Compromised Websites - Anyone else affected yet? (General Chat thread, page 3 of 8)
#31 AngryTechnician
    On the teacher's personal machine I did on Monday, I only had to remove the entry under RunOnce using Autoruns and was then able to boot up and remove the remnants with Microsoft Security Essentials. Didn't stop the damned thing getting on there in the first place though.

    VIPRE Protect, on the other hand, has been nailing it with the on-access scanner every time. Zero affected school workstations so far as a result.

#32 Mullaney18
    Got rid of this on a few of these too: logged in as local admin and deleted the folder from the user's Application Data\RandomCharacterFolder\RandomCharacter.exe (with icon).

    I didn't think to look for it in the registry; hopefully it will leave no damage if I only removed the program itself.

    Disabled the running icons in the system tray too, either turned off or hid Sophos EP.

    So, what's the best program to run from a domain \ group policy to put on clients, 'cause it's clearly gonna get worse.
    Last edited by Mullaney18; 3rd March 2011 at 12:07 AM.

#33 ticker
    Followed the Bleeping Computer guide and it worked a treat; removed it no problem, one happy user.

#34 tech_guy
    Came across a variant of it last night that had crippled all the file associations. Kaspersky and MalwareBytes cleaned it off, but I was left to tidy up afterwards.

    If I could get hold of these people and force them to eat their own brains I would.

#35 morganw
    I've done a personal laptop (XP) and a standalone school laptop (W7) using system restore and then two scans with MSSE.
    How does this stuff actually install? Can you acquire it even when running under a non-privileged account?

#36 tech_guy
    It's a drive by download from a compromised website. The code is embedded in advertisements.

#37 morganw
    So do you have to approve anything to install it, or can you pick it up by just visiting certain websites?

#38 JoeBloggs
    Got our first machine infected. Just ran the free Kaspersky virus removal tool, found loads.

    Not going to bother with Safe Mode & Malwarebytes, just going to image it!

    McAfee didn't seem to find anything though, which is worrying.

#39 themightymrp
    Had this on about 8 staff laptops this week!! Sophos up to date and didn't notice a bloody thing! This is how I removed it:

    1) Boot into safe mode
    2) Browse to c:\documents and settings\all users\application data
    3) Search for a randomly named folder (letters and numbers). Open it and note the name of the executable. There may be 2 files in here.
    4) Open regedit
    5) Browse to HKCU\software\microsoft\windows\currentversion\RunOnce and delete any reference to the above file.
    6) Browse to HKCU\software\microsoft\windows\ShellNoRoam\MUICache and again delete any references.
    7) Still in regedit, select the HKLM folder and go to File > Load Hive and browse to c:\documents and settings\staff\NTuser.dat. Give the key a relevant name.
    8) Within this mounted folder, search the same registry keys as above and delete any references to the file.
    9) Click on the name of the mounted folder as entered above and go to File > Unload Hive.
    10) Load any other NTuser.dat hives for all accounts that have been logged on since the infection i.e. any domain accounts
    11) Repeat searching the registry keys and hives until finished.
    12) Make sure all hives are unloaded.
    13) Delete the randomly titled folder from c:\documents and settings\all users\application data
    14) Reboot the machine and log in as local administrator
    15) Allow Sophos to update if not already updated
    16) Run a full sweep on the C: drive with settings to automatically remove infections.
    17) It is likely to find a FakeAV-??? file in the c:\windows\temp folder. The scan should remove this.
    18) For safety, delete temporary internet files, system restore files and anything in the c:\windows\csc folder.
    19) Log in as the laptop owner and watch for signs of infection


    What a swine!
    Last edited by themightymrp; 3rd March 2011 at 09:22 AM.

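The registry hunt in steps 5 to 10 above (RunOnce, MUICache, then each offline NTuser.dat), as an added PowerShell audit script that is not from the thread or any of its posters. It assumes an elevated session (reg load needs it), the XP-style paths named in the post, and a hypothetical -IncludeOfflineHives switch; it reports matching entries for review rather than deleting them.

```powershell
# Added example (not from the thread): report Run/RunOnce/MUICache entries, in every user hive,
# that point into a randomly named folder under the shared Application Data directory.
param([switch]$IncludeOfflineHives)   # assumed switch name; loads hives of logged-off profiles

$sharedAppData = @("$env:ALLUSERSPROFILE\Application Data", $env:ProgramData) |
    Where-Object { $_ -and (Test-Path $_) }
# Keys the post's steps check; the MUICache location is the XP one from step 6.
$keys = @('Software\Microsoft\Windows\CurrentVersion\RunOnce',
          'Software\Microsoft\Windows\CurrentVersion\Run',
          'Software\Microsoft\Windows\ShellNoRoam\MUICache')

function Test-SuspiciousPath([string]$text) {
    foreach ($root in $sharedAppData) {
        # <shared app data>\<letters and digits>\<name>.exe, optionally quoted, as described in the thread
        $pattern = '^"?' + [regex]::Escape($root) + '\\[A-Za-z0-9]{6,}\\[^\\"]+\.exe'
        if ($text -match $pattern) { return $true }
    }
    return $false
}

function Get-HiveFindings([string]$hiveRoot) {
    foreach ($k in $keys) {
        $path = "Registry::$hiveRoot\$k"
        if (-not (Test-Path $path)) { continue }
        $item = Get-Item $path
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            # MUICache stores the exe path as the value name; Run/RunOnce store it as the data.
            if ((Test-SuspiciousPath $name) -or (Test-SuspiciousPath $data)) {
                New-Object PSObject -Property @{ Hive = $hiveRoot; Key = $k; Name = $name; Data = $data }
            }
        }
        $item.Close()   # release the key so a temporarily loaded hive can be unloaded
    }
}

# Hives already loaded: logged-on users plus the local administrator running this.
$findings = @(Get-ChildItem Registry::HKEY_USERS | Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { Get-HiveFindings "HKEY_USERS\$($_.PSChildName)" })
if ($IncludeOfflineHives) {
    # Steps 7-10: temporarily load NTUSER.DAT for each profile that is not logged on.
    $profileRoot = Split-Path $env:USERPROFILE -Parent
    foreach ($dir in Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer }) {
        $dat = Join-Path $dir.FullName 'NTUSER.DAT'
        if (-not (Test-Path $dat)) { continue }
        $mount = 'HKU\Audit_' + ($dir.Name -replace '[^A-Za-z0-9]', '_')
        & reg load $mount $dat | Out-Null
        if ($LASTEXITCODE -ne 0) { continue }   # already loaded (logged-on user) or locked
        $findings += @(Get-HiveFindings ('HKEY_USERS\' + $mount.Substring(4)))
        & reg unload $mount | Out-Null
    }
}
$findings | Format-Table Hive, Key, Name, Data -AutoSize
```

Each row names the hive, the key and the executable path, which is also the folder to remove in step 13 once the entry has been confirmed as the infection.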

#40
    Haven't seen this in school yet but will definitely keep an eye out for it. NOD32 has been blocking a lot of web-based nasties recently though.

#41 GREED
    I had this at home 3 weeks ago, bugger of a thing to remove. Helpful but contradictory fixes online helped sort it. Pain in the bottom!

    Rebuilding this weekend.

#42 achedgy
    Quickest and easiest way I've found to remove this is to boot into safe mode and do a system restore to at least last weekend. Run Malwarebytes through twice. Sorted.

#43 CHR1S
    Had 2, see http://www.edugeek.net/forums/securi...4-rootkit.html for what the root issue was.

    Ran the anti-rootkit utility TDSSKiller to find and remove the rootkit (tdl4).
    In safe mode, deleted the affected user's local profile (backup docs, favs etc. first).
    Removed virus and suspicious entries with HijackThis (Trend Micro).
    Ran an AV scan in safe mode.

    Fixed both in a reasonably quick time.

#44 Jobos
    CA antivirus/threat manager is now detecting this as Win32/FakeAV.RGU

#45 SpuffMonkey
    Quote Originally Posted by morganw:
        I've done a personal laptop (XP) and a standalone school laptop (W7) using system restore and then two scans with MSSE.
        How does this stuff actually install? Can you acquire it even when running under a non-privileged account?

    I did notice when I got caught that the Java window opened up - I thought Java couldn't do nasties - but maybe just a coincidence.
