Just removed some nasty malware....

Discussion in 'Software' started by dlb, Jun 18, 2009.

  1. dlb

    dlb MajorGeek

    I have a PC which is now clean, but I thought it might be fun and interesting to share info about this infection.... it had hijacked IE and made it appear that the PC was not going online by showing its own "Page cannot be displayed" screen along with a "Diagnose Problems" button (which I never clicked on, DUH!). But in the address bar was this web site:
    http <colon slash slash> click <dot> w3i <dot> com
    followed by a slash and a bunch of numbers and letters. I didn't want to type out the exact site; it would have displayed as a link and someone might have clicked on it. This particular nastiness also had disabled SUPERantispyware, MBAM, AVG, and others. Renaming the setup files (which can help in a case like this) did nothing 'cuz the malware had also listed program files from these (and other) malware cleaners. I attached two screenshots below: one is of Windows Explorer with the main 3 files highlighted, and the other is a shot from regedit, and it shows the reg key and the disallowed list. I booted to a PE CD and manually located and deleted the three files, then searched the registry and deleted the key shown in the 2nd screenshot below. I restarted, XP loaded to the desktop and I'm now able to run scans without any problems. Anyway- I just thought it was interesting, and if this all helps somebody, that's a plus!!

    :-D

    [dlb]

    (maybe I should post a link to this in the malware forum?)
     

  2. dlb

    dlb MajorGeek

    The Super Antispyware scan just finished and found only one trace item left in the C:\RECYCLER folder. It was identified as a rootkit:
     
  3. plodr

    plodr Major Geek Super Extraordinaire

    Found a digg blurb on it
    http://digg.com/security/How_to_Get_Rid_Of_MSIVX_Rootkit
    I never heard of it.
    Any idea how the PC got infected because it appears the person was running security programs?

    Or did I jump to a conclusion and the person was not running security and this rootkit installs to be sure no security program is able to run?
     
  4. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

  5. dlb

    dlb MajorGeek

    Actually they had Norton Internet Security installed, but I think they only had the trial, had never paid for it. It was popping up "Activate now; your subscription has expired" messages. The 'disallowed' list from the registry is designed to stop the most popular freeware (it has entries for ComboFix, MBAM, HijackThis, AVG, Super Antispyware, and others). Now that the PC is clean, I installed the free AntiVir, and told them to buy the full MBAM. I also recommended a firewall, either Online Armor, DSA, or Comodo, but since many newbs end up turning off their firewalls because they pop up 'all the time' during the first few days, I generally recommend 'em versus actually just installing 'em....

    Thanks for the links Dr.M. I hadn't heard of "rootrepeal" until now, but I definitely will "add it to my arsenal". ;)

    [dlb]
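The "disallowed list" dlb describes, as an added example that is not from this thread: a PowerShell audit of the Explorer DisallowRun policy, which I assume is the registry key in dlb's regedit screenshot (the thread does not name it); the watch list of cleaner executable names is constructed from the tools the thread says were blocked.

```powershell
# Added example (not from the thread): list what the Explorer DisallowRun policy
# blocks and flag entries that match known malware cleaners. Assumption: the
# "disallowed list" key in dlb's screenshot is this policy. Run elevated.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

# Constructed watch list of cleaners named in the thread (lower-case exe names).
$securityTools = @('mbam.exe', 'combofix.exe', 'hijackthis.exe', 'superantispyware.exe')

function Get-DisallowRunEntries {
    param([string]$BasePath)
    # The policy stores one string value per blocked binary under a DisallowRun subkey.
    $listPath = Join-Path $BasePath 'DisallowRun'
    if (-not (Test-Path $listPath)) { return @() }
    $key = Get-Item $listPath
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Hive   = $BasePath
            Index  = $name
            Binary = [string]$key.GetValue($name)
        }
    }
}

foreach ($path in $policyPaths) {
    # DisallowRun=1 on the parent key switches the list on.
    $enabled = (Get-ItemProperty -Path $path -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    if ($enabled -eq 1) { Write-Warning "DisallowRun policy is ENABLED under $path" }

    foreach ($e in (Get-DisallowRunEntries -BasePath $path)) {
        $flag = if ($securityTools -contains $e.Binary.ToLower()) { '<- security tool blocked' } else { '' }
        '{0,-6} {1,-28} {2}' -f $e.Index, $e.Binary, $flag
    }
}
```

On a clean machine the script prints nothing and raises no warning; a populated list naming cleaners is the symptom dlb saw, and the cleanup he did by hand in regedit corresponds to deleting the DisallowRun subkey and clearing the DisallowRun value.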
     
