Support NeoGAF

[Bebpo]

First of all, things that were in use:
-Microsoft Security Essentials, up to date with real time protection on and high security
-Windows 7 Ultimate, all the latest security updates installed
-Firefox 8
-Java that was 3 days old apparently from the previous update and there may have been 1 newer update since

Story:
Last night I was doing a google search for some pictures from the Soul Eater comic to do a writeup and I was at some site I found through it looking at an art galley and I got a pop-up from MSE that a trojan and backdoor were found and I had it remove them.

Then suddenly a program called AV PROTECTION 2011 starts running (virus) and what's weird is that it's not a website pop-up, but is actually on my W7 toolbar as a running program. I look on the desktop and wtf there is a shortcut to this virus program and in taskbar/start menu it's there as a newly installed program.

Once in it infected a ton of stuff like firefox, windows desktop manager, etc... and MSE couldn't permanently get rid of it. MSE even gave me pop ups asking me to send my info to Microsoft because it hadn't encountered this virus in these files before.

So after 2-3 hours of trying to fix it permanently to no avail, I ended up just doing a fresh install of W7.

Which is fine, but uh, I don't want this to happen again. So I want to know how this happened and what protection failed. I've never heard of a virus that could attack you from just viewing a website and not clicking on any pop ups, or downloading anything, or opening anything. Also I've never known a program that could INSTALL ITSELF without the MSE pop-up appearing saying "do you give permission for this program to make changes to your windows". How did it stealth install and get past that? The only explanation I can think of is that it used Java and stealth installed it in the background.

I didn't catch the name of the trojan because it stopped appearing after I wiped it the first time, but the backdoor that wouldn't go away was "Cycbot.g"

Anyone know what the hell happened and how I can prevent it in the future?

 

[Ecrofirt]

It's likely that either Java or Flash is out of date on your computer. Uninstall your existing version(s), and install the latest version of each piece of software.

Additionally, the fake antivirus likely lives inside of your user folder, where your account has full read/write access. That's pretty much the de-facto spot for those things to silently install themselves now.

 

[Kapura]

Shady sites have shady shit. You could have rooted it out with Malwarebytes, but if a fresh install is easier more power to you.

 

[Ecrofirt]

Shady sites have shady shit. You could have rooted it out with Malwarebytes, but if a fresh install is easier more power to you.

It wasn't necessarily a shady site that did it. It was more likely a shady ad that either got displayed on his PC or wasn't even visible. The ad would've exploited Java/Flash, and likely slipped by the advertiser onto an otherwise good site.

 

[The Technomancer]

Isn't the whole point of Java supposed to be that it doesn't let things out of its own environment?

 

[Touch]

That AV will attach itself to a file on your harddrive then hide itself waiting for you to execute that file. It will start to copy itself as well to multi files sooner or later getting to your windows start up and causing a complete windows melt down.

You will most likely get it again. Either it from still being hidden on your computer or by using google images clicking on untrusted sources.

Once you notice it again, scan your computer from an outside source such as a thumb drive or usb hdd. If you scan from your harddrive it WILL NOT detect the virus. I have heard the booting in safe mode and running anti virus software working but I would still run it through an outside source.

 

[clav]

Uninstall Java if you don't use it.

Install Google Chrome and never worry about Flash updates as the browser updates automatically. Do not install the plug-in program.

Be sure UAC is turned on to at least default.

Setup OpenDNS on your router.

 

[Ferrio]

That one is a bitch to fix. Steps I did

-Booting into safe mode.
-Manually removing entries in the registery
-Manually removing startup entries for it
-Running Malware Byte in safe mode.

Took a couple hours but I finally got it clean. But ya, just easier reinstalling the damn OS really.

 

[Cousteau]

thin windows ya have there mate.

 

[ChiTownBuffalo]

That one is a mofo. Only go to safe pron streaming sites from now on.

 

[reKon]

Malwarebytes + Combofix in safe mode?

 

[ihearthawthats]

Anyone know what the hell happened and how I can prevent it in the future?

adblock plus + noscript

 

[powersurge]

adblock plus + noscript

Everyone should use these. Noscript can be a little annoying sometimes but its worth it for the extra layer of protection.

