"Windows Vista Recovery" Virus

Anyone heard of this virus? My understanding is that it’s new. Any fixes? My up-to-date virus protection program (Trend Micro) didn’t catch it.

It can be associated with the TDSS/Alureon rootkit, so it can be a real stinker to remove.

I have always had good results with the removal guides at bleepingcomputer.com:

Remove Windows Vista Recovery (Uninstall Guide)

My daughter got it on her computer Friday night. From other threads here, I learned that you can often log in as a different user and be able to get around the virus/Trojan in order to run a program to get rid of it. That worked in this case; I was able to log in as administrator with no virus popup. Boot up in Safe Mode or Safe Mode With Networking first (F8). My daughter’s computer had file structure problems which didn’t allow some of the programs I usually use (Anti-Malware, SuperAntiSpyware) to work; the computer would lock up partway through. Spybot Search & Destroy did run all the way through without locking up the computer, but the virus was still there under my daughter’s login. I then did a system restore to a date a week earlier, and ran Spybot again, and this time it seems to have removed the virus. The computer is usable again, but I still have to figure out what’s wrong with the files that caused the programs to keep freezing up in certain folders.

Whatever program you use, use a different computer and download it to a flash drive and also download updates to the virus definitions, then install and run it. SuperAntispyware has a version that runs right off the flash drive and you don’t need to install it.

The computer was running Firefox browser with Adblock Plus. I’ve since added on the NoScript add-on. I don’t know if it would have prevented the virus or not.

I wouldn’t trust antispyware to get rid of a rootkit. Use an offline scanner, like the Avira Rescue CD.

Rootkits are serious business. This is how I removed it from my uncle’s computer. Unlike when I contracted Vundo (from a suspicious download), I did not wind up having to reformat the computer because I kept getting reinfected.

After you run the CD, do at least a repair installation.

I had it last week. I took it to the repairman and after working on it all day, he said it had been quite a difficult one to remove but he did it (and for cheap, too!). I had virus protection software but it somehow missed it. The guy put some other programs on there to serve as back-up.

If you’ve got some money to spare, I say go and find a nice local repair person to fix it.

Here’s a newsletter from today on it: Virus Alert - XP Total Security 2011
Malwarebytes is recommended as being able to remove it. I forgot to mention the tip about renaming it from a .exe to a .com file if it won’t run for you.

I did run several rootkit cleaner programs on my infected computer, and none of them detected anything.

I’ve seen a few variants of this recently, and renaming mbam.exe to mbam.com hasn’t worked in every case. I had some success with infected family and friends machines with renaming to mbam.scr, and in one case iexplore.exe.

My g/f’s notebook just got hit with this last week. It got by AVG antivirus and MS Windows Defender which were up to date.

It’s a real pain in the butt to deal with. I wound up doing a system restore to the previous day which got rid of it and made the machine functional again, although it does try and “hide” the system restore utility from you. Deleted the dodgy executables and registry entries that it left behind. Installed Malwarebytes and ran a complete scan, it found nothing at that point.

However it did go through and delete all of her photos, music, Office docs and ZIP files. I used Pandora file recovery to undelete everything (both Pandora and Malwarebytes are free downloads from CNET).

Well, it didn’t really delete them, it flipped the hidden file bit so you couldn’t see them. There is a tool called unhide.exe in my cite that will undo that.

Ah! Good to know, thanks! I’ll run unhide.exe on her machine next time.

Malwarebytes is pretty consistently killing these virii as they come up.

As mentioned before, it hides the files, not deletes them; it’s all part of the “scareware” methodology they use to try and coax a user to cough up a credit card #.

Even without the unhide utility you can right click on your Documents and Settings or Users folder, select Properties, and uncheck “Hidden”, then select “Apply to all folders, subfolders and files.” May take a few minutes, but they come back.

If Malwarebytes is having a hard time running, rename mbam.exe to iexplore.exe and run it. They allow files named iexplore to run to enable users to hand over CC#s via a web interface.

Also, there is a new version of Malwarebytes as of yesterday afternoon. 1.51 comes with a trial of the pro version; we are testing it out this week in the shop.

Yeah, I ran into two different machines with this in the last week. A real pisser, but I was able to get all their files back and their machines clean.

Never, ever browse social networking sites using an account with Administrator privileges. Always create a Standard or Limited account to do so. And if you run a moronic piece of software like Peachtree that doesn’t allow it - DUMP that shit and join us in the 21st century.
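The hidden-attribute recovery described a few posts above (what unhide.exe and the “uncheck Hidden, apply to all subfolders” trick do) as an added PowerShell example; this is not from the thread or from BleepingComputer’s tool. It assumes an elevated prompt on the cleaned machine and a hypothetical profile path in `$Root`; run it with `-ReportOnly` first to see what it would change.

```powershell
# Added example, not from the thread: clear the Hidden (and System) attribute
# that this scareware sets on user files so they reappear in Explorer.
# Assumption: $Root is the affected profile (hypothetical path); run elevated.
param(
    [string]$Root = "C:\Users\daughter",
    [switch]$ReportOnly   # list what would change without touching anything
)

# Files Windows keeps hidden on purpose; leave their attributes alone.
$keepHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.ini', 'ntuser.pol')

# Hidden + System together are what make "show hidden files" ineffective,
# so both bits are cleared on anything we decide to restore.
$mask = [int][IO.FileAttributes]::Hidden -bor [int][IO.FileAttributes]::System

# -Force is required or Get-ChildItem skips hidden items entirely.
$items = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ([int]$_.Attributes -band [int][IO.FileAttributes]::Hidden) -ne 0 -and
        -not ($_.FullName -like "$Root\AppData*") -and   # hidden by design
        ($keepHidden -notcontains $_.Name.ToLower())
    }

$changed = 0
foreach ($item in $items) {
    if ($ReportOnly) {
        Write-Output "would unhide: $($item.FullName)"
        continue
    }
    try {
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $mask))
        $changed++
    } catch {
        Write-Warning "could not change $($item.FullName): $_"
    }
}

Write-Output "Cleared Hidden/System on $changed items under $Root"
```

Anything under AppData is skipped deliberately, since that tree is hidden by Windows itself; if the variant also hid shortcuts on the Desktop or Start Menu, those live in the profile and are covered.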

I was called in to triage for my family’s PCs (running XP)… Once I had some time to sit down and Google, I got rid of it pretty easily. You Ctrl-Alt-Del to get the Task Manager to appear, kill the recovery program, then click on the Processes tab and kill the one with the garbled name that ends in .exe.

Google for “unhide.exe” from BleepingComputer.com for a program that will bring most of your shortcuts, etc. back.

I really hate dealing with Windows and malware. As a Mac user, I never even give this stuff a moment’s thought…

Perhaps you should:

Apple Updates Mac OS X To Battle Malware Threats

The MacGuard malware has already adapted to the update:

I forgot to mention that my daughter forgot to mention that all her documents and media files had been turned invisible, but thanks to Fear Itself we knew what had happened and how to fix it. Thanks!

I had it about a week and a half ago. Went into Safe Mode and ran Avira but didn’t get great results, although I was able to use it to restore Task Manager functionality. Rebooted into regular mode, killed the processes with Task Manager, which let the boot sequence continue, then ran rkill followed by Malwarebytes followed by unhide. Pain in the arse, but no real damage done.

Note that my advice isn’t to not run Malwarebytes, but to run an offline virus scan afterwards to be sure you are clean and don’t have anything else hanging around. I really wish Malwarebytes would come up with an offline scanner so we wouldn’t have to deal with the renaming thing.

SuperAntiSpyware has a portable version, but I don’t know if it removes this or not.