
Author Topic: WARNING Scare-Ware  (Read 6901 times)

Offline BFM_Crimson

  • BFM Admin
  • *
  • Posts: 1630
    • I'm copying JANE...
Re: WARNING Scare-Ware
« Reply #15 on: May 17, 2011, 12:03:33 AM »
Phew, no traces detected by MBAM ;D

Thanks JANE, LËÕ, Lucky, MiG and Tails for rendering signature services!

Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward, always forward!
    • My 5th Dimensional Homepage
Re: WARNING Scare-Ware
« Reply #16 on: May 17, 2011, 11:48:12 AM »
Quote:
As I now know that there's no problem having MBAM and an Anti-Virus on the same PC:

Downloaded, installed and updated.

Thanks, all!

Correct.

MBAM is a "demand-only" scanner - it is only active when you run a scan, it does NOT run (or spawn) any "long-term" "watcher" tasks.  (FYI: It is also a ONE-PASS scan....)

If you have continuously-running, "preventative" anti-malware software installed and running, you may get some false positives as a result.  Hence if you have any AV/AM suites installed it's best to DISCONNECT FROM THE INTERNET and disable the suites before running an MBAM pass.

The first time you run MBAM it's best to do a "quick scan" to go right to the heart of your system and check the OS and other key components.  (I.e. Find the worst/most obvious stuff with a shorter wait....)  Continue doing quick scans until MBAM finds no more problems.  Then run a "full scan" ... and go have a meal!  Continue doing full scans until it comes up clean.  (I never use the "flash scan....")

Mr. Mxy's current Word Corner word is catachresis    

Offline gamepanther

  • Posts Too Much
  • *****
  • Posts: 1564
  • Problem??
Re: WARNING Scare-Ware
« Reply #17 on: May 17, 2011, 09:25:03 PM »
What do you do on Macs? (I don't think there is a CTRL+ALT+DEL, is there?).



Thanks JANE!



Sig Made By Me.


Thanks Marty!!

Btw just cuz Ben1 haz a higher pitched voice doesn't make him better than meh D:

I miss mah squeakeh voice D: Its harder to be the stereotypical kid on Xbox now :(

The Best Quote Ever By Exodus:

"I will get you unbanned in the next few days. In the meantime go easy on the caffeine."

Offline BFM_Kiwi

  • Major
  • *
  • Posts: 9174
Re: WARNING Scare-Ware
« Reply #18 on: May 17, 2011, 10:33:09 PM »

Utilities > Activity Monitor

Offline gamepanther

  • Posts Too Much
  • *****
  • Posts: 1564
  • Problem??
Re: WARNING Scare-Ware
« Reply #19 on: May 18, 2011, 04:46:02 PM »
Oh, OK. Thanks :)




Offline Fraggle

  • Posts Too Much
  • *****
  • Posts: 2166
  • Growing old is mandatory. Growing up is optional!
Re: WARNING Scare-Ware
« Reply #20 on: May 19, 2011, 06:57:37 AM »
OK! I've been bitten again. Problem this time is that it's locked down Malwarebytes as well as all my browsers.

AVG has a spyware scan which is running at the moment, but I'm not holding my breath.

I am currently logged onto the forums using Xfire's in-game browser through Halo. Not ideal, but it works. (Gotta love Xfire, right?)

I have done a little digging and found the location of the process is usually c:\users\[your profile name]\appdata\local, but when looking for the file to manually delete it, it doesn't show regardless of whether I have the option to show hidden or system files checked.

I started up a command prompt and navigated to the folder, and dir /a /p shows the file as apl.exe (a different name each time, btw), but a delete command just brings up a "file not found" message.

To be brutally honest, I'd rather an application quarantined and removed the little blighter for me, as I'm not sure simply finding and deleting the file will have any positive results.

I have a second question as well, though. Is there any security feature in the browsers that will enable me to stop, or otherwise have to approve, things like this from attaching themselves to my system? I run Chrome and Firefox.

Alternatively, are there any other malware applications that run real-time protection but that aren't too pop-uppy?


thanks,
~Fraggle

Edit: AVG found the registry entry, which was a shell open command, and it pointed to the file in appdata\local. It has removed the registry entry, but the 'dir' command in cmd prompt still shows the exe is present. Still, I can now use my browsers with impunity, and more importantly, Malwarebytes is fully functional again, so I will be using that to purge my system of any remnants of the insidious little blighter.

2nd edit: Interestingly, when I was worried that I wouldn't be able to use Malwarebytes, I started installing Spybot S&D and that's found 11 registry entries and the apl.exe file. And this is after AVG's spyware scanner has 'cleaned' the infection. Don't get me wrong, AVG found a registry entry and unlocked my browsers etc., but it just doesn't cut the mustard as a standalone spyware app.
« Last Edit: May 20, 2011, 03:24:26 AM by Fraggle »
Many thanks to BFM_MiG for the awesometastic siggy!!
Quote from: BFM_JANE
It's just like life! Except with more rockets!

~ӺƦ∂פ₲Ļĕ
Quote from: some random person somewhere
When faced with two choices, simply toss a coin.
It works not because it settles the question for you, but because in that brief moment when the coin is in the air...

...You suddenly know what you are hoping for!
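Fraggle's post describes two symptoms worth checking on any machine hit by this kind of scareware: the .exe "shell open command" handler redirected to a dropped file under AppData\Local, and an executable in that folder that Explorer will not list even with hidden/system files enabled. The script below is an added example, not code from the thread or from any of the tools named in it; it is read-only triage for both symptoms. It goes a little beyond the single key Fraggle mentions by following whatever ProgID the per-user and machine-wide .exe keys currently point at, since a hijack can re-point the extension rather than edit exefile itself. The registry paths, the `"%1" %*` baseline for a clean Vista/7 handler, and the file extensions listed are assumptions stated in the comments.

```powershell
# Added example, not code from the thread. Read-only triage of the two things
# Fraggle's post describes: the .exe "shell\open\command" handler this kind of
# scareware hijacks to point at a dropped file under AppData\Local, and
# hidden/system executables in %LOCALAPPDATA% that Explorer may not list.
# Nothing is modified; review the output before acting on it.

# Machine-wide handler on a clean Windows Vista/7 install (assumed baseline).
$expectedHandler = '"%1" %*'

function Get-ExeProgIds {
    # The .exe extension normally maps to the ProgID "exefile". A hijack can
    # re-point the extension at a ProgID of its own, so follow whatever the
    # per-user and machine-wide .exe keys say in addition to the default.
    $ids = @('exefile')
    foreach ($extKey in 'HKCU:\Software\Classes\.exe', 'HKLM:\SOFTWARE\Classes\.exe') {
        if (Test-Path -LiteralPath $extKey) {
            $id = (Get-ItemProperty -LiteralPath $extKey).'(default)'
            if ($id -and ($ids -notcontains $id)) { $ids += $id }
        }
    }
    $ids
}

function Test-ExeHandler {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) {
        # A clean profile has no per-user exefile key at all, so "absent" under HKCU is good.
        return New-Object PSObject -Property @{ Key = $Key; Value = ''; Status = 'absent' }
    }
    $value = (Get-ItemProperty -LiteralPath $Key).'(default)'
    if ([string]::IsNullOrEmpty($value)) {
        $status = 'empty'
    } elseif ($value -eq $expectedHandler) {
        $status = 'ok'
    } elseif ($value -match '(?i)\\AppData\\(Local|Roaming)\\') {
        # A handler launched from a user profile is the exact pattern Fraggle found.
        $status = 'SUSPICIOUS: points into AppData'
    } else {
        $status = 'SUSPICIOUS: non-default handler'
    }
    New-Object PSObject -Property @{ Key = $Key; Value = $value; Status = $status }
}

function Get-HiddenExecutables {
    param([string]$Root = $env:LOCALAPPDATA)
    # -Force includes hidden and system files that a normal listing skips,
    # the same thing "dir /a" showed in the command prompt.
    $wanted = '.exe', '.dll', '.scr', '.com'   # assumed list of interesting extensions
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            ($wanted -contains $_.Extension.ToLower()) -and
            ((($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -or
             (($_.Attributes -band [IO.FileAttributes]::System) -ne 0))
        } |
        Select-Object FullName, Attributes, LastWriteTime, Length
}

'== .exe shell\open\command handlers =='
$keys = foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
    foreach ($id in Get-ExeProgIds) { "$hive\$id\shell\open\command" }
}
$keys | ForEach-Object { Test-ExeHandler -Key $_ } | Format-Table Key, Value, Status -AutoSize

'== hidden/system executables directly under %LOCALAPPDATA% =='
Get-HiddenExecutables | Format-Table -AutoSize
```

Run it from an ordinary PowerShell prompt on the affected profile; the HKCU keys are the ones a non-admin infection can write, and their mere presence is the signal, since Windows consults the per-user Classes hive before the machine-wide one. A "SUSPICIOUS" line tells you what to hand to a scanner or what to confirm by hash before you touch anything; it is deliberately not a remover, for the reason Fraggle gives in his post.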

Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward, always forward!
    • My 5th Dimensional Homepage
Re: WARNING Scare-Ware
« Reply #21 on: May 19, 2011, 07:56:46 AM »
Quote from: Fraggle
[...]

Edit: AVG found the registry entry, which was a shell open command, and it pointed to the file in appdata\local. It has removed the registry entry, but the 'dir' command in cmd prompt still shows the exe is present. Still, I can now use my browsers with impunity, and more importantly, Malwarebytes is fully functional again, so I will be using that to purge my system of any remnants of the insidious little blighter.

2nd edit: Interestingly, when I was worried that I wouldn't be able to use Malwarebytes, I started installing Spybot S&D and that's found 11 registry entries and the apl.exe file. And this is after AVG's spyware scanner has 'cleaned' the infection. Don't get me wrong, AVG found a registry entry and unlocked my browsers etc., but it just doesn't cut the mustard as a standalone spyware app.

So... did you run a "full" MBAM pass yet?? (You don't say so in the edits....)


Offline Fraggle

  • Posts Too Much
  • *****
  • Posts: 2166
  • Growing old is mandatory. Growing up is optional!
Re: WARNING Scare-Ware
« Reply #22 on: May 19, 2011, 07:59:13 AM »


Quote from: MrMxyzptlk
So... did you run a "full" MBAM pass yet?? (You don't say so in the edits....)

I'm going to let Spybot finish first, then follow up with a full MBAM scan.

Edit (again): MBAM has finished the full scan and the system is clean... for now.
« Last Edit: May 20, 2011, 03:23:48 AM by Fraggle »

Offline Jä×

  • Posts Too Much
  • *****
  • Posts: 1571
  • Resident furry
Re: WARNING Scare-Ware
« Reply #23 on: May 20, 2011, 01:04:08 AM »
My room mate got a variant of this thing, every attempt I made to remove the virus was halted or prevented to the point the computer would turn itself off...

Well I eventually just said "ok, if you want to play rough..." and pulled out my oh so special DoD drive scrubber and wiped his drive, PROBLEM SOLVED LOL

These things are getting worse and worse... used to they were easy to kill, then they started to prevent you from trying, which meant safemode... now some of them prevent that, and go as far as turning the keyboard and mouse off or shutting down the pc, some nasty viruses.


Windows 7 Ultimate, AMD FX4100, Gigabyte 990FXA, G.Skill Sniper 2x4gb 1866, Saphire Radeon 2x512 256bit, Thermaltake Toughguard 850

Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward, always forward!
    • My 5th Dimensional Homepage
Re: WARNING Scare-Ware
« Reply #24 on: May 20, 2011, 11:14:41 AM »
Quote from: Jä×
My room mate got a variant of this thing, every attempt I made to remove the virus was halted or prevented to the point the computer would turn itself off...

Well I eventually just said "ok, if you want to play rough..." and pulled out my oh so special DoD drive scrubber and wiped his drive, PROBLEM SOLVED LOL

These things are getting worse and worse... used to they were easy to kill, then they started to prevent you from trying, which meant safemode... now some of them prevent that, and go as far as turning the keyboard and mouse off or shutting down the pc, some nasty viruses.

If you want to get really armed to deal with these things, then go get yourself a USB HDD Adapter Kit(e.g.), pull the machine's C drive disk, and hook it up to another computer via USB. (FYI: This is about the only practical means any more to remove rootkits. Booting from CDs/Thumbdrives/floppies is like using stone axes nowadays....)

I have FOUR of these handy little adapters AND I have a machine in my workshop that's isolated and easily rebuilt (in case it catches something nasty from an adapter-connected drive - which has yet to ever happen.) [Why FOUR of them?: One in my office, one on the workshop system, and two in my "PC Doctor travel kits" I keep around for when I assist others.]

Don't get me wrong: It can STILL be a royal pain to get rid of some of these buggers, but at least this way it 1) can be done safely, and 2) can be done with a high-level set of tools (versus what you get on a bootable CD/thumbdrive.)


Offline Trael

  • Senior Poster
  • ****
  • Posts: 892
  • Hi Ho I live in a box...
Re: WARNING Scare-Ware
« Reply #25 on: May 20, 2011, 01:37:17 PM »
Mxy, that's actually a really great idea... I think one of my servers is gonna get pulled for an upgrade on the processors, so it can be used for this...

Offline BFM_Octane

  • BFM Admin
  • *
  • Posts: 3813
Re: WARNING Scare-Ware
« Reply #26 on: May 20, 2011, 02:19:10 PM »
Now got my manager's PC, fixing the same thing... No doubt (no antivirus installed).

It took longer this time as I ran into various other problems along the way. Had to double scan, and it picked up a smaller secondary load of infections or bad registry entries that were causing a "Choose a program to open this file" on attempts to open up Explorer (this happened with 2 files when opening Explorer: iexplore.exe and cvvagent.exe, which is a Java-related add-on which has been known to cause bugs, especially after fixing this specific virus). The only way to have gotten around this was to right-click and run as administrator and then disable the add-on, but you knew that wasn't right, even if, like me, you're not used to Vista at all, let alone fixing a computer running that OS.

Seems like I've got this one fixed; running one more scan and some Windows updates and giving the whole thing an overall check over, and I'll obviously be introducing the boss to an antivirus... :roll eyes:



Offline Marty

  • Posts Too Much
  • *****
  • Posts: 1565
  • A tip o't hat to you!
Re: WARNING Scare-Ware
« Reply #27 on: May 21, 2011, 03:23:31 AM »
All this makes me very afraid to use the internet... :-\


Click on the Europe sig to get the link and image code.

Applied for BFM: 28th August 2008
Received Ventrilo: 27th October 2008
Received Little Tags (bfm_): 25th December 2008
Received Big Tags (BFM_): 24th March 2009
Received Corporal Rank: 1st September 2009
Stepped Down From Corporal: 16th March 2010
Nothing happened: 15th July 2012



For a US or UK flag, go to >>THIS THREAD<< and quote the whole code. Quote, not copy.

Offline Jä×

  • Posts Too Much
  • *****
  • Posts: 1571
  • Resident furry
Re: WARNING Scare-Ware
« Reply #28 on: May 21, 2011, 08:43:05 AM »
Quote from: MrMxyzptlk
If you want to get really armed to deal with these things, then go get yourself a USB HDD Adapter Kit(e.g.), pull the machine's C drive disk, and hook it up to another computer via USB. (FYI: This is about the only practical means any more to remove rootkits. Booting from CDs/Thumbdrives/floppies is like using stone axes nowadays....)

I have FOUR of these handy little adapters AND I have a machine in my workshop that's isolated and easily rebuilt (in case it catches something nasty from an adapter-connected drive - which has yet to ever happen.) [Why FOUR of them?: One in my office, one on the workshop system, and two in my "PC Doctor travel kits" I keep around for when I assist others.]

Don't get me wrong: It can STILL be a royal pain to get rid of some of these buggers, but at least this way it 1) can be done safely, and 2) can be done with a high-level set of tools (versus what you get on a bootable CD/thumbdrive.)

That is one way. I just have a 2.5/3.5" interface that the drive plugs into like an 8-track tape. Although with my room mate's virus this did little good, since the HDD was non-responsive; I was forced to wipe the drive and MFT. Worked fine after that...

Personally I use Firefox, NoScript and a few other things, and I never get viruses... the only virus I ever got was one a CS major made in college that hopped onto flash drives and spread across network connections; in one week every computer on campus was infected with his little worm. Easily killed, but nasty.



Offline MrMxyzptlk

  • Posts Too Much
  • *****
  • Posts: 9208
  • Never backward, always forward!
    • My 5th Dimensional Homepage
Re: WARNING Scare-Ware
« Reply #29 on: May 21, 2011, 06:15:44 PM »
Quote from: Jä×
[...]
That is one way. I just have a 2.5/3.5" interface that the drive plugs into like an 8-track tape. Although with my room mate's virus this did little good, since the HDD was non-responsive; I was forced to wipe the drive and MFT. Worked fine after that...

[...]

I'm going to caution you AGAINST DOING THAT, unless you're using eSATA drives ONLY!

Why? Because at boot time, Windows tries to run SW ON EVERY MOUNTED/MOUNTABLE DRIVE, so if you have one added on AT BOOT TIME it might load the virus onto the host system without your knowing or noticing!

Using the USB device method you add the drive AFTER boot-up, so it's (more likely) to be quiescent. (But be sure to DISable Windows' ability to try to do something to the drive at mount time, or at least dismiss the popup if it comes up....)

I.e. Try not to access anything on that drive!

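Mxy's warning is about the host machine acting on a suspect drive the moment it is attached. The Windows setting that governs this is the Explorer policy value `NoDriveTypeAutoRun`, which controls AutoRun/AutoPlay per drive type; the script below is an added example, not code from the thread, that reports that value in both the machine-wide and per-user policy keys and, with `-Apply`, sets it to `0xFF` (all drive types) so that nothing is launched and no AutoPlay popup appears when the drive is plugged in. The key paths and the bitmask value are well-known Windows settings, stated here as assumptions in the comments; changing the HKLM value needs an elevated prompt.

```powershell
# Added example, not code from the thread. Shows the Explorer policy that stops
# Windows from running AutoRun/AutoPlay actions from a newly attached drive, the
# exposure Mxy warns about when a suspect disk is hung off a clean host. Run as
# is to report the current setting; run with -Apply (from an elevated prompt, for
# the HKLM value) to set it. 0xFF disables AutoRun for every drive type.
param([switch]$Apply)

# Assumed well-known policy locations: machine-wide first, then the current user.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$allDriveTypes = 0xFF   # bitmask: one bit per drive type, all set = AutoRun off everywhere

function Get-AutoRunPolicy {
    foreach ($key in $policyKeys) {
        $value = $null
        if (Test-Path -LiteralPath $key) {
            $value = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        }
        if ($null -eq $value) {
            $shown = 'not set (Windows default applies)'
        } else {
            $shown = '0x{0:X2}' -f [int]$value
        }
        New-Object PSObject -Property @{
            Key      = $key
            Value    = $shown
            Disabled = ($value -eq $allDriveTypes)
        }
    }
}

function Set-AutoRunDisabled {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path -LiteralPath $key)) {
            New-Item -Path $key -Force | Out-Null   # Policies\Explorer may not exist yet
        }
        Set-ItemProperty -LiteralPath $key -Name 'NoDriveTypeAutoRun' -Value $allDriveTypes -Type DWord
    }
}

'== NoDriveTypeAutoRun before =='
Get-AutoRunPolicy | Format-Table Key, Value, Disabled -AutoSize

if ($Apply) {
    Set-AutoRunDisabled
    '== NoDriveTypeAutoRun after =='
    Get-AutoRunPolicy | Format-Table Key, Value, Disabled -AutoSize
}
```

Set this on the clean host before the adapter is plugged in, then log off and back on (or restart Explorer) so the policy is read. It only stops Windows from acting on the drive by itself; it does not make the drive safe to browse, so Mxy's last line still applies: scan it, don't open things on it.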
