Google Re-direct Virus?
Desnudo
07-11-2011, 10:37 AM
Anyone have any experience with this? My computer has it. Apparently it's a real pain to remove and involves editing / deleting windows root files and registry settings. I'm technically capable, but wanted to see if anyone had gone through this process before and had any advice or an easier way before I start stripping out Windows system files. Thanks in advance!
Grego
07-11-2011, 10:40 AM
My Thinkpad caught this one. I was able to remove it by following instructions at bleepingcomputer.com
I've used that website a few times to remove different viruses.
stevew
07-11-2011, 10:43 AM
Had this motherfucker the other day. I think this is what I used: How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller (http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller)
JonInMiddleGA
07-11-2011, 10:48 AM
I heartily second the endorsement of bleepingcomputer.com walkthroughs.
Saved my ass from a nasty virus last Sunday night & then saved me again from a less painful version last night. The tools are linked for d'loading, the walkthroughs are not quite idiot level but they're close enough (thank God).
Meanwhile I'm wondering why the hell my Avast has gone 0-2 on consecutive Sunday nights.
JediKooter
07-11-2011, 10:53 AM
Meanwhile I'm wondering why the hell my Avast has gone 0-2 on consecutive Sunday nights.
Was it a home or an away game? Natural grass or astroturf?
lighthousekeeper
07-11-2011, 11:09 AM
I heartily second the endorsement of bleepingcomputer.com walkthroughs.
Saved my ass from a nasty virus last Sunday night & then saved me again from a less painful version last night. The tools are linked for d'loading, the walkthroughs are not quite idiot level but they're close enough (thank God).
Meanwhile I'm wondering why the hell my Avast has gone 0-2 on consecutive Sunday nights.
I also got the nasty bug on Saturday, and my Avast also whiffed.
FWIW, I absolutely support torture for the asshats who write & disseminate these trojans.
Glengoyne
07-11-2011, 11:59 AM
Meanwhile I'm wondering why the hell my Avast has gone 0-2 on consecutive Sunday nights.
You should view porn on more nights. Keep the whole system in practice.
JonInMiddleGA
07-11-2011, 12:01 PM
You should view porn on more nights. Keep the whole system in practice.
That's the damnable thing ... unless it was a time-released virus, both incidents have occurred well outside the porn time zone.
JonInMiddleGA
07-11-2011, 12:02 PM
I also got the nasty bug on Saturday, and my Avast also whiffed.
Fake "Windows Security" bug?
lighthousekeeper
07-11-2011, 12:09 PM
Fake "Windows Security" bug?
yep
stevew
07-11-2011, 12:52 PM
The fake Windows Security bug was the same as the Google redirect, I think? I know I had both on different machines. I think we need to better utilize black ops troops to fix the people that make these problems.
Sweed
07-11-2011, 01:18 PM
Don't have the bug but d'loaded the fix stevew linked just in case I need it.
Is this something NoScript would block? How about WinPatrol? Anyone know if it gets around the warnings that something is trying to be installed?
Alan T
07-11-2011, 01:30 PM
Don't have the bug but d'loaded the fix stevew linked just in case I need it.
Is this something NoScript would block? How about WinPatrol? Anyone know if it gets around the warnings that something is trying to be installed?
Yes, NoScript would block it if you didn't have it set to trust the site that the malicious web code would come from. The same goes for people who don't use Firefox/NoScript: they could block this by disabling scripting in their browser, but then many web pages would most likely look "broken" to them, so NoScript is a more graceful approach. If people use NoScript but blindly trust everything, or globally run scripting, they basically make NoScript worthless. Also, by default NoScript does not block iframes, so you need to enable that, as most of these infections occur using iframes on legitimate websites.
As for WinPatrol, hypothetically it -should- protect against it, but that depends more on how you have WinPatrol set up, most likely. Running WinPatrol or a similar product is a good idea, but the best way to protect against these types of attacks is blocking scripting/iframes in your browser.
Sweed
07-11-2011, 01:40 PM
Yes, NoScript would block it if you didn't have it set to trust the site that the malicious web code would come from. The same goes for people who don't use Firefox/NoScript: they could block this by disabling scripting in their browser, but then many web pages would most likely look "broken" to them, so NoScript is a more graceful approach. If people use NoScript but blindly trust everything, or globally run scripting, they basically make NoScript worthless. Also, by default NoScript does not block iframes, so you need to enable that, as most of these infections occur using iframes on legitimate websites.
As for WinPatrol, hypothetically it -should- protect against it, but that depends more on how you have WinPatrol set up, most likely. Running WinPatrol or a similar product is a good idea, but the best way to protect against these types of attacks is blocking scripting/iframes in your browser.
Thanks. I don't even have FOFC on trusted :) and per your advice in other threads iframes are blocked too. When I surf I only use the "temporarily allow" options in NoScript. I had a bad virus years ago and it took me a day and a half screwing around at ComputerCops with HijackThis to get rid of it. Since then I've been very conscious of where I go and what I allow. I'm sure at some time I'll get bit again, but for now, for me, paranoid is better :)
Silver Owl
07-11-2011, 04:32 PM
Fake "Windows Security" bug?
I got this last week. When it popped up I hit Ctrl-Alt-Del and shut the browser down from there. That seemed to take care of it. At what point does it actually install the virus?
mckerney
07-11-2011, 04:43 PM
ComboFix
JonInMiddleGA
07-11-2011, 05:10 PM
I got this last week. When it popped up I hit Ctrl-Alt-Del and shut the browser down from there. That seemed to take care of it. At what point does it actually install the virus?
Based on the hell I went through to fix the variant last weekend, it depends upon the variant.
For example, the one I got 8 days ago overrode all displays while giving scary warning messages about hard disk errors, bad sectors, etc. It went so far as to hide certain files/file types to make it appear as though you had serious data loss. In the end there were over 300 different images associated with the virus, each with a different "windows message" warning you about the (fake) problems. When the hell this thing installed, how the hell it installed without me ever seeing it/approving it, etc ... no clue. Considering how often I'm prompted to verify installation/overwriting, etc. etc., I would have thought this would have been next to impossible without the user (i.e. me) taking some action, but apparently that isn't the case.
The version I got last night was simpler & less scary but no less troublesome as a user. It did something in the registry that prevented virtually any executable from running. No web browser, no anti-viral, no d'loading, nothing. It basically blocked any operation (on Win XP) other than popping up a full screen "windows message" warning me that I was at risk & needed to purchase/install a "Windows Security" program. After getting through all the fixes & sitting through the 3 hours it takes for Malwarebytes to run a full scan, it was a total of 7 files/registry entries (including one java file in my web temp folder that I would guess was tied to the origin of the virus). Once again, no clue where/how/when the trojan came from, got installed, etc.
Oddly enough, both incidents reared their heads on Sunday night around 11pm. Now either they both were "time-released" (or whatever the terminology) for the same time OR I got them from a major newspaper website, since that's where I was when I discovered the one last night & where I had been a relatively short time before the problem emerged the previous week.
lighthousekeeper
07-11-2011, 05:24 PM
OR I got them from a major newspaper website, since that's where I was when I discovered the one last night & where I had been a relatively short time before the problem emerged the previous week.
That's exactly where I was when I got it on Saturday - some British tabloid linked from Drudge. At least that's where I was when all hell broke loose.
Alan T
07-11-2011, 05:46 PM
Oddly enough, both incidents reared their heads on Sunday night around 11pm. Now either they both were "time-released" (or whatever the terminology) for the same time OR I got them from a major newspaper website, since that's where I was when I discovered the one last night & where I had been a relatively short time before the problem emerged the previous week.
Because the gross majority of web users do not block scripting in their browsers, this is the most common method of infecting systems these days (several million infections every day). The hackers now actually spend time trying to hack legitimate websites (such as CNN, Wall Street Journal, etc.) to slip in code that is usually not even visible (via iframe). Then when your browser hits that site, it unknowingly also downloads the rogue code, and if your system is not properly patched or protected against it, it will then infect your system. Several months ago, even FOFC was infecting people through this means; what the hackers did was inject the attack into one of the advertisements at the top of our boards.
So it wouldn't surprise me at all if you got something from a major website these days; the list of major companies and sites attacked in this manner is enormous.
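As an added example (not a tool anyone in the thread used), here is a small Python checker that flags the kind of hidden, off-site iframe Alan T describes being slipped into legitimate pages and ad slots; the sample HTML and all hostnames are constructed, and the site's own hostname is passed in as an assumption.

```python
"""Flag hidden or third-party <iframe> tags in a page: the injected frame
pattern described above on compromised legitimate sites and ad slots.
Added example, not from the thread. Sample HTML and hostnames are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one visible same-site frame in the article body, and
# one 1x1 frame slipped into the ad slot that loads a third-party host.
SAMPLE_HTML = """
<html><body>
<div id="content"><iframe src="/video/embed/123" width="640" height="360"></iframe></div>
<div id="ad-top"><script src="https://ads.example-partner.invalid/tag.js"></script>
<iframe src="http://evil-example.invalid/in.cgi?3" width="1" height="1"
 style="visibility:hidden;position:absolute;left:-9999px"></iframe></div>
</body></html>
"""

# CSS tricks commonly used to keep an injected frame out of sight
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))


def _tiny(value):
    """True for a width/height of 1px or less (effectively invisible)."""
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for each iframe that is hidden or loads another host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for f in parser.frames:
        src = f.get("src") or ""
        reasons = []
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host and host != site_host:
            reasons.append("third-party host: " + host)
        if _tiny(f.get("width")) or _tiny(f.get("height")):
            reasons.append("1x1 or smaller")
        if HIDDEN_STYLE.search(f.get("style") or ""):
            reasons.append("hidden by CSS")
        if reasons:
            hits.append((src, reasons))
    return hits
```

Run it over a saved copy of a page (or a proxy capture) and review every hit; a visible same-site embed produces no reasons and is skipped.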
fantom1979
07-11-2011, 06:53 PM
I've seen the "Windows Security" one quite a bit this year. My wife got it on her laptop and I have fixed it on a couple of my friends' computers. A combination of following the steps on bleepingcomputer and Malwarebytes seems to do the job.
As a side note, all of these computers had anti-virus on them; none of them caught it. A couple of the computers had Microsoft Security Essentials, one had Avast!, one had AVG Free Edition, and one had McAfee.
JonInMiddleGA
07-11-2011, 07:07 PM
So it wouldn't surprise me at all if you got something from a major website these days; the list of major companies and sites attacked in this manner is enormous.
Okay, that part I kind of get/knew already.
What has me thrown is that, in my mind at least, the point to that method would be infecting on a larger scale. Considering all the things people complain very loudly about, I'm having a tough time picturing ajc.com being used for virus delivery without hearing something about it somewhere. Hell, that's the kind of thing I figure would produce three FB pages, a Twitter feed, and two websites just to protest it. (Just explaining why I've previously discounted them in spite of being the most obvious suspect because of proximity of visit to infection).
panerd
07-11-2011, 11:02 PM
I got this motherfucker a few weeks ago also. Wonder if maybe it isn't from those FOFC ads?
It was a work laptop so I wasn't anywhere unsafe with it. I had also just backed up my data so I just had the computer guy reinstall windows.
JonInMiddleGA
07-11-2011, 11:10 PM
Wonder if maybe it isn't from those FOFC ads?
Only if it can be delivered by those even if we never see them.
Silver Owl
07-12-2011, 03:49 PM
The version I got last night was simpler & less scary but no less troublesome as a user. It did something in the registry that prevented virtually any executable from running. No web browser, no anti-viral, no d'loading, nothing. It basically blocked any operation (on Win XP) other than popping up a full screen "windows message" warning me that I was at risk & needed to purchase/install a "Windows Security" program. After getting through all the fixes & sitting through the 3 hours it takes for Malwarebytes to run a full scan, it was a total of 7 files/registry entries (including one java file in my web temp folder that I would guess was tied to the origin of the virus). Once again, no clue where/how/when the trojan came from, got installed, etc.
This is the one that popped up on me. I saw it doing its "fake" scan and must have stopped it before a virus was actually installed.