 

[Kapura]

juniors...

 

[Proelite]

That thing is a root kit. It actually blacklists programs that try to remove it. Fresh install is the safe way.

 

[akira28]

Doesn't this only install if you click on the false message popup in question?

 

[Broder Salsa]

Hmmm I have just gotten a laptop from one of my mothers friends who had gotten this as well the other day.

 

[AlimNassor]

i hate those kinds of viruses. I hate it even more when they block all .exes from running. Usually I find the file folder where its located and move its .exe into a new folder that disables it and then I nuke it.

 

[Forbiden]

My wife got that onto my main PC a couple of days ago as well, and it was no less than frustrating to get my computer working again. The stupid thing would not allow me to run a single thing, saying that they were all infected and it was impossible to run them. I had to boot into safe mode, delete a bunch of files and registry keys, then install and run Malwarebytes in Safe Mode to get rid of the thing. I am still shocked as to how it even got into my computer since my wife knows not to click on any sort of ads or pop ups.

 

[Lazy vs Crazy]

Happens a lot through Adobe Reader. What a terrible program.

 

[DopeyFish]

That virus is a bitch and a half to cleanup

I have done it before, but that little fucker is -not fun- as it tries to destroy the MBR when you install malware bytes

You could have saved it by load malware bytes with a differently named executable

 

[Particle Physicist]

Happens a lot through Adobe Reader. What a terrible program.

Adobe!!!!!!

>(

 

[Hari Seldon]

Happens a lot through Adobe Reader. What a terrible program.

Adobe is a piece of shit company in general. Never install any of that shit. Fuck flash. I wish Jobs had succeeded in ridding the internet of that pestilence.

 

[Freestyler]

Adobe is a piece of shit company in general. Never install any of that shit. Fuck flash. I wish Jobs had succeeded in ridding the internet of that pestilence.

It's happening, slowly but surely.

 

[Shogmaster]

I think I just deleted the limited user I surfed with to solve the problem (after using MSE to delete the virus first). But this was an old sacrificial laptop I have to do more "unsafe" things on the internet with so even if it's somewhere else, I don't care.

 

[Bebpo]

Lots of useful information in here. So good ideas for future are:

-adblock plus + noscript
-use google chrome instead of firefox
-install malaware bytes on a usb thumbstick to run from stick in case of problem
-do things in safe mode if possible
-don't use adobe reader if possible

One question I have is, how do you boot to safe mode in W7? Older windows always had that "boot to safe mode" restart option, but I have no idea how to get there in W7.

 

[Salmonax]

Everyone should use these. Noscript can be a little annoying sometimes but its worth it for the extra layer of protection.

Noscript requires far too much annoying micromanaging to be worth it for me.

 

[Ferrio]

One question I have is, how do you boot to safe mode in W7? Older windows always had that "boot to safe mode" restart option, but I have no idea how to get there in W7.

F8 when windows is booting up.

 

[LCGeek]

I had the same problem on the family laptop when I came for visit. Clean install get rookit deleters and make sure it's not in your master boot record. Learn windows recovery console or wipe that drive they stick around.

 

[Ecrofirt]

Isn't the whole point of Java supposed to be that it doesn't let things out of its own environment?

The The main reason there are non-major version changes to Java and Flash on a somewhat regular basis is to plug up security holes that allow things like this to install themselves on PCs.

 

[Timedog]

for some of us, reinstalling an OS takes several days/weeks

 

[Ecrofirt]

My wife got that onto my main PC a couple of days ago as well, and it was no less than frustrating to get my computer working again. The stupid thing would not allow me to run a single thing, saying that they were all infected and it was impossible to run them. I had to boot into safe mode, delete a bunch of files and registry keys, then install and run Malwarebytes in Safe Mode to get rid of the thing. I am still shocked as to how it even got into my computer since my wife knows not to click on any sort of ads or pop ups.

In all likelihood, your wife didn't actually do anything at all to cause it. See my above post for a brief explanation.

These things are a plague that feast upon old versions of Java and Flash.

