malware alert! help!

[geronimotwo]

just went through a malware ordeal.   picked up "antivirus live" which kept wanting me to buy their product as i was "infected" (by them).  would lockup my programs, and spit porn at me every 8-10 minutes.   the next day, my discover card calls me to say they have numerous "suspicious" purchases, none of which were mine.  i think the malware came through on some game sites my daughter was downloading from  (big fish was the most used that day).

i was able to gain control again, but still cannot get online unless in safemode.  i had downloaded the latest spybot upgrade (in regular windows)and then used it to finish debuging my pc. after that i called my isp and they recomended that i remove spybot, which i did (but now i am kicking myself for not using the undo button first). the connection wizard is telling me it is probably due to firewall settings, as windows claims it will not accept any http,  https,  or ftp addresses.  i haven't been able to get anything to come through internet explorer unless in safe mode.  i am using windows xp, and have tried lowering the firewall settings, as well as using the factory defaults.  any thoughts?

i keep wondering if it was that tiny and cheap video camera i was thinking about buying

[Tim L]

My friend sent me this recently while I was trying to beat some malware into submission and it was blocking internet explorer.  Go into the settings for IE and change the LAN setting. If Proxy is checked, uncheck it.  The one I was fighting had created new user accounts and changed the ownership of all personal files to protect itself.  Talk about wanting to get my hands on someone.

[geronimotwo]

My friend sent me this recently while I was trying to beat some malware into submission and it was blocking internet explorer.  Go into the settings for IE and change the LAN setting. If Proxy is checked, uncheck it.  The one I was fighting had created new user accounts and changed the ownership of all personal files to protect itself.  Talk about wanting to get my hands on someone.

i will check that. i have found a few of my defaults changed, as well as my start menu has been changed.  right now i am running a minimum until i compare the programs to a list i found online.

yup, that did it.  that nasty had ridirected me to a proxy server.

thanks.  

as far as the discover charges,  they said not to pay for anything that we didn't buy, and they were taking care of the rest.  (although they have called me twice to sell me their identity protection plan...hmmm....)

[TechMan]

geronimotwo,
Try http://www.malwarebytes.org/mbam-download.php (free for personal use.)  Install in safe mode and update the database and then run a full scan in safe mode.
-Andy

[never_retreat]

Hijack this is a handy free program also.
http://download.cnet.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html?tag=mncol

[RocketMan]

Ditto on the MalwareBytes and Hijack This.  You can reset or delete a lot of the redirects with Hijack This.  It also allows you to delete unwanted startup objects and browser helper objects.

[lee n. field]

malwarebytes
hijack this

Now what's fun is when you've got a nasty that actively blocks this stuff.

Hint: right click the task bar.  If "task manager" is greyed out in the pop up menu, you're in for a hard, hard time cleaning that one up.  Better off wiping.

[Battle Monkey of Zardoz]

Best option, nuke it from orbit.  DBAN, boot and nuke.  Then re install.  I had to do that last month.  Picked up a nasty that spybot search and destroy would see and fix, but upon reboot it would re manifest itself.  It was in my registry in at least 8 places that I could find.  Back up what data you can, and wipe then re install.  Trust me, it is a pain in the ass, but it will be faster.

[TechMan]

Now what's fun is when you've got a nasty that actively blocks this stuff.

Hint: right click the task bar.  If "task manager" is greyed out in the pop up menu, you're in for a hard, hard time cleaning that one up.  Better off wiping.

lee n. field,
I have run into that before, but there is a way around that too.  I use process explorer http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
It is task manager on steroids and the $&#*heads that program the malware don't usually block it.
-Andy

[RocketMan]

Now what's fun is when you've got a nasty that actively blocks this stuff.

Vee haf vays off making chew co-operate.  It can be beaten without nuking, but it does take some effort.

[MechAg94]

I recently discovered the most effective Virus/Spyware blocker ever.  Trend Microsystems!

I have had trouble getting IE or Firefox to connect to any site at all and none of my other programs will update.  I got on the phone with my brother and he got me to ping yahoo.com and such to confirm I did have communications.  After seeing Trend try to block a scan by Spybot, I closed it out and suddenly realized my browsers worked again.  Trend was blocking everything.  I don't know whether to be ticked off or satisfied that it did its job very very well.  :)

I have uninstalled it already.  I need to pick up something else soon.

[geronimotwo]

thanks for the suggestions,  still trying to get all the bugs out.  wondering if any other info may have been taken.   last year i did my taxes online with taxact, and am concerned about all that info being abused.

[lee n. field]

I use process explorer

The ones I've seen block process explorer as well.  Process Explorer can be real handy on the lesser ones.  Note the location of the executable, then "kill process tree".

You have to judge the value of your time here.  At this point it's usually better (IMHO) to cut your losses and set up the system from scratch and restore from backup.  No backup??  Well...

[geronimotwo]

The ones I've seen block process explorer as well.  Process Explorer can be real handy on the lesser ones.  Note the location of the executable, then "kill process tree".

You have to judge the value of your time here.  At this point it's usually better (IMHO) to cut your losses and set up the system from scratch and restore from backup.  No backup??  Well...

the only backup is on my partitioned c drive.   funny how i had just made the decision to purchase a "my passport" backup drive, after reading one of the katrina blogs.  two weeks too late it seems.

[MechAg94]

One suggestion I used last year.  I had something on my home computer that was blocking everything including all scanners I could find.  I ended up pulling out the hard drive, getting a USB to SATA converter and used my laptop from work with Norton to scan the hard drive.  Norton cleaned out a handful of things.  After that, I reinstalled the hard drive, updated everything, and was able to clean out a couple of other things. 

If you have the option of another computer, that worked for me once.

[geronimotwo]

just wanted to mention that when i received this malware, i was running avg 8.5 with resident shield active, plus daily scans and updates.  i have since switched.

[RocketMan]

I don't know of any anti-virus program that can stop a rogue from installing itself if you click anywhere on the rogue's pop-up window.  Clicking anywhere on a rogue's pop-up, even on the "No" button or on the red [X] in the upper right corner, just gives the rogue access to your system.  The first thing most rogues do after that is disable any security software you have installed.
You have to stop the rogue's process either via Task Manager, or by just pulling the plug on the computer.
There may be a pop-up blocker out there that can stop rogue pop-ups from appearing on your system in the first place, but I have not found one as yet.  I must admit that I have not looked all that hard for one, either.

Be aware, too, that you can encounter rogues most anywhere.  The last one that tried to nail me came from an infected news story page on the Fox News website.  Only that page attempted to infect my system.  I accessed it a few times to confirm the infection.  The others I read that day were clean.

[tyme]

DBAN, boot and nuke.

Um, not really.  DBAN is for securely erasing sensitive information.  A simple quick format and reinstall is enough to get rid of malware, unless it's extremely advanced (hiding in bios) in which case you could replace the disk and that still wouldn't help.

Malware might remain on the disk, but if it's not in a file, or attached to a file, somewhere in the new filesystem, there's no way for it to become active.  Barring a filesystem bug and some ridiculously improbable (bad) luck, on-disk malware will not survive a simple (quick) filesystem reformat and MBR overwrite.

[Thor]

There are some viruses that hide in the mbr. a format doesn't always clear them. I've run into a couple of them in the past ( 98SE days) I had to do a wipe of the disk (debug) with some command line stuff and a boot disk. I have run into a few that I had to format and reinstall the OS to get rid of. That always sucks.

[RocketMan]

There are some viruses that hide in the mbr. a format doesn't always clear them.

You can often use the recovery console to do a fixmbr.  That wipes the original mbr and installs a new one.