Ladies & Gents:
Another round of the Internet Security malware is surfacing and it's especially insidious this time. Since AW gets a lot of Google spider hits and this happened to have been one of the sites I was on when the attack happened, I'm making sure I let people know what happened and how I was able to fix it.
Yesterday morning, I had four tabs open on IE9.0.8112 on a Windows Vista platform:
Moments later, I started to receive the typical malware popups that appear to be a Windows Security screen. It calls itself (this round) "Windows Vista Security 2012" (insert your variant of Windows, from what I've read over the past day). If you've never encountered this type of malware before, it absolutely appears to be an official Windows notification. But Microsoft will NEVER tell you you need to "register" or that you only have a "trial version" of an internal Firewall or Security program. That's the scam. If you click on "register", you'll load a lot more problems on your computer than just the first stage.
So, DON'T CLICK ON "REGISTER"
This particular malware is a tough root trojan. It attaches primarily to your "ping.exe" file in System 32 (or 64 on Windows 7). This is a necessary file so it can't simply be deleted. It also attaches to your virus protection. It doesn't disable it, but fuses to it. Trend Micro won't find it. Norton won't either. Nor will McAfee. Malwarebytes struggled with it.
Here's what it does when the virus starts:
If you go to Control Panel > Internet Options, you'll discover that no matter what your original setting of security was, it has changed to "Accept all Cookies" and the pop-up blocker has been disabled. If you had a whole list of Restricted Sites (like I do), they've all disappeared. New sites with no names, except an http:// and IP addresses have been added to your Trusted Sites section.
And then your hard drive starts going nuts. It will start running non-stop at high speed. This is apparently a particular problem with this virus because it'll keep your CPU running at 100% on itself for so long it can burn out your fan.
I immediately disconnected my network cable, which prevented the malware from contacting itself, and shut down the computer. If you're unable to get the start button to pop up because it's gone too far, just unplug it.
Now, you'll need to get to an uninfected computer to go through the next steps and you'll need a flash drive or writeable CD. You'll also need a backup of your existing virus software.
There are a hundred or so tech sites on the web and I visited about half. Each has part of the answer, so I thought I'd condense the information into one place for non-techies like me who have their eyes glaze over at the sight of virus logs.
First, don't bother to restart into Safe Mode. It didn't help. Not a bit. It happened so fast that everything was already compromised before I could even shut down the computer. Just close the programs you have open and take a deep breath because you're screwed. Plan on enduring the next 7-8 hours of pain because it'll take at least that long.
If you visit MSN to get help, you'll get redirected to http:// www[dot]bleepingcomputer[dot]com/virus-removal/remove-win-7-antispyware-2012 (obviously, remove all spaces and [dot]s when entering). Scroll down a long way and you'll find links to download two files:
These two programs will need to be loaded onto a flash drive or CD. You'll need to reboot the computer and have the flash drive/CD inserted when you boot. Running FixNCR will disable the malware from interfering with what you're about to do next.
Running mbam is an installation of Malwarebytes software. If you're already running Malwarebytes, know that the program is already infected and compromised! You need to download a new version. You'll also need to uninstall your current virus protection software and reinstall it, so make plans to do that now. If you don't have a backup disc, go back to the website you bought it from and download a backup to a flash drive or CD.
Run Malwarebytes to do a full scan as soon as it finishes loading and updating. It takes a LOOONG time. Go get some coffee and take another deep breath. It will remove some of the obvious problems, but not the registry root_key issues.
Meaning = you've only just begun.
It's during the reinstallation of the virus software that things get interesting. Here's what you need to do right before you click to reinstall the virus protection:
1. Go to Task Manager > Processes. Click on any instance of "Ping.exe" and click "End Process." This is important. Next, open Control Panel > Internet Options > Privacy. Reset the Internet Zone Setting to "Block All Cookies". Hit "Apply" but DO NOT hit "OK". You need to leave this screen open because the virus is going to try to reverse the setting many times during the next four steps. If you see it drop to "Accept all cookies" raise it back up. Continue to battle with it until it doesn't do it anymore.
2. Skip over a tab to the left to "Security". Click on the "Restricted Sites" and "Sites" button. This will open a new screen where you can enter in sites the internet isn't allowed to visit. THIS IS CRITICAL TO THE NEXT STEP. Pop back and forth between Security and Privacy pages because you have to do steps 1 and 3 simultaneously (but can't open the same screen twice).
3. You'll see your virus software block outgoing attempts to access the internet. As each website comes up, enter the address into the Restricted Sites box and click "Add". There will be a lot of them. I had nearly a hundred attempts to access over twenty different sites. What this is going to do is make it easier for the virus protection to load without being tainted by the virus. Windows Firewall and Virus Firewall working in tandem.
4. Once the virus software is loaded, it'll want to update on the web and then scan. Again, walk away and have some more coffee (or, more likely, a long leisurely dinner). When it's completed, you're still not home free.
Go back to Bleepingcomputer[dot]com/combofix/how-to-use-combofix
ComboFix is a tough little program and it WILL fix the problem. You load it onto your desktop (it MUST be your desktop, not your C:/ drive. It won't work otherwise.) You'll find two links. One says "you'll have to save as". If you speak Spanish as a first language, use that one. Otherwise, use the first one.
It loads very quickly onto your desktop. Double clicking it will open a DOS shell box. It'll unpackage itself and start to scan. It starts in the registry and will probably immediately find the program that's infected. Write down the name of the Trojan so you have it for later because I made the mistake of thinking it would keep a log of it. Um, nope.
You're close, but not done yet. It tells you that if you still can't access the internet to run it again. What I discovered is that because it discovered a trojan and fixed it, it never went any further. You need to reboot and then run ComboFix a SECOND time in order for the full program to run to the point of getting rid of the rest of the instances of the malware virus and creating a log. This will take as long as the Malwarebytes search. Go to sleep. Start again in the morning.
Reboot fully and look at Task Manager. "Ping[dot]exe" shouldn't be running anymore. Your Restricted Sites should be set on High and your Privacy should also be on Block All Cookies. You can try lowering them to their normal settings and see what happens. So far, I'm staying on High until I'm positive it's completely gone.
So far, I've lost access to five different programs and ComboFix and Malwarebytes have restricted my access to several database programs at work. I'll have to reinstall with the help of the software's IT guys. But it's not as bad as it could be. I still have control of everything else.
Yes, I'm bloodied and sore from the battle, but my computer isn't redirecting to weird places and hijacking my every program anymore.
Hope this helps a few of you.
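
The two things the post checks by hand, unnamed IP-address entries appearing under Trusted Sites and "Ping.exe" showing up in Task Manager, can be listed in one read-only pass. The PowerShell below is an added example, not part of the original post; it assumes Windows PowerShell is available, reads only the current user's zone map, and the function name `Get-ZoneEntry` is made up for illustration.

```powershell
# Added example: read-only audit of the Internet Options zone assignments
# and of any running ping.exe processes. Nothing is modified.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

function Get-ZoneEntry {
    # 'Domains' holds sites added by name, 'Ranges' holds sites added by IP address.
    foreach ($branch in 'Domains', 'Ranges') {
        $root = Join-Path $zoneMap $branch
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root -Recurse) {
            if ($branch -eq 'Ranges') {
                $site = $key.GetValue(':Range')          # the IP address or range itself
            } else {
                # Domains\example.com\www  ->  www.example.com
                $parts = @(($key.Name -split '\\Domains\\', 2)[1] -split '\\')
                [array]::Reverse($parts)
                $site = $parts -join '.'
            }
            foreach ($name in $key.GetValueNames()) {
                if ($name -eq ':Range') { continue }     # not a protocol mapping
                New-Object PSObject -Property @{
                    Site     = $site
                    Protocol = $name                     # http, https or *
                    Zone     = $zoneNames[[int]$key.GetValue($name)]
                    AddedBy  = $branch
                }
            }
        }
    }
}

$entries = @(Get-ZoneEntry)

# Trusted Sites entries stored under 'Ranges' are the bare IP-address entries
# described in the post; review each one you did not add yourself.
$entries | Where-Object { $_.Zone -eq 'Trusted Sites' } |
    Sort-Object AddedBy -Descending | Format-Table Site, Protocol, AddedBy -AutoSize

# A previously populated Restricted Sites list that now counts zero matches the post.
'Restricted Sites entries: {0}' -f @($entries | Where-Object { $_.Zone -eq 'Restricted Sites' }).Count

# ping.exe normally exits within seconds. List any instance still running,
# with the path it was started from and its start time.
Get-WmiObject Win32_Process -Filter "Name='ping.exe'" |
    Select-Object ProcessId, ExecutablePath, CommandLine,
        @{ n = 'Started'; e = { $_.ConvertToDateTime($_.CreationDate) } }
```

Run it once right after cleanup and again after a reboot; the Trusted Sites list and the ping.exe list should be the same (ideally empty) both times.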