Malware Hiding on me?

Have just checked with Malwarebytes and they say that their latest definitions catch this beast, so you may want to update defs and re-scan.
 

My Computers

System One System Two

  • Operating System
    Windows 10 Pro x64 Latest Release Preview
    Monitor(s) Displays
    Acer G276HL 27", (DVi) + Samsung 39" HDTV (HDMI)
    Screen Resolution
    2 x 1920x1080 @50Hz
  • Manufacturer/Model
    Real World Computers (Custom by Me)
    CPU
    AMD FX8350 Vishera 8 Core @4GHz
    Motherboard
    Asus M5A78L-M USB3
    Memory
    32GB [4x8GB] DDR3 1600 MHz
    Graphics card(s)
    Asus nVidia GTX750TI-OC-2GD5 (2GB DDR5)
    Sound Card
    ASUS Xoner DG + SPDIF to 5.1 System + HDMI
    Monitor(s) Displays
    Samsung 32" TV
    Screen Resolution
    1920 x 1080
    Hard Drives
    Internal
    Crucial CT256MX100SSD1 256GB SSD,
    Seagate ST2000DM001-1CH1 2TB,

    External (USB3)
    Seagate Backup+ Hub BK SCSI Disk 8TB
    2.5/3.5 Hot Swap Cradle, USB3 + eSata (client HDDs)
    NAS 4TB
    PSU
    Aerocool Templarius Imperator 750W 80+ Silver
    Case
    AeroCool X-Warrior Red Devil Tower
    Cooling
    Hyper103 CPU, Rear 120mm, Front 2x120mm, Side 2x120mm
    Internet Speed
    68 MB Down 18.5 MB Up
    Other Info
    Six Sensor Auto / Manual Digital cooling (Fan) control with Touch control Panel
What you really need to do is get HijackThis, run it and post your results on CastleCops or the Wilders Security forum; they can help you with the problem in more detail there. Not that you can't get a resolution here, but they deal with this stuff all the time.
 


Nigel,
All of the things you told me to delete are deleted and the popup is still there
anything else?
ben

The problem with this @##$%%** is that it hides itself as something else and almost seems to mutate. Once you click on the teaser and it installs itself, it's got you. I've never really got rid of it. The last part of Nigel's advice about a reinstall is what I have had to do on most occasions I have seen it. I've never been infected (touch wood), but I've been given enough computers that were to know it's cunning. I once found the .exe file for Antivirus 2008 in Documents/My Pictures.
 

My Computer

System One

  • Manufacturer/Model
    Scratch Built
    CPU
    Intel Quad Core 6600
    Motherboard
    Asus P5B
    Memory
    4096 MB Xtreme-Dark 800mhz
    Graphics Card(s)
    Zotac Amp Edition 8800GT - 512MB DDR3, O/C 700mhz
    Monitor(s) Displays
    Samsung 206BW
    Screen Resolution
    1680 X 1024
    Hard Drives
    4 X Samsung 500GB 7200rpm Serial ATA-II HDD w. 16MB Cache .
    PSU
    550 w
    Case
    Thermaltake
    Cooling
    3 x octua NF-S12-1200 - 120mm 1200RPM Sound Optimised Fans
    Keyboard
    Microsoft
    Mouse
    Targus
    Internet Speed
    1500kbs
    Other Info
    Self built.
Hi Ben,

Yep, Norm's right. If you are not too badly infected and you can get rid of it fairly quickly with Malwarebytes and deleting a few files, then great.

If you have tried that and are still infected, then it's not worth mucking about endlessly with the thing. I would save the pain and reinstall.

Odd you didn't get a disc. Do you have the option to create one? If so, worth doing straight away.

Reinstalling or reimaging from the recovery partition is probably quicker than from a disc, but you need a disc for the future in case you can't boot, or the recovery partition is corrupted.

If you are lucky, the recovery partition might contain WAU files - you can make a good disc from those easily.

Here's how it's done with the recovery partition

http://www.ehow.com/how_2134715_dell-windows-vista-factory-settings.html

Hope it helps

SIW2
 

My Computers

System One System Two

  • Operating System
    Vista
    CPU
    Intel E8400
    Motherboard
    ASRock1333-GLAN R2.0
    Memory
    4gb DDR2 800
    Graphics Card(s)
    nvidia 9500GT 1gb
  • Operating System
    win7/vista
    CPU
    intel i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    ballistix 2x8gb 3200

Guess what!:mad: Just lost all my .exe associations. Then lost half my icon cache. Had to do a system restore from Vista install disk. Guess what I found then :-

Capture.JPG

Famous last words Eh!:cry::cry:
images.jpg


 

UPDATE. Ran Malwarebytes RogueRemover with the 2 shortcuts still in the start menu. Clean bill of health. Kaspersky scan: no threat. Defender: "Your computer is running normally". So these little beasties got in, screwed with me, are now lurking, but the tools that are supposed to find them don't. Just had Firefox freeze on me? Doing a full restore from Acronis to Tuesday 11th (last Acronis backup). I am pretty sure I was clean until this morning. That's when I had issues. Restored to backup. Seems OK now. Whew!!

mad_at_computer copy.jpg
 

Here is a list of things. This is ridiculously suspicious because I have NOTHING for Google and I never installed anything on 11/8, and that is the day this all started. So I am about 95% sure this is it. There are a bunch of pics. I am currently running a Malwarebytes scan and will inform you all once it is done. If it doesn't get it I will delete it and reboot, then report back. Thanks everyone,
Ben
 

Attachments

  • Capture1.JPG
  • 3.JPG
  • 42445.JPG
  • 2345654.JPG
  • 6546541.JPG

My Computer

System One

  • Manufacturer/Model
    Dell
    CPU
    Intel(R) Celeron(R) CPU 420 @1.60 GHz
    Motherboard
    Dell Inspion 530 Default
    Memory
    PNY 4GB 240-Pin SDRAM DDR2 800 (PC2 6400) Dual Channel
    Graphics Card(s)
    ATI Radeon HD 2400 PRO
    Sound Card
    Realtek HD Audio
    Monitor(s) Displays
    Gateway PnP Monitor
    Screen Resolution
    1024x768 @ 75 Hz
    Hard Drives
    Seagate 250G ATA SATA-II
    Case
    Dell Inspiron 530
    Cooling
    None
    Keyboard
    Logitech EX100 Combo
    Mouse
    Logitech EX100 Combo
    Internet Speed
    100 MB/s
Try doing this

1. Start up computer in Safe Mode.
2. Locate the file "visfdw.exe".
("C:\Users\USER_NAME\AppData\Roaming\Google\visfdw.exe")
3. Delete that file.
4. Go into your registry.
(Start > Run > (type in "regedit"))
5. Expand the following folders in this order:
'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
6. Locate "winlogone".
7. Delete the registry entry.
8. Restart your computer.
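One way to make the manual check in steps 4 to 7 repeatable, as an added PowerShell example that is not from the thread: it lists every entry in the HKCU Run key, resolves each command to its executable, and flags entries that launch from user-writable folders such as AppData\Roaming (where visfdw.exe sat) or whose target file no longer exists. The -Remove switch and the flagging rules are this example's own assumptions; run it without -Remove first and review the output.

```powershell
# Added example (not from the thread): audit the per-user Run key that the
# post above edits by hand in regedit. Nothing is deleted unless -Remove is
# given, and then only after a ShouldProcess confirmation.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Remove   # example's own switch: offer to delete each flagged entry
)

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# Folders a legitimate autostart rarely launches from, but dropped malware
# often does; the thread's visfdw.exe sat under AppData\Roaming\Google.
$suspectRoots = @(
    [Environment]::GetFolderPath('ApplicationData')        # AppData\Roaming
    [Environment]::GetFolderPath('LocalApplicationData')   # AppData\Local
    [IO.Path]::GetTempPath()                               # %TEMP%
)

$key = Get-Item -LiteralPath $runKey -ErrorAction Stop
foreach ($name in $key.GetValueNames()) {
    $command = [string]$key.GetValue($name)

    # Extract the executable from the command line: a quoted path, or the
    # first whitespace-delimited token when unquoted.
    if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    $inSuspectRoot = $suspectRoots |
        Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    $missing = $exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)

    $status = if ($inSuspectRoot) { 'SUSPECT: launches from user-writable folder' }
              elseif ($missing)   { 'SUSPECT: target file does not exist' }
              else                { 'ok' }

    # Emit one record per entry so the output can be sorted or exported.
    [pscustomobject]@{ Name = $name; Target = $exe; Command = $command; Status = $status }

    if ($Remove -and $status -ne 'ok' -and
        $PSCmdlet.ShouldProcess("$name -> $exe", 'Remove autostart entry')) {
        Remove-ItemProperty -LiteralPath $runKey -Name $name
    }
}
```

Entries flagged as "ok" can still be malicious (a dropper may copy itself into Program Files), so treat the flags as a triage aid, not a verdict.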
 

My Computer

System One

  • Manufacturer/Model
    HP Compaq Presario/SR5113WM
    CPU
    AMD Athlon 64 X2 3600+ 1.9Ghz
    Motherboard
    Asus M2N68-LA
    Memory
    PNY Optima Memory DDR2 2GB 2x1 kit
    Graphics Card(s)
    PNY Nvidia 8400 GS 256MB
    Sound Card
    On board RealTek
    Monitor(s) Displays
    Acer X163W LCD
    Screen Resolution
    1366x768
    Hard Drives
    Western Digital 160 GB SATA 3G (3.0Gb/sec)
    7200 rpm
    Western Digital 160 GB IDE
    PSU
    Dynex 400w
    Case
    Nothin Special
    Cooling
    Stock
    Keyboard
    Standard 102 key with volume and sleep buttons
    Mouse
    Wireless Logitech LX7
    Internet Speed
    Comcrap 10mb cable
    Other Info
    Insignia 2.1 speakers, wireless Xbox 360 controller w/plug n play charger, Belkin wireless G + mimo usb network adapter.
I think I found it!
Here are some pictures from Unlocker and others that I took with the Snipping Tool!!!
Look at the Unlocker screenshot as I am saying this
  1. All of these things are running
  2. I realized a few days ago I had 2 explorers running, and when I deleted one nothing happened
  3. I have been getting this weird popup from ATI (which I should have thought of before) every time I start my computer. (It is one of the captures and doesn't make sense since I updated it at the beginning of the month.)
  4. And finally, because I couldn't delete this weird visfdw.exe file. I never installed it, and I have never used any Google things, so why would it be in a Google folder?
  5. I am going to delete the files, empty the recycle bin, run CCleaner, and restart my computer. I will do what I usually do (go on this site and work on my webpage from Dreamweaver) and see if it comes up in an hour or two.
I will make sure to keep you all informed!
Ben
 

Attachments

  • 2345654.JPG
  • 21351350654.JPG
  • 321321312321.JPG
  • Capture.JPG

Hi ben,

Looks like that's it. The Windows Defender Software Explorer shows a registry entry in the right-hand pane; have a look and see if you can delete it.

ANTIVIRUS2009 2008-11-13_231452.jpg

let us know how you get on

SIW2
 

SIW2 and everyone else Thank you all so much for this!
We have officially stopped this horrible thing on my computer.
I hope you all will join me in vistax64's new security team. You all have done a wonderful job and I cannot thank you all enough!
Thanks,
Ben
 

Hi, ben

:party:that's good news :party:

As far as I can find out, this is a new variant of the old AV2008 set of viruses. It gets in as a "website drive-by"; the only way I know of combating this type of infection is Firefox's NoScript add-on. This particular beastie was only added to things such as Malwarebytes in the last 48 hours, so it was basically a 0-day infection.

It may be an idea to change the title of your first post to something like "visfdw.exe virus infection" and mark it solved, just to help any others unfortunate enough to get infected.

Have joined the Security group and posted my first info :geek::D I get several security-related articles sent to me each day, so will post any I think are of general interest.
 

Barman58,
I am going to post a link in our Security Group to this forum and also inform Brink so he could possibly write a new tutorial on how to defeat this insanely huge threat!
Thanks y'all so much,
Ben

 
