    Nasty Adware

    My son runs a laptop online with no adware or virus protection. He just called to tell me he got infected with the adware popup that tells you that the PC is infected and you need to buy this product to fix it. The last time I got this one I had to format and reprogram to kill it. I'm going to try Malwarebytes and Avast Antivirus to kill it if it will. Any of you all have any sure-fire quick ways to kill this damned piece of pirate ware? I'd be the first in line to punch the CEO of this bullshit company that put this thing out there right in the fucking mouth!
    "It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
    Mark Twain

    "I wish to have no connection with any ship that does not sail fast; for I intend to go in harm's way."
    John Paul Jones

    There is a fifth dimension, beyond that which is known to man. It is a dimension as vast as space and as timeless as infinity. It is the middle ground between light and shadow, between science and superstition, and it lies between the pit of man's fears and the summit of his knowledge. This is the dimension of imagination. It is an area which we call the Twilight Zone.
    Rod Serling

    #2
    Re: Nasty Adware

    Combofix: http://www.bleepingcomputer.com/comb...o-use-combofix
    veritas odium parit



      #3
      Re: Nasty Adware

      do a dual-boot.
      winshit for games,
      Linux for web browsing.

      my browse-box runs 24/7 with opera on Lin, not been down once in 5 years.



        #4
        Re: Nasty Adware

        Last edited by Junk Parts; 03-30-2010, 01:28 PM. Reason: remove



          #5
          Re: Nasty Adware

          Originally posted by Junk Parts
          My son runs a laptop online with no adware or virus protection. He just called to tell me he got infected with the adware popup that tells you that the PC is infected and you need to buy this product to fix it. The last time I got this one I had to format and reprogram to kill it. I'm going to try Malwarebytes and Avast Antivirus to kill it if it will. Any of you all have any sure-fire quick ways to kill this damned piece of pirate ware? I'd be the first in line to punch the CEO of this bullshit company that put this thing out there right in the fucking mouth!
          Roll back to the restore point to the day before this happened.



            #6
            Re: Nasty Adware

            Originally posted by stj
            do a dual-boot.
            winshit for games,
            Linux for web browsing.

            my browse-box runs 24/7 with opera on Lin, not been down once in 5 years.
            You use opera on 'nix?
            I've been a long-time Windows Opera user. In fact I never used Firefox; I used Mozilla until the day it was unsupported/died, then switched to Opera.
            I do have Ubuntu 9.04 and Mint 8, but Opera has to be the biggest PITA browser ever on 'nix. Very hard to get working properly, not worth it at all.
            So I forced myself to use the pre-installed Firefox for a change.
            To be honest though, Opera still works on fewer sites than FF, and the latest releases are slower and buggier anyway.
            edit: I'll keep using opera as preference on my windows box (with back up browsers when opera doesn't work), but I'm not going to go to the trouble of getting 'nix opera to work.
            Last edited by paul_h; 03-30-2010, 01:41 PM.



              #7
              Re: Nasty Adware

              For what it's worth, I've seen this crap get on through all of the major antivirus/internet security systems. Prevention is a case of not browsing the web with Internet Explorer, not downloading suspicious Flash Player updates, and being vigilant about what you click on!

              Right, it might be SDRA64.exe, in which case it's a bitch to get rid of and can take hours, but can be done.

              Before we begin, with the infected machine still running, note the name of the rogue AV program and try to find out where it's running from. If you're running Vista, enable the Image Path column in Task Manager, or download Process Explorer and transfer this onto the affected laptop via a USB pen drive. You're probably looking for AV.exe or AVE.exe or something similar. If the program has installed an icon, you can find that icon, right click, go to Properties and see where the path leads to. Make a note; we'll delete it later.

              Boot into Safe Mode WITH networking (please hook the machine up with an Ethernet cable) and perform the following. You will most likely need to have a USB pen drive at your disposal.

              Please open regedit. Navigate to:
              HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON - In the Userinit field, you should only have "C:\WINDOWS\system32\userinit.exe," specified.

              If you have SDRA64.exe, we get rid of it.
              Open the value and remove the entry with SDRA64, probably "C:\Windows\System32\SDRA64.exe"
              You should be left with an entry: "C:\WINDOWS\system32\userinit.exe," - yes that comma is correct.
              Hopefully because we're running in Safe Mode, it won't add itself back into that entry.

              Now download http://swandog46.geekstogo.com/. Transfer over to the infected machine if you're unable to download it on that machine.

              Open the program.
              In the execute box, type the following

              Folders to delete:
              C:\WINDOWS\System32\lowsec
              Files to delete:
              C:\WINDOWS\System32\SDRA64.exe

              Check the 'automatically disable any rootkits found' checkbox.

              If your Userinit doesn't have SDRA64.exe listed, just leave the scripts box blank and run it anyway, it may still find some things.

              Before we reboot, please delete the folders or file that the rogue program was running from earlier, using Windows Explorer.

              Now click Execute on Avenger and reboot into your normal windows installation.

              Hopefully things should be running a bit better now, but we're NOT done yet.

              Please download and run Malwarebytes and Superantispyware, run them both one at a time on the long scans. Run them interchangeably until they find nothing.

              Please also check your hosts file in C:\WINDOWS\system32\drivers\etc - open the hosts file in Notepad.
              A clean file looks like this:
              # Copyright (c) 1993-1999 Microsoft Corp.
              #
              # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
              #
              # This file contains the mappings of IP addresses to host names. Each
              # entry should be kept on an individual line. The IP address should
              # be placed in the first column followed by the corresponding host name.
              # The IP address and the host name should be separated by at least one
              # space.
              #
              # Additionally, comments (such as these) may be inserted on individual
              # lines or following the machine name denoted by a '#' symbol.
              #
              # For example:
              #
              # 102.54.94.97 rhino.acme.com # source server
              # 38.25.63.10 x.acme.com # x client host

              127.0.0.1 localhost
              Hopefully by the end of this, you're all clean. If you get messages on login that it can't find xyz.dll, let us know!
              Last edited by seanc; 03-30-2010, 01:43 PM.

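As an added example (not from the thread or from any of the tools it names), a small Python script that automates the two manual checks from the post above: it parses a Winlogon Userinit value and a hosts file and reports anything beyond the stock entries. The sample inputs are constructed, and the vendor hostnames in them are placeholders.

```python
# Added example: offline checks for the two artefacts post #7 inspects by
# hand, the Winlogon Userinit value and the hosts file. Paste or export the
# real values from the machine; the inputs below are constructed samples.

EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def check_userinit(value):
    """Return the entries in a Userinit value that are not the stock
    userinit.exe. The legitimate value is one path followed by a comma;
    anything appended after that comma is launched at every logon."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def check_hosts(text):
    """Return (ip, hostname) pairs from a hosts file that are not the
    plain localhost mappings. Rogue AV often pins vendor and update
    sites here so that real tools cannot download or update."""
    suspicious = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            local = name.lower() in ("localhost", "localhost.localdomain")
            if ip in ("127.0.0.1", "::1") and local:
                continue
            suspicious.append((ip, name))
    return suspicious


# Constructed samples: a Userinit value with the SDRA64.exe entry the post
# describes, and a hosts file that hijacks two placeholder vendor domains.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\SDRA64.exe,"
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 update.av-vendor.example   # hijacked update site
127.0.0.1 www.av-vendor.example
"""

if __name__ == "__main__":
    print("Extra Userinit entries:", check_userinit(SAMPLE_USERINIT))
    print("Suspicious hosts entries:", check_hosts(SAMPLE_HOSTS))
```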


                #8
                Re: Nasty Adware

                I had a nasty infection like that once on my dad's computer. Couple of seconds on IE by mistake and boom. Some corny name, I can't remember it. Luckily I had SuperAntiSpyware installed on there and had updated it the day before, but I didn't have Malwarebytes. I had to run everything in safe mode; it wouldn't let AV programs run in normal mode. I never connected my flash drive, too risky. I had to disconnect the thing from the internet because it would just re-download itself if any little bit remained. Eventually I got it all gone using Malwarebytes, SuperAntiSpyware, and HijackThis. The thing somehow screwed up all the .exe files, so trying to run anything (I mean anything) would just come up with the error saying rundll32.exe or whatever was missing. Luckily Microsoft had a support page about that and I got it fixed.



                  #9
                  Re: Nasty Adware

                  I forgot that part 370forlife, let me know if anyone else gets stuck and I'll post instructions for fixing it.

                  Edit: You don't still have that link do you?
                  Last edited by seanc; 03-30-2010, 03:44 PM.



                    #10
                    Re: Nasty Adware

                    Originally posted by paul_h
                    I do have ubuntu 9.04 and mint 8, but opera has to be the biggest PITA browser ever on 'nix. Very hard to get working properly, not worth it at all.

                    it works fine for me - better than the Windows version,
                    as long as you stay away from the "snapshots" & early betas

                    i use the RPMs
                    maybe it's because i'm using KDE, isn't Ubuntu Gnome based?

                    i'll say this, you must download the right version to match your GCC & QT versions.
                    although the QT thing won't matter with the next release because it's been dropped.
                    i think the new snapshots are using integrated Gtk libraries instead.



                      #11
                      Re: Nasty Adware

                      Originally posted by seanc
                      I forgot that part 370forlife, let me know if anyone else gets stuck and I'll post instructions for fixing it.

                      Edit: You don't still have that link do you?
                      I can't find the microsoft page about it for some reason, but this page is basically the same thing and I've used this before on a laptop that had the same problem and it works fine.

                      http://forums.techarena.in/windows-x...rt/1211289.htm



                        #12
                        Re: Nasty Adware

                        Fixed yet JP?



                          #13
                          Re: Nasty Adware

                          It's not here yet for me to fix it....



                            #14
                            Re: Nasty Adware

                            Originally posted by Wrog
                            Roll back to the restore point to the day before this happened.
                            the malware plants itself in the system restore files, so it usually just makes your computer's working software messed up, with an even worse infection.



                              #15
                              Re: Nasty Adware

                              Originally posted by stj
                              it works fine for me - better than the Windows version,
                              as long as you stay away from the "snapshots" & early betas

                              i use the RPMs
                              maybe it's because i'm using KDE, isn't Ubuntu Gnome based?

                              i'll say this, you must download the right version to match your GCC & QT versions.
                              although the QT thing won't matter with the next release because it's been dropped.
                              i think the new snapshots are using integrated Gtk libraries instead.
                              i use arch myself, straight compiled tarballs from the AUR.

                              opera doesn't care that much about gcc/qt, although i guess gcc/qt don't deviate too much so whatever.

                              i see no problem in using internet explorer; the problem is ALWAYS the user.



                                #16
                                Re: Nasty Adware

                                Originally posted by toastygoodness
                                the malware plants itself in the system restore files, so it usually just makes your computer's working software messed up, with an even worse infection.
                                All depends on the infection, of course. I just had this happen to my wife's computer a few days ago. 5 minutes after discovering it, everything was normal after going back to the previous day's restore point. Quickest and easiest fix, if it works for you.



                                  #17
                                  Re: Nasty Adware

                                  I'm working one of these bugs as I write this.

                                  Boot the machine in Safe mode, see if you can run MSconfig and uncheck all the Startup items. If not, Malwarebytes does a good job in safe mode.

                                  Log in as the administrator, disable System Restore then add Administrator to the Sharing and Security group for System Volume Information. This is the restore directory where the bugs hide. Disable System Restore, then delete the contents of the folder.

                                  Run Malwarebytes 2x or until clean. Fix everything it finds.
                                  If you are seriously screwed, and can't do the above, download the Avira rescue CD and use it to preclean the system.

                                  After you clean it up, install www.sandboxie.com and you won't have any more of this bullshit.
