Has anyone seen this before?

anth

I had a customer bring in a laptop that was infected with malware. I was able to successfully disinfect the computer, but I was wondering if anybody has come across this type of malware so far. Once the desktop appeared, this message would fill the entire screen with no options other than to restart the computer.
 

Attachment: IMG_20110309_180207.jpg
Did you also perform the hosts file fix? I'm kicking myself because I did not do that..
 
Does anyone know what happens if you don't fix the hosts file?

Ummm :confused:... It could mean you have redirects, can't access the web, etc. etc.

I have done about 20 of these in the last 2 weeks :D

System Tool didn't edit the hosts file, so you will be OK, but it did enable the proxy connection. However, that doesn't mean that something else couldn't have edited it?? It's standard practice for most people, I think, to replace the hosts file.

If you used RKill or one of its variations, it now removes the proxy for you as well as terminating the executable.
 
There was no redirect as far as I could see; I was able to get on the internet and surf to websites without any issues, but it is definitely something I will be fixing and checking in all future repairs.

I ran HijackThis and looked at every line, and did not see anything either, which brings up another question.

When do you guys feel absolutely 110% confident that everything malicious has been removed, and you can tell your customer "it is now safe for you to do your online banking again..."?
 
I dealt with that infection over the weekend. That computer got infected 3 months ago. This time, after I removed the infection, I had no choice but to lock down the user and the browser.. Hope they don't get hit again...
 
Funny story... The place where I work in the morning just got hit with the same virus... The boss is not too happy..lol..... oh well.......
 
From what I can see, the hosts file was not changed at all on the computer I worked on today.

***Just to let you guys know, the infection I worked on today came from a fake DHL email. The person clicked on the link and she got infected. I did hear about this fake DHL email 2 days ago and it's spreading. So please tell all your clients not to open an email that is from DHL or says it is from DHL.****
 
I had one this week that was throwing a fake BSOD; haven't seen that in a while.

Haven't seen one of these for a while. The last one, if left long enough, appeared to reboot the machine. If you used Alt+Tab you could actually watch the process in a window. Nasty bit of stuff; it contained several rootkits.
 
When do you guys feel absolutely 110% confident that everything malicious has been removed, and you can tell your customer "it is now safe for you to do your online banking again..."?

When I've seen that there are no symptoms, no suspicious processes are running, no suspicious startup entries exist, scans by a normal AV and by a malware scanner (e.g. Hitman Pro or MBAM) are clean, hosts is normal, DNS is normal, no proxies are set, TDSSKiller shows nothing, the MBR is normal, there are no suspicious scheduled tasks, and there are no hooks in Kernel Detective or RKU.
 
Just got 3 in today. Both the hosts and proxies were altered on all 3.

Clients said that they got a Java 6 icon in the center of the screen prior to System Tool displaying itself. I purposely infected one of my test machines with this and experienced the same Java 6 window.
 
6 this week, 4 the previous week, and I think it was just 1 or 2 the week before that, so it's obviously starting to catch more people out round here too... it's good for business, but most people don't know how or where they've caught it...

On a side note, because we're fed up with telling people where they got the infections, we've created a 15-point list of the most common ways to catch a virus. If enough people are interested I'll share it in a separate thread and we can all add to it.
BCC
 
Never assume that all PC Tools infections are the same; scamware applications like PC Tools, WinAntivirus et al. are generic front ends that can be downloaded from the Internet and used as part of more malicious virus attacks by anyone who's minded to do so. Whenever you tackle obvious infections like this you should always search for rootkits, proxies, browser redirects, tampered hosts files and winsock anomalies.
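The post above and the earlier "when do I call it clean" checklist (hosts, DNS, proxy, startup entries, scheduled tasks, winsock) are the same handful of manual checks every time, so here they are as one script. This is an added example, not code from anyone in the thread. It assumes a Windows XP/7 box with PowerShell 2.0 or later, run from an elevated prompt; the registry keys and paths are the standard Windows locations, and the "what looks suspect" hints in the comments are my own heuristics, not something the thread states. It only reports, it does not fix anything.

```powershell
# Post-cleanup review script (added example; not from the thread).
# Assumes Windows XP/7, PowerShell 2.0+, elevated prompt. Read-only.

# 1. hosts file: print every line that is not a comment and not the
#    plain localhost entries. On a clean box this prints nothing.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host '== hosts entries other than comments and localhost =='
Get-Content $hostsPath | Where-Object {
    $_ -match '\S' -and
    $_ -notmatch '^\s*#' -and
    $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
}

# 2. WinINet proxy: the thread reports System Tool turning ProxyEnable on.
#    ProxyEnable=1 with a ProxyServer you did not configure (often
#    127.0.0.1:<port>) or any AutoConfigURL is a red flag.
Write-Host '== WinINet proxy settings (HKCU) =='
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
'ProxyEnable={0}  ProxyServer={1}  AutoConfigURL={2}' -f `
    $inet.ProxyEnable, $inet.ProxyServer, $inet.AutoConfigURL

# 3. Autostart entries in the Run keys. Values pointing into %TEMP%,
#    %APPDATA% or a random-looking folder under the user profile are the
#    usual scareware pattern.
Write-Host '== Run keys =='
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    Write-Host "-- $key"
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0} = {1}' -f $_.Name, $_.Value }
    }
}

# 4. DNS servers actually in use: should be the router/ISP, not a stranger.
Write-Host '== DNS servers =='
ipconfig /all | Select-String 'DNS Servers'

# 5. Scheduled tasks: task name plus the command it runs.
Write-Host '== Scheduled tasks (name and command line) =='
schtasks /query /fo LIST /v | Select-String 'TaskName|Task To Run'

# 6. Winsock catalog: every provider path should be a Microsoft DLL
#    under %SystemRoot%\system32 (mswsock.dll, rsvpsp.dll, etc.).
#    Anything else is a layered service provider worth explaining.
Write-Host '== Winsock catalog provider paths =='
netsh winsock show catalog | Select-String 'Provider Path'
```

Run it once before you start the clean-up and once after, and diff the two outputs; the second run is also a handy thing to attach to the job sheet when you tell the customer the machine is clean. It does not replace TDSSKiller, an MBR check or a rootkit scanner, which the checklist above still calls for.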
 