Virus / Malware problem

jbrown414

When I do a google search for antivirus or spyware sites and I click on the link for the site through google, they ask for a login. I've run the following programs to clean my system but I don't think everything has been cleared.

Avast
Adaware
Superantispyware
Windows Defender

It seems like it is preventing me from accessing site to get rid of what is infecting my system. Any suggestions?

skrpune

I don't have any experience with that particular problem, but I stand by my favorite anti-malware program: SpyBot Search & Destroy. Download & install & restart in Safe Mode & do a scan/clean then. Even if you just use the existing tools you have, you'll get a much better result if you're in safe mode - more crap will get cleaned out.

dynamik

Try www.safer-networking.org

Edit: Good call skrpune

msteinhilber

Just my opinion here, but I never trust a compromised system be it mine or a client if I'm doing a side job. I'm sure there are people who swear they can completely eradicate a machine, but I always prefer the route of a backup, format and reinstall.

wd40

Maybe some entries are added to the hosts file to block access to these sites, check it out.

Daniel333

Once a machine has been compromised you can't trust it again. It could have some random firewall or process out there that can make your life hell down the road. Reimage your machine.

BUT, if you are really willing to risk it here is the best way to handle it, and even this missed stuff or could cripple your system. First backup, disabled system restore and even take an image of your PC if you can (Vista has this built in!)

1) Pull hard drive and scan from a machine via a USB-to-SATA adaptor, I recommend the following
--- Webroot SpySweeper w/Antivirus
--- PCTools Spyware Doctor
--- McAfee
--- Panda Anti Malware

2) Reboot the machine, install and update the scanners you just ran and maybe a few more. You should also place the program Hijackthis on your machine at this time. Reboot into safe mode with command prompt and then run them again. This is needed because the reg needs to be checked.
--- A few of the adove again
--- Ad-aware
--- Spybot
--- Malwarebytes
--- Avast

3) Use hijackthis to ensure the hosts file and startup items are clean.
4) Reboot into regular mode, and reset IE settings to default and check trusted sites list.
5) Uninstall all the apps you installed
6) Reboot
7) Run PCTools RegMechanic, backup, scan and compact your reg. Uninstall

You should be as Malware free as you can get. For native protection (if you bother) I recommend SpySweeper with Antivirus. They make a solid product and it's tied into Sophos so you are kinda getting two scanners in one.

royal

Agreed 100% with msteinhilber and Daniel. You can never trust an infected machine.

HeroPsycho

msteinhilber wrote: »

Just my opinion here, but I never trust a compromised system be it mine or a client if I'm doing a side job. I'm sure there are people who swear they can completely eradicate a machine, but I always prefer the route of a backup, format and reinstall.

Agreed, although I also fdisk as well. Never know if some nasties are in the boot sector.

royal

HeroPsycho wrote: »

Agreed, although I also fdisk as well.

What is fdisk?

msteinhilber

royal wrote: »

Agreed 100% with msteinhilber and Daniel. You can never trust an infected machine.

Another thing I forgot to include in my post, I have a co-worker who handles most of the spyware/virus infections in our shop. My rule is never bother to salvage a machine, he on the other hand will generally try to clean the machine. I am always completely finished with a backup and reload when I help out if they get behind well before his first round of scan's with his suite of programs he uses is completed. And in the end, he still typically ends up wiping the machine out and reloading. It's a shame our shop doesn't have a policy in place to prevent wasted time on such issues and just mandate a reload by default.

wd40

royal wrote: »

What is fdisk?

You are kidding, Right?

royal

wd40 wrote: »

You are kidding, Right?

You haven't been here long enough. Any obsolete tool I always say, "What is <insert obsolete technology/tool>?"

wd40

royal wrote: »

You haven't been here long enough. Any obsolete tool I always say, "What is <insert obsolete technology/tool>?"

I see

Who's Royal

---

Are there any simple and fast alternatives to fdisk?, I am thinking about wiping my system because of a recent incident, fdisk takes less than 5 minutes to wipe the boot sector.

The problem is I do not have a Floppy drive.

jbrown414

I'm not looking forward to re imaging this thing. If it's what I have to do then I have no choice.

blargoe

wd40 wrote:

Who's Royal

Royal is obsolete? I guess that explains things.

Sie

Just wanted to add here just incase:

If your getting a pop up or the like stating you have a virus and to download XYZ application to remove it just dont do it.

Obviously use the other tools that have been mentioned here but if thats what your experiencing dont follow any links of the sort and download what they recommend.

Possibly not what you are seeing but I just wanted to make sure you were aware!

I also agree with others here, nuke it and start again. If you use it for Banking etc do you really want to take the chance?

Kaminsky

Always good to look in your registry and get very familier with what is normally supposed to live in the following sections.

HKEY_LOCAL_MACHINE/SOFTWARE/Microsift/Windows/CurrentVersion/[Run & RunOnce]

HKEY_CURRENT_USER/SOFTWARE/Microsift/Windows/CurrentVersion/[Run & RunOnce]

Don't just rip stuff out of here. You can seriously mess up your system by deleting the wrong thing. However, if you research and investigate you can get to know what should be in here and what is bogus. If you are 100% confident a key is bogus, delete the whole key.