 

[Stumpokapow]

Lots of useful information in here. So good ideas for future are:

-adblock plus + noscript
-use google chrome instead of firefox
-install malaware bytes on a usb thumbstick to run from stick in case of problem
-do things in safe mode if possible
-don't use adobe reader if possible

One question I have is, how do you boot to safe mode in W7? Older windows always had that "boot to safe mode" restart option, but I have no idea how to get there in W7.

RE: Your last conundrum

1) Chrome renders PDFs natively, you no longer need a PDF reader
2) If you want to install one for offline PDF viewer, use FoxIt Reader.

 

[Shogmaster]

RE: Your last conundrum

1) Chrome renders PDFs natively, you no longer need a PDF reader
2) If you want to install one for offline PDF viewer, use FoxIt Reader.

But does FoxIt read 3D pdf files? Our company uses that a lot...

 

[Bebpo]

I had the same problem on the family laptop when I came for visit. Clean install get rookit deleters and make sure it's not in your master boot record. Learn windows recovery console or wipe that drive they stick around.

How can you check if it's in your master boot record after a re-install of windows?

 

[Rapstah]

juniors...

It's not against the rules to say you use AdBlock plus and Noscript, you're just assumed to have at least AdBlock disabled for NeoGAF. I think it's site policy to make sure only decent quiet non-dangerous ads are let through too?

 

[Particle Physicist]

But does FoxIt read 3D pdf files? Our company uses that a lot...

3D pdfs? What madness is that?

Yeah, I've had a few pdfs that can only be opened with Adobe reader. I have it installed on my computer, but I only use it when needed.

 

[Shogmaster]

3D pdfs? What madness is that?

Yeah, I've had a few pdfs that can only be opened with Adobe reader. I have it installed on my computer, but I only use it when needed.

It's pdf files that show 3D CAD file. Pretty cool and useful. Adober Reader 9 or newer can show the 3D.

 

[Bebpo]

Also, I'm trying to update my work computer to some of these things (to make it safer) while W7 is reinstalling at home and on first look it seems like if you use Chrome you can't use Noscript since it's for Firefox. But if you use Firefox you don't have native PDF reading.

So which is the safer browser to use?

 

[Druz]

It's a very easy virus to remove.


It's hiding in your User/Appdata folder. You'll see it as a random string of numbers and letters. It might share the same executable icon as the one that should now be on your desktop. It is probably hidden and has a pair .dat file right next to it. TO unhide files, go into folder options and on the second tab check "Show hidden files and folders"

Make sure you see if your data/start menu is intact. SOme versions of this virus toss your files into your temp folder. If everything checks out okay, clear your temp folder out before moving on.

If the virus took over your file association (After it's removed and you rebooted you no longer are able to open up .exes) you simply find a file association fix in regedit form for your specific version of windows and run it/reboot.

 

[Cruzader]

I need help with some adware/virus screwing up my Windows 7 PC.

I have ESET NOD32 Antivirus running + Microsoft Security Essentials + Spybot + Malwarebytes.

MSE doesnt seem to find crap. NOD32 finds crap but cant seem to get rid of anything. Same with Spybot and Malwarebytes. I literally run Spybot everyday and find the same shit in my system. If I click on remove, NOD32 seems to kick in and quarantine the files. Does that mean they are sorta clashing with one another? I need some serious help. Im thinking of removing Java/Flash and deleting some reg files under safe mode. You guys think thats fine? Check out this screen cap. Hope this may help me in some way.

 

[Druz]

I need help with some adware/virus screwing up my Windows 7 PC.

I have ESET NOD32 Antivirus running + Microsoft Security Essentials + Spybot + Malwarebytes.

MSE doesnt seem to find crap. NOD32 finds crap but cant seem to get rid of anything. Same with Spybot and Malwarebytes. I literally run Spybot everyday and find the same shit in my system. If I click on remove, NOD32 seems to kick in and quarantine the files. Does that mean they are sorta clashing with one another? I need some serious help. Im thinking of removing Java/Flash and deleting some reg files under safe mode. You guys think thats fine? Check out this screen cap. Hope this may help me in some way.

Are you running these scans in safemode?

 

[Cruzader]

Are you running these scans in safemode?

Nope, Ill do that soon. You think that will do it?