2nd computer hit with FAKE AV...Process to clean it up?

Started by Jan Regnier, May 04, 2011, 01:54:38 PM

Previous topic - Next topic

0 Members and 2 Guests are viewing this topic.

Jan Regnier

Does anyone have the process for cleaning this up? 

I just got the 1st computer cleaned up today and now a 2nd computer got hit!  They aren't going anywhere (on the internet) they are not supposed to be so I can't get mad about it (I guess) - but I don't want to have to run the computer hospital with every machine that gets hit if there is a process to clean it up that I can do.  I don't mind the time it takes - I just want to have the process that works.


Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Robin Deatherage

Do you ever use ComboFix and Malwarebytes.  I've found that between the two I can usually get things cleaned up.  Sometimes have to start off running them in safe mode and then run them again normal.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jan Regnier

I use Malwarebytes and I have used combofix - but haven't this time..I will go get it though.  I used Sophos to clean it up but after it does that it doesn't let you access programs!  I am in safe mode  - I'll keep trying for awhile...
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Orlando Alonzo

Robin is correct both are very good tools.

Download Malwarebytes. Install and update it.  Disable System Restore. Reboot in safe mode. Scan with Malwarebytes.
Orlando F. Alonzo III
RPM Insurance Agency • Staten Island, NY • oalonzo@rpminsurance.com

Bob

I'm curious since you say they don't visit bad sites..  Are they getting notification of fake AV update and clicking.  Run  services.msc

Sort by name, go to messenger, disable service.   Also check startup and remove msmsgs.  Native network messenging tool but sometimes exploited to trick users.  No need for it so adds an extra level of caution disabling service.  On by default I believe.

Then it's teaching even management to know your products.  Everyone should know their AV product.  Educating will prevent clicking on spoof say update AntiVirus 2011 etc..


Jeff Golas

Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Jeff Zylstra

#6
My best luck comes when I remove the hard drive and attach it to another computer via a USB cable.  When you are not booting the computer from an infected hard drive, the malware doesn't get a chance to load first, so you have a much better chance of disinfecting it.  Just go right click on the START button in Windows, choose EXPLORE, and then right click on the infected hard drive and choose the "Run MalwareBytes" option.   HTH.


P.S.  I would be somewhat careful of Combofix, however.  I've bricked a computer with that utility before, so I'm a little bit leery of it now. 

I also had an issue with Clonezilla last week when I tried to re-image a Dell XP computer, so I'm leery of re-imaging now too!  It keeps saying that the target partition is smaller than the source partition.  It's not.  It's 4 times larger than the drive it was originally imaged from.  And it also borked the hard drive's MBR, so I couldn't fix the errant hard drive if I wanted to, so it got a fresh Windows install with updates, service packs and assorted software again.  That's way more work than I have time for. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jan Regnier

Bob--

The person today was on MSN and clicked on something on that website...  The fake Microsoft product came up and she didn't OPEN it but she did click on the "X" to cancel out of it.. 

I will continue for a while longer trying to beat this piece of "stuff" into submission...I don't like giving in to this stuff!! 

Jeff - everything does get updated - but I will confirm she on the most current..

Thanks, guys...
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Jeff Zylstra

Quote from: Jeff Golas on May 04, 2011, 02:51:36 PM
Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff

Is it possible to keep Flash updated for more than 2 days?   They update more often than our AV product!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bob

Quote from: Jan Regnier on May 04, 2011, 03:01:07 PM
Bob--

The person today was on MSN and clicked on something on that website...  The fake Microsoft product came up and she didn't OPEN it but she did click on the "X" to cancel out of it.. 

I will continue for a while longer trying to beat this piece of "stuff" into submission...I don't like giving in to this stuff!! 

Jeff - everything does get updated - but I will confirm she on the most current..

Thanks, guys...


The X was an image map.  In other words a link.  Best way to close is ALT+F4, in future.  :)

Robin Deatherage

Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jan Regnier

Quote from: Robin Deatherage on May 04, 2011, 03:51:46 PM
Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011

No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Alice

Quote from: Robin Deatherage on May 04, 2011, 03:51:46 PM
Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
Robin - I must say you have links to the most colorfully named web sites I've ever seen. I know that's bad grammar but does describe it best.  ;)

Robin Deatherage

Quote from: Alice on May 04, 2011, 04:03:19 PM
Quote from: Robin Deatherage on May 04, 2011, 03:51:46 PM
Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
Robin - I must say you have links to the most colorfully named web sites I've ever seen. I know that's bad grammar but does describe it best.  ;)
LOL! Alice I wish I was that creative myself.  Wasn't, www.experts-exchange.com, at one time www.expertsexchange.com?   ;D
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Alice


Jeff Golas

Quote from: Jeff Zylstra on May 04, 2011, 03:08:55 PM
Quote from: Jeff Golas on May 04, 2011, 02:51:36 PM
Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff

Is it possible to keep Flash updated for more than 2 days?   They update more often than our AV product!

