PaperModelers.com

#1
02-17-2012, 01:34 AM
mspacemike (Member; Join Date: May 2009; Location: St. Louis, Missouri; Posts: 150)
Finished up Cleaning a Nasty Computer Virus

Late in January I had been checking out some links that I found some interest in. One from the Trains thread dealing with futuristic designs. This led to a web site that I like to go to once in a while, www.darkroastblend.com. From there I ended up at a Russian site dealing with trains with jet engines attached. Neat, I thought, until a familiar sign popped up on my screen. It was labeled WinXP-AntiSpyware-2012 and warned that it had detected various threats on my machine. It indicated to click on its link to download and use (pay for) the software to remove these threats. This warning is a virus and a trojan itself. I have AVG and MalwareBytes software and use the ZoneAlarm firewall. All of these were disabled, as well as the icons on my desktop. I immediately shut down the computer and started to work out a solution. I found the win32/fakerean rogue trojan (alias antispywarexp). I ran a DOS script to regain control of my desktop and shut down all ports. I found the original virus in the Windows directory and, upon opening it, found that it was all written in Russian Cyrillic. It had been updated from earlier versions, this one opening up more ports and doing more damage than before. Once in safe mode, I ran the MalwareBytes software and found more: trojan.fakems, dc13.exe, dc11.exe, trojan horse generic 26.bxh1, mxecnwraos.exe, muilerwar, aorcxrwesm.exe, cryptic.dwo, a0213536.sys, trojan.qhost.bg, blogmixnews.com/enterpoint and a js/redir. All nasty.

The scans took several hours, and each day I would put the computer in normal mode and check the network activity. Something was still making my svchost.exe run at 90%. I would invariably find unusual activity that had me shut it down and scan again with stronger antivirus/malware software. This went on for two weeks (I still had to go to work during the day and spend nights battling demons).

I ended up with a complete cleaning of the registry and a close look at all system files and executables. I thought I had it licked and all was quiet (for a few hours). Then notepad started to access the internet? Not just one but several at once. Then others like eprcr.exe, oledao.864855970142993.exe and jikao.8111674874204556.exe, all going to the same IP address: 190.9.35.198 (bgp.he.net). All of these were finally found in the Windows prefetch and temp folders. I ran the system file checker to correct any corrupted files. Then the dreaded go.google virus hit. I was really tired of this. I downloaded Microsoft's MSRT (it found 2 more trojans), TDSS (found 3 others), Avast (10), IOptions (found 3, plus some that had not completely downloaded yet) and Hitman Pro (found several remnants and 23 other nasties!). This last one finally did it. Got rid of the last bits, but guess what - no internet.

The tools that removed the nasties were not able to repair the damage from the corrupted files. I had several system files that were missing/corrupted. I rebuilt the TCP/IP stack, borrowed/copied missing system files, then found that the hosts file was hardcoded. This was really getting tiresome, so I wrote a new hosts file. One final run of Hitman Pro showed nothing found.

I rebooted the computer one last time and crossed my fingers. Success: no abnormal network access, no unusual port activity, and the computer was humming away like new. Soooo, if you've wondered where I've been for the last few weeks, it's here - battling demons. Oh, and also, if you wonder what I do when I'm not working on paper models, I used to be a programmer!
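The "hardcoded" hosts file in the post above (and the trojan.qhost.bg detection in the list of findings) is the classic rogue-antivirus trick: point the security vendors' domains at 127.0.0.1 so updaters and download pages silently fail, and optionally redirect other names elsewhere. Below is an added example, not code from the original post or from any of the tools it names, that parses a hosts file and flags the three patterns worth reviewing: a loopback entry for a security-vendor domain, a loopback entry for any other public name, and any name pointed at a non-loopback address. The sample hosts content is constructed, the 203.0.113.7 address is from a documentation range, and the list of watched vendor domains is an assumption you would extend for your own tools.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed sample hosts file (not from any real machine). The first four
# lines are what a stock Windows hosts file contains; the rest are the sort of
# lines a hosts-hijacking trojan appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
# --- appended lines (constructed for this example) ---
127.0.0.1       www.malwarebytes.org
127.0.0.1       free.avg.com
203.0.113.7     update.example.com   # 203.0.113.0/24 is an RFC 5737 documentation range
127.0.0.1       ads.example.net      # a user's own ad-blocking entry: noisy, not malicious
"""

# Names that legitimately point at loopback in a stock hosts file.
STOCK_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Domains of the security tools the thread mentions (assumed list, extend to taste).
# A loopback entry for one of these is the "block the AV updater" pattern.
WATCHED_SUFFIXES = ("malwarebytes.org", "avg.com", "zonealarm.com",
                    "avast.com", "microsoft.com")


class HostsEntry(NamedTuple):
    line_no: int
    address: str
    names: Tuple[str, ...]


class Finding(NamedTuple):
    line_no: int
    severity: str      # "high" or "medium"
    reason: str
    address: str
    name: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '<address> <name> [<name> ...]'; '#' starts a comment."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue                      # an address with no names maps nothing
        entries.append(HostsEntry(n, parts[0], tuple(p.lower() for p in parts[1:])))
    return entries


def _is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Return one Finding per suspicious name mapping, in file order."""
    findings = []
    for e in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(e.address)
        except ValueError:
            findings.append(Finding(e.line_no, "medium", "unparseable address", e.address, "*"))
            continue
        for name in e.names:
            if addr.is_loopback:
                if name in STOCK_LOOPBACK_NAMES:
                    continue              # the stock entries are fine
                if _is_watched(name):
                    findings.append(Finding(e.line_no, "high",
                                            "security-vendor domain sinkholed to loopback",
                                            e.address, name))
                else:
                    findings.append(Finding(e.line_no, "medium",
                                            "public name blocked via loopback",
                                            e.address, name))
            else:
                # Any real redirect deserves a look: it can silently send traffic
                # for a well-known name to a host the user never chose.
                findings.append(Finding(e.line_no, "high",
                                        "name redirected to non-loopback address",
                                        e.address, name))
    return findings


def stock_hosts() -> str:
    """A minimal clean replacement, the equivalent of 'writing a new hosts file'."""
    return "127.0.0.1\tlocalhost\n::1\tlocalhost\n"


if __name__ == "__main__":
    # On a real Windows box you would read %SystemRoot%\System32\drivers\etc\hosts instead.
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no:>3} [{f.severity:<6}] {f.reason}: {f.address} -> {f.name}")
```

Run as a script it prints one line per suspicious entry; as a module, `audit_hosts()` on a clean file returns an empty list, which is the check worth repeating after a cleanup, since several of the tools in the thread remove the trojan but leave its hosts entries behind.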
#2
02-17-2012, 04:31 AM
eric_son (Member; Join Date: Apr 2008; Location: Quezon City, Philippines; Posts: 498)
I salute your determination.
Usually, when I get a nasty infection like that, I first try to salvage my files by booting from a Linux CD. Then I just nuke my Windows installation and start anew. I just can't help but feel paranoid that there is still some nasty malware that was missed by the cleanup, biding its time...
#3
02-17-2012, 07:28 AM
Phil (Member; Join Date: Jul 2007; Posts: 1,687)
You sure went through a lot when there is a simpler fix. I had the same issue on my wife's computer and was able to go online with my computer to find this page. The fix was simple and fast:
Remove Vista Antimalware 2011 and Win 7 Antispyware 2011 name changing rogue (Uninstall Guide)
#4
02-17-2012, 08:18 AM
Zathros (Banned; Join Date: Jul 2007; Location: Earth; Posts: 5,159)
I know which sites you speak of; Norton 360 will not even let you go into those sites. I am so confident with it that I go adventuring knowing I will be safe. I haven't got caught by any virus yet, but that "Blocked Malicious Webpage" warning from Norton fills your whole screen, in colors that look like you are about to open something radioactive. No more of the freeware. If this had happened, Norton would take over my computer remotely and remove this virus. Worth the price. If you have a modern computer, or a well built older one (the one I am typing this on is 7 years old), then the argument about being a resource hog does not apply.
#5
02-17-2012, 08:32 AM
southwestforests (Member; Join Date: Feb 2011; Location: On the edge of the river valley; Posts: 321)
Quote:
Originally Posted by mspacemike View Post
Late in January I had been checking out some links that I found some interest in. One from the Trains thread dealing with futuristic designs. This led to a web site that I like to go to once in a while, www.darkroastblend.com. From there I ended up at a Russian site dealing with trains with jet engines attached. Neat I thought, until a familiar sign popped up on my screen.
Either that train page, if it was on the englishrussia website, has been compromised since I was there before Christmas, or I'm just lucky.

Damn that's a downright just plain mean thing to do to people.

Going to look up that hitman pro and see what's out there on it.
http://download.cnet.com/Hitman-Pro-...-10895604.html
Hmm, might be interesting to try and see what comes up.
Quote:
Hitman Pro is a second opinion scanner, designed to rescue your computer from malware that have infected your computer despite all the security measures you have taken (such as anti virus software, firewalls). Just relying on a single vendor is not sufficient to completely protect you. You do need a second source to make sure you are secure. Hitman Pro is designed to work alongside existing security programs without any conflicts. It scans the computer quickly (less than 5 minutes) and does not slow down the computer (except for the few minutes it is scanning). Hitman Pro does not need to be installed. It can be run straight from a USB flash drive, a CD/DVD, local or network attached hard drive.
As a point of trivia, Kato did an N-scale model of a jet-powered experiment the New York Central railroad (NYC) did with a Budd RDC (Rail Diesel Car) in the mid 1960s: KOBO Custom Shop - KATO USA : Precision Railroad Models
Some photos of the real one can be found here: Budd Diesel Railroad Engines - NE Rails
Last edited by southwestforests; 02-17-2012 at 08:44 AM.
#6
02-17-2012, 08:38 AM
mbauer (Member; Join Date: Apr 2009; Location: Kenai, Alaska; Posts: 2,069)
Quote:
Originally Posted by Phil View Post
You sure went through a lot when there is a simpler fix. I had the same issue on my wife's computer and was able to go online with my computer to find this page. The fix was simple and fast:
Remove Vista Antimalware 2011 and Win 7 Antispyware 2011 name changing rogue (Uninstall Guide)
Hi Phil,

Thanks for the link. Downloaded the free scan; it works fast. My computer is having stability issues. It found 4 major problems.

Looks like my CPU and hardware are working as designed.

$70 is steep for just 1 year of use though.

Wondering, will my system disk repair these stability problems?

Mike
#7
02-17-2012, 08:57 AM
southwestforests (Member; Join Date: Feb 2011; Location: On the edge of the river valley; Posts: 321)
Oh, okay, this little box of bits and bytes is 64-bit instead of 32-bit - had to use a different version of Hitman than the one reviewed in that cnet article.

It is running right now - kind of anxious about what might come up that what is already in here hasn't found.
This thing has over a million files in it, what with all the Trainz stuff and 9000+ camera photos and ... and ... and ..., probably gonna take longer than 30 seconds to scan, ya think.

mbauers - that's a familiar name from a couple other hobby groups
(which may have been said before)

Edit:

Wow, came out in pretty good shape!
http://i196.photobucket.com/albums/a...roresult-1.jpg

I like that they say to use a good av program to start with.
http://i196.photobucket.com/albums/a...oresult2-1.jpg

Last edited by southwestforests; 02-17-2012 at 09:38 AM.
#8
02-17-2012, 11:15 AM
Zathros (Banned; Join Date: Jul 2007; Location: Earth; Posts: 5,159)
Scans a computer in 5 minutes? That has to be just hitting the main area and just on top, nothing dug in.

If you download a file into your computer, and don't scan it, you have let in the virus. If you get one from just visiting a website, then you need stronger protection than what you are currently using.

@mike, if you throw in your Operating System Disc (Windoze) and click "Repair", it will scan to see if there are errors and prompt you if you wish to repair them. It may also prompt you to run ChkDsk, which may be indicative of a failing hard drive. If you have Seagate hard drives, I would suggest you use Seagate's SeaTools for Windows. You burn a .ISO image and it runs off of your optical drive.

I have around 4 to 5 Terabytes on each of my Desktop PCs, not including Laptops. Nothing could scan them in 5 or so minutes. I download files to a slaved hard drive, then scan each file before I open it. In a worst case scenario, you do a hard shut down, restart, remove the drive, then format it in safe mode, or in my case, I attach it to a USB dongle and format it that way. If my hard drive has bad sectors in it, I, generally speaking, buy a new one, clone it, and toss the old one. They are cheap enough nowadays, and sometimes the information is worth far more. I keep smaller working ones, as you can install your software on one and use it to clean your main infected drive. If you have a virus, you use the drive you just made to scan and clean the other drives.

I just had a failing drive, and did this using a really nice 10,000 R.P.M. 60G drive I had that was too small, but good for these kinds of problems. One of the best drives Seagate ever made!
#9
02-17-2012, 12:18 PM
SJPONeill (Member; Join Date: Nov 2008; Location: Near the Spiral, NZ; Posts: 2,259)

Quote:
Originally Posted by Zathros View Post
I know which sites you speak of; Norton 360 will not even let you go into those sites. I am so confident with it that I go adventuring knowing I will be safe. I haven't got caught by any virus yet, but that "Blocked Malicious Webpage" warning from Norton fills your whole screen, in colors that look like you are about to open something radioactive. No more of the freeware. If this had happened, Norton would take over my computer remotely and remove this virus. Worth the price. If you have a modern computer, or a well built older one (the one I am typing this on is 7 years old), then the argument about being a resource hog does not apply.
Bottom line: you get what you pay for with virus protection. The free stuff is all very well 'til someone loses an eye - or a hard drive...
#10
02-17-2012, 10:03 PM
mspacemike (Member; Join Date: May 2009; Location: St. Louis, Missouri; Posts: 150)
@eric_son, yes I have used Linux on some old drives and that was going to be my backup plan. I did do a hard shutdown first in order to find the nasties.

@phil, I did get rid of the Win XP Antispyware 2012 program first. It had opened the floodgates of virus hell to let in the other trojans/viruses after disabling my current programs. I now have active scanning of all traffic/downloads and blocks on suspicious sites.

@zathros, (Windoze) was used to replace the missing or corrupted system/exe files. I would love to afford a system with more than 800GB, but with both of us on a limited income, it makes it hard. I can still dream. I remember working with 64K! Before that was the punched tape/cards and my all-time favorite 'manual binary calculator'. Now where did I put that slide rule?

@all, it may be the thrill of the hunt for me to spend so much time in clearing out my demons. You're right, just get rid of them and have more time for paper modeling.
Tags: computer virus, trojans
All times are GMT -6. The time now is 07:15 AM.