Killing Hazard virus won't go away


8 replies to this topic

#1 hanzobyte


Posted 30 September 2010 - 12:25 PM

Hi! I have been infected with the infamous "Killing Hazard" rogue anti-virus. When I browse the web, sometimes I get redirected to a website that shows a fake Windows Explorer screen and a popup that says: "Warning! On your computer detected the malicious code. Should immediately make sure that your system is safe! Killing Hazard ® for Microsoft Windows XP immediately started to work" or something like that. Usually if you click on the popup the site will try to make you download a file (but fortunately Chrome will prevent that). The bad thing about this is that the virus apparently spread all over my computer network, infecting my girlfriend's computer, and even my other computer (which runs only Ubuntu!). So there are viruses capable of infecting Linux after all!
I don't know where I caught that one. I don't visit porn or crack sites, and I don't use cracked software, and in fact I never had a virus on my computer... but whatever...

What I tried to do until now:
I scanned the computer with Avira antivirus (no results).
I deleted useless files with ATF-Cleaner.
Following some guides I found here, I rebooted in safe mode, ran Rkill, and did a thorough scan with SuperAntiSpyware and Malwarebytes (the free versions).
I was not able to update Malwarebytes, no matter what I tried... SuperAntiSpyware did find some viruses, I told it to delete them, but the problem remained...
Probably I did something wrong in how I did all of this. I have some computer skills but I'm not a professional, and since I never really had a problem with these kinds of things, I clearly lack experience...
Any help is appreciated, really... since I don't know what else I could do...
Thanks

Edit: oh, I forgot: I'm running Win7 x64, my girlfriend is running XP, and the other computer, as I mentioned before, runs Ubuntu 10.04.

Edited by hanzobyte, 30 September 2010 - 12:26 PM.




#2 boopme


Posted 30 September 2010 - 04:06 PM

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 rvan1


Posted 01 October 2010 - 03:38 PM

I and others are getting this due to not changing the default password on their router, so some process logs in and changes the DNS to route through this server out in Russia (213.109.69.44).

#4 boopme


Posted 01 October 2010 - 03:45 PM

The problem is actually based in your router and that in turn is infecting all the other computers on your network.
Here is the entire fix (from the beginning) that you will need to run on each PC.

Please download Malwarebytes' Anti-Malware from Here or Here

Next disconnect your system from the internet, and your router, then…

Double-click mbam-setup.exe to install the application.
  • Launch Malwarebytes' Anti-Malware, then click Finish.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

Once you have run Malwarebytes' Anti-Malware on the infected system, and reset the router to its default configuration, you can reconnect to the internet and router. Then return to this site to post your logs.
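Added example (not part of the original thread): a Python check for the DNS change described in posts #3 and #4. It parses English-language `ipconfig /all` output (Windows) or `/etc/resolv.conf` (Ubuntu) and flags resolvers that are neither on the local network nor in an allowlist; the sample inputs are constructed, using the address quoted in post #3, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample inputs; 213.109.69.44 is the address quoted in post #3.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 213.109.69.44
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.168.1.1\n"


def resolvers_from_ipconfig(text):
    """DNS servers from `ipconfig /all`, including continuation lines."""
    found, in_dns = [], False
    for line in text.splitlines():
        first = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if first:
            found.append(first.group(1))
            in_dns = True
        elif in_dns and re.fullmatch(r"\s+[0-9A-Fa-f:.%]+", line):
            found.append(line.strip())  # extra server on its own indented line
        else:
            in_dns = False
    return found


def resolvers_from_resolv_conf(text):
    """Addresses on `nameserver` lines of /etc/resolv.conf."""
    return [p[1] for p in (l.split() for l in text.splitlines())
            if len(p) > 1 and p[0] == "nameserver"]


def unexpected_resolvers(resolvers, allowed=()):
    """Resolvers that are neither local (router/LAN) nor in `allowed`."""
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    flagged = []
    for r in resolvers:
        ip = ipaddress.ip_address(r.split("%")[0])  # drop IPv6 zone id
        if not (ip.is_private or ip.is_link_local or ip in allowed_ips):
            flagged.append(str(ip))
    return flagged


if __name__ == "__main__":
    print(unexpected_resolvers(resolvers_from_ipconfig(SAMPLE_IPCONFIG)))
    print(unexpected_resolvers(resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)))
```

A host that lists only the router's address passes this check even when the router's own upstream DNS setting has been changed, so the router's configuration page still has to be inspected separately.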

#5 hanzobyte


Posted 01 October 2010 - 03:54 PM

thanks a lot for the quick reply!

in the meantime I had opened a thread with the requested logs from the preparation guide here:
http://www.bleepingcomputer.com/forums/topic350960.html

I will follow the next steps and report back.
Shall I reply here or on the other topic?

#6 boopme


Posted 01 October 2010 - 04:02 PM

OK. I wanted to post the proper method for resetting the router. I will wait for the results as this is a new malware.

rvan1, I wasn't running you off, just wanted the full instruction here as ... we do not know if the original poster knows how to do that so we want to be sure they have all the instruction.

#7 hanzobyte


Posted 01 October 2010 - 04:42 PM

Hi!
Here I am again. I did all the steps, and in fact the router did have a different DNS address set... originally it was on "automatic".
Malwarebytes didn't find anything, either on my computer or on my laptop (see log below).
On my girlfriend's computer it's a different pair of shoes: Malwarebytes won't even run! And I can't access most of the security-related websites (like this one). Might have to do with it running XP. Anyway, she wanted to do the upgrade to 7 anyway, so I guess this is a good time to. Format C: and start from scratch!
I didn't run Malwarebytes on the Ubuntu computer. There's no Malwarebytes on Ubuntu.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

01/10/2010 23:08:57
mbam-log-2010-10-01 (23-08-57).txt

Scan type: Quick scan
Objects scanned: 114757
Time elapsed: 3 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by hanzobyte, 01 October 2010 - 04:43 PM.


#8 hanzobyte


Posted 03 October 2010 - 03:12 PM

So far the virus seems to be removed from all the computers here! I haven't had an issue for days. Thanks a lot again for the help, and sorry if I made a bit of a mess with the threads...

Edited by hanzobyte, 03 October 2010 - 03:14 PM.


#9 boopme


Posted 03 October 2010 - 03:26 PM

OK, that is good, thanks for the update.