Scary malware/virus!

Out of interest, what do people install Java for on Windows 7 nowadays? Are there specific sites and apps which require something like it to be installed?
I have had 7 since launch, purposely never installed Java, thus have never updated it, or, I hope, been subject to issues arising from its installation.
I am unaware of internet sites that don't work for me when running IE8 in protected mode from a user account with UAC on.

What am I missing out on?

It's a common misconception, but JavaScript is not Java. The common browsers all have JavaScript interpreters built in; it's not something you install. If you want to see the web without JavaScript you can disable it in your Internet Options/Security tab.

Some sites do require actual Java which will download the bytecode and run it on your machine in the browser window, but you don't see them very often.
 
Biggest things that I've seen contributing to this are, in no particular order: running older versions of IE, running XP, not blocking ads, user interaction (allowing the payload to be delivered by clicking on a dialogue box; no doesn't always mean no!).

Seen it on about 10 machines so far....
 
Work colleague had this on her lappy. Connected to the work wireless and did this:

Safemode with networking
installed mbam.
Did the mbam updates.

Visited a few sites for a few hours - all seemed fine. Colleague took lappy home, but the following day announced:

"All I did was boot up, open my Hotmail account, started to type an email and suddenly the System Tool virus was back."

What do I do now? I can clean the virus again, but when she gets home it will 'appear' again :(

(I didn't do anything with system restore)
 
Turn off system restore, then clean, then delete all old system restore copies.

Possibly run a rootkit scan; we've a single machine in work that every 6-8 days will become reinfected with something that our support company claim is eliminated.
Going to make them reinstall, as we're fed up and I CBA wasting worktime on computer support I don't get paid to do.

The system appears clean to symantec corporate and to MWB for several days and then randomly shows signs of infection again.
 
I've seen these exist on flash drives/external HDs with a hidden autorun file. Perhaps she got re-infected that way.
 

Try running ComboFix; it did the trick for me and got rid of the malware completely in one fell swoop. Also, turn off system restore / system protection (you may have to edit the registry to do this if the malware, like it did with me, removes your "System Protection" tab under My Computer).
 
Also had a lass from HR bring her laptop down with this earlier. Safe mode and scans with Malwarebytes found one or two things; rebooted and scanned again, all clean; scanned with Trend Micro OfficeScan, and then ESET Online Scanner, all clean. Got her to log back in and bam, it was straight back there, so clearly something in her local profile. Ended up slapping Autoruns on there, which found some weirdly named exe in her profile which wasn't picked up by any AV suite ... decided to remove her profile anyway and let her create a new one.

Damn things
 
You guys are lucky only getting 10-15 PCs; me and the other engineer at work have gone through at least 50 of these this entire week alone!

Seems there are variants of it going around, but here are the full details and removal instructions:

http://www.bleepingcomputer.com/virus-removal/remove-system-tool

Short end of the fix is:

Go to Safe Mode with networking support.
Run Rkill to kill any virus/spyware/malware process.
Install and UPDATE Malwarebytes, or download the Malwarebytes offline definition update file here:

http://malwarebytes.gt500.org/

Run a full updated Malwarebytes scan.
Download ComboFix and update to the latest one online. Make sure you reboot the PC after ComboFix has run, otherwise no software works!

Seems as long as Malwarebytes/ComboFix are updated it will 99% work. I've noticed if they're not up to date there's less chance of it working; seems the latest offline updates aren't that up to date, sadly!
 
Sometimes you can also just delete it via safe mode. Either in Program Files or AppData you can find the exe or folder; it always has a random-character folder name so is easy to spot. Then run MBAM to make sure.
 
My mother-in-law had this the other day and was infected shortly after doing something on Facebook.

Safe mode and Malwarebytes removed it, no problems.
 
Had another lass bring a laptop in today; she also said she was just chatting to a friend on Facebook and it popped up.

Wonder if there is a rogue advertisement on the loose on Facebook.

ComboFix/Malwarebytes update seems to do the trick.
 
Had a PC brought to me on Sat after this had been 'removed' by a local PC shop. They said it reinfected the machine within minutes of it being turned back on, with them having done nothing more than open an email from the neighbourhood watch police liaison.

Was a Vista machine and only SP1; can't believe the shop let them have it back without informing them of the updates required or even doing them. Shop's response when told it had re-infected? "We'll need to wipe it as it's too hard to remove" :eek:

I didn't like to ask how much they got charged for such a service.
 
Spent much of the weekend running around removing this from my mum's, girlfriend's and a couple of friends' machines... all were infected browsing major sites such as Hotmail/Facebook/eBay/Autotrader etc. Nasty stuff; must be keeping a lot of IT support people very busy at the moment!
 
I've been seeing this a lot recently on clients' machines. In Vista and Win7 it's in the C:\ProgramData folder and it's usually named using random letters and numbers that make no correlation to anything. You boot into safe mode and remove it manually, and then when the system is back up and running scan through with Malwarebytes or another trusted scanner. Yet to come across this in XP, but I would put a nickel on it that it'd be in a similar kind of place.
 
On XP I think it was in C:\Documents and Settings\All Users\Application Data.

It's worrying that these people are getting infected from very well known major sites. Anyway, the girl's laptop I fixed earlier, she just brought in a huge tub of celebrations and a 6 pack of Becks to say thanks - Winner!
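A read-only triage script for the folder locations described in the posts above (ProgramData on Vista/7, All Users\Application Data on XP, and the random-character folder name mentioned in the earlier safe-mode deletion post), added here as an example and not taken from the thread or from any of the tools it names; the name pattern and the Run-key cross-check are my assumptions.

```powershell
# Added triage helper, not code from the thread or from any tool it names. Assumes
# Windows PowerShell 2.0+ run from the affected user's account. It only lists
# candidates for a human to review; it deletes nothing.

# Locations named in the thread: ProgramData on Vista/7, All Users\Application Data on
# XP, plus the per-user profile folders since one post traced a reinfection to the profile.
$roots = @($env:APPDATA, $env:LOCALAPPDATA)
if ($env:ProgramData) { $roots += $env:ProgramData }
else { $roots += 'C:\Documents and Settings\All Users\Application Data' }
$roots = $roots | Where-Object { $_ -and (Test-Path $_) }

# Heuristic (assumption): 6+ letters/digits with at least one digit, matching the
# "random letters and numbers" folder names the thread describes.
$randomName = '^(?=.*\d)[A-Za-z0-9]{6,}$'

$suspects = foreach ($root in $roots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $randomName } |
        ForEach-Object {
            $dir = $_
            Get-ChildItem -Path $dir.FullName -Filter *.exe -ErrorAction SilentlyContinue |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Folder  = $dir.FullName
                        Exe     = $_.FullName
                        Created = $_.CreationTime
                        SizeKB  = [int]($_.Length / 1KB)
                    }
                }
        }
}

'--- Executables in random-named folders ---'
$suspects | Sort-Object Created -Descending | Format-Table Created, SizeKB, Exe -AutoSize

# Cross-check the per-user and per-machine Run keys: a value pointing into one of these
# folders is what brings the rogue back at logon after a scan has reported the box clean.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
'--- Run-key entries pointing at those folders ---'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) {
        foreach ($s in $suspects) {
            if ("$($p.Value)" -like "*$($s.Folder)*") { "$key\$($p.Name) -> $($p.Value)" }
        }
    }
}
```

Run it from the user's own account so HKCU is the profile that keeps reinfecting; a hit in the second list is the entry to remove (after saving a copy of the file for the AV vendor) before rebooting and rescanning.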
 