ClioSport.net


Hit by Google Related Virus, Again.



Rob

ClioSport Moderator
So once again whilst trying to get a crack for a damn piece of software for my boss, I've ended up getting another google related virus, the last one wouldn't let me search on google, but this one is much worse...

I cannot even access "www.google.com" or any derivative, i.e. my Mozilla Firefox homepage does not work.....

Any ideas? (as google is out)

I've tried clearing cookies etc, looking for new .exe files but nothing has ridded me of it, it started off just advertising some facebook layout overlay website, but now its that annoying fake virus scan screen, that then hides the window and makes a box appear telling you you have a virus. :rolleyes:
 

Rob

ClioSport Moderator
My host file?

It wasn't actually technically cracked software, as he owns it, but has lost his code... lol!!!!

I run malwarebytes etc and found lots, but nothing has rid me of this demon!!!!

It has however found one .dll that it can't remove so that could be it???
 
  SLK 350
Check your browser add-ons, [tools>add-ons] in both FF and IE. Remove anything Java related from the list, retry, if that doesn't work also remove Java from your machine, retry.

Let me know if that helps your problem.

I doubt it's a hosts file entry, but you can check by looking in your C:\WINDOWS\System32\drivers\etc, you can open it with Notepad. There shouldn't be anything in there [that's uncommented apart from a single localhost redirect], unless you have a custom list of bad URLs added. If you see anything related to 64.233.181.99 comment it out/remove it and resave the file.

Failing all of the above, also run an online NOD virus scan, and you may need to look into downloading Hijackthis and GMER [check bleepingcomputer.com for further assistance].

Let us know anyway.
 
I've had something like that before. Try downloading spyware removal software using another laptop/PC and putting it on a USB device and installing it over to the infected PC. Try booting in safe mode as well to install and scan to begin with and then boot into normal mode to do another scan. I noticed when I had mine I couldn't go to any of the known spyware removal sites either.

Also format the USB once you have installed all the software etc. After doing all the above my PC was fine but I formatted after anyway just to make sure.

Next time you need a crack I would recommend forums that cater to that kind of thing, as if it's a dodgy bit of software another user will have already found out and the crack would get deleted.
 

Rob

ClioSport Moderator
Hmmm, I've tried lots of anti spyware stuff so far, but I'm failing badly, it looks like I'll be doing a system reboot tbh, can't live without google...
 

Rob

ClioSport Moderator
Did you open the hosts file in the following directory:

C:\WINDOWS\System32\drivers\etc

?

I don't know what you mean by "the hosts file"

What operating system?

Windows XP SP3 (hardcore) ;)

I've downloaded "Avast" Antivirus, and it's picking it up and stopping it from doing it every time I try to load google, or the firefox homepage....

Unfortunately this program just blocks it from opening, and doesn't seem to give me the ability to remove it, or want to tell me the exact location?!!? So I can't go after it.

It's called (according to Avast):

JS:FakeAV-EJ[Trj]
??
 
  Cupra


You open it with notepad and see if there is an entry that has google in it:

Code:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
 

Rob

ClioSport Moderator
I f**king heart you hard!

Removed them in the "host" file, and offski the problem went, well that was something I never knew.

Cheers CS, better than Yahoo, fact

(But not google as I couldn't check it ;))
 
  182FF with cup packs
There are two with google in mate, remove them and then CTRL + S?

yes.

I would still get yourself a copy of HijackThis and run a scan, as it's entirely possible that something is memory resident and the next time you reboot the entries will return to the hosts file.

After you save, right click the hosts file, choose properties, then click the "read only" option. This should stop anything screwing with the hosts file as easily.
 

Rob

ClioSport Moderator
yes.

I would still get yourself a copy of HijackThis and run a scan, as it's entirely possible that something is memory resident and the next time you reboot the entries will return to the hosts file.

After you save, right click the hosts file, choose properties, then click the "read only" option. This should stop anything screwing with the hosts file as easily.


Cheers Pink, I've used that before and didn't really rate it, but I'm still getting pop-ups from my anti virus, so I'm guessing it will return. :S lol! Either that or it's just something I'm not gonna be able to get rid of, it seems like a really persistent little git, it pops up like every 2 minutes... attacking loads of diff processes, svchost, iexplorer (which I don't even have) and firefox mainly


Glad it worked! Just out of interest, are there other entries in there too?


Will copy it in....

Just one from Microsoft.

I'm pretty good with computers and keep mine pretty tidy, so I guess that's why it's not as bad as it could be.


# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 mpa.one.microsoft.com
 
  SLK 350
At the risk of being completely and utterly invisible again. I will repeat, Avast has pointed out an infection, run an online scan at NOD32's site, or Kaspersky and report back what it says.
 
  BMW e46 320 Ci Sport
this made me laugh

"I've tried lots of anti spyware stuff so far, but I'm failing badly, it looks like I'll be doing a system reboot tbh,"

ROFLCOPTERS
 

Rob

ClioSport Moderator
I just gave up last time and did that, I can reboot in an hour, so it's not like it's a biggie, everything's tidy on my computer, and content all stored on an ex HD, lol!

I'll do the above a bit later when I'm home and post.
 
  182FF with cup packs
Just one from Microsoft.

Are you running a cracked version of windows?

If not then you also need to remove that MS entry.

mpa.one.microsoft.com is to do with the WGA (Windows Genuine Advantage), and you may not be able to download updates from windows update with that entry in there.

If you're running a hooky copy of windows though, you probably need it.
 

DMS

  A thirsty 172
Wouldn't surprise me if the malware in question put the entry for mpa.one.microsoft.com in there to prevent the computer automatically downloading and running the Malicious Software Removal Tool and getting rid of it.
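A defender-side check for the hosts-file hijack described in this thread, added here as an example (it is not code from any poster): it parses a Windows hosts file the way SLK 350 and Cupra read it by eye, skips comments and the stock localhost line, and flags every other active mapping, naming the category when the host is a search engine, a Microsoft update/validation host such as mpa.one.microsoft.com, or a security vendor site. The watched-domain list and the sample file contents are constructed assumptions, not indicators from the page.

```python
from typing import List, Tuple

# Host categories malware tends to redirect so the victim cannot search for
# help, fetch updates (WGA / MSRT) or reach AV vendors. Assumed list.
WATCHED_SUFFIXES = {
    "google.com": "search engine",
    "microsoft.com": "Microsoft update/validation",
    "windowsupdate.com": "Microsoft update/validation",
    "avast.com": "security vendor",
    "eset.com": "security vendor",
    "kaspersky.com": "security vendor",
    "malwarebytes.org": "security vendor",
    "bleepingcomputer.com": "security vendor",
}

# Constructed sample in the layout of the file Rob pasted, plus one
# made-up google redirect of the kind the thread describes.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
127.0.0.1       www.google.com        # constructed: blocks the FF homepage
127.0.0.1       mpa.one.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, ip, hostname) for every active (uncommented) mapping."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        ip, *names = line.split()  # one IP may map several names on one line
        for name in names:
            entries.append((n, ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[int, str, str, str]]:
    """Flag every active mapping except the stock '127.0.0.1 localhost'."""
    findings = []
    for n, ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        reason = "unexpected entry"
        for suffix, what in WATCHED_SUFFIXES.items():
            if name == suffix or name.endswith("." + suffix):
                reason = f"{what} host redirected to {ip}"
                break
        findings.append((n, ip, name, reason))
    return findings
```

Run it against the real file (C:\WINDOWS\System32\drivers\etc\hosts on XP) by reading it into a string; any non-empty result is worth a look, and on a clean box the list is empty.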
 
  182FF with cup packs
Yeah, that's probably the reason for the entry, but I also know that putting this entry in is a work around for not being able to install service packs on XP machines that are using dodgy validation keys.
 

DMS

  A thirsty 172
Yup. Stops WGA from being able to "phone home" so that pikey cnuts can't use dodgy serial numbers.
Technet subscriptions FTW though. Legitimate software and legitimate keys for you to use illegitimately at your leisure :cool:
 

DMS

  A thirsty 172
And the "Subscriber downloads" section on the Technet website for when you're at home or leave the company :D
 
  182FF with cup packs
And the "Subscriber downloads" section on the Technet website for when you're at home or leave the company :D


Yeah, I still have one of those from about 6 years ago linked to my hotmail account. I may have also added a couple of others onto the account as well. The company it was registered to doesn't actually exist any more (they were bought out, and then the new parent company was bought out), so unfortunately it doesn't have anything later than Office 2k3 iirc.
 

Rob

ClioSport Moderator
I am indeed running a hooky copy of windows, as it wouldn't let me downgrade from vista, and I HATE vista.... lol.

I guess that's what that is there for, once again I have masses of problems, awesome, there is a constant mouse click going on whenever I am browsing the web, sounds like I'm pressing refresh or something.

I f**king hate this wanky s**t virus crap, I think I'm just gonna re-boot if I've still got the file :(
 

Rob

ClioSport Moderator
Trying the eset scanner atm, will try that after, as recommended earlier in the thread by the hoff, didn't even see I'd ignored the poor chap :(

Just so damn frustrating, ya know?
 