malware
14 years ago
General
hnnnnnngh. So today, I was looking for a comic book on a Chinese forum, and got quite a nasty cocktail of malware the likes I've never seen before. It completely wiped out my windows update service, changed my hosts file, added a custom DNS server to redirect my google results (even after the main components were removed!), and added itself as a service; but worst of all, it changed the association for .exe files to re-run itself every time any EXE on the system was run, making it come up even in safe mode.
The custom DNS shit (privatedns.com btw, Canada you should be ashamed of yourselves for allowing this business to continue to operate) basically would try and make it look like it couldn't load anything that might help the issue, such as Windows Safety Scanner, Malwarebytes, or anything like that; not like it mattered, since the main payload was gonna disable any of those things upon running.
Once I started to attempt to remove this fucking thing, I realized just how hosed my system was. Running SFC to try and make sure none of the critical system components were altered wasn't enough -- in fact, it caused my system to fail WGA validation and on top of that, killed my graphics card driver (which was already on thin ice, but caused full halts in standard mode). All of this because I just wanted a comic book? :<
So far, here is what I found my computer infected with today:
win32/FakeRean
PUP.keylogger
Alareon.A
Wimpixo.E
Trojan.Hitoli
I'm not even sure if I'm out of the woods yet...
And as if that weren't enough annoyances today, a stray ember caught my shirt on fire while I was outside, burning a hole in it. It was my favorite green shirt too :c
I'd take that advice if I were less stubborn on keeping the machine running exactly how I want it. Truth is, if I really wanted to blast it, I've got a cloned drive backup from about a month ago I could use to rewind with. But I refuse !
Sounds like you've got a piece of work, but at least it made it obvious when it got you. The more subtle it is, the nastier, usually.
You need sunglasses! That's how damn respected you should be. :D
:M
I would be removing the HDD, placing it another PC and doing some scan on there, usually with some flavor of ESET products.
malwarebytes, it might help. I use it and haven't had any major problems in quite a while now
http://mirrors.us.securitywonks.net.....pybotsd162.exe
spybot S&D, I've used it for years
http://download.cnet.com/3001-8022_4-10045910.html?spi=817b596a6faae9f5c2d41055a73ad9b9&part=dl-ad-aware
ad-aware, another good one
http://download.cnet.com/3001-2144_.....48426d5fbc3e64
Crap Cleaner. I use this every time I shutdown my browser.
I hope these help, if not the only option is to format and reinstall from scratch
Windows Safety Scanner (or Security Essentials if you have a legit copy of Windows) actually catches a lot of stuff, including new stuff. I'm surprised this isn't recommended more.
I may or may not start recommending ClamAV for those particularly nasty infections, since you can run it from a linux liveCD without having to have an extra computer nearby to properly sandbox the system..
have an extra computer nearby to properly sandbox the system
Sandbox the system? must be a linux thing that I haven't heard of before...
Uncle Bill stole my soul somewhere around DOS 2.0 (old school pc-user)
There are premade registry files, but this requires you to trust someone else's work, unless you have the entire key set memorized.
http://www.sevenforums.com/tutorial.....s-restore.html has the key sets.
You may need a copy of RKill to even be able to extract them.
http://www.bleepingcomputer.com/dow.....ti-virus/rkill contains a few different links to RKill. I recommend the .com or the 'iexplore.exe' variant.
Deliver the kill and then flush the registry keys for .exe and .lnk.
Then flush the temp folders using CCleaner (http://www.piriform.com/ccleaner/download/slim - Fuck C|Net. I get my shit straight from the software writer's site), and check your start-up list for additional weird shit.
Once these are done, NOW you should be able to scan for stuff using MalwareBytes or Spybot, or SUPERAntiSpyware.
But those other steps need to happen.
"Windows 7 Recovery" required steps like this to be taken for me to get it off a customer's machine. It was interesting as all hell, but I walked a computer illiterate customer through its removal using these steps from thousands of miles away.
Hope this helps ya, man.
The inability for svchost / winlogon to properly access the Windows Update services causes them to misbehave and leak tons of memory (we're talking hundreds of megs to a gigabyte or more) and run full CPU, so getting it replaced is a good idea. I would add this link to your excellent advice:
http://support.microsoft.com/kb/971058
And of course, to fix the DNS, while I'm not sure this is a 100% perfect solution, you've gotta go into your network adapter tcp/ip properties, and manually specify the DNS lookup server...... 8.8.8.8 is a good one (google public DNS!) and is unlikely to screw you over. On the plus side, you also stop getting those lame comcast DNS redirects :3
Granted, most of that shit is fixable, it's gonna be a while before your pc is running smooth...
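The two comments above describe the pieces this infection tampered with: the .exe/.lnk registry associations, the hosts file, and the adapter DNS servers. Here is an added, read-only PowerShell audit for those three spots; it is not from anyone in this thread, and the "clean" values and the $knownGood DNS list are assumptions you should adjust for your own setup.

```powershell
# Added example (not from the thread): audit the three things the posts above
# describe the malware tampering with: .exe/.lnk associations, the hosts file,
# and adapter DNS servers. Read-only; run from an elevated PowerShell.

# Stock-Windows defaults (assumption: standard out-of-the-box values).
$expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\.lnk'                       = 'lnkfile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}
$findings = @()

# 1. File associations: an .exe hijack re-points exefile\shell\open\command
#    at another binary so it runs every time any EXE is launched.
foreach ($key in $expected.Keys) {
    $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
    if ($actual -ne $expected[$key]) {
        $findings += "Association changed: $key = '$actual' (expected '$($expected[$key])')"
    }
}

# 2. hosts file: report every active entry that is not the plain localhost line,
#    since entries for security-vendor sites are how update/scanner downloads get blocked.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -Path $hostsPath)) {
    $line = $raw.Trim()
    if ($line -and -not $line.StartsWith('#') -and
        $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "hosts entry to review: $line"
    }
}

# 3. DNS servers on IP-enabled adapters; anything outside the allow-list is reported.
#    Assumption: Google public DNS as the thread suggests; add your ISP/LAN resolvers.
$knownGood = @('8.8.8.8', '8.8.4.4')
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    foreach ($srv in @($_.DNSServerSearchOrder)) {
        if ($srv -and ($knownGood -notcontains $srv)) {
            $findings += "DNS server on '$($_.Description)': $srv"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No association, hosts, or DNS anomalies found.' }
```

Running this from a clean boot environment (or after RKill) gives you a before/after picture so you can confirm the association and DNS fixes actually stuck instead of being re-applied by a leftover service.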
Why not amend the journal with a link, or description of this site, to make sure no one else runs into it?
I'm sorry that it happened to you... Maybe you can get a Linux boot CD, and look at the content of your HD-- move them to something else or back them up, and then reformat after the progs are saved?
Sorry to hear that.
Mainly because of things like that.