None of the renaming schemes work any more. I had a variant of this for the third time in about three months, and the newest version tacks an exe extension on to anything you try to run, then tells you it’s infected. Get a browser running and any effort to look up antimalware software or anything on the malware in question would end with you being redirected to a site offering to sell you the software that will clean your system for you. Access to the reg editor and task manager were cut off as well as access to the Disk Restore function so my last restore point was inaccessible.
If the renaming of MBAM doesn’t work, you can also try Super Anti-Spyware, aka SAS. It has a portable version that works off USB or CD. The file is saved under a random name already to get around the malware.
This thread seems to have become about AT’s third question only, but I’m interested in this answer to his first. Is there a GQ answer?
I haven’t been successfully attacked by one of these assholes yet but I’ve come close. From a comment upthread it seems they are trying to strong arm you into buying software. If that involves a credit card transaction then doesn’t that require them to have a legitimate presence ie can’t they be tracked down? And isn’t what they are doing illegal somehow?
Maybe I’m being naive. I know it’s possible to base a site like this anywhere, and while I know the US government has been able to attack gambling sites through the banks that support the c/c payments, maybe there isn’t the political will.
Just speculating here, but might the existing protection you have in place (not just AV software) influence the level of infection these things can manage? Maybe on a well set up system it can’t get its hooks into its registry and won’t be able to do as much? Or can the initial infection bypass that anyway once it has gotten installed?
So the answer is basically going to come down to good backup habits, as per usual.
I own/operate a computer shop, so I see a broad spectrum of virused-out machines; most of them have poor backup and security habits or… I wouldn’t have a business.
Many of these viruses use a web page interface for accepting a CC number for the fraudulent “pro version” of the software; therefore they allow iexplore.exe to run. So by renaming mbam.exe to iexplore.exe, the software launches.
They are trying to trick you into purchasing software that does not really exist. Once they have your credit card they can order stuff online.
To make matters worse, several have taken to having a “customer service” number and when the banks call to investigate, they tell the bank they sell AV software and act appalled that someone might say it’s a scam.
Based on this, I have had several customers who stated that the bank refused to reverse the charges. I drew up a form letter that we print on our letterhead for any customers that gave up a CC number, for them to give to the bank, that has a statement from me that the “software” that was purchased was the virus and that the customer was misled by ominous messages that they needed to act immediately for fear of financial information being captured/exploited. Along with a note that I am willing to testify in court to this statement and that the customer should not be held liable for the transaction.
Banking in other countries is not always so stringent in its needs for identification, addresses, etc. Even then, good luck getting the police in Bosnia to go hunting for the guy who scammed you out of $79.
You dust off and nuke it from orbit. And I’m not joking.
Once I had a bastard that was like this (not exactly the same one) but it fethed everything. I couldn’t get into safe mode, I couldn’t rename my .exes, I couldn’t do anything.
So it was a slash and burn operation. Restore system to factory defaults. That worked.
AVG offers a bootable CD/USB that can be used. I’m pretty sure there are some antivirus programs that will run under Linux as well. Boot from a USB and scan the Windows partition. No idea if they work against this particular piece of malware.
It’s probably worth pointing out that while you are trying to get rid of it you should
Disconnect the machine from the internet/network to limit the mischief that the program can get up to in the mean time.
Change all your internet passwords using a clean machine.
After you get rid of it, give your machine a full sweep with multiple virus checkers and check that your network settings, user accounts, and other vulnerabilities haven’t been messed with.
If you use your computer for financial stuff or sensitive work, it might be worth backing up your data and then going for a full reinstall anyway (making sure you scan your backups for hitchhikers).
I generally use boot disks. You can actually make a boot disk that includes MalwareBytes and stuff like that, though I never remember to do it. I need to, as you can’t make it once your PC is down.
Not that my computer goes down, since I have it pretty well protected. I have to explicitly allow any executable when it is first run. Not even a renamed executable can get by Process Guard, as I will not have approved that version. It’s essentially an EXE whitelist that gives a user-friendly prompt rather than just not working like the built-in Windows version. Too bad the developer went AWOL, and it only works on XP.
I got hit by this today, and good god is it nasty. Before anyone asks, yes, I was surfing porn sites. Luckily I have a second boot sector to Linux, otherwise I probably would have had to wipe the disk drive.
So the “XP Home Security” thing comes up and starts scanning my disk for “infected” files. As quickly as I can, I turn off the machine. Can’t boot into a safe mode because it is disabled. Boot into regular mode, it won’t run Malwarebytes or Microsoft Security Essentials. A few boots back and forth between Windows and Linux, and using hints from above, I see one strong suspect program in pjl.exe. Back into Linux and a Google search shows that it is bad. From Linux, I delete it. I also delete a couple other files that may or may not be bad. Both are Windows system files, and I figure that Windows will just create a new one, so no harm. I tried to install an anti-malware program to Linux, but it kept coming up with disk space issues. I’m not sure if that is due to my lack of knowledge of Linux or if the malware was doing something.
After deleting the pjl.exe file, I get my system back. I run the Super Anti Spyware that someone recommended above that I downloaded to a thumb drive from Linux, and it cleans up a bunch of stuff. Then I try to run Malwarebytes, but the system doesn’t know what to do with .exe files. Thankfully it tries to help by opening Firefox, so I can google and correct that. Then I run Windows Security Essentials in full scan. Takes an hour, finds lots of bad stuff. Run Malwarebytes in full scan. Takes an hour, finds some more stuff. There are other weird issues still remaining, so I try to do a system restore. Doesn’t take, as I think the malware corrupted all of the past restore points. I tried two days and neither worked. Used CCleaner to clean up some registry entries, but some are still a little wacky. Ran Malwarebytes again and nothing came up. I hope that I am in the clear.
I’ve had minor viruses and crap in the past, but this is the first time my computer has been thoroughly hijacked. Maybe it is time for me to just go to linux full time.
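The “doesn’t know what to do with .exe files” symptom in the post above is usually the .exe file-association keys having been rewritten. This is an added check, not something anyone in the thread posted: a PowerShell script that compares those keys against the stock Windows values and, with -Repair, puts the stock values back. It assumes an elevated prompt and that no legitimate software on the box has customised the .exe association.

```powershell
# Added example, not from the thread. Compares the .exe association keys with
# the stock Windows values; with -Repair, writes the stock values back.
# Run from an elevated PowerShell prompt.
param([switch]$Repair)

# Stock values: the .exe extension maps to the "exefile" class, and that class
# launches the file itself with its arguments. Anything else is suspicious.
$expected = [ordered]@{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}
# Per-user class keys override HKCR, so a clean HKCR alone proves nothing.
# Stock Windows has no .exe entries here; any present value is an override.
$userOverrides = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'
)

function Get-DefaultValue([string]$path) {
    $key = Get-Item -Path $path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')      # '' is the key's (Default) value
}

$problems = 0
foreach ($path in $expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -ne $expected[$path]) {
        $problems++
        Write-Warning "$path is '$actual', expected '$($expected[$path])'"
        if ($Repair) {
            # Set-ItemProperty with '(default)' writes the key's default value.
            Set-ItemProperty -Path $path -Name '(default)' -Value $expected[$path]
        }
    }
}
foreach ($path in $userOverrides) {
    $actual = Get-DefaultValue $path
    if ($null -ne $actual) {
        $problems++
        Write-Warning "Per-user override present: $path = '$actual'"
        if ($Repair) { Remove-Item -Path $path -Recurse -ErrorAction SilentlyContinue }
    }
}
if ($problems -eq 0) { 'exe association matches stock Windows values' }
else { "$problems suspicious setting(s) found" }
```

Keep the warnings it prints: the value that was sitting in the open\command key is the path of whatever the malware was inserting in front of every program launch, which is useful when hunting for leftover files afterwards.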
All the users at work are limited users. Usually the admin account isn’t compromised. I run Malware Bytes and MS Essentials from there and it usually takes care of it. As a last resort, I can save the user’s files, delete his/her account and recreate it to fix things.
I recommend cruising the web with a limited account.