Solved! Vista virus Ping.exe / Vista Security 2012 virus

Cathy C

Ladies & Gents:

Another round of the Internet Security malware is surfacing and it's especially insidious this time. Since AW gets a lot of Google spider hits and this happened to have been one of the sites I was on when the attack happened, I'm making sure I let people know what happened and how I was able to fix it.

Yesterday morning, I had four tabs open on IE9.0.8112 on a Windows Vista platform:
Gmail
Yahoo mail
Netmail.verizon
AW

Moments later, I started to receive the typical malware popups that appear to be a Windows Security screen. It calls itself (this round) "Windows Vista Security 2012" (insert your variant of Windows, from what I've read over the past day). If you've never encountered this type of malware before, it absolutely appears to be an official Windows notification. But Microsoft will NEVER tell you you need to "register" or that you only have a "trial version" of an internal Firewall or Security program. That's the scam. If you click on "register", you'll load a lot more problems on your computer than just the first stage.

So, DON'T CLICK ON "REGISTER"

This particular malware is a tough root trojan. It attaches primarily to your "ping.exe" file in System 32 (or 64 on Windows 7). This is a necessary file so it can't simply be deleted. It also attaches to your virus protection. It doesn't disable it, but fuses to it. Trend Micro won't find it. Norton won't either. Nor will McAfee. Malwarebytes struggled with it.

Here's what it does when the virus starts:
If you go to Control Panel > Internet Options, you'll discover that no matter what your original security setting was, it has changed to "Accept all Cookies" and the pop-up blocker has been disabled. If you had a whole list of Restricted Sites (like I do), they've all disappeared. New sites with no names, just an http:// and an IP address, have been added to your Trusted Sites section.

And then your hard drive starts going nuts. It will start running non-stop at high speed. This is apparently a particular problem with this virus because it'll keep your CPU running at 100% on itself for so long it can burn out your fan.

I immediately disconnected my network cable, which prevented the malware from contacting itself, and shut down the computer. If you're unable to get the start button to pop up because it's gone too far, just unplug it.

Now, you'll need to get to an uninfected computer to go through the next steps and you'll need a flash drive or writeable CD. You'll also need a backup of your existing virus software.

There are a hundred or so tech sites on the web and I visited about half. Each has part of the answer, so I thought I'd condense the information into one place for non-techies like me whose eyes glaze over at the sight of virus logs.

First, don't bother to restart into Safe Mode. It didn't help. Not a bit. It happened so fast, that everything was already compromised before I could even shut down the computer. Just close the programs you have open and take a deep breath because you're screwed. Plan on enduring the next 7-8 hours of pain because it'll take at least that long.

If you visit MSN to get help, you'll get redirected to http:// www[dot]bleepingcomputer[dot]com/virus-removal/remove-win-7-antispyware-2012 (obviously, remove all spaces and [dot]s when entering). Scroll down a long way and you'll find links to download two files:
FixNCR.reg
mbam-setup.exe

These two programs will need to be loaded onto a flash drive or CD. You'll need to reboot the computer and have the flash drive/CD inserted when you boot. Running FixNCR will disable the malware from interfering with what you're about to do next.

Running mbam is an installation of Malwarebytes software. If you're already running Malwarebytes, know that the program is already infected and compromised! You need to download a new version. You'll also need to uninstall your current virus protection software and reinstall it, so make plans to do that now. If you don't have a backup disc, go back to the website you bought it from and download a backup to a flash drive or CD.

Run Malwarebytes to do a full scan as soon as it finishes loading and updating. It takes a LOOONG time. Go get some coffee and take another deep breath. It will remove some of the obvious problems, but not the registry root_key issues.

Meaning = you've only just begun.

It's during the reinstallation of the virus software that things get interesting. Here's what you need to do right before you click to reinstall the virus protection:

1. Go to Task Manager > Processes. Click on any instance of "Ping.exe" and click "End Process." This is important. Next, open Control Panel > Internet Options > Privacy. Reset the Internet Zone Setting to "Block All Cookies". Hit "Apply" but DO NOT hit "OK". You need to leave this screen open because the virus is going to try to reverse the setting many times during the next four steps. If you see it drop to "Accept all cookies" raise it back up. Continue to battle with it until it doesn't do it anymore.

2. Skip over a tab to the left to "Security". Click on the "Restricted Sites" and "Sites" button. This will open a new screen where you can enter in sites the internet isn't allowed to visit. THIS IS CRITICAL TO THE NEXT STEP. Pop back and forth between Security and Privacy pages because you have to do steps 1 and 3 simultaneously (but can't open the same screen twice).

3. You'll see your virus software block outgoing attempts to access the internet. As each website comes up, enter the address into the Restricted Sites box and click "Add". There will be a lot of them. I had nearly a hundred attempts to access over twenty different sites. What this is going to do is make it easier for the virus protection to load without being tainted by the virus. Windows Firewall and Virus Firewall working in tandem.

4. Once the virus software is loaded, it'll want to update on the web and then scan. Again, walk away and have some more coffee (or, more likely, a long leisurely dinner). When it's completed, you're still not home free.

Go back to Bleepingcomputer[dot]com/combofix/how-to-use-combofix

ComboFix is a tough little program and it WILL fix the problem. You load it onto your desktop (it MUST be your desktop, not your C:\ drive. It won't work otherwise.) You'll find two links. One says "you'll have to save as". If you speak Spanish as a first language, use that one. Otherwise, use the first one.

It loads very quickly onto your desktop. Double clicking it will open a DOS shell box. It'll unpackage itself and start to scan. It starts in the registry and will probably immediately find the program that's infected. Write down the name of the Trojan so you have it for later because I made the mistake of thinking it would keep a log of it. Um, nope.

You're close, but not done yet. It tells you that if you still can't access the internet to run it again. What I discovered is that because it discovered a trojan and fixed it, it never went any further. You need to reboot and then run ComboFix a SECOND time in order for the full program to run to the point of getting rid of the rest of the instances of the malware virus and creating a log. This will take as long as the Malwarebytes search. Go to sleep. Start again in the morning.

Reboot fully and look at Task Manager. "Ping.exe" shouldn't be running anymore. Your Restricted Sites should be set on High and your Privacy should also be on Block All Cookies. You can try lowering them to their normal settings and see what happens. So far, I'm staying on High until I'm positive it's completely gone.

So far, I've lost access to five different programs, and ComboFix and Malwarebytes have restricted my access to several database programs at work. I'll have to reinstall with the help of the software's IT guys. But it's not as bad as it could be. I still have control of everything else.

Yes, I'm bloodied and sore from the battle, but my computer isn't redirecting to weird places and hijacking my every program anymore.

Hope this helps a few of you.
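An added read-only check, not from Cathy's post or from any tool she names: a PowerShell audit of the three symptoms she describes (a lingering ping.exe process, nameless IP entries in Trusted Sites, and cookie/pop-up settings reset). The registry paths are Internet Explorer's zone-map and Internet-zone privacy keys, assumed here rather than taken from the thread.

```powershell
# Added defender-side audit, not from the thread: read-only, it only reports the
# indicators the post describes. Run in PowerShell on the suspect machine.
# Registry locations are IE's zone-map and zone-3 privacy keys (assumed, not from the post).
$sys32      = Join-Path $env:SystemRoot 'System32'
$ieSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# 1. ping.exe is a short-lived System32 tool; a persistent instance, or one running
#    from any other path, is the first symptom the post names.
function Get-SuspectPing {
    Get-Process -Name ping -ErrorAction SilentlyContinue | ForEach-Object {
        $fromSys32 = $_.Path -and $_.Path.StartsWith($sys32, 'OrdinalIgnoreCase')
        [pscustomobject]@{ Pid = $_.Id; Path = $_.Path; OutsideSystem32 = -not $fromSys32 }
    }
}
# 2. ZoneMap\Domains\<domain>\<sub> and ZoneMap\Ranges\RangeN each carry a DWORD per
#    scheme (http, https, *) whose value is the zone: 2 = Trusted, 4 = Restricted.
#    The post found nameless http:// IP entries added to Trusted Sites.
function Get-TrustedSiteEntries {
    foreach ($k in Get-ChildItem "$ieSettings\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $k.PSPath
        $parts = @($k.Name.Substring($k.Name.IndexOf('\Domains\') + 9) -split '\\')
        [array]::Reverse($parts)   # example.com\www -> www.example.com
        foreach ($s in 'http', 'https', '*') {
            if ($p.$s -eq 2) { [pscustomobject]@{ Entry = ($parts -join '.'); Scheme = $s; Kind = 'host' } }
        }
    }
    foreach ($k in Get-ChildItem "$ieSettings\ZoneMap\Ranges" -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty $k.PSPath
        foreach ($s in 'http', 'https', '*') {
            if ($p.$s -eq 2) { [pscustomobject]@{ Entry = $p.':Range'; Scheme = $s; Kind = 'IP range' } }
        }
    }
}
# 3. Internet zone (Zones\3) cookie actions 1A02/1A03/1A05/1A06 (first/third-party,
#    persistent/session): 0 = allow, 1 = prompt, 3 = block; a missing value is read as 0.
#    All four allowing is "Accept All Cookies". PopupMgr is the pop-up blocker switch.
function Get-PrivacyState {
    $z = Get-ItemProperty "$ieSettings\Zones\3" -ErrorAction SilentlyContinue
    $cookies = foreach ($v in '1A02', '1A03', '1A05', '1A06') { [int]$z.$v }
    $pm = (Get-ItemProperty "HKCU:\Software\Microsoft\Internet Explorer\New Windows" -ErrorAction SilentlyContinue).PopupMgr
    [pscustomobject]@{
        AcceptsAllCookies = ($cookies -notcontains 1) -and ($cookies -notcontains 3)
        PopupBlockerOn    = ($pm -eq 1) -or ("$pm" -eq 'yes')   # DWORD in IE7+, "yes"/"no" in IE6
    }
}

Get-SuspectPing | Format-Table -AutoSize
Get-TrustedSiteEntries | Format-Table -AutoSize
Get-PrivacyState
```

If the machine is configured to use machine-wide zone settings, the same keys live under HKLM: instead of HKCU:, so run the audit against both hives.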

Williebee

Congrats on your victory. (Fun, ain't it?) :sarcasm

The portable version of SuperAntiSpyware does a good job on the odd "Windows Security" scamwares also.

It's free. Again, you download it to a USB drive and plug the USB drive into the infected machine. (Depending upon the variant of trojan and how long it has been on the computer. Several of them will disable the USB ports.) Run it from the USB drive. It takes a while.
 

LilGreenBookworm

I've been hit by the Windows Security 2012 thing twice now, so thank you times a million for the info.
 

kuwisdelu

Out of curiosity, were you running as an administrator or a regular user account?
 

MacAllister

(And just for the record, for our less tech-savvy users, this is NOT a malware infection anyone can possibly get from AW. It isn't compatible with our server. :) However, whenever you're opening any new page in your browser, or sometimes simply switching from tab to tab, it can jostle your AV software to send up the warning flags. )

kuwisdelu

I don't use Windows so I don't know it, but it might be helpful if someone who does could remind others of the keyboard shortcut to close such pop-up windows without risking clicking on them.
 

Cathy C

> (And just for the record, for our less tech-savvy users, this is NOT a malware anyone can possibly get from AW. It isn't compatible with our server. :) However, whenever you're opening any new page in your browser, or sometimes simply switching from tab to tab, it can jostle your AV software to send up the warning flags. )


Oh absolutely! I didn't mean to imply otherwise. I actually don't know where I got it. I noticed on the various boards that some pretty tech savvy people are getting it too in the past week or so, so it might be the first wave of a bigger problem. Plus, earlier versions haven't been this destructive to the CPU so I thought it was worth mentioning :)
 

Williebee

> I don't use Windows so I don't know it, but it might be helpful if someone who does could remind others of the keyboard shortcut to close such pop-up windows without risking clicking on them.

Windows Geek info:

It is rarely advisable to hit the red X when a pop-up window opens on your screen. Many malware and scareware programs have turned that X into a link to something more malicious.

In Windows land CTRL-W will usually close the active window. If it is the only window open, it will close the browser. (When you have several programs/browser windows open the active one is usually the one with the bright version of the blue bar -- or whatever color your theme is set to, on the top.)

Alt-F4 will close the active window, or close an active program that is running.

Go ahead, give it a test drive. Open your word processor (Word, LibreOffice, whatever), now, without a document open, hit Alt & F4 at the same time. Voilà.

Now open a new instance of your internet browser (Chrome, Firefox, IE - if you must :O) ) and, with it up front, press CTRL & W at the same time. Voilà, again.

PLEASE NOTE: THIS MAY NOT ALWAYS WORK. The more advanced of the malware creators code their offerings to block these keystroke commands.

Disclaimer: As always YMMV, Void where prohibited by flying monkey or the ghost of Steve Jobs.

Matera the Mad

> I don't use Windows so I don't know it, but it might be helpful if someone who does could remind others of the keyboard shortcut to close such pop-up windows without risking clicking on them.

ALT + F4

And keep hitting it until all Idiot Exploder windows are dead.
 

Alessandra Kelley

Eek, Cathy, and well solved.

On Macs you close windows with a different combo which I got totally wrong but thankfully kuwisdelu fixed it for me.

Those big red X'es on pop-up windows worry me.