
Windows XP Recovery Malware

the_Grinch Member Posts: 4,165 ■■■■■■■■■■
Have you guys seen an influx of this malware? The past week and a half we have been inundated with calls regarding this piece of malware. Thus far we have had them reboot into safe mode with networking, run iexplore.exe (since it hides all their icons), remote us into the machine, we install Malwarebytes (if it isn't already on the device), and clean the device. After that we run the unhide.exe tool to get the icons back, but we've had to recreate some shortcuts. It's starting to become harder to remove, anyone do anything different when it comes to removing this?

All the machines thus far had had antivirus that was up to date. We've seen it affect Panda Endpoint Protection and Symantec Endpoint Protection (two antiviruses most of our customers use).
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • Bokeh Member Posts: 1,636 ■■■■■■■□□□
    Yeah, I've seen this one as well, pain in the butt to get rid of.
  • Hypntick Member Posts: 1,451 ■■■■■■□□□□
    the_Grinch wrote: »
    Have you guys seen an influx of this malware? The past week and a half we have been inundated with calls regarding this piece of malware. Thus far we have had them reboot into safe mode with networking, run iexplore.exe (since it hides all their icons), remote us into the machine, we install Malwarebytes (if it isn't already on the device), and clean the device. After that we run the unhide.exe tool to get the icons back, but we've had to recreate some shortcuts. It's starting to become harder to remove, anyone do anything different when it comes to removing this?

    All the machines thus far had had antivirus that was up to date. We've seen it affect Panda Endpoint Protection and Symantec Endpoint Protection (two antiviruses most of our customers use).

    Getting a ton of calls about this one in the last week or so as well. It is a particularly nasty pain in the butt to get rid of. Have had instances of removing it and it coming back; ComboFix has picked up some of them as rootkits. Hopefully these die off pretty quick, otherwise it's gonna be another busy week.
    WGU BS:IT Completed June 30th 2012.
    WGU MS:ISA Completed October 30th 2013.
  • nimrod.sixty9 Banned Posts: 125 ■□□□□□□□□□
    You guys happen to find out where the PCs are getting infected from? Sites, email, etc...
    I hope to not run into this on Monday...
  • nhan.ng Member Posts: 184
    attrib -h /s /d

    Run that command; if it's Vista/7, make sure you run it as admin. Then reboot, and run TDSSKiller/MBAM full scan.

    If you want to make sure, you can always run a 2nd scanner such as SUPERAntiSpyware. It usually picks up more stuff than MBAM.
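    The unhide step above (the attrib command, or the unhide.exe tool mentioned in the first post) can also be done in a way that first reports what was hidden before changing anything. The following is an added example written for this thread, not code from any poster or from the unhide tool; it assumes PowerShell 2.0 or later is present on the machine (not a given on XP) and that the malware only touched the profile folders listed in $Roots. It clears the Hidden attribute only where the System attribute is not also set, so desktop.ini and similar legitimately hidden files are left alone, and it writes the list of affected paths to a log that can be kept with the ticket.

    ```powershell
    # Added example (not from the thread): report, and optionally clear, the
    # Hidden attribute that this rogue "Recovery" malware sets on user files.
    # Run from an elevated prompt. Default is report-only; pass -Fix to change attributes.
    param(
        # Folders the malware typically touches (assumption; adjust per machine).
        # XP and Vista/7 keep the Start Menu in different places, so both are listed
        # and any path that does not exist is skipped.
        [string[]]$Roots = @(
            "$env:USERPROFILE\Desktop",
            "$env:USERPROFILE\My Documents",
            "$env:USERPROFILE\Documents",
            "$env:USERPROFILE\Start Menu",
            "$env:APPDATA\Microsoft\Windows\Start Menu",
            "$env:ALLUSERSPROFILE\Desktop",
            "$env:ALLUSERSPROFILE\Start Menu"
        ),
        [switch]$Fix,
        [string]$Log = "$env:TEMP\unhide-report.txt"
    )

    $hidden = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Force is required, otherwise Get-ChildItem omits hidden items entirely.
        $items = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

        foreach ($item in $items) {
            # Skip items that are also marked System (desktop.ini, Thumbs.db, etc.);
            # those are hidden by Windows itself, not by the malware.
            if ($item.Attributes -band [IO.FileAttributes]::System) { continue }

            $hidden += $item.FullName
            if ($Fix) {
                # Every item here has Hidden set, so xor clears just that bit.
                $item.Attributes = $item.Attributes -bxor [IO.FileAttributes]::Hidden
            }
        }
    }

    # Keep a record of what was touched for the ticket.
    $hidden | Set-Content -LiteralPath $Log

    $mode = if ($Fix) { "Hidden attribute cleared" } else { "report only; rerun with -Fix to clear" }
    "{0} hidden item(s) found. {1}. Report written to {2}" -f $hidden.Count, $mode, $Log
    ```

    Run it once without -Fix and read the report: if it lists system or program files rather than the user's own documents and shortcuts, the machine has been hidden more broadly than this script assumes and the full attrib sweep in the post above is the better tool. Either way the attribute fix only restores visibility; the scanner pass the post describes afterwards is still what removes the malware.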
  • SteveLord Member Posts: 1,717
    Antivirus is always 1 step behind... so it doesn't matter what you use. Infections can come from emails, using Google/Bing Images, or even embedded in ad banners.
    WGU B.S.IT - 9/1/2015 >>> ???
  • steve13ad Member Posts: 398 ■■■■□□□□□□
    We've been getting hammered with calls as well. We've found the easiest solution is to use System Restore to get rid of it. Works every time!
  • Bokeh Member Posts: 1,636 ■■■■■■■□□□
    One I dealt with on Wed came from going to Anthem.com checking their health benefits.
  • it_consultant Member Posts: 1,903
    the_Grinch wrote: »
    Have you guys seen an influx of this malware? The past week and a half we have been inundated with calls regarding this piece of malware. Thus far we have had them reboot into safe mode with networking, run iexplore.exe (since it hides all their icons), remote us into the machine, we install Malwarebytes (if it isn't already on the device), and clean the device. After that we run the unhide.exe tool to get the icons back, but we've had to recreate some shortcuts. It's starting to become harder to remove, anyone do anything different when it comes to removing this?

    All the machines thus far had had antivirus that was up to date. We've seen it affect Panda Endpoint Protection and Symantec Endpoint Protection (two antiviruses most of our customers use).

    There are 2 things you can do to prevent this from happening. First, you can stop using IE; Firefox or Chrome don't seem to be affected by this virus. Second, tell your users that if they see ANY security software pop up that is not their company software (better let them know what that is) to not click on ANYTHING at all and call the help desk. If you catch it before your users click on anything, forcing a shutdown of IE from the command line (taskkill /f /im iexplore.exe) will prevent infection.
  • it_consultant Member Posts: 1,903
    Bokeh wrote: »
    One I dealt with on Wed came from going to Anthem.com checking their health benefits.

    Here too, my client bills health insurance to Anthem. They must have weak security on their website, someone got in and put a malicious script on the site.