Author Topic: Malware fixes and work-arounds!  (Read 108347 times)


Offline Dch48

  • Massive Poster
  • ****
  • Posts: 3152
Re: Malware fixes and work-arounds!
« Reply #60 on: July 30, 2010, 11:49:38 PM »
Question--- I didn't do any fixes for the lnk problem so I'm good there but I did apply the workaround for the previous problem with the HCP protocol. I backed up the registry keys that it said to delete. Now that the patch has been applied, can I just reinsert those keys? They still are not present in my registry so HCP is still disabled. I have not encountered any problems since disabling it so maybe I should just wait until something says I need to enable the protocol?
Avatar FX6327X desktop, FX-6300 CPU, RX 470 GPU, 8GB RAM, Windows 10 Home 64 bit
HP dv6-6140us laptop, A8-3500M APU, 8GB RAM, Windows 7 Home Premium 64 bit
RCA W101 v2 10" tablet, Intel Atom Bay Trail Z3735F processor, 2GB RAM, Windows 10 Home 32 bit

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31953
  • malware fighter
Re: Malware fixes and work-arounds!
« Reply #61 on: July 30, 2010, 11:58:49 PM »
Well Dch48,

Well, the sound policy is always: if there is a security hole, apply the MS fix, NEVER go for a third party solution (MS and I advise you not to do that, and they know their backyard best); if the official update patch comes before applying the patch, you should undo the temporary fix. If you haven't applied any MS fix then do nothing, just update and voila. As they see that more and more malcreants are abusing the "shortcut" vulnerability, they apparently decided to come up with an out-of-band solution for the problem coming Monday. You can enable HCP if you need this; if you do not need a service, do not install it. The fewer services you have installed, the smaller the vulnerability surface; it is a good security measure. Some do not need Java: do not install it. Some install VLC Media Player; they do not need other media players. So also be lean on plug-ins; just take aboard what is essential for your private computer experience,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline AntDude

  • Jr. Member
  • **
  • Posts: 64
Re: Malware fixes and work-arounds!
« Reply #62 on: August 01, 2010, 07:24:20 PM »
Yeah :) I have seen the LNK:Runner in the vps update history ;)

Thx

Yeah, you are right :)

16.7.2010 - 100716-0  LNK:Runner
17.7.2010 - 100717-1  LNK:Runner-A, LNK:Runner-B
25.7.2010 - 100725-0  LNK:Runner-T

Greetz, Red.
Awesome. I have an old client who still uses an old Windows 2000 SP4 with all updates. MS dropped its support last month (actually two months ago since there were no updates last month :(). He currently runs the latest Avast Free on it. I'm glad that this is protected. :)

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31953
  • malware fighter
Re: Malware fixes and work-arounds!
« Reply #63 on: August 01, 2010, 10:18:51 PM »
Hi forum friends,

Probably tomorrow MS will patch the shell32.dll file with the out-of-band patch because the hole is situated there,

polonus

Offline Mele20

  • Full Member
  • ***
  • Posts: 104
  • I'm a llama!
Re: Malware fixes and work-arounds!
« Reply #64 on: August 02, 2010, 03:39:21 AM »
Well Dch48,

Well, the sound policy is always: if there is a security hole, apply the MS fix, NEVER go for a third party solution (MS and I advise you not to do that, and they know their backyard best); if the official update patch comes before applying the patch, you should undo the temporary fix. If you haven't applied any MS fix then do nothing, just update and voila. As they see that more and more malcreants are abusing the "shortcut" vulnerability, they apparently decided to come up with an out-of-band solution for the problem coming Monday. You can enable HCP if you need this; if you do not need a service, do not install it. The fewer services you have installed, the smaller the vulnerability surface; it is a good security measure. Some do not need Java: do not install it. Some install VLC Media Player; they do not need other media players. So also be lean on plug-ins; just take aboard what is essential for your private computer experience,

polonus

Ahem. Not all of us have XP SP3 or Vista or Win 7. I run XP Pro SP2 and have no intention of risking upgrading an extremely heavily used 4.5 year old desktop. It will remain at SP2.

I was quite puzzled by Virus Total's report when I would submit the two files from the POC to VT every day, or so, to see who was able to detect it. On VT, Avast showed as NOT detecting the nastiest of the two tests (suckme) but just detecting the dll.dll. I was on my Host XP machine that runs Avira 8 so I started my Vista virtual machine where I have Avast and downloaded the POC to that machine also. Then I was able to see that Avast was detecting in a different manner than Avira (which has separate signatures for the two tests) and I assume this is why VT doesn't show Avast (and a number of other vendors) as detecting the suckme file. Avast detects both and detects when downloading the .RAR file also, but it doesn't show that on VT.

Anyhow, my main machine will not be protected by Microsoft's patch unless they do something other than patching shell32.dll. If they patch that then the SP3 patch will not work on SP2.

Offline Dch48

  • Massive Poster
  • ****
  • Posts: 3152
Re: Malware fixes and work-arounds!
« Reply #65 on: August 02, 2010, 05:03:09 AM »
Sorry but there just is no good or sound reason not to be using SP3. It performs better than SP2 in all aspects besides the security matters.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82290
  • No support PMs thanks
Re: Malware fixes and work-arounds!
« Reply #66 on: August 02, 2010, 05:13:30 AM »
@ Mele20
Having SP3 shouldn't put any more load on your resources (CPU and RAM) than XP SP2. I certainly didn't find any noticeable difference when I updated on my old system. Yes, it may well take up more hard disk space, but not a huge amount more.

Without SP3 you have no future security updates period.

Unfortunately the VT scan doesn't test all of avast's resident shields, one of the most proactive being the web shield's detection.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.544) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3624
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: Malware fixes and work-arounds!
« Reply #67 on: August 02, 2010, 08:44:20 PM »
Hi forum friends,

Probably tomorrow MS will patch the shell32.dll file with the out-of-band patch because the hole is situated there,

polonus

The patch is available thru Microsoft update :

http://www.microsoft.com/technet/security/bulletin/MS10-046.mspx

Greetz, Red.
OS: Win 7 x64 SP1 / Ubuntu / Qubes OS / iOS
Real Time: Avast Premier Beta + AMS for iOS Beta WinPatrol Plus Unchecky MCShield  HOSTS File: MVPS + MDL
On Demand: MBAM SUMo
Backup: Win 7 Image
Proxy: ASL VPN's Socks 5 Tor

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31953
  • malware fighter
Re: Malware fixes and work-arounds!
« Reply #68 on: September 01, 2010, 01:05:22 AM »
How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and incapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
2. Click the "Processes" tab.
3. Select "IAInstall.exe" from the list of processes and click "End Process" at the bottom of the window. Select "IAvir.exe" from the list of processes and click "End Process" at the bottom of the window.
4. Close the Task Manager.

Remove Registry Entries
1. Go to the "Start" menu, type "regedit" in the "Start Search" box and hit "Enter" to start the Registry Editor.
2. Browse to and delete the following registry entries:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Internet Antivirus" = ""C:\program files\Internet Antivirus\IAvir.exe" /s"
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"3P_UDEC_IA:" = ""[Installer Path]\IAInstall.exe" 0;C;"
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"iv:" = """C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe"""
3. Close the Registry Editor.

Delete Files
1. Go to the "Start" menu, type "Internet Antivirus" in the "Start Search" box and hit "Enter."
2. Delete all search results.
3. Restart your computer.

pol
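Added here as an example and not part of polonus's post or of any tool he names: a PowerShell audit of the indicators the removal steps above list (the two process names, the three HKCU autorun values, and the iv.exe path from the last registry entry). By default it only reports; the -Remove switch, which honours -WhatIf, and the output layout are my own assumptions, while every process name, key path and value name comes from the post.

```powershell
# Audit (and optionally clean) the Internet Antivirus indicators from the post.
# Get-Process does not depend on taskmgr.exe, so it still works when the fake AV
# blocks the Task Manager. Run as the affected user (the keys are under HKCU).
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)   # assumed switch: without it nothing is changed

# Process names from the "End System Processes" step, plus iv.exe from the registry entry.
$processNames = @('IAvir', 'IAInstall', 'iv')

# Autorun locations and value names from the "Remove Registry Entries" step.
$autoruns = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';                   Name = 'Internet Antivirus' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce';               Name = '3P_UDEC_IA:' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'; Name = 'iv:' }
)

$findings = @()

# 1. Running processes.
foreach ($p in Get-Process -Name $processNames -ErrorAction SilentlyContinue) {
    $findings += [pscustomobject]@{ Type = 'Process'; Where = "PID $($p.Id)"; What = $p.Path }
    if ($Remove -and $PSCmdlet.ShouldProcess("PID $($p.Id) ($($p.ProcessName))", 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Autorun values. A missing key or value is simply skipped, not an error.
foreach ($a in $autoruns) {
    if (-not (Test-Path -LiteralPath $a.Key)) { continue }
    $item = Get-ItemProperty -LiteralPath $a.Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or $null -eq $item.PSObject.Properties[$a.Name]) { continue }
    $cmd = $item.($a.Name)
    $findings += [pscustomobject]@{ Type = 'Autorun'; Where = "$($a.Key)\$($a.Name)"; What = $cmd }
    if ($Remove -and $PSCmdlet.ShouldProcess("$($a.Key)\$($a.Name)", 'Remove-ItemProperty')) {
        Remove-ItemProperty -LiteralPath $a.Key -Name $a.Name
    }
}

# 3. Files referenced by those autorun values (first quoted .exe path), giving the
#    "Delete Files" step a concrete list instead of a Start-menu search.
foreach ($f in @($findings | Where-Object { $_.Type -eq 'Autorun' })) {
    if ($f.What -match '"([^"]+\.exe)"') {
        $path = $Matches[1]
        # -LiteralPath: the post's "[Installer Path]" placeholder would otherwise be read as a wildcard.
        $findings += [pscustomobject]@{ Type = 'File'; Where = $path; What = "exists=$(Test-Path -LiteralPath $path)" }
    }
}

if ($findings.Count -eq 0) { 'No Internet Antivirus indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it once without -Remove to confirm the findings match the post's list, then with `-Remove -WhatIf` to preview, and finally with `-Remove`.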

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31953
  • malware fighter
Re: Malware fixes and work-arounds!
« Reply #69 on: September 07, 2010, 07:29:40 PM »
Hi forum friends,

For Winsock connection problems through malware etc. on XP/W2000, here is a pre-Winsock Fix; install from http://www.visualtour.com/downloads/xp_fix.exe
Then go here to download the Winsock Fix: http://www.visualtour.com/downloads/xp_fix.exe
(The pre-Winsock fix is for the case where the Winsock Fix is not supported.)

For Vista we have this info: http://www.mydigitallife.info/2007/06/18/repair-and-reset-windows-vista-tcpip-winsock-catalog-corruption/

and for W7: http://windows7themes.net/repair-reset-winsock-windows-7.html

polonus

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1054
  • Proud Community Member&Helper.
Re: Malware fixes and work-arounds!
« Reply #70 on: September 19, 2010, 11:32:46 AM »
How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and incapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
2. Click the "Processes" tab.
3. Select "IAInstall.exe" from the list of processes and click "End Process" at the bottom of the window. Select "IAvir.exe" from the list of processes and click "End Process" at the bottom of the window.
4. Close the Task Manager.

Remove Registry Entries
1. Go to the "Start" menu, type "regedit" in the "Start Search" box and hit "Enter" to start the Registry Editor.
2. Browse to and delete the following registry entries:
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Internet Antivirus" = ""C:\program files\Internet Antivirus\IAvir.exe" /s"
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\"3P_UDEC_IA:" = ""[Installer Path]\IAInstall.exe" 0;C;"
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\"iv:" = """C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\iv.exe"""
3. Close the Registry Editor.

Delete Files
1. Go to the "Start" menu, type "Internet Antivirus" in the "Start Search" box and hit "Enter."
2. Delete all search results.
3. Restart your computer.

pol


Sometimes the new fake AVs like NAVa SHIEld or other AVs block the Task Manager; in this case they must download procexp.
picture:

AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82290
  • No support PMs thanks
Re: Malware fixes and work-arounds!
« Reply #71 on: September 19, 2010, 02:42:44 PM »
@ Left123
When posting images, please crop the image to show only what is relevant and reduce the file size (that will make it small enough to attach to the post as opposed to having a direct link), not everyone viewing the images is using broadband.

I don't know why you felt you needed to quote the whole of Polonus's post; just reference the relevant part. You make a valid point that the Task Manager might not be available; the other information is in the original post. These two options reduce the need for huge amounts of scrolling.

How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and incapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
<snip>

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1054
  • Proud Community Member&Helper.
Re: Malware fixes and work-arounds!
« Reply #72 on: September 19, 2010, 03:40:34 PM »
@ Left123
When posting images, please crop the image to show only what is relevant and reduce the file size (that will make it small enough to attach to the post as opposed to having a direct link), not everyone viewing the images is using broadband.

I don't know why you felt you needed to quote the whole of Polonus's post; just reference the relevant part. You make a valid point that the Task Manager might not be available; the other information is in the original post. These two options reduce the need for huge amounts of scrolling.

How to delete a fake av:
The Internet Antivirus spyware generates fake and misleading system scan messages on an infected computer. The scans show viruses and other malware found on your hard drive. The messages also urge you to pay for the full version of the Internet Antivirus application to remove these and future threats. However, Internet Antivirus is a scam targeted at inexperienced users because the software is fake and incapable of removing any viruses. Delete this dangerous spyware immediately upon detection.
Difficulty: Moderate
Instructions

End System Processes
1. Press the "Ctrl," "Shift" and "Esc" keys at the same time to start the Task Manager.
<snip>


About the quote, you are right. I don't know how to attach an image; shall I upload the pic and post the link next time?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82290
  • No support PMs thanks
Re: Malware fixes and work-arounds!
« Reply #73 on: September 19, 2010, 04:33:42 PM »
When you click the Reply button, there is an Additional Options link, this expands the options to attach a file, that can be an image file or a text file (.log or .txt). Also see How to post an Image.
« Last Edit: September 19, 2010, 04:35:24 PM by DavidR »

Online polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31953
  • malware fighter
Re: Malware fixes and work-arounds!
« Reply #74 on: April 01, 2011, 11:09:04 PM »
Applied in a recent Fake-AV malware cleansing. To remove this completely, in certain cases it is best to combine MBAM and SAS.

MBAM: Trojans will block the downloading and installation of MBAM. If this happens, download it from a known clean computer, update, and rename the executable file before executing it on the infected computer.
Download MBAM free from here: http://www.malwarebytes.org/mbam-download.php
Then do a separate scan with another security program so that other infected files not detected by the anti-virus application can be removed as well. Download and run SuperAntiSpyware Portable Scanner. Download and instructions to be found here: http://www.superantispyware.com/portablescanner.html
Both tools can be downloaded from a known clean computer onto a USB stick and run on the infected computer.
Hope this could help other users as well,

polonus