Posted on 08/11/2010 2:55:05 AM PDT by Yosemitest
I tried to block it and delete the infected files, but that just set off an attack against my computer, which caused me to reload from backup several times.
How do I get rid of this nightmare, and prevent it from coming back?
sounds like a trojan virus that unloads a bunch of them at once.
I was able to delete the ones I got from a packet even though at startup I still get a message that something can’t be found.
I just used Malware Bytes
You can boot from a Linux Cd and then save all the files you want on Memory sticks. Then do a Windows recovery.
I googled it and found a few sources saying it was a false positive.
It's a valid trojan so never mind about the false positive. Manual removal instructions here http://www.spywareremove.com/removePackedWin32Krapag.html
It will log key strokes and download other software.
Do a boot time scan and your AV should remove it.
On a non-infected box,
Grind it to cd... It is in ISO format, so you need to know how to grind a CD from a file.
BitDefender.com: "How to create a BitDefender Rescue CD"
Boot to the disk, and scan the affected computer.
kb.BitDefender.com:"Using the BitDefender Rescue CD"
BitDefender's clean up engine is pretty effective. It is Linux, but the AV pops up when the boot is done, so all you really need to do is press its start button...
This is just like in the old days... One needs the native OS to be off-line to kill the bugger, so one must use a boot disk.
I have other solutions if this one doesn't work, but they all require a miniaturized Windows platform to run from - Something Joe-user would have a hard time putting together... Lemme know.
1. for surfing the net, make another account w/o administrative permission. Only use this account to surf with. IF I get any malware, I delete that account and make a new one.
2. I have a separate little laptop that is used for banking only. NOTHING ELSE.
I have turned off all anti-virus and firewalls on the surfing computer. It is lightning fast :)
sfl
One other thing you should do before you run a scan. Before you boot your computer, unplug your modem cable. Some of these malware viruses download things on startup and you wind up like a dog chasing its own tail. When you are clean, plug in your cable.
malwarebytes will get rid of it, but you also need to download rkill.com. It kills the process so you can safely use malwarebytes.
If you can’t get the programs downloaded onto your computer, download them onto a clean computer and copy to a flash drive or cd-rom and then install them through safe mode.
Do the following:
1. Restart your computer, while restarting, press and hold down the F8 key. If you hear a clicking sound, release the key and immediately press it down again. Repeat until you get to a screen that lists a number of options.
2. Select start in Safe Mode with networking.
3. Select the account named administrator if possible.
4. After startup, go online and download the following programs to your desktop: RKILL http://download.bleepingcomputer.com/grinler/rkill.exe;
MALWAREBYTES: http://www.malwarebytes.org/mbam.php
5. Run RKILL; it will stop the processes.
6. Run Combofix; it will install the recovery console and update itself, and then run a full scan. Let it complete.
7. After that, install and run Malwarebytes in quickscan. That should remove the problem and fix the registry.
8. That evening, run a complete scan with Malwarebytes.
If you can’t get into the administrator account, download these files from another computer and copy them to the desktop. If you can, start in safe mode, log in to the computer and as soon as you can, run rkill, continue to try running it as soon as you see your desktop. It will kill the process and you can proceed from there.
I still get a message that something can't be found.
ping
And once you get rid of it, how do you keep it from coming back?
How did the Bitdefender boot disk go?
From inside the Native OS (these are not bootable solutions):
Kaspersky AVPTool is a cleanup engine (manual scanner, limited-time use). DLD and install per normal settings. Run the scanner (if you next'd through the install, it will be on your desktop) After completion it will ask to uninstall.
**NOTE** If you say NO, it will remain... One can run it again from within its folder on your desktop. But it MUST, MUST, MUST be run again/quit, w/ ask uninstall... Choose YES to uninstall. OTHERWISE, if the uninstaller isn't used, it will leave a low-level driver running in your box. DO NOT just delete its folder.
ELSE, just choose "YES" to uninstall in the first place.
Each time it is installed, it will have a different and unique name... This is normal, so that bugs can't detect it by its name. Not to worry.
REF: http://avptool.virusinfo.info/en/
NEXT Option:
WebDoctor Cureit is similar in function to KAV's AVPTool, in that it is a single DLD package. But it is simpler to use - Just DLD the executable and run it to fire up the scanner... Delete the executable when done.
WebDr Cureit is a pretty good scanner, but it is usually my last resort... It detects brilliantly, but very aggressively, and can come up with false positives. Be careful if it is giving you "generic" or "maybe" labeled names... It's a crapshoot as to whether they are really infected IMHO.
Try those and see. Best to run them from safe mode if you have it. Then see what is next...
And once you get rid of it, how do you keep it from coming back?
