bad virus


Xray

From: "Xray" <[email protected]>



| As per the OP, I was trying to download a game that I already owned on
| DVD, not sure where your getting the freeware angle from.
| The DVD had become unreadable, so my options were:
| * Don't play the game ever
| * Buy a used copy on ebay
| * Download an image from the usenet, and use my legit serial number


OK, it wasn't freeware.

Your *ONLY* option was to BUY another copy!


Well, if you're volunteering to kick me in the ass, I just may take you up on
that

Xray

From: "Xray" <[email protected]>

| Well, the rootkit listed above is a virus I believe.
| Also have Rootkit.Win32.TDSS.d

| Since Kaspersky wasn't doing anything, I unistalled it and installed
| Avast. Got multiple blue screen page faults on startup after that,
| apparently my system has become highly unstable.
| Finally managed to boot normally.
| Avast doesn't work at all, its there but corrupted, won't do a thing.

| Looks like I'm looking at a fresh OS reinstall about now, this thing is
| insidious and is always one step ahead.

RootKits are trojans not viruses.

Viruses self replicate. That means once infected it will auto-infect
other files (by appending, inserting or prepending code), boot sectors
and/or systems. Trojans may infect another file by appending, inserting
or prepending code but that subsequent file does not spread the
infection. It simply becomes "trojanized".

You can't uninstall, replace and re-install fully installed anti-virus
applications like you've been doing.

Well, the virus hosed Avast, seemed like an option worth trying, since the
alternative is basically to reinstall the OS.
Kaspersky detected the problem, was unable for whatever reason to do anything
about it, so I moved on.
At this point, since I've nothing left to lose, I'm going to uninstall Avast
[again] and try AVG.

Buffalo

Xray wrote:
[snip]
Well, the virus hosed Avast, seemed like an option worth trying,
since the alternative is basically to reinstall the OS.
Kaspersky detected the problem, was unable for whatever reason to do
anything about it, so I moved on.
At this point, since I've nothing left to lose, I'm going to uninstall
Avast [again] and try AVG.

Have you tried running MalwareBytes as Lipman suggested (renaming, etc.)?
Have you tried installing and running SuperAntiSpyware (free version)? You
may have to rename superantispyware.exe to something like xray.exe or
xray.com.
Buffalo

David H. Lipman

From: "Xray" <[email protected]>



| Well, if you're volunteering to kick me in the ass, I just may take you up on
| that


I infer you've learned an important lesson here!

Xray

From: "Xray" <[email protected]>




| Well, if you're volunteering to kick me in the ass, I just may take you
| up on that


I infer you've learned an important lesson here!

Lets hope.
I often do things I regret, and know as I'm doing them I very well might
regret it.
Somewhat of a risk taker, I guess you'd say.

But I must say, ignoring the warning of anti-virus software, disabling it,
then clicking on the exe file, crosses the line from risk taking into
another realm.
Suffice it to say that I won't do that again.

Xray

Xray wrote:
[snip]
Well, the virus hosed Avast, seemed like an option worth trying,
since the alternative is basically to reinstall the OS.
Kaspersky detected the problem, was unable for whatever reason to do
anything about it, so I moved on.
At this point, since I've nothing left to lose, I'm going to uninstall
Avast [again] and try AVG.

Have you tried running MalwareBytes as Lipman suggested (renaming, etc.)?
Have you tried installing and running SuperAntiSpyware (free version)? You
may have to rename superantispyware.exe to something like xray.exe or
xray.com.
Buffalo

MalwareBytes refuses to run, I even tried running it from an entirely
different drive - If I try to name it something.com, it won't run unless
it's an exe extension.
I can change it to donaldduck.exe or whatever, doesn't seem to do any good.
This infection seems geared to stop most programs, either by corrupting the
install or not letting them run.

Super did run, found and cleaned a few infections, ran it again and it came
back with nothing.
Rebooted, ran it once more, and still nothing.
Ran Spybot and it found a bunch of infections that Super didn't find - Then
when I installed Kaspersky, it uninstalled Super, so it's no longer on my
system.

I'm trying "clamwin" antivirus now, it installed and runs with the dormant
Avast still installed. Don't have high hopes for it, it's been running over
an hour and so far has detected a few tracking cookies and that's it.
I think I'm screwed, I'm basically in experimental mode right now.

Computer functions OK, but god knows what's going on behind the scenes.
My ISP already stopped my ability to send email, it detected the virus-like
behavior. Can still receive at least.
Can't connect to Google, it also detected the shenanigans of the virus.
Pressing Ctrl/Alt/Delete doesn't bring up the process box anymore, other
than that things seem normal.

Xray

Xray said:
Xray wrote:
[snip]
Well, the virus hosed Avast, seemed like an option worth trying,
since the alternative is basically to reinstall the OS.
Kaspersky detected the problem, was unable for whatever reason to do
anything about it, so I moved on.
At this point, since I've nothing left to lose, I'm going to
uninstall Avast [again] and try AVG.

Have you tried running MalwareBytes as Lipman suggested
(renaming, etc.)? Have you tried installing and running
SuperAntiSpyware (free version)? You
may have to rename superantispyware.exe to something like
xray.exe or xray.com.
Buffalo

MalwareBytes refuses to run, I even tried running it from an entirely
different drive - If I try to name it something.com, it won't run
unless it's an exe extension.
I can change it to donaldduck.exe or whatever, doesn't seem to do any
good. This infection seems geared to stop most programs, either by
corrupting the install or not letting them run.

Super did run, found and cleaned a few infections, ran it again and it
came back with nothing.
Rebooted, ran it once more, and still nothing.
Ran Spybot and it found a bunch of infections that Super didn't find -
Then when I installed Kaspersky, it uninstalled Super, so it's no
longer on my system.

I'm trying "clamwin" antivirus now, it installed and runs with the
dormant Avast still installed. Don't have high hopes for it, it's been
running over an hour and so far has detected a few tracking cookies
and that's it. I think I'm screwed, I'm basically in experimental mode
right now.

Computer functions OK, but god knows what's going on behind the scenes.
My ISP already stopped my ability to send email, it detected the virus-like
behavior. Can still receive at least.
Can't connect to Google, it also detected the shenanigans of the
virus. Pressing Ctrl/Alt/Delete doesn't bring up the process box
anymore, other than that things seem normal.

You don't give up easy, do you? :)
I'm guessing I can clone a drive, wipe it out and reinstall XP, get the
updates, reinstall the software, import all the documents, email,
favorites, etc. back from the drive I cloned to in about 5 hours. Some
would say I'm slow but I'm trying not to exaggerate. There's lots of
variables there, of course. Especially if you don't have the install CDs
for everything.
It sounds like you've spent way more time than that trying to clean it
up. Even if you get all the junk out of it, you will still have a
crippled system.

Haven't spent much time at all, just downloading programs, clicking buttons
to run them and rebooting now and then.
Sit around, playing my guitar and watching my kids, I'd be doing that
anyhow.
It's a matter of debate how crippled my system is, that may or may not be
the case, and nothing you or I know would allow a definitive statement in
that regard - I'm not trying to "clean it up", per se.
I am trying to get rid of malicious infections, then I can go to the
cleaning stage.

Fresh install, firstly have to download the hundreds of security updates &
service packs from Microsoft, install video card/sound card/printer/scanner
drivers, all of the dozens or hundreds of apps & programs.

IF I had a cloned drive from a month back or so, then yeah piece of cake.
I don't.

FromTheRafters

Xray said:
@news.eternal-september.org:
Xray said:
[...]

Usenet binaries are FULL of injected trojans.
Either the binary is the trojan, a legitimate
application is repackaged with a trojan or some
other method but Usenet binaries can NOT be
trusted -- EVER.
[...]

There's a lot of crap out there, to be sure.
To say that every single one is infected is clearly ludicrous,

No-one is saying that.

Saying "Usenet binaries can NOT be trusted -- EVER." comes pretty
close.

Usenet binaries can only be trusted if you are *looking* for malware.
The fact that malware is often dispensed through that channel makes the
entire channel untrustworthy. There is no accountability for posters
posting programs, and even many viruses are first injected as germ files
(mainly trojans) posted to usenet.

FromTheRafters

But I must say, ignoring the warning of anti-virus software,
disabling it, then clicking on the exe file, crosses the line
from risk taking into another realm.

Suffice it to say that I won't do that again.

You can also look at it this way. You have a problem with a program that
you downloaded and executed, contact the person that you got the program
from for help. If you cannot contact that person, you shouldn't have
trusted the file. Continuing to operate in this manner, it is only a
matter of time before you get something that the AV won't even
recognize.

Don't beat yourself up over ignoring the AV's warning - beat yourself up
over even allowing your AV to scan that program.

FromTheRafters

Toxic said:
Including all the many jpegs found on binaries newsgroups?

I was going to write "program binaries" above, but figured the context
was already established.

I have an excellent collection of usenet binaries (an M.C.Escher
collection and some really interesting fractal geometry and other math
related pieces).

But yes, even jpegs - if a popular program mishandles jpeg data, you
will probably find malware exploiting it in those groups as well. This
would not be as likely on a website with a contactable webmaster (or an
FTP from a personal contact).

Toxic

I have an excellent collection of usenet binaries (an M.C.Escher
collection and some really interesting fractal geometry and other math
related pieces).

PBS's NOVA series did an interview documentary on Benoît Mandelbrot back
in 2005, real likeable guy. http://tinyurl.com/6s845a
But yes, even jpegs - if a popular program mishandles jpeg data, you
will probably find malware exploiting it in those groups as well.

Wasn't it the renowned 'Soooge' who crafted just such a jpg viewer?
then there was that MP3 player by Kim Vanvaeck...

ya rilly gotta be careful whatcha click anymore ;-)

(confession)
and yes in addition to disks of fractals,
I've got many full of mp3s as well.

David H. Lipman

From: "FromTheRafters" <[email protected]>

| I was going to write "program binaries" above, but figured the context
| was already established.

| I have an excellent collection of usenet binaries (an M.C.Escher
| collection and some really interesting fractal geometry and other math
| related pieces).

| But yes, even jpegs - if a popular program mishandles jpeg data, you
| will probably find malware exploiting it in those groups as well. This
| would not be as likely on a website with a contactable webmaster (or an
| FTP from a personal contact).

Some of the binaries that are malicious are NOT executables but are media files exploiting
Windows DRM such as Wimad trojans.

David Kaye

Xray said:
Well, the virus hosed Avast, seemed like an option worth trying, since the
alternative is basically to reinstall the OS.

It doesn't sound like a virus but a trojan. Anyhow, you can usually install
and run Mbam while in safe mode (and sometimes even update it if you run safe
mode with networking, though that's not always the case). At the moment, Mbam
still appears to be the best anti-malware tool out there.

David Kaye

Xray said:
MalwareBytes refuses to run, I even tried running it from an entirely
different drive - If I try to name it something.com, it won't run unless
it's an exe extension.
I can change it to donaldduck.exe or whatever, doesn't seem to do any good.
This infection seems geared to stop most programs, either by corrupting the
install or not letting them run.

I've seen this a lot; the malware appears to look at the size of the file.
There are some older tools I can use, such as a copy of SpySweeper from about
3 years ago that most malware won't shut down, though they'll shut down more
recent versions.

But try installing it in safe mode and you might have better success. Also,
try rolling back the registry manually (copy and paste) to at least a week
before the infection was first noticed.

David Kaye

It's a matter of debate how crippled my system is, that may or may not be
the case, and nothing you or I know would allow a definitive statement in
that regard - I'm not trying to "clean it up", per se.
I am trying to get rid of malicious infections, then I can go to the
cleaning stage.

I think your computer can be saved without reinstalling Windows. It doesn't
sound like that bad an infection, just annoying as hell.

If you feel comfortable monkeying around in the registry, look at HKLM,
Software, Microsoft, Windows, CurrentVersion, Run and look at the first key.
It should say (default) and (value not set). If it doesn't say (value not
set) and instead is blank, delete that entry. I see this a lot -- it's a RUN
entry that is masked by delete characters, making it invisible. These
infections that disable anti-malware tools and disable certain Control Panel
functions often hide themselves this way. I've seen it a LOT.

Also, while you're looking at the RUN section, see what else runs at startup.
Are there any programs with random characters in the file name? Do they
reside in the user's localsettings/temp directory rather than in Windows
System32? Nothing legitimate should be starting up from any temp or
local settings directory.

Some ideas for you...
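A read-only PowerShell check for the two signs described in this post (a Run key whose (default) value is set or whose value names hide behind non-printable characters, and startup entries that launch from a temp or Local Settings directory or have random-looking names). This is an added example, not code from anyone in the thread; the "8+ mixed letters and digits" rule for a random name is my own assumption.

```powershell
# Added example (not from the thread). Inspects the HKLM Run key and only
# reports; it never deletes or modifies anything. Run in an elevated shell.
$runPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$key = Get-Item -Path $runPath
$names = $key.GetValueNames()   # the default value appears here as ''

# Sign 1: the key's (default) value should be absent ("value not set").
if ($names -contains '') {
    Write-Warning "Run key has a (default) value set: '$($key.GetValue(''))'"
}
# Value names containing control characters render as blank in regedit;
# show their hex codes so they can be reviewed.
foreach ($n in $names) {
    if ($n -match '[\x00-\x1F\x7F]') {
        $hex = ($n.ToCharArray() | ForEach-Object { '{0:X2}' -f [int]$_ }) -join ' '
        Write-Warning "Value name contains non-printable characters: $hex"
    }
}

# Sign 2: where each startup entry actually lives and what it is called.
foreach ($n in $names) {
    $cmd = [string]$key.GetValue($n)
    # Take the image path: a quoted path, or the first whitespace-delimited token.
    if ($cmd -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else                             { $exe = ($cmd -split '\s+')[0] }
    $exe  = [Environment]::ExpandEnvironmentVariables($exe)
    $low  = $exe.ToLowerInvariant()
    $stem = [IO.Path]::GetFileNameWithoutExtension($low)
    $reasons = @()
    if ($low -match '\\local settings\\' -or $low -match '\\appdata\\local\\temp\\' -or
        $low -match '\\temp\\') {
        $reasons += 'starts from a temp/local settings directory'
    }
    # Assumption: a stem of 8+ characters mixing letters and digits is "random".
    if ($stem -match '^[a-z0-9]{8,}$' -and $stem -match '[a-z]' -and $stem -match '\d') {
        $reasons += 'random-looking file name'
    }
    if ($exe -and -not (Test-Path -LiteralPath $exe)) {
        $reasons += 'image not found on disk'   # extra check, beyond the post
    }
    if ($reasons.Count -gt 0) {
        Write-Output ('SUSPECT  {0,-24} {1}  [{2}]' -f $n, $cmd, ($reasons -join '; '))
    } else {
        Write-Output ('ok       {0,-24} {1}' -f $n, $cmd)
    }
}
```

The same loop can be pointed at the HKCU Run key (and, on 64-bit Windows, the Wow6432Node Run key) by changing `$runPath`; treat every SUSPECT line as something to look at by hand, not as a verdict.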

FromTheRafters

Toxic said:
PBS's NOVA series did an interview documentary on Benoît Mandelbrot
back
in 2005, real likeable guy. http://tinyurl.com/6s845a

Thanks for the link (nabbed a couple of small pics as well while I was
there - can't help myself).
Wasn't it the renowned 'Soooge' who crafted just such a jpg viewer?

...while others might do it by accident (an unintended vulnerability),
doing it on purpose is crafting a trojan.
then there was that MP3 player by Kim Vanvaeck...

Hadn't heard of that - Google here I come...
ya rilly gotta be careful whatcha click anymore ;-)

Yes indeed!
(confession)
and yes in addition to disks of fractals,
I've got many full of mp3s as well.

Same things apply, but you already knew that. :blush:)

FromTheRafters

David H. Lipman said:
From: "FromTheRafters" <[email protected]>

| I was going to write "program binaries" above, but figured the
context
| was already established.

| I have an excellent collection of usenet binaries (an M.C.Escher
| collection and some really interesting fractal geometry and other
math
| related pieces).

| But yes, even jpegs - if a popular program mishandles jpeg data, you
| will probably find malware exploiting it in those groups as well.
This
| would not be as likely on a website with a contactable webmaster (or
an
| FTP from a personal contact).

Some of the binaries that are malicious are NOT executables but are
media files exploiting
Windows DRM such as Wimad trojans.

Exploiting in this case meaning the utilization of an IMO ill conceived
feature of the filetype which is supported by the player rather than an
exploit of a software flaw. Still, I would file that under "mishandling
data" and I have long considered WMP to be a trojan. Why would anyone
want a media file to cause the browser to fire up and visit a URL
supplied by what should always be considered untrusted input?

David H. Lipman

From: "FromTheRafters" <[email protected]>


| Exploiting in this case meaning the utilization of an IMO ill conceived
| feature of the filetype which is supported by the player rather than an
| exploit of a software flaw. Still, I would file that under "mishandling
| data" and I have long considered WMP to be a trojan. Why would anyone
| want a media file to cause the browser to fire up and visit a URL
| supplied by what should always be considered untrusted input?


Some believe it is a good idea to connect to the web to get a license for a media file or
such things as artist or album information. That concept is what's being exploited.
Instead of getting a license the malware is obtained. Zango is well known for exploiting
the DRM "feature".