BleepingComputer.com: Windows 7/XP/Vista Antivirus 2012 outbreak


#31 Required Field

  • Member
  • Group: Members
  • Posts: 124
  • Joined: 12-November 10
  • Gender:Male

Posted 25 January 2012 - 09:20 AM

Scottyscott, I'm curious to know what browser you were using, too...but probably for different reasons. I see a lot of people who were infected, and they say, "...but I was using Firefox/Safari/Chrome! Isn't that better/safer?" This is the same as the misconception that just having Norton/McAfee/Kaspersky will keep them from getting spyware and rogue applications. Usually, it's because a friend or relative told them IE is lousy and they should use something else, but I haven't personally seen the evidence that one is safer than another.
"Most quotes attributed to famous people on the internet are fake." -Abraham Lincoln

#32 Fremont PC

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 19-April 09

Posted 25 January 2012 - 10:51 AM

On restart with the network disconnected, it might be a VERY good time to clear the Flash and Java caches and Temp files too, perhaps using CCleaner followed up with TFC by OldTimer.

Unfortunately, this isn't going to happen with most users.

Does anybody know of an app that will prevent renaming of files within certain folders (Flash, Java caches)? Is there any reason these apps would need to copy from cache folders to another point in the system?

Regards -

FPC

#33 Fremont PC

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 19-April 09

Posted 25 January 2012 - 10:55 AM

Required Field -

Google:

Ciampa Chrome IE

and read his article on Cengage (Chrome #2 and #1 ....)

Regards -

FPC

#34 ScottyScott

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 24-January 12
  • Gender:Male

Posted 25 January 2012 - 02:44 PM

I was actually using Internet Explorer.
I'm not too big a fan of Firefox or Chrome, so I stay old school.

About the .js files, that is definitely most likely the cause. From what I read, the virus could be using outdated Java versions to create the tunnel.

The system I was on was also running Symantec Endpoint.

I am currently undergoing a test stage:
DG41RQ MOBO
Intel Core 2 Duo (thought it was an i3 >.< WISH it was an i3 ==> would prefer a nice i7 tho ;D )
2.5GB
Windows 7 Pro 64-bit, and 32-bit after the 64-bit run (supposedly the virus cannot infect 64-bit)
and my infection hard drive :D

MY GOAL => to get this specific drive infected, then to figure out the ultimate removal procedure, hopefully capable of removing ZeroAccess.

This post has been edited by ScottyScott: 25 January 2012 - 04:02 PM


#35 Fremont PC

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 19-April 09

Posted 25 January 2012 - 05:55 PM

ScottyScott, on 25 January 2012 - 02:44 PM, said:

MY GOAL => to get this specific drive infected, then to figure out the ultimate removal procedure, hopefully capable of removing ZeroAccess.


Uninstall app that watches for new files and registry entries? Probably wouldn't catch the new partition...

#36 ScottyScott

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 24-January 12
  • Gender:Male

Posted 25 January 2012 - 10:01 PM

I'm not putting any antivirus on this system. I'm basically going to act like an 'End-User.' You know? "Oh well, I didn't know my Norton was expired! I thought it was still scanning my system." (A comment I've heard before at my shop.)

My system will be up-to-date. However, I will not have old versions of Java, which I may need to try and find. I will have a 'safe-zone' which I created with Acronis. In there will be my backup image of my system; if worse comes to worst then I just reinstall everything... that's what this system is intended for.

I will be going out, getting the system infected, then attempting multiple different procedures in an attempt to cure the infection properly.

What I hope to come from this is the knowledge of how to remove this infection properly. But on top of that, to understand more in depth how this virus works, or rootkits in general.

#37 Fremont PC

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 19-April 09

Posted 25 January 2012 - 11:50 PM

You may want to put your Acronis Secure Zone on a different physical drive, just in case the malware tries to add a partition, etc.

Might want to look in to an uninstall app that would record the changes to your system (the best it could).

Maybe contact MBAM and see if they've used a Judas Goat similar to your design?

If not and you get a payload, PM me with the url and I may try it myself...


Thanks -

FPC
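The "record the changes to your system" idea from the two posts above can be done with built-in cmdlets instead of an uninstall monitor. The script below is an added example, not code from either poster: it snapshots the usual autostart locations and a few file roots before the lab box is exposed, takes a second snapshot afterwards, and diffs the two. It targets PowerShell 2.0 so it runs on a Windows 7/XP lab machine; the output folder, the list of registry keys and the file roots are assumptions you should adjust.

```powershell
# Added example (not from the thread): snapshot persistence points before and after
# infecting the lab box, then diff them. Output folder and the watched locations
# are assumptions; point $OutDir at a drive that is NOT the infected system disk.
param(
    [Parameter(Mandatory=$true)][ValidateSet('snapshot','compare')] $Mode,
    [string] $OutDir = 'D:\lab-snapshots'
)

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # Shell / Userinit
    'HKLM:\SYSTEM\CurrentControlSet\Services'                        # services and drivers
)
$fileRoots = @("$env:SystemRoot\System32\drivers", $env:ProgramData, $env:APPDATA, $env:TEMP)

function Get-Snapshot {
    $lines = @()
    foreach ($key in $autostartKeys) {
        if ($key -like '*\Services') {
            # Services is a tree: one line per service with its ImagePath.
            Get-ChildItem $key -ErrorAction SilentlyContinue | ForEach-Object {
                $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
                $lines += "REG`t$($_.PSChildName)`t$img"
            }
        } else {
            # Flat keys: one line per value (skip the PS* metadata Get-ItemProperty adds).
            $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
            if ($props) {
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' } |
                    ForEach-Object { $lines += "REG`t$key\$($_.Name)`t$($_.Value)" }
            }
        }
    }
    foreach ($root in $fileRoots) {
        if (-not $root -or -not (Test-Path $root)) { continue }   # e.g. no ProgramData on XP
        Get-ChildItem $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $lines += "FILE`t$($_.FullName)`t$($_.Length)`t$($_.LastWriteTimeUtc.ToString('o'))" }
    }
    $lines
}

if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

if ($Mode -eq 'snapshot') {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Get-Snapshot | Sort-Object | Set-Content "$OutDir\snap-$stamp.txt"
    "wrote $OutDir\snap-$stamp.txt"
} else {
    # Diff the two newest snapshots: '=>' lines appeared after infection, '<=' lines vanished.
    $files = @(Get-ChildItem "$OutDir\snap-*.txt" | Sort-Object Name | Select-Object -Last 2)
    if ($files.Count -lt 2) { throw "need two snapshots in $OutDir" }
    Compare-Object (Get-Content $files[0].FullName) (Get-Content $files[1].FullName) |
        Sort-Object SideIndicator |
        ForEach-Object { "$($_.SideIndicator) $($_.InputObject)" }
}
```

Run it once with `-Mode snapshot` before browsing to the payload and once after, then `-Mode compare`. The caveat a rootkit like the one discussed in this thread imposes: anything it hides from the live OS (its own files, partition or services) will not show up in a diff taken from inside the infected Windows, so the post-infection snapshot is more trustworthy when the disk is mounted from a clean boot environment.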

#38 ScottyScott

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 24-January 12
  • Gender:Male

Posted 26 January 2012 - 10:26 AM

Fremont PC, on 25 January 2012 - 11:50 PM, said:

You may want to put your Acronis Secure Zone on a different physical drive, just in case the malware tries to add a partition, etc.

Might want to look in to an uninstall app that would record the changes to your system (the best it could).

Maybe contact MBAM and see if they've used a Judas Goat similar to your design?

If not and you get a payload, PM me with the url and I may try it myself...


Thanks -

FPC


Sounds good. The secure zone doesn't really seem all that beneficial because of how the virus acts... just an easy load point, and I figured I'd give it a whirl.
I'm going to start a thread to keep track of everything I'm doing, and am looking for input from others as well.

#39 Mittersill

  • New Member
  • Group: Members
  • Posts: 3
  • Joined: 27-November 11

Posted 01 February 2012 - 11:04 AM

This Antispyware virus is rampant; I've been infected with it twice in January. Bleeping Computer's removal instructions do work for me. I was able to launch my browser eventually: just keep clicking and it did start despite Antispyware's best attempts to stop it. There is one improvement in procedure that will reduce your hassle. RKill only zaps the bastard out of RAM; the disk file is still on disk and will restart him on the next boot. RKill reports the file names of the stuff it zaps. You should immediately use Windows Explorer to delete the offending files, 'cause Malwarebytes doesn't always find them and delete them, in which case the virus comes back to life when you reboot.

This virus carves out a special 2 megabyte partition for itself on your C drive. Sometimes you can see and delete this partition with the Windows Disk Management program (Settings -> Control Panel -> Administrative Tools -> Computer Management -> Storage -> Disk Management). Sometimes the virus is able to turn your hard disks invisible in Disk Management, which is a clue that you are still infected.
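The partition check described in the post above can be scripted so it is repeatable across the machines you clean. The following is an added example, not the poster's procedure: it lists every partition Windows can see with its size and drive letter, flags small partitions that have no letter for manual review in Disk Management, and prints how many physical disks the OS admits to having. It uses WMI rather than the newer Storage cmdlets so it works on Windows 7/XP PowerShell 2.0. The 16 MB threshold is an assumption for triage, not a signature, and nothing here deletes anything.

```powershell
# Added example (not from the thread): enumerate partitions via WMI and flag small,
# unlettered ones for manual review. Threshold is an assumption; delete nothing here.
$threshold = 16MB

# Map each partition to its drive letter; partitions with no mapping have no letter.
$letterByPartition = @{}
foreach ($link in Get-WmiObject -Class Win32_LogicalDiskToPartition) {
    $partition = [wmi]$link.Antecedent   # Win32_DiskPartition reference
    $logical   = [wmi]$link.Dependent    # Win32_LogicalDisk reference
    $letterByPartition[$partition.DeviceID] = $logical.DeviceID
}

$report = Get-WmiObject -Class Win32_DiskPartition | Sort-Object DiskIndex, Index | ForEach-Object {
    $letter = $letterByPartition[$_.DeviceID]
    if (-not $letter) { $letter = '(none)' }
    $flag = ''
    if (($_.Size -lt $threshold) -and ($letter -eq '(none)')) { $flag = 'REVIEW: small and unlettered' }
    New-Object PSObject -Property @{
        Partition   = $_.DeviceID            # e.g. "Disk #0, Partition #1"
        SizeMB      = [math]::Round($_.Size / 1MB, 2)
        Type        = $_.Type
        Bootable    = $_.BootPartition
        DriveLetter = $letter
        Flag        = $flag
    }
}

$report | Format-Table Partition, SizeMB, Type, Bootable, DriveLetter, Flag -AutoSize

# Sanity check against what the hardware actually has: if a disk is missing here but the
# BIOS sees it, the OS view is being filtered and the box should be examined from clean media.
"Physical disks visible to Windows: " + @(Get-WmiObject -Class Win32_DiskDrive).Count
```

Note that a partition that legitimately has no letter (the Windows 7 "System Reserved" partition, an OEM recovery partition) will also be flagged; the flag only says "look at this in Disk Management", which is exactly the manual step the post describes. And as the post warns, when the hard disks have been made invisible, the WMI view is not trustworthy either: boot from clean media and inspect the disk from there.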

#40 AlexandraMW

  • Member
  • Group: Members
  • Posts: 50
  • Joined: 10-December 11

Posted 01 February 2012 - 01:54 PM

I have a question. A lot of you guys say that it seems that Java is what this virus seems to be using. Does that mean that if I have all add-ons disabled on Firefox (in safe mode) I'm safe(r)? I got three virus infections on my old laptop and now I am very paranoid with this one, scanning with MBAM at least once every other day, so anything that can keep me safer is good. :)

#41 ScottyScott

  • Member
  • Group: Members
  • Posts: 23
  • Joined: 24-January 12
  • Gender:Male

Posted 01 February 2012 - 06:24 PM

AlexandraMW, on 01 February 2012 - 01:54 PM, said:

I have a question. A lot of you guys say that it seems that Java is what this virus seems to be using. Does that mean that if I have all add-ons disabled on Firefox (in safe mode) I'm safe(r)? I got three virus infections on my old laptop and now I am very paranoid with this one, scanning with MBAM at least once every other day, so anything that can keep me safer is good. :)


You'll know if you're getting hit by it. Just use standard web browsing knowledge: know your sites before downloading. If something random is downloading, cancel it. If something is requesting to download, do not download it unless you requested the file from the website.

More knowledge is leading towards the infection coming in through Flash as well now.

I have access to a virus database where I downloaded ZeroAccess from, and am playing with ZeroAccess on a standalone system specifically set up to be infected for this purpose.

#42 Fremont PC

  • New Member
  • Group: Members
  • Posts: 8
  • Joined: 19-April 09

Posted 01 February 2012 - 06:48 PM

AlexandraMW, on 01 February 2012 - 01:54 PM, said:

I have a question. A lot of you guys say that it seems that Java is what this virus seems to be using. Does that mean that if I have all add-ons disabled on Firefox (in safe mode) I'm safe(r)? I got three virus infections on my old laptop and now I am very paranoid with this one, scanning with MBAM at least once every other day, so anything that can keep me safer is good. :)


I would add that it's best not to install Java if you don't have to; it's a popular attack vector for hackers. If you must use Java (for your bank, etc.), then install the necessary Java plugin for ONE browser, and don't use that browser for anything else. If your other browser(s) have a Java plugin, disable it.

Google Chrome has Flash built in to it and keeps it updated automatically. You can also add "Flash Control" to Chrome via the extensions gallery. Firefox has an extension called Flashblock available. I would also consider running Malwarebytes Pro (a one time fee of $25) to give you another layer of protection against malicious ads.

ScottyScott brings up a VERY good point about browsing habits, but some folks have reported getting infections from "safe" sites, like MSN, ESPN, etc. This is due to the Flash-based advertising they use and the ad networks that serve up those ads.

A good whole disk backup system may save you a lot of trouble if you ever get infected again. Paragon Backup is free for personal use and will make a disk image of your entire drive to an external drive. When you use a backup program, always set it to "validate" the backup. It's worth the extra time and you can set it to kick off when you go to bed.

#43 firstcompsvc

  • New Member
  • Group: Members
  • Posts: 11
  • Joined: 22-July 08

Posted 11 February 2012 - 08:10 PM

Always have at least 2 user accounts created, so that you can log into a not-so-badly-infected user to run a few tools to repair and remove the infections.
Do not run any cleanup or cookie/temp folder tools, as that is where all of your Start Menu and shortcuts are, in a folder named smtmp.
Hope it is ok to post the instructions from the location:
http://www.smartestcomputing.us.com/topic/46010-how-to-restore-start-menu-and-files-hiddendeleted-by-a-virus/
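Two things in the post above lend themselves to a script: getting the smtmp folder out of the way of temp cleaners before anything else runs, and clearing the Hidden/System attributes the rogue sets on the user's own folders so the files show up in Explorer again. The script below is an added example, not the poster's or the linked page's procedure. It copies %TEMP%\smtmp to a backup location and lists what is in it, then strips only the Hidden and System bits from items under the Desktop, Documents and Start Menu folders. It deliberately does not move anything out of smtmp, because which smtmp subfolder maps to which Start Menu location is not stated on this page; follow the linked instructions for that step. The backup path and the list of folders to unhide are assumptions.

```powershell
# Added example (not from the thread): preserve %TEMP%\smtmp before any temp cleaner
# runs, then clear Hidden/System attributes on the user's shortcut folders.
# The backup root and the folder list are assumptions; nothing is moved out of smtmp.
param([string] $BackupRoot = 'D:\smtmp-backup')

$smtmp = Join-Path $env:TEMP 'smtmp'
if (Test-Path $smtmp) {
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item $smtmp -Destination $dest -Recurse -Force
    "smtmp copied to $dest; subfolders found:"
    Get-ChildItem $smtmp -Force | ForEach-Object {
        "  " + $_.Name + "  (" + @(Get-ChildItem $_.FullName -Recurse -Force).Count + " items)"
    }
} else {
    "no smtmp folder under $env:TEMP (nothing to preserve, or a cleaner already removed it)"
}

# Folders the rogue hides. Only SpecialFolder names that exist on .NET 2.0/3.5 are used
# (PowerShell 2.0 on Windows 7/XP); the all-users Start Menu is located via ALLUSERSPROFILE.
$targets = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('StartMenu'),
    (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu'),   # Windows 7 layout
    (Join-Path $env:ALLUSERSPROFILE 'Start Menu')                      # Windows XP layout
)

$hiddenOrSystem = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

foreach ($root in $targets) {
    if (-not (Test-Path $root)) { continue }
    # desktop.ini is legitimately Hidden+System; leave it alone.
    $items = @(Get-ChildItem $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ([int]($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) -and ($_.Name -ne 'desktop.ini') })
    foreach ($item in $items) {
        # Strip only Hidden and System; keep ReadOnly, Archive and anything else as-is.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot [int]$hiddenOrSystem))
    }
    "$root : unhid $($items.Count) item(s)"
}
```

Run it from the less-infected second account the post recommends, and before RKill/Malwarebytes rather than after a cleaner: once TFC or CCleaner has emptied %TEMP%, the shortcuts in smtmp are gone and the only recovery is a backup image. The attribute reset is safe to re-run, and if a folder tree reports `unhid 0 item(s)` the rogue did not touch that location.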

#44 firstcompsvc

  • New Member
  • Group: Members
  • Posts: 11
  • Joined: 22-July 08

Posted 11 February 2012 - 08:14 PM


#45 firstcompsvc

  • New Member
  • Group: Members
  • Posts: 11
  • Joined: 22-July 08

Posted 11 February 2012 - 08:20 PM

Then run Malwarebytes Antimalware.

Follow the instructions on Bleeping Computer.

System Check and Internet Security 2012 and TDL4 (rootkit) are what I am trying to remove at the moment.

This post has been edited by firstcompsvc: 11 February 2012 - 08:23 PM

