Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on November 14, 2017, 06:34:16 PM

Title: Eternal Blue or Eternal Hell?
Post by: REDACTED on November 14, 2017, 06:34:16 PM
My Windows 7 Pro, 64-bit computer was infected by Eternal Blue when I downloaded Google Chrome on 10/5/2017. It lay low for a bit before erupting on 10/30. Fortunately I had Avast and it caught it. However, it's now over 2 weeks later and I am still being yelled at by Avast 2 to 8 times a day. I hear "Threat detected!" eight times in a row with each attack.

(https://flic.kr/p/21ud3BE)

I did what I could to remove it. I ran a full Avast scan, installed the MS17-010 fix, and downloaded and ran both Malwarebytes and CCleaner, but none of this got rid of it. I found a webpage where detailed instructions were given for removing it manually but when I went through all the steps, I wound up removing nothing because I found nothing to remove. I had already uninstalled Chrome.

https://www.removeallvirus.com/steps-remove-eternalblue-exploit-virus-easily

But then, while checking the entries in the registry step, I noticed something that I thought was a little odd - a registry entry that had what appeared to be a Chinese character in it. I asked my brother about it (he's an IT professional) and he said that having Chinese characters in your registry only meant that a program that you installed had originated in China.

Still, I'd like to confirm that this has nothing to do with Eternal Blue because I am still being attacked.

So here's a screenshot of what I see when I run regedit:

(https://flic.kr/p/ZrMDhy)

If this is not the issue causing Eternal Hell to keep haunting me, then I have to ask what is? And what more can I do to get rid of it?

Some other info that might come in handy when figuring this out:

My brother gave me this computer about six months ago when I asked for one of his old desktops to supplement my own ancient Windows XP laptop. Being an IT professional, he gave it to me as a clean machine - with all his own stuff removed. I think he may also have reinstalled Windows 7 from scratch.

I installed quite a bit of my own software (I am into 3D design and animation, and used 4 or 5 programs associated with that alone). However, once I got infected with Eternal Blue, I decided to back up all my data to an external hard drive, clean what I had backed up off of my system disks, except for what I would have immediate need for, and disconnect the external drive.

I then uninstalled every program that I didn't immediately have need of, including all my 3D programs (I was in a hiatus from development at that point).

So I have a pretty clean machine at this point. So clean that I can show all the programs installed on my computer in a single screenshot:

(https://flic.kr/p/ZrMEcu)

If there is any more info I can provide, please let me know.

Beth

EDIT: Since I don't see my images in the post, I am guessing that it's because images are banned until either reviewed for new members or until new members have posted a set number of posts, so here are direct links to those images.

Avast warning screenshot: https://flic.kr/p/21ud3BE
regedit screenshot: https://flic.kr/p/ZrMDhy
Installed programs screenshot: https://flic.kr/p/ZrMEcu

Title: Re: Eternal Blue or Eternal Hell?
Post by: Pondus on November 14, 2017, 06:47:26 PM
Try this: Turn off file sharing and close port 445 for incoming traffic.

Any change?
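
The port-445 block suggested above, as an added example written for this thread rather than anything posted by Pondus or shipped by Avast. It uses the built-in netsh firewall tool, which is what Windows 7 offers (the newer NetSecurity cmdlets are not available there), and then verifies the result. The rule name `BlockSMB445In` is an assumption chosen for the example; the KB numbers in the last step are the March 2017 MS17-010 packages for Windows 7. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): block inbound TCP 445 on Windows 7 and verify.
# Rule name is an assumption for this example.
$ruleName = "BlockSMB445In"

# 1. Add an inbound block rule for TCP 445 on every profile (domain, private, public).
netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=445 profile=any

# 2. The rule only matters if the firewall is on; confirm the state of all profiles.
netsh advfirewall show allprofiles state

# 3. Read the rule back to confirm it exists and is enabled.
netsh advfirewall firewall show rule name=$ruleName

# 4. The machine will still show 445 LISTENING because the Server service owns the port;
#    the firewall rule is what stops remote hosts from reaching it. This just records the fact.
netstat -an | findstr ":445 "

# 5. The firewall rule is a stop-gap. The actual fix for the SMBv1 flaw is the MS17-010 update:
#    KB4012212 is the March 2017 security-only package and KB4012215 the monthly rollup for
#    Windows 7. A later monthly rollup also contains the fix but is listed under a different KB,
#    so "not found" here means "check Windows Update history", not "definitely unpatched".
$ms17010 = Get-HotFix | Where-Object { @('KB4012212', 'KB4012215') -contains $_.HotFixID }
if ($ms17010) {
    "MS17-010 package present: " + (($ms17010 | ForEach-Object { $_.HotFixID }) -join ', ')
} else {
    "No March 2017 MS17-010 package found; confirm a later monthly rollup is installed."
}
```

Turning off File and Printer Sharing (the second part of the advice) stops the Server service from offering shares, but the firewall rule is the part that keeps unsolicited SMB traffic from reaching the port at all, which is why checking the firewall profile state in step 2 matters: a block rule on a profile whose firewall is off does nothing.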

Title: Re: Eternal Blue or Eternal Hell?
Post by: REDACTED on November 14, 2017, 08:00:25 PM
I didn't know how to do that, so I looked it up and found this webpage and followed the instructions - although I think they should have put the note suggesting a system restore point on the TOP rather than the bottom of the procedure.  ???

http://practicalrambler.blogspot.com/2011/10/how-to-close-port-445-in-windows-7.html

It seemed to take okay and I tried a test print to make sure that my bluetooth printer was still working (clueless what I'm doing here) and it worked.

As far as whether or not it helped, only time will tell because the attacks are seemingly random with no apparent set time period between them. I would say that if 24 hours passes and there are no further attacks, then I would say it worked.

I'll let you know! Thanks!  ;D

Title: Re: Eternal Blue or Eternal Hell?
Post by: REDACTED on November 14, 2017, 08:08:16 PM
Oops! Almost forgot about the file and printer sharing!

I found this YouTube video explaining how to do it and it turned out that file and printer sharing was already off.

https://youtu.be/pFct_fYaQuo

Title: Re: Eternal Blue or Eternal Hell?
Post by: Pondus on November 15, 2017, 02:13:32 AM
How to Block Port 445 in Windows Firewall?
https://www.backup-utility.com/anti-ransomware/how-to-block-port-445-in-windows-3889.html

SMB Exploited: WannaCry Use of "EternalBlue"
https://www.fireeye.com/blog/threat-research/2017/05/smb-exploited-wannacry-use-of-eternalblue.html

Title: Re: Eternal Blue or Eternal Hell?
Post by: REDACTED on November 16, 2017, 02:57:52 AM
Well, it's been nearly 24 hours now and Avast hasn't yelled "Intruder aler...", um, I mean "Threat detected," even one time, so I guess that means closing port 445 did the trick.

But, I have to wonder about something.

Closing port 445 is just a stop-gap measure, isn't it? I mean it does nothing to change anything on the machine, so doesn't that mean that Eternal Blue is still there, lurking in the belly (or brain) of my computer?

Do you think anyone is working on a real solution - the complete removal of the malicious code?

Thank you VERY much Officer Wigg..., um, Pondus! I can't express how much I appreciate all your help!  ;D ;D ;D ;D

And thank you for those links. I'll be passing them on to my brother so that if anyone ever comes to him as head of IT for this same problem, he'll have the solution ready at hand for a swift resolution.

Title: Re: Eternal Blue or Eternal Hell?
Post by: Asyn on November 16, 2017, 05:17:20 AM
See: https://forum.avast.com/index.php?topic=208445.msg1419511#msg1419511

Title: Re: Eternal Blue or Eternal Hell?
Post by: REDACTED on November 16, 2017, 08:36:03 AM
Thank you Asyn.

Title: Re: Eternal Blue or Eternal Hell?
Post by: Asyn on November 16, 2017, 09:00:31 AM
You're welcome Beth.