I saw the worm from hell yesterday on a windows system


Paul Johnson
Nov 30, 2009, 3:06:14 PM
to kul...@googlegroups.com
A lady I help called because her Win system said it was infected and she
needed to send in 49.95. It said she had a pernicious worm, but when I
went and saw it, I was quite impressed by the intrusion.

A thing called "Advanced Virus Remover" was flashing all kinds of
popups, scary warnings. It even re-writes the global user background
with a horrible warning.

http://www.removevirus.org/virus-strains/remove-advanced-virus-remover-258/

So what, no big deal. Get rid of it.

Easier said than done. The AVR disables McAfee antivirus. It disables
access to the command prompt, taskmgr, and regedit, telling the user
those programs cannot be run because they are infected.

I found lots of discussion about this on the net, lots of people
offering to give me something to fix it. How to know which are honest,
and which are scams that will dig me in deeper?

I gambled on one that seemed more honest.

Go here:

http://www.patheticcockroach.com/mpam4/index.php?p=31

At the bottom there is "mpam4_taskmgrXP.exe", a task manager you can run
and it defeats the Advanced Virus.

Run that, manually kill the Advanced Virus Remover program (AVR) in the
list, then manually remove the Advanced Virus directory from
c:\Program Files.

After that, your McAfee will run and quarantine a bunch of files.

I also found another free spyware checker to run.

Malwarebytes Anti-Malware

After that all is well.

--
Paul E. Johnson email: paul...@ku.edu
Dept. of Political Science http://pj.freefaculty.org
1541 Lilac Lane, Rm 504
University of Kansas Office: (785) 864-9086
Lawrence, Kansas 66044-3177 FAX: (785) 864-5700

Andrew Beals
Nov 30, 2009, 3:10:23 PM
to kul...@googlegroups.com
Running software on your Windows box in order to cure an infection is like a doctor walking into an Ebola ward without wearing so much as a mask in order to treat the patients.  It can be done, but a linux boot disk (thumbdrive) with the latest ClamAV will work better.


--

You received this message because you are subscribed to the Google Groups "kulua-l" group.
To post to this group, send email to kul...@googlegroups.com.
To unsubscribe from this group, send email to kulua-l+u...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/kulua-l?hl=en.



David Nicol
Nov 30, 2009, 3:25:37 PM
to kul...@googlegroups.com
On Mon, Nov 30, 2009 at 2:10 PM, Andrew Beals <andrew...@gmail.com> wrote:
> Running software on your Windows box in order to cure an infection is like a
> doctor walking into an Ebola ward without wearing so much as a mask in order
> to treat the patients.  It can be done, but a linux boot disk (thumbdrive)
> with the latest ClamAV will work better.

Apparently Knoppix has included ClamAV for a while. Anyone know of a
CD-RW distro that will run ClamAV and also fetch updates and burn them
into later tracks on the same disk? Dear Santa...
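The boot-medium approach Andrew suggests and David asks about, as an added shell example that is not code from any poster in this thread: mount the Windows volume read-only from a Linux live medium, refresh signatures, scan it with ClamAV, and read the result back from the log. The device `/dev/sda1`, the mount point `/mnt/win`, the log path, and the sample clamscan log (its paths and signature names are constructed) are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not code from the thread): triage a Windows volume from a Linux
# live medium with ClamAV. Device, mount point and log path are hypothetical;
# override them in the environment. Run with "--run" to perform the scan.
WIN_DEV="${WIN_DEV:-/dev/sda1}"
WIN_MNT="${WIN_MNT:-/mnt/win}"
LOG="${LOG:-/tmp/clamscan-offline.log}"

# clamscan exit codes: 0 = nothing found, 1 = infected file(s) found, 2 = error.
assess() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Extract the "Infected files: N" count from the SCAN SUMMARY block of a clamscan log.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# List the per-file hits; clamscan reports them as "<path>: <signature> FOUND".
found_files() {
    grep ' FOUND$' "$1" | sed 's/: [^:]* FOUND$//'
}

run_offline_scan() {
    mkdir -p "$WIN_MNT"
    # Read-only mount: nothing on the suspect volume is executed or altered during triage.
    mount -o ro "$WIN_DEV" "$WIN_MNT" || { echo "mount of $WIN_DEV failed" >&2; return 2; }
    # Pull current signatures first; a stale database misses recent rogue-AV builds.
    freshclam || echo "warning: freshclam failed, scanning with the existing database" >&2
    # -r recurse, -i print only infected files, --log keep a record to review afterwards.
    clamscan -r -i --log="$LOG" "$WIN_MNT"
    rc=$?
    echo "scan result: $(assess "$rc"), $(infected_count "$LOG") infected file(s), details in $LOG"
    umount "$WIN_MNT"
    return "$rc"
}

# Constructed sample of a clamscan log (paths and signature names are made up)
# so the parsing helpers can be exercised without running a scan.
sample_log() {
    cat <<'EOF'
/mnt/win/Program Files/Advanced Virus Remover/avr.exe: Win.Trojan.FakeAV-EXAMPLE FOUND
/mnt/win/Users/owner/AppData/Local/Temp/setup.exe: Win.Trojan.Agent-EXAMPLE FOUND

----------- SCAN SUMMARY -----------
Known viruses: 700000
Engine version: 0.95.3
Scanned directories: 1200
Scanned files: 48000
Infected files: 2
Data scanned: 2048.00 MB
Time: 900.000 sec (15 m 0 s)
EOF
}

# Parse the constructed sample and print its infected-file count.
demo_count() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    infected_count "$tmp"
    rm -f "$tmp"
}

# Count the per-file hits in the constructed sample.
demo_found() {
    tmp=$(mktemp)
    sample_log > "$tmp"
    found_files "$tmp" | wc -l | tr -d ' '
    rm -f "$tmp"
}

if [ "${1:-}" = "--run" ]; then
    run_offline_scan
fi
```

The scan deliberately reports rather than deletes: with the volume mounted read-only, the operator reviews `found_files` output against the log before deciding what to quarantine, which avoids the situation in the original post where tools run on the infected system itself are being interfered with.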

dustin...@gmail.com
Nov 30, 2009, 3:28:25 PM
to kul...@googlegroups.com
ClamAV licensing has changed since then. Prolly not updating out of the box anymore, etc.

D.
Sent from my BlackBerry® smartphone, powered by CREDO Mobile.

Jeff Collins
Nov 30, 2009, 3:47:28 PM
to kul...@googlegroups.com
I can vouch for Malwarebytes. It is effective.


Jeffrey S Collins
913-764-3123 home
913-768-8484 office
913-710-5530 mobile

office email    jcol...@brytechinc.com
home email    kansa...@sbcglobal.net




From: Paul Johnson <paul...@ku.edu>
To: kul...@googlegroups.com
Sent: Mon, November 30, 2009 2:06:14 PM
Subject: [KULUA] I saw the worm from hell yesterday on a windows system

Steve Nordquist
Nov 30, 2009, 5:27:28 PM
to kul...@googlegroups.com
You had it easy; usually the hellish ones recognize Malwarebytes,
antimalware and AVG as strings of things that will do them in, and
intercept the calls. If you run into one doing that (with the same
popup-paranoiac behavior; the same macro-buffed images are a good tell
you got .com and .org mixed up), MaximumPC listed bits here:
http://www.maximumpc.com/article/howtos/ultimate_malware_removal_guide_purge_your_pc_junk_files
(features Pocket Killbox by BleepingComputer, ComboFix, Comodo.)

...so, what user JavaScript do I want to calm down my browser's
(JavaScript-fueled) memory leaks? 4GB is like less when the i586
(i.e. not 64-bit libs) can't up and access things handily.