Author Topic: Malware fixes and work-arounds!  (Read 107198 times)


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31626
  • malware fighter
Malware-fixes and work-arounds...
« Reply #15 on: December 24, 2009, 08:19:48 PM »
Hi malware fighters,

As requested I'm gonna put some links and work-arounds here, starting with this one, as MBAM is being halted by a rootkit: http://forum.avast.com/index.php?topic=52583.msg445341#msg445341

More to follow,

polonus

P.S. Some older considerations, some points might still be valid:
1. I cannot download Malwarebytes Anti-malware.
Probably your computer is infected with the DNSChanger trojan. Read and follow these instructions: How to remove trojan DNSChanger: http://www.myantispyware.com/2007/11/06/how-to-remove-trojan-dnschanger/

2. Malwarebytes Anti-malware won't install, run or update:
http://www.myantispyware.com/2009/06/08/malwarebytes-wont-install-run-or-update-how-to-fix-it/

3. Got error code 731 (0,9).
Try restarting the computer, it should solve the error.

« Last Edit: December 25, 2009, 05:23:23 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline nmb

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3061
Malware fixes and work-arounds!
« Reply #16 on: December 24, 2009, 08:22:28 PM »
sir pol,

could you change the topic header to something general? - suggestion.. what say?

nmb
« Last Edit: December 24, 2009, 08:32:22 PM by nmb »

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #17 on: December 24, 2009, 08:31:15 PM »
Hi nmb,

This better?

polonus

Offline nmb

Re: Malware fixes and work-arounds!
« Reply #18 on: December 24, 2009, 08:32:39 PM »
yes sir,

there you go! thanks for considering my words sir.

voted for sticky.

thanks
nmb

edit: oops! already in sticky status.
« Last Edit: December 24, 2009, 08:39:21 PM by nmb »

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #19 on: December 24, 2009, 08:38:18 PM »
Hi malware fighters,

A link to the Malware Report: http://www.besttechie.net/category/malware-report/
with removal info links for the following malware and rogues:
WinBlue Soft, Virus Sweeper, SpywareProtect 2009, Total Security, SpywareGuard 2009 and the 2008, Antivirus 360, Personal Defender 2009, Zlob,
Personal Antivirus: http://www.myantispyware.com/2009/03/18/how-to-remove-personal-antivirus-uninstall-instructions/

polonus

« Last Edit: December 25, 2009, 05:25:29 PM by polonus »

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #20 on: December 25, 2009, 03:01:25 AM »
Hi malware fighters,

If you have just experienced a svchost.exe crash, where an unknown module crashed on 0x0000000000 or an Error-bucket 738702451, then this could be due to malware but also to a module crash (browser). You could try this:
Start/Run the command called regedit.exe (Registry editor). Navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters and on the right side double-click TransportBindName, press delete and give it an empty value. That will close port 445.
Also, go to HKEY_LOCAL_MACHINE\Software\Microsoft\OLE and change the value of EnableDCOM from Y to the value N; that will close port 135.
If you know how, you may also disable NetBIOS. Restart the computer and the bug might be gone.
Or do this with a tool called wwdc: http://www.softpedia.com/get/Security/Firewall/Windows-Worms-Doors-Cleaner.shtml

polonus

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8788
Re: Malware fixes and work-arounds!
« Reply #21 on: December 25, 2009, 03:11:44 AM »
@ polonus

My DSL modem closes ports 135 and 445 so that tweak is unnecessary.

Quote
GRC Port Authority Report created on UTC: 2009-12-25 at 02:10:28

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
                            119, 135, 139, 143, 389, 443, 445,
                            1002, 1024-1030, 1720, 5000

    0 Ports Open
    0 Ports Closed
   26 Ports Stealth
---------------------
   26 Ports Tested

ALL PORTS tested were found to be: STEALTH.

TruStealth: PASSED - ALL tested ports were STEALTH,
                   - NO unsolicited packets were received,
                   - NO Ping reply (ICMP Echo) was received.
https://www.grc.com/x/ne.dll?bh0bkyd2

wwdc does not work on Windows 7
« Last Edit: December 25, 2009, 03:15:09 AM by YoKenny »
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #22 on: December 25, 2009, 04:17:39 PM »
Hi YoKenny,

The newer operating systems like Vista and W7 have more protection aboard here.
wwdc is for users of XP SP3, an OS which should only be run securely with normal user rights and utmost caution, so that it will not become the malware ghetto system, a situation for the coming years that has been predicted by anti-malware vendors.

polonus

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #23 on: December 25, 2009, 04:32:51 PM »
Hi malware fighters,

Regedit won't work, and this could be because you, an administrator or malware intervened.

Unless you or an administrator has applied this policy in your system for the users,
it is safe to have freefixer or HijackThis fix this entry (one of the so-called O7 restrictions):

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
(there could also be one or more additional O4 entries involved with worms and trojans of this sort)

The malcreants changed a registry key without the victim noticing,
so one can no longer access regedit.

It is a component of malware or spyware,
you should immediately remove it using an antivirus and antispyware program.
If that does not help, then ask us for help in the forum.
Name of trojan activity: DisableRegedit
HijackThis Category: O7
HijackThis Line:

O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Description: Disabled Regedit tools is a signature of trojan activity

How to remove: Use HijackThis, freefixer or Use Malwarebytes Antimalware

A work-around is to download freefixer.
You find it here: (http://www.freefixer.com/static/freefixersetup.exe).
Install, perform a scan and maybe you encounter this item:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

That is the cause of your predicament. Select this item and click "fix checked"
and then restart your computer.

How to use MBAM here:
Download MalwareBytes' Anti-Malware: http://www.besttechie.net/mbam/mbam-setup.exe
then download it onto your desktop.
Double click mbam-setup.exe to install the program.

See to it that after install there are tags next to:
Update MalwareBytes' Anti-Malware
Start MalwareBytes' Anti-Malware
Then click "Finish".
Whenever an update is available , that will be downloaded and installed.
As soon as the program is started, go to the tab window "General Settings".
Here you tag: "Close Internet Explorer during removal of malware".
Then go to tab window "Scanner", choose "Quick Scan".
Then click "Scan" to start the scan.
Scanning may take a while so be patient.
When the scan has finished, you click OK, then click "View results" to see the results.
See to it that everything is tagged there, and then click: "Remove selected".
After removal a log will open and you will be asked to restart the computer.
The log will automatically be saved by MalwareBytes' Anti-Malware
and can be found by clicking the "Logs" tab inside the program.

Now a practical example description of a worm that disables regedit in this fashion, and how to remove it, can be found here:
http://www.quickheal.co.in/alerts/archives/alerts-Worm-VB-jp.asp

polonus

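As an added example (not code from this thread), the following PowerShell script audits the registry values discussed in Reply #20 (TransportBindName and EnableDCOM, ports 445 and 135) and in Reply #23 (the O7 regedit restriction), and with -RestoreRegedit removes the restriction; it assumes Windows PowerShell 2.0 or later run from an elevated prompt.

```powershell
# Added example, not code from the thread: audit the registry values discussed in
# Reply #20 (ports 135/445) and Reply #23 (O7 regedit restriction).
# Assumes Windows PowerShell 2.0 or later; run elevated so HKLM can be read and changed.
param([switch]$RestoreRegedit)   # pass -RestoreRegedit to remove the O7 restriction

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist, instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# DisableRegedit is the label used in the post; DisableRegistryTools is the value name
# written by the Windows policy "Prevent access to registry editing tools". Check both.
$valueNames = @('DisableRegedit', 'DisableRegistryTools')

foreach ($key in $policyKeys) {
    foreach ($name in $valueNames) {
        $v = Get-RegValue $key $name
        if ($v -ne $null -and $v -ne 0) {
            Write-Output "O7 - $key, $name=$v"
            if ($RestoreRegedit) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "    removed $name; regedit access restored for this hive"
            }
        }
    }
}

# Reply #20 settings: an empty TransportBindName closes port 445, EnableDCOM=N closes port 135.
$tbn  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'TransportBindName'
$dcom = Get-RegValue 'HKLM:\Software\Microsoft\OLE' 'EnableDCOM'
if ([string]::IsNullOrEmpty($tbn)) { Write-Output 'TransportBindName: <empty> (port 445 closed)' }
else { Write-Output "TransportBindName: $tbn (port 445 still bound)" }
if ($dcom -eq 'N') { Write-Output 'EnableDCOM: N (port 135 closed)' }
else { Write-Output "EnableDCOM: $dcom (DCOM enabled, port 135 open)" }
```

Run it without the switch first to see what is set; only use -RestoreRegedit when you are sure no administrator applied the policy deliberately, as the post says.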

Offline balzarini_marzia

  • Newbie
  • *
  • Posts: 2
Re: Malware fixes and work-arounds!
« Reply #24 on: December 27, 2009, 04:56:46 PM »
Hello, I recently downloaded avast 4.8 home edition but I always get this message: avast: allarme nel controllo della posta. avast non sarà capace di proteggere la posta in arrivo (protocollo IMAP), la posta in uscita (POP3) e le news (NNTP protocol). Errore: 10022. Controllare che lo scanner di posta elettronica non sia bloccato dal firewall. What can I do? Please help me!!!!

Offline nmb

Re: Malware fixes and work-arounds!
« Reply #25 on: January 01, 2010, 03:48:24 PM »
The Undeletable SafeBoot Key

Hello friends,

Quote
I present you a new program to create the SafeBoot registry key with special permissions protecting it from deletion. After using this new program, you’ll be able to restore the SafeBoot registry keys with my .REG files.

Many malware deletes the SafeBoot registry key to prevent you from booting into Safe Mode. I provide a registry fix to restore these keys.

here: Didier Stevens' blog

Hope it helps all malware fighters.

Thanks
nmb

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #26 on: January 02, 2010, 01:48:59 PM »
Hi nmb,

We can read each others minds, look here: http://forum.avast.com/index.php?topic=52960.msg448960#msg448960
With additional comments,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #27 on: January 07, 2010, 07:40:09 PM »
Hi malware fighters,

Cloaked malware. Eradication: see the procedure described here: http://techver2.blogspot.com/2009_11_22_archive.html

polonus

« Last Edit: January 07, 2010, 07:45:09 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Malware fixes and work-arounds!
« Reply #28 on: January 09, 2010, 01:48:29 PM »
Hi malware fighters,
Protection against Samy's NAT traversal exploit with NS inside Fx

If you want to change ABE, you should select, copy and paste this rule with Notepad:

# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site https?://[^/]+:[0-35-7]
Deny

What to do next:

Navigate via NoScript, Options, Advanced to the tab window ABE. There left-click USER and then the button Change; a prompt will pop up saying no file can be coupled to ABE. Choose the last option with the text "select a program within the list of installed programs" and search for Notepad. Paste the rule at the top inside Notepad. When closing Notepad choose Save. Click OK. The rule has now been added. Click OK to close the Options and save all.
You are now fully protected against router traversal...
(Courtesy of NS's Giorgio Maone, with thanks)

polonus
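To see what the ABE rule above actually denies, here is an added example (not NoScript's code and not from the thread) that extracts the Site pattern from the rule text and tests it against constructed sample URLs; it assumes ABE matches the Site pattern as a regular expression from the start of the request URL.

```powershell
# Added example, not NoScript's code: apply the ABE rule from the post to sample URLs
# to see which ports it denies. Assumption: ABE evaluates the Site pattern as a
# regular expression matched from the start of the request URL.
$abeRule = @'
# NAT Pinning blockage (blocks outbound HTTP traffic to unlikely ports)
Site https?://[^/]+:[0-35-7]
Deny
'@

function Get-AbeSitePattern([string]$RuleText) {
    # First "Site <pattern>" line of the rule; comment lines start with '#'.
    foreach ($line in ($RuleText -split "`r?`n")) {
        if ($line -match '^\s*Site\s+(\S+)') { return $Matches[1] }
    }
    return $null
}

function Test-AbeDeny([string]$Pattern, [string]$Url) {
    # Deny when the Site pattern matches at the beginning of the URL.
    return [regex]::IsMatch($Url, '^(?:' + $Pattern + ')')
}

$pattern = Get-AbeSitePattern $abeRule
# Constructed sample URLs: a LAN router on FTP, an IRC port, and ordinary web ports.
$samples = @(
    'http://192.168.1.1:21/',      # DENY  (first port digit 2 is in [0-35-7])
    'http://10.0.0.1:6667/',       # DENY  (first port digit 6)
    'http://example.com/',         # allow (no explicit port)
    'https://example.com:443/',    # allow (4 is outside the class)
    'http://example.com:8080/',    # allow (8 is outside the class)
    'http://example.com:3128/'     # DENY  (3 is inside the class)
)
foreach ($u in $samples) {
    $verdict = if (Test-AbeDeny $pattern $u) { 'DENY ' } else { 'allow' }
    Write-Output "$verdict $u"
}
```

The rule only looks at the first digit of the port, so 3128 is denied while 8080 and 443 pass; if your network relies on a port in the 0-3/5-7 ranges, the class needs adjusting.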

Offline nmb

Re: Malware fixes and work-arounds!
« Reply #29 on: January 09, 2010, 06:05:29 PM »
Protection against Samy's NAT traversal exploit with NS inside Fx

Here is the original: Hackademix

Thanks
nmb