General Chat Thread: Compromised Websites - Anyone else affected yet?
2nd March 2011, 11:50 PM #31
On the teacher's personal machine I did on Monday, I only had to remove the entry under RunOnce using Autoruns and was then able to boot up and remove the remnants with Microsoft Security Essentials. Didn't stop the damned thing getting on there in the first place though.
VIPRE Protect, on the other hand, has been nailing it with the on-access scanner every time. Zero affected school workstations so far as a result.
3rd March 2011, 12:05 AM #32
Got rid of this on a few of these too, logged in as local admin and deleted the folder from the user's application data\RandomCharacterFolder\RandomCharacter.exe (with icon).
I didn't think to look for it in the registry, hopefully it will leave no damage if I only removed the program itself.
Disabled the running icons in system tray too, either turned off or hid Sophos EP..
So, what's the best program to run from a domain \ group policy to put on clients, 'cause it's clearly gonna get worse..
Last edited by Mullaney18; 3rd March 2011 at 12:07 AM.
3rd March 2011, 08:00 AM #33
Followed the Bleeping Computer guide and it worked a treat; removed it no problem, one happy user.
3rd March 2011, 08:19 AM #34
Came across a variant of it last night that had crippled all the file associations. Kaspersky and MalwareBytes cleaned it off but I was left to tidy up afterwards
If I could get hold of these people and force them to eat their own brains I would.
3rd March 2011, 08:23 AM #35
I've done a personal laptop (XP) and a standalone school laptop (W7) using system restore and then two scans with MSSE.
How does this stuff actually install, can you acquire it even when running under a non-privileged account?
3rd March 2011, 08:33 AM #36
It's a drive by download from a compromised website. The code is embedded in advertisements.
3rd March 2011, 08:34 AM #37
So do you have to approve anything to install it or can you pick it up by just visiting certain websites?
3rd March 2011, 09:04 AM #38
Got our first machine infected. Just ran the free Kaspersky virus removal tool, found loads.
Not going to bother with Safe Mode & Malwarebytes, just going to image it!
McAfee didn't seem to find anything though, which is worrying.
3rd March 2011, 09:16 AM #39
Had this on about 8 staff laptops this week!! Sophos up to date and didn't notice a bloody thing! This is how I removed it:
1) Boot into safe mode
2) Browse to c:\documents and settings\all users\application data
3) Search for a randomly named folder (letters and numbers). Open it and note the name of the executable. There may be 2 files in here.
4) Open regedit
5) Browse to HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce and delete any reference to the above file.
6) Browse to HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache and again delete any references.
7) Still in regedit, select the HKLM folder and go to File > Load Hive and browse to c:\documents and settings\staff\NTuser.dat. Give the key a relevant name.
8) Within this mounted folder, search the same registry keys as above and delete any references to the file
9) Click on the name of the mounted folder as entered above and go to File Unload Hive
10) Load any other NTuser.dat hives for all accounts that have been logged on since the infection i.e. any domain accounts
11) Repeat searching the registry keys and hives until finished.
12) Make sure all hives are unloaded.
13) Delete the randomly titled folder from c:\documents and settings\all users\application data
14) Reboot the machine and log in as local administrator
15) Allow Sophos to update if not already updated
16) Run a full sweep on the C: drive with settings to automatically remove infections.
17) It is likely to find a FakeAV-??? File in the c:\windows\temp folder. The scan should remove this.
18) For safety, delete temporary internet files, system restore files and anything in the c:\windows\csc folder.
19) Log in as the laptop owner and watch for signs of infection
What a swine!
Last edited by themightymrp; 3rd March 2011 at 09:22 AM.
Thanks to themightymrp from:
simpsonj (7th March 2011)
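The hive-loading and key-searching part of the steps above (5 to 12) is tedious by hand across several profiles. As an added example that is not code from the thread, this PowerShell script loads each profile's NTUSER.DAT from the XP-era profile root the post uses, searches the Run, RunOnce and MUICache keys named in the post, and reports any entry pointing under an Application Data folder; it only reports, so the operator still decides what to delete. The profile root path and the "Triage_" mount prefix are assumptions.

```powershell
# Added triage script, not from the thread. Assumes the XP-style profile root
# (C:\Documents and Settings) and reg.exe; run elevated, ideally in Safe Mode.
$ProfileRoot = 'C:\Documents and Settings'
# The keys the fix above walks through, relative to each user's hive root.
$KeysToCheck = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\ShellNoRoam\MUICache'
)

function Get-SuspectEntries {
    param([string]$HiveRoot, [string]$Owner)
    foreach ($sub in $KeysToCheck) {
        $key = "$HiveRoot\$sub"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $value = [string]$item.GetValue($name)
            # MUICache stores the exe path as the value NAME, Run/RunOnce as the
            # value DATA, so test both for anything under an Application Data tree.
            if ($name -like '*\Application Data\*' -or $value -like '*\Application Data\*') {
                New-Object PSObject -Property @{
                    Owner = $Owner; Key = $sub; Name = $name; Value = $value
                }
            }
        }
    }
}

$findings = @()
$profiles = Get-ChildItem $ProfileRoot | Where-Object { $_.PSIsContainer }
foreach ($prof in $profiles) {
    $dat = Join-Path $prof.FullName 'NTUSER.DAT'
    if (-not (Test-Path $dat)) { continue }
    $mount = "Triage_$($prof.Name)"   # assumed mount name under HKEY_USERS
    # Mount the offline hive; a hive that is in use (the logged-on user) will
    # fail to load, which is why the post does this from Safe Mode.
    & reg.exe load "HKU\$mount" $dat | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not load $dat"; continue }
    try {
        $findings += Get-SuspectEntries "Registry::HKEY_USERS\$mount" $prof.Name
    } finally {
        [gc]::Collect()   # drop cached key handles so the unload succeeds
        & reg.exe unload "HKU\$mount" | Out-Null
    }
}
# Report only: review each hit, then remove the entry and the dropper folder.
$findings | Format-Table Owner, Key, Name, Value -AutoSize
```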
3rd March 2011, 09:20 AM #40
Haven't seen this in school yet but will deffo keep an eye out for it. NOD32 has been blocking a lot of web based nasties recently though.
3rd March 2011, 09:23 AM #41
I had this at home 3 weeks ago, bugger of a thing to remove. Helpful but contradictory fixes online helped sort it. Pain in the bottom!
Rebuilding this weekend.
3rd March 2011, 09:30 AM #42
Quickest and easiest way I've found to remove this, is to boot into safe mode, do a system restore to at least last weekend. Run malwarebytes through twice. Sorted
3rd March 2011, 09:33 AM #43
Had 2, see http://www.edugeek.net/forums/securi...4-rootkit.html for what the root issue was
Ran Anti-rootkit utility TDSSKiller to find and remove the rootkit (tdl4)
In safemode deleted the affected users local profile (backup docs, favs etc first)
Removed virus and suspicious entries with HijackThis (HijackThis - Trend Micro USA)
Ran an AV scan in safe mode.
Fixed both in a reasonably quick time.
3rd March 2011, 09:46 AM #44
CA antivirus/threat manager is now detecting this as Win32/FakeAV.RGU
3rd March 2011, 11:26 AM #45
I did notice when I got caught that the Java window opened up - I thought Java couldn't do nasties - but maybe just a coincidence