Windows: SP-3. Newest IE (whether you use it or not, PS: Don't use it, see below), Newest Media Player (whether you use it or not). ***ALWAYS ALL UPDATES***.
Firewall: Meh. At LEAST Windows Firewall running. More than that is questionable, especially if you are behind a router.
AV (Choose ONE from below):
Norton, McAfee, Trend... All are POO. Discard, slap upside head for being a dumba$$.
NOTE: McAfee and Norton do not uninstall cleanly, and you must find their respective uninstallers and run them AFTER normal uninstall/restart. Otherwise, many other AVs will not install due to their vestiges.
Everything below (except F-Protect) can be found at http://www.filehippo.com, mostly in the "Anti-malware" section.
For $$, the very BEST is Kaspersky Anti-Virus (don't need the full Internet Security version). For multiple machines, find a local dealer that can set you up with corporate KAV (way cheaper). Extremely effective, but can be heavy (fat) on older machines.
Next best, NOD32 by Eset - though if multiple machines, this gets spendy fast... Very effective, but it is very light-weight.
Next best: F-Protect: Just about as good as above, but killer good deal for multiple boxes... $30 per year buys 5 seats. Very effective, pretty light-weight. This is my house brand, though I use Kaspersky on my server and test-benches.
Honorable mention: Sophos, BitDefender.
ALL of the above have 15-30 day trials, so try them and see which you prefer. ONLY ONE AV running on the box at a time.
If $$ is a problem, FREEWARE:
Microsoft Security Essentials - Excellent protection, and probably the best AV at finding rootkits. I run this on my laptop. NOTE: Requires activated/genuine Microsoft, so if you are running bandit, never mind.
Avira Antivir (personal free): Excellent, but does not include an e-mail scanner. If you use only web mail (Yahoo, Gmail, hotmail, etc) this is a fine solution.
SPYWARE:
MUST HAVE Spybot Search and Destroy. Doesn't detect everything, but what it does, it does very well. Also has good adv. tools for start-up management, HOSTS file, etc. Note: turn off "tea-timer" on install.
AND
SuperAntiSpyware; Super all-around at spyware detection. If you are a malwarebytes fan, this could be skipped - But I think SuperAntiSpyware is better.
CLEANER:
CCleaner dumps all caches and trash with the push of a button. MUST HAVE.
Operation:
Only the AV runs in background. All others are manual scanners, so you have to run them once a week or so.
Running CCleaner first removes cookies and temp stuff, so any hits with the anti-spyware/anti-virus will be serious ones... So pay attention:
1. CCleaner
2. Spybot S&D (Update, immunize, scan, fix)
3. SuperAntiSpyware (Update, scan, fix)
4. Antivirus (manual update, manual scan, fix)
Finally, for web browser, use Firefox, or Opera. Do not use IE for surfing, though it is fine for sites you know are safe. Preference is Firefox.
For Mail, use Thunderbird, Eudora, or Pegasus. Avoid OE and Outlook, UNLESS you have a PIM that you sync to your box. Preference is Thunderbird.
Browser and mail are important. IE and OE/Outlook use ActiveX, which is a sorry way to go. Install Sun Java, and most sites will use it instead, but even displaying a message in a preview pane in OE\Outlook can get you infected (Preview uses ActiveX), and most drive-by scripts use ActiveX code to infect.
Ancillary:
Newest Adobe Flash (two installers, one for IE, one for Firefox/Opera).
Newest Adobe Shockwave (if Shockwave is installed)
Newest/update Java
I have been using the following two programs for years now. Zero problems and my computer runs like day one. I have had my computer for 8 years now and it is extremely fast.
Just get CC Cleaner which is free.
http://www.piriform.com/ccleaner
and
Advance System Care. It will be the best $18 you ever spent.
http://download.cnet.com/Advanced-SystemCare-Free/3000-2086_4-10407614.html
I'll check out what you suggested, but Online Armor++ 4.0 is my current firewall. I use CCleaner to help me get rid of bad system loads.
Spyware Terminator Advanced Mode and not trusting but a few select programs have helped me keep them at bay, but they're still on my computer.
Advanced SystemCare Pro also helps, but I found an autosweep program loaded in an obscure location that was deleting most of my security programs after a certain time limit.
I believe I've stopped that little nasty job, but I'm not confident.
I heard on Fox News that there's a new virus that's wiping out a lot of on-line banking accounts, and that's my biggest concern.
I'm seriously considering going to the pay version of Malwarebytes' Anti-Malware, but their free version, even with manual updates before I scan, didn't detect this problem.
Only Online Armor++ caught it.
I use CCleaner, and keep it updated, and I like it, but it was attacked by the "autosweep" program that this virus installed.
It took me three reloads from backup before I figured it out.