Virus / Malware problem

jbrown414jbrown414 Member Posts: 230
When I do a google search for antivirus or spyware sites and I click on the link for the site through google, they ask for a login. I've run the following programs to clean my system but I don't think everything has been cleared.

Avast
Adaware
Superantispyware
Windows Defender

It seems like it is preventing me from accessing site to get rid of what is infecting my system. Any suggestions?
«1

Comments

  • skrpuneskrpune Member Posts: 1,409
    I don't have any experience with that particular problem, but I stand by my favorite anti-malware program: SpyBot Search & Destroy. Download & install & restart in Safe Mode & do a scan/clean then. Even if you just use the existing tools you have, you'll get a much better result if you're in safe mode - more crap will get cleaned out.
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • dynamikdynamik Banned Posts: 12,312 ■■■■■■■■■□
  • msteinhilbermsteinhilber Member Posts: 1,480 ■■■■■■■■□□
    Just my opinion here, but I never trust a compromised system be it mine or a client if I'm doing a side job. I'm sure there are people who swear they can completely eradicate a machine, but I always prefer the route of a backup, format and reinstall.
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    Maybe some entries are added to the hosts file to block access to these sites, check it out.
  • Daniel333Daniel333 Member Posts: 2,077 ■■■■■■□□□□
    Once a machine has been compromised you can't trust it again. It could have some random firewall or process out there that can make your life hell down the road. Reimage your machine.

    BUT, if you are really willing to risk it here is the best way to handle it, and even this missed stuff or could cripple your system. First backup, disabled system restore and even take an image of your PC if you can (Vista has this built in!)

    1) Pull hard drive and scan from a machine via a USB-to-SATA adaptor, I recommend the following
    --- Webroot SpySweeper w/Antivirus
    --- PCTools Spyware Doctor
    --- McAfee
    --- Panda Anti Malware

    2) Reboot the machine, install and update the scanners you just ran and maybe a few more. You should also place the program Hijackthis on your machine at this time. Reboot into safe mode with command prompt and then run them again. This is needed because the reg needs to be checked.
    --- A few of the adove again
    --- Ad-aware
    --- Spybot
    --- Malwarebytes
    --- Avast

    3) Use hijackthis to ensure the hosts file and startup items are clean.
    4) Reboot into regular mode, and reset IE settings to default and check trusted sites list.
    5) Uninstall all the apps you installed
    6) Reboot
    7) Run PCTools RegMechanic, backup, scan and compact your reg. Uninstall

    You should be as Malware free as you can get. For native protection (if you bother) I recommend SpySweeper with Antivirus. They make a solid product and it's tied into Sophos so you are kinda getting two scanners in one.
    -Daniel
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    Agreed 100% with msteinhilber and Daniel. You can never trust an infected machine.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • HeroPsychoHeroPsycho Inactive Imported Users Posts: 1,940
    Just my opinion here, but I never trust a compromised system be it mine or a client if I'm doing a side job. I'm sure there are people who swear they can completely eradicate a machine, but I always prefer the route of a backup, format and reinstall.

    Agreed, although I also fdisk as well. Never know if some nasties are in the boot sector.
    Good luck to all!
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    HeroPsycho wrote: »
    Agreed, although I also fdisk as well.

    What is fdisk?
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • msteinhilbermsteinhilber Member Posts: 1,480 ■■■■■■■■□□
    royal wrote: »
    Agreed 100% with msteinhilber and Daniel. You can never trust an infected machine.

    Another thing I forgot to include in my post, I have a co-worker who handles most of the spyware/virus infections in our shop. My rule is never bother to salvage a machine, he on the other hand will generally try to clean the machine. I am always completely finished with a backup and reload when I help out if they get behind well before his first round of scan's with his suite of programs he uses is completed. And in the end, he still typically ends up wiping the machine out and reloading. It's a shame our shop doesn't have a policy in place to prevent wasted time on such issues and just mandate a reload by default.
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    royal wrote: »
    What is fdisk?

    You are kidding, Right?
  • royalroyal Member Posts: 3,352 ■■■■□□□□□□
    wd40 wrote: »
    You are kidding, Right?

    You haven't been here long enough. Any obsolete tool I always say, "What is <insert obsolete technology/tool>?"
    “For success, attitude is equally as important as ability.” - Harry F. Banks
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    royal wrote: »
    You haven't been here long enough. Any obsolete tool I always say, "What is <insert obsolete technology/tool>?"

    I see :)

    Who's Royal icon_wink.gif
    Are there any simple and fast alternatives to fdisk?, I am thinking about wiping my system because of a recent incident, fdisk takes less than 5 minutes to wipe the boot sector.

    The problem is I do not have a Floppy drive.
  • jbrown414jbrown414 Member Posts: 230
    I'm not looking forward to re imaging this thing. If it's what I have to do then I have no choice.
  • blargoeblargoe Member Posts: 4,174 ■■■■■■■■■□
    wd40 wrote:

    Who's Royal icon_wink.gif
    Royal is obsolete? I guess that explains things.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
  • SieSie Member Posts: 1,195
    Just wanted to add here just incase:

    If your getting a pop up or the like stating you have a virus and to download XYZ application to remove it just dont do it.

    Obviously use the other tools that have been mentioned here but if thats what your experiencing dont follow any links of the sort and download what they recommend.

    Possibly not what you are seeing but I just wanted to make sure you were aware!

    I also agree with others here, nuke it and start again. If you use it for Banking etc do you really want to take the chance?
    Foolproof systems don't take into account the ingenuity of fools
  • KaminskyKaminsky Member Posts: 1,235
    Always good to look in your registry and get very familier with what is normally supposed to live in the following sections.

    HKEY_LOCAL_MACHINE/SOFTWARE/Microsift/Windows/CurrentVersion/[Run & RunOnce]

    HKEY_CURRENT_USER/SOFTWARE/Microsift/Windows/CurrentVersion/[Run & RunOnce]

    Don't just rip stuff out of here. You can seriously mess up your system by deleting the wrong thing. However, if you research and investigate you can get to know what should be in here and what is bogus. If you are 100% confident a key is bogus, delete the whole key.

    This little trick has helped me out many times especially with annoying software updates that just sit there chewing up ram 99% of the time.

    In my experience, there is no one magic piece of anti malware software. They all address different things and a good wash with several trusted ones is usually the best approach. Those mentioned above are known good ones. Search&Destroy, HijackThis, etc. But, be very wary. Some anti malware will get rid of a competitors malware and fill your machine with their own.


    The very best advice, not helpful for you right now I know, is to just be careful what sites you go to each and every time you are browsing. Always open any google link in a seperate window (not tab) so that if it is bogus you can simply shut down anything that might be trying to do.


    Fdisk is a little extreme especially when users want their files back although I did recomend fdisk as an excellent defrag utility for a particularly rude and annoying user once.
    Kam.
  • elaverick1981elaverick1981 Member Posts: 161
    If you're being randomly re-directed to websites then it's most likely you have spurious entries in your HOSTS file. Have a look in %SystemRoot%\system32\drivers\etc\ and delete everything except for the localhost entry.
  • vColevCole Member Posts: 1,573 ■■■■■■■□□□
    Malware Bytes ftw
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    blargoe wrote: »
    Royal is obsolete? I guess that explains things.

    Oops!

    I was trying to say that he is an old and respectful user "Old as old user and not an old man icon_lol.gif"
  • KGhaleonKGhaleon Member Posts: 1,346 ■■■■□□□□□□
    royal wrote: »
    You haven't been here long enough. Any obsolete tool I always say, "What is <insert obsolete technology/tool>?"

    Have to agree. When do you use fdisk these days, unless you're using some win 98? :D
    Present goals: MCAS, MCSA, 70-680
  • jbrown414jbrown414 Member Posts: 230
    The thing that annoys me most is that I didn't cause this. My brother and his Kids (both under 10) were staying with me for the holidays. There's no telling what they did to this thing.
  • networker050184networker050184 Mod Posts: 11,962 Mod
    jbrown414 wrote: »
    The thing that annoys me most is that I didn't cause this. My brother and his Kids (both under 10) were staying with me for the holidays. There's no telling what they did to this thing.


    And my wife wonders why I won't let anyone on my computer...
    An expert is a man who has made all the mistakes which can be made.
  • skrpuneskrpune Member Posts: 1,409
    jbrown414 wrote: »
    The thing that annoys me most is that I didn't cause this. My brother and his Kids (both under 10) were staying with me for the holidays. There's no telling what they did to this thing.
    Ugh. They probably did some unsafe surfing and downloads/installs. If you are brave enough to let someone else onto your computer again in the future, you might want to set up another (very limited) user profile for them.

    My sister in law had to set up a separate computer for her husband...she is in the IT biz & works from home and she got tired of her hubby downloading p*rn & lord knows what else and continuously infecting her computer, and thereby affecting her livelihood, so she set up a second computer juuuust for him to mess up! icon_lol.gif
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • JDMurrayJDMurray Admin Posts: 13,089 Admin
    skrpune wrote: »
    so she set up a second computer juuuust for him to mess up! icon_lol.gif
    If that second computer is only running VMWare, then he can restore the entire system from a snapshot each time it gets infected. Also, not running as Administrator, using an anti-spyware HOSTS file, and not allowing scripts to execute in the Web browser does go a long way to keeping a system clean.
  • skrpuneskrpune Member Posts: 1,409
    JDMurray wrote: »
    If that second computer is only running VMWare, then he can restore the entire system from a snapshot each time it gets infected.
    Very good tip, but in this particular case, not sure she wants to *encourage* the online behaviors that result in infections... icon_lol.gif
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • JDMurrayJDMurray Admin Posts: 13,089 Admin
    skrpune wrote: »
    Very good tip, but in this particular case, not sure she wants to *encourage* the online behaviors that result in infections... icon_lol.gif
    Ah, but she got him a second machine because she realizes that she can't control what he does. If she subscribed to one of those CyberSitter/NetNanny services he'd just start doing his p0rn surfing away from home--and that definitely not a thing to encourage.
  • skrpuneskrpune Member Posts: 1,409
    JDMurray wrote: »
    Ah, but she got him a second machine because she realizes that she can't control what he does. If she subscribed to one of those CyberSitter/NetNanny services he'd just start doing his p0rn surfing away from home--and that definitely not a thing to encourage.
    Touche...very good point
    Currently Studying For: Nothing (cert-wise, anyway)
    Next Up: Security+, 291?

    Enrolled in Masters program: CS 2011 expected completion
  • livenliven Member Posts: 918
    jbrown414 wrote: »
    When I do a google search for antivirus or spyware sites and I click on the link for the site through google, they ask for a login. I've run the following programs to clean my system but I don't think everything has been cleared.

    Avast
    Adaware
    Superantispyware
    Windows Defender

    It seems like it is preventing me from accessing site to get rid of what is infecting my system. Any suggestions?


    sounds like you got a virus that I got this morning....


    check for this file:

    wdmuad.sys

    in


    C:\WINDOWS\system32

    it shouldn't be there.


    None of the major antivirus tools detect or remove it currently.
    encrypt the encryption, never mind my brain hurts.
  • JDMurrayJDMurray Admin Posts: 13,089 Admin
    liven wrote: »
    sounds like you got a virus that I got this morning....
    How did you become infected with this virus?
  • livenliven Member Posts: 918
    I don't know.

    The posts I have read about this particular bugger state that it is spread through chat room forums (java script) or through the PDF exploit...

    I am not a big fan of PDF's and I avoid them as much as possible, that and I have not opened any recently so I don't think that is the cause.


    However I do participate in many forums for countless different topics, so I am thinking that is most likely how it spread to me.


    The only things that I noticed is that my computer had rebooted this morning to apply microsoft patches. However I do not remember downloading and telling my machine it was ok to apply them. So that was odd, and then some how the yahoo tool bar was installed.


    Bottom line the machine is borked, and will be reloaded soon. And no script will be running on for sure
    encrypt the encryption, never mind my brain hurts.
Sign In or Register to comment.