This little trick has helped me out many times especially with annoying software updates that just sit there chewing up ram 99% of the time.

In my experience, there is no one magic piece of anti malware software. They all address different things and a good wash with several trusted ones is usually the best approach. Those mentioned above are known good ones. Search&Destroy, HijackThis, etc. But, be very wary. Some anti malware will get rid of a competitors malware and fill your machine with their own.


The very best advice, not helpful for you right now I know, is to just be careful what sites you go to each and every time you are browsing. Always open any google link in a seperate window (not tab) so that if it is bogus you can simply shut down anything that might be trying to do.


Fdisk is a little extreme especially when users want their files back although I did recomend fdisk as an excellent defrag utility for a particularly rude and annoying user once.

elaverick1981

If you're being randomly re-directed to websites then it's most likely you have spurious entries in your HOSTS file. Have a look in %SystemRoot%\system32\drivers\etc\ and delete everything except for the localhost entry.

vCole

Malware Bytes ftw

wd40

blargoe wrote: »

Royal is obsolete? I guess that explains things.

Oops!

I was trying to say that he is an old and respectful user "Old as old user and not an old man "

KGhaleon

royal wrote: »

You haven't been here long enough. Any obsolete tool I always say, "What is <insert obsolete technology/tool>?"

Have to agree. When do you use fdisk these days, unless you're using some win 98?

jbrown414

The thing that annoys me most is that I didn't cause this. My brother and his Kids (both under 10) were staying with me for the holidays. There's no telling what they did to this thing.

networker050184

jbrown414 wrote: »

The thing that annoys me most is that I didn't cause this. My brother and his Kids (both under 10) were staying with me for the holidays. There's no telling what they did to this thing.

And my wife wonders why I won't let anyone on my computer...

skrpune

jbrown414 wrote: »

The thing that annoys me most is that I didn't cause this. My brother and his Kids (both under 10) were staying with me for the holidays. There's no telling what they did to this thing.

Ugh. They probably did some unsafe surfing and downloads/installs. If you are brave enough to let someone else onto your computer again in the future, you might want to set up another (very limited) user profile for them.

My sister in law had to set up a separate computer for her husband...she is in the IT biz & works from home and she got tired of her hubby downloading p*rn & lord knows what else and continuously infecting her computer, and thereby affecting her livelihood, so she set up a second computer juuuust for him to mess up!

JDMurray

skrpune wrote: »

so she set up a second computer juuuust for him to mess up!

If that second computer is only running VMWare, then he can restore the entire system from a snapshot each time it gets infected. Also, not running as Administrator, using an anti-spyware HOSTS file, and not allowing scripts to execute in the Web browser does go a long way to keeping a system clean.

skrpune

JDMurray wrote: »

If that second computer is only running VMWare, then he can restore the entire system from a snapshot each time it gets infected.

Very good tip, but in this particular case, not sure she wants to *encourage* the online behaviors that result in infections...

JDMurray

skrpune wrote: »

Very good tip, but in this particular case, not sure she wants to *encourage* the online behaviors that result in infections...

Ah, but she got him a second machine because she realizes that she can't control what he does. If she subscribed to one of those CyberSitter/NetNanny services he'd just start doing his p0rn surfing away from home--and that definitely not a thing to encourage.

skrpune

JDMurray wrote: »

Ah, but she got him a second machine because she realizes that she can't control what he does. If she subscribed to one of those CyberSitter/NetNanny services he'd just start doing his p0rn surfing away from home--and that definitely not a thing to encourage.

Touche...very good point

liven

jbrown414 wrote: »

When I do a google search for antivirus or spyware sites and I click on the link for the site through google, they ask for a login. I've run the following programs to clean my system but I don't think everything has been cleared.

Avast
Adaware
Superantispyware
Windows Defender

It seems like it is preventing me from accessing site to get rid of what is infecting my system. Any suggestions?

sounds like you got a virus that I got this morning....


check for this file:

wdmuad.sys

in


C:\WINDOWS\system32

it shouldn't be there.


None of the major antivirus tools detect or remove it currently.

JDMurray

liven wrote: »

sounds like you got a virus that I got this morning....

How did you become infected with this virus?

liven

I don't know.

The posts I have read about this particular bugger state that it is spread through chat room forums (java script) or through the PDF exploit...

I am not a big fan of PDF's and I avoid them as much as possible, that and I have not opened any recently so I don't think that is the cause.


However I do participate in many forums for countless different topics, so I am thinking that is most likely how it spread to me.


The only things that I noticed is that my computer had rebooted this morning to apply microsoft patches. However I do not remember downloading and telling my machine it was ok to apply them. So that was odd, and then some how the yahoo tool bar was installed.


Bottom line the machine is borked, and will be reloaded soon. And no script will be running on for sure