Recovery malware off my dad's system.  It's not a virus and as such virus scanners won't catch it. Somehow that app was allowed access to the system... I believe my dad thought it was a malware update from Windows and clicked on a link or something.

Anyway, it doesn't matter how you clean it, I did it manually.  The thing was so pernicious I had to use Safe Mode (my first time in Win7) and what I ended up doing was drastic... after I found it sprinkled throughout the registry, I actually removed the registry entry for executable files completely.  Of course, first I searched for running processes, terminated them, and removed the easier to find remnants... the software installs itself in some known areas.  Anyway, after crippling the registry, my dad's system was unable to launch any files... which was actually what I wanted.  I then rebooted, restored the default set of file associations for an .exe file (searched on the web and found all of the default file associations for the win7 registry and transferred the file via usb from a separate system) and yes, couldn't launch regedit to fix the registry editor, but could still right-click and "merge" the registry file.

Long story, sorry for the digression.

I've used Avira and like it, and I'm currently using Avast on my home systems.

Security Essentials is a nightmare.  We were getting issues on the studio PC and finally used some tools from sysinternals to determine that Security Essentials was running massive I/O operations... every couple of seconds it would do 50,000+ transactions on the I/O bus.  Nothing else on the system even came close.  And it was so bursty that it was throwing up errors in our audio apps--this became apparent after we added the UA cards to the system, which are very time-critical.  We ditched Security Essentials and everything is fine.  Windows Defender is similarly challenged.  Avast, AVG, and Avira all strike me as better solutions.  Throw in Malwarebytes and Spybot and you should be protected.  But virus infection is rare, typically what you got, you allowed in.  Figuring out what not to click or what link not to follow is crucial.
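An added example, not a file posted in this thread and not a Microsoft-supplied one: a minimal .reg file of the kind the post above describes merging from a USB stick to put the default Windows 7 "exefile" association back. It assumes a stock Windows 7 install with no third-party .exe handler; the deletion under HKEY_CURRENT_USER is included because per-user entries in HKCU\Software\Classes take precedence over the machine-wide ones that HKEY_CLASSES_ROOT shows, so a hijack there survives a fix applied only to HKCR.

```reg
Windows Registry Editor Version 5.00

; Remove any per-user override of the .exe extension. HKCU\Software\Classes
; wins over HKLM\Software\Classes when Windows builds HKEY_CLASSES_ROOT, so a
; hijacked entry here keeps working even after the keys below are restored.
; Deleting a key that does not exist is silently ignored by regedit.
[-HKEY_CURRENT_USER\Software\Classes\.exe]

; Map the .exe extension back to the built-in "exefile" class.
[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

[HKEY_CLASSES_ROOT\exefile]
@="Application"

; Use the executable's own embedded icon.
[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@="%1"

; The value a practitioner should check first: anything other than "%1" %*
; here means every double-clicked program is being routed through another
; binary before (or instead of) running.
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
```

Because the .reg extension has its own association, right-clicking the file and choosing Merge still works when .exe launching is broken, which is what the post relies on; reboot afterwards and confirm the open\command value above reads exactly "%1" %* before trusting the system.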
Cool, thanks!   :)

Since I already have it on two PCs I guess I'll just upgrade mine to Avast as well (and turn off that voice! ;) ).

Cut back on Porn.

Quoting Hookbender (May 20, 2011): Cut back on Porn.


I seriously doubt that Charger's dad was visiting porn sites Hooky.  ;)

(I got mine off a normal site that had been hacked with a redirect.)

Chargers Dad is alive, right? ;D

And....sure ya did. ;D ;D
Quoting CraigBert (May 20, 2011):
  Quoting Hookbender: Cut back on Porn.
  (I got mine off a normal site that had been hacked with a redirect.)

A normal hardcore porn site  ;D
;D ;D

My dad didn't get it from surfing porn (I checked his history).  He got it from some off-kilter news site that had a sidebar, mimicked MS security look and feel, and told him to install a critical windows anti-malware update.  I am not claiming he is smart about computers because this is not the first time I have had to fix his computer.  But a lot of people have been fooled by the Windows Recovery malware.  It's a smart, pervasive implementation.  It completely cripples your system and promises to fix it.  I have not heard from anyone who's paid to uncripple their system but I would bet it keeps asking for more and more money to fix new things.  It hooks in so completely to the registry that you really have to know what you are doing to get rid of it.  And it looks and sounds like a known Windows product.  So this is a relatively sophisticated implementation of malware, and it's only going to be followed by more, newer, better attempts.  

Like everything in life, you must be aware, and you must be vigilant because no one really wants to protect your interests as much as you do.
First, completely kidding around about the virus thing Charger!!! :)

I've become so determined not to get a virus it's a little ridiculous. I've had my Macbook Pro for around a year now with no protection at all. So far, no symptoms of any problems, things like slowing down etc. I think my computer guy at work said there were very few viruses for Apple anyway and I would be fine. So far so good. I absolutely love the ease of use of these things. No updates for virus protection and all the little pop-ups warning you of stuff, it's just a dream machine. I don't do any major stuff on a computer so it's just perfect for my needs. I have found that I don't really like iTunes though. I'll just live with it for now.

This is off subject, sorry, but have there been any new formats for music? I read that mp3 is now outdated and aac is better all around. Is that really true?

.flac seems to be gaining ground and so is that Monkey's Audio one, .ape