And you're lucky if you can find it, and install it in under 3 hours using MSI files.

Jeff
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Robin Deatherage

Quote from: Jan Regnier on May 04, 2011, 03:59:11 PM
No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.
Jan have you seen this?  http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 removal instructions look similar to the other solution but references a registry fix tool you can download. I have not used that tool but have always had good luck with tools from this site.  Hope it helps. 
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jan Regnier

Quote from: Robin Deatherage on May 04, 2011, 04:18:05 PM
Quote from: Jan Regnier on May 04, 2011, 03:59:11 PM
No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.
Jan have you seen this?  http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011 removal instructions look similar to the other solution but references a registry fix tool you can download. I have not used that tool but have always had good luck with tools from this site.  Hope it helps. 

Looks promising - will give it a try!  Thanks, Robin.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Jan Regnier

+1 for Robin today!!!

FINALLY got it....

Used "FixzNCR.reg"
Used "RKill"
Used Malwarebytes (which I was using anyway)

Another wasted day..... sorta....but I did learn something new....


Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Robin Deatherage

Quote from: Jan Regnier on May 04, 2011, 05:06:16 PM
+1 for Robin today!!!

FINALLY got it....

Used "FixzNCR.reg"
Used "RKill"
Used Malwarebytes (which I was using anyway)

Another wasted day..... sorta....but I did learn something new....



Yea!!! Way to go Jan, glad it worked.  Sorry you had another wasted day but as you said you did learn something new.  And thanks for the karma.   ;D
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jeff Zylstra

+1 to Robin for mentioning one of my favorite sites, BleepingComputer.Com.  Great site for delousing infected machines, as well as other utilities and problems solvers.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bloody Jack Kidd

I recently came across a really excellent link that was a malware removal how-to listing all the good tools and how to employ them... gotta find that link.
Sysadmin - Parallel42

Jan Regnier

OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

*DO NOT CLICK ON ANYTHING  -
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)
*Control Panel /Internet-delete cookies/temp/history

I also went to Control Panel/System and turned off restore point, restarted computer and then reactivated restore point.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Bloody Jack Kidd

I guarantee this people are following links to images, videos etc. supposedly relating to Osama, SEAL, raid, etc.
Sysadmin - Parallel42

Jan Regnier

Quote from: Rick Chisholm on May 05, 2011, 02:28:32 PM
I guarantee this people are following links to images, videos etc. supposedly relating to Osama, SEAL, raid, etc.

She was in TAM on a client but she had the internet open and minimized- she wasn't actually viewing the internet - and it popped up..
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Jeff Zylstra

Quote from: Jan Regnier on May 05, 2011, 02:24:09 PM
OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

-
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)


I think I know your problem.   ;D
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jan Regnier

Quote from: Jeff Zylstra on May 05, 2011, 03:05:43 PM
Quote from: Jan Regnier on May 05, 2011, 02:24:09 PM
OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

-
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)



I think I know your problem.   ;D



Yeah - I know!!!  I have FF on some of the machines - but since most company websites work with IE - we still keep it as the default.  I am loading FF on all and asking that other than CO websites they use FF.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Jeff Zylstra

Quote from: Jan Regnier on May 05, 2011, 03:09:23 PM
Quote from: Jeff Zylstra on May 05, 2011, 03:05:43 PM
Quote from: Jan Regnier on May 05, 2011, 02:24:09 PM
OK - computer #3 got hit today.....used my new "handy-dandy FAKE AV Repel tool" and in a matter of a few minutes - cleaned up and back in business.  It never got loaded because--->

THANK GOODNESS I passed out the "What NOT to DO" document I put together to the staff yesterday!  It worked perfectly.

-
*Use CTL/ALT/DEL and end processes for iexplorer (using IE)



I think I know your problem.   ;D



Yeah - I know!!!  I have FF on some of the machines - but since most company websites work with IE - we still keep it as the default.  I am loading FF on all and asking that other than CO websites they use FF.


I haven't used IETabs in Firefox lately, but I think that would get around many of the issues with company websites.  Sadly, there are some companies that force us to use plug ins for printing and display that will only work in IE.  I really have to question why these proprietary plug ins are necessary, and who they really benefit!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop