Got a nasty virus yesterday...

Just because the forums were down doesn't mean I went surfing pron sites, however, another forum I go to was hacked and redirected to one that downloaded a fake AV (called WindowsRecovery).  This wasn't on my studio box, but my personal/work box.
 
Anyway, I haven't migrated from AVG yet and even though it has the most current virus database AND it did catch a part of the virus download, it didn't catch the main part.  After scanning in Safe Mode for over nine hours it didn't find anything else (although the virus was definitely there).  I ended up having to use Malwarebytes along with two other utilities (RKill that stops malicious processes so you can run Malwarebytes and Unhide to make all my files visable again).  Malwarebytes found the main parts of the virus and removed them, but even it missed one part (found later by AVG) and two Registry entries that were found by Spybot.
 
The bottom line (besides having over 20 hours of PC usage lost), is that none of these solutions found all the parts of the virus by itself!
 
Now I'm wondering if MS Essentials would have prevented this (or even AVAST which is what my business partner now uses after being sent a malware link from a "trusted" friend).  For a computer that must travel down dark alleys once in a while (unlike my studio box), what IS the best choice for an AV?  Is it still MS Essentials with SpyBot?  The "Pro" version of Malwarebytes?  AVAST?  Something else???  Even having to pay a small amount isn't as bad as wasting 20 hours of my time, but I don't want something that completely makes my PC unusable (like Norton used to).
 
Thanks for listening - I'm done venting now.
 
Also, I wanted to put out a warning that, even if you're only going to sites you believe are clean, you can still end up with something nasty.

I got that one too at on my business machine. Malwarebytes rocks!

... another forum I go to was hacked and redirected to one that downloaded a fake AV (called WindowsRecovery).

 
FYI: When these windows first pop up the damage has not yet been initiated. That window is 100% fake, and is luring you into clicking anywhere within it. They usually even have a fake "cancel" or "close" button, but they are just as dangerous as "buy now" or "fix".
 
When the fake A/V appears, it immediately takes over focus. Simply press ALT/F4 to close the window, then move on. If that doesn't work - just reboot the computer - it is the safest way out. Closing the window by any method "they" have provided, will result in infection, but if you can let Windows close it out - you will be fine.

Nine hours of scanning in safe mode in the hopes you "might" clean up a virus?!

In my experience, it's not worth chasing malware for hours when it's entirely probable that even if you reach a point where it "looks" clean, some part of it is still there, waiting to bite you on another day.

But, you say, the alternative is reformatting and reinstalling everything back on my C: drive!

I see your point... and you're right:  that is your only alternative this time.   So here's what you're going to do (at least I hope for your sake) for next time:

Read the following (My post, and the next one with the link to the free software):

http://forum.cakewalk.com/fb.ashx?m=2272988

Installing this program, and putting in 20-30 min of maintenance time every month, will give you a safety net against any software problems (That includes viruses).

From that point on, you will always be only minutes away from restoring your C: partition.

(And this is to every DAW owner without a backup imaging program):  You really, really need this. 

Just a thought...

Just an FYI, I left every message on my screen except for blocking cookies (I have it set to prompt me).  I'm not sure what I could have clicked to initiate the download, in fact it seemed to download automatically after the redirect.  One of the first things it did was to remove my ability to use the Task Manager so I eventually had to power down to get out of the page instead of ending the process.

I also just got Acronis, but haven't used it yet - I'm way behind on creating a new system but will image it once I do.

Just to reiterate, AVG did stopped one trojan, but not the WindowRecovery fake AV virus and even Malwarebytes missed two entries in the registry that SpyBot caught.  I'm just wondering if I'll always have to use multiple layers of AV...

Long Live Avast.

Catching nasty a nasty virus is never good.

BTW, a tip someone once gave me : when cleaning out a virus its better to turn OFF System Restore before starting the cleaning. If the virus is particularly virulent, it could worm(sic) its way into a SR point.

So, you do manage to clear it off your machine, and then have to do an emergancy restore for whatever reason right after said disinfection, you become infected again through SR.

Once you've finished disinfection and re-booted, you can turn SR on again, and immediately create a fresh non-infected Restore point.

S'wot I done in the past (not through dodgy pron sites though ! )

Cheers,
Jerry

Cheers,

Ok, an unfortunate update...  Turns out I didn't get ALL of the virus before.  It left a rootkit that stayed dormant until two nights ago - then all heck broke loose.  Bottom line:  Avast! works the best of the many A/V's I've had to use (including AVG and Malwarebytes).  I've also had to try out some of the "Big Boys" like Combofix, TDSS Killer and Hitman, but with varying success.  One of the nasties that I inheirited is the so-called Google Redirection Virus (the Alureon variant).  NOTHING has fully gotten rid of this one and, although it's talked about, I couldn't find any fix that worked.

So, even though I STILL don't own Windows 7, I'm preparing to do a full format & reinstall.  "Not a big deal" I bet some of you are saying, however, because all of my various work programs & files along with my personal programs & files for the LAST SIX YEARS are on there, it's going to be VERY annoying to figure out what needs to be reinstalled (then adding all the tweaks, customizations, templates, etc.).  Of course, it's Windows that makes this so annoying because they hide important files where the average user would never think to look (for example, WHY isn't your mail database in a normal documents area?).

This time the virus has wasted over 48 hours of my time and I know it's from the previous infection after checking my offline and internet backups.  I even found it sleeping on a different PC here (since nothing seems to remove it including DOS and Bootscans, I may have to reformat and reinstall on that PC as well).

My mind keeps playing images of really nasty things to do to the punk hackers that created these infections...

Craig
My girlfriend got the same virus last week. She uses AVG. I think she got it because of AVG. The program has become quite intrusive over the years.

I just started from scratch and re-installed windows. data gone, problem fixed.

she's on Facebook a lot. could also be the culprit.

It is a common myth that the operator must take a positive action in order to download malware. Saying that you have to click a button in order to be infected is like saying you have to invite a vampire into your house in order to get bitten, it gives a false sense of security. Unless you have pretty much everything from the website blocked, just visiting the site can initiate a download. Using something like noscript can be helpful, but you will rapidly learn that, given how easy and tempting it is to write gee-whiz web pages with scripts that run automatically, most web pages are paralyzed or incoherent when this stuff is blocked.
It is also a myth that any antivirus software will be able to stop or clean all viruses. By definition, new wild viruses will not be in anyone's signature file, and sufficiently rigorous heuristic analysis will probably shut down stuff that you need to run. Windows 7 at least has the potential to confine the damage of some viruses to one account, provided you are not running an administrator account while surfing. Surfing from a sandbox is even more effective at limiting damage, but is beyond the capability of most people using a computer for fun. And yes, it is possible to infect a restore point, and it is ludicrous to set a restore point after you are infected, since you have most likely put the virus in the can along with everything else.
Frequent off-machine imaging is probably the most efficient way to recover an infected machine. It is a lot faster than waiting for hours while a crew of anti-malware apps try to find the bugger, but it is also possible to have a stealth virus waiting in your disk image for its activation. Re-installation from distribution disks is the only way to be sure, and that only after a very thorough wipe of the disk. Parts of the hard disk are not accessible to the OS, and are not affected by a format.
In short, there is no absolute safety from viruses. The most careful operator with the most up to date software can not be guaranteed immune, in spite of spending hours attending to his security. The average user is just playing the averages. Guard your data (out of reach of the computer), and be prepared to re-install your system more than once in a computer's lifetime.

When removing the nasty bits I use:
Malwarebytes

SpyBot Search and Destroy

Kasperksy removal tool:     one of the best

'tis about 80meg. Does deep cleaning. Can take hours.
This tool is updated at least every day. A client's computer took three days, and three updates of Kaspersk to get all the **** removed
http://majorgeeks.com/Kaspersky_Virus_Removal_Tool_d4515.html

Viri do hide themselves in the pagefiles and the hibernate files.
So, if the viri does not prevent such: I stop the all pagefiles, disable hibernate, disk clean-up all temporary files, and empty recycle bin BEFORE running any of these tools. Often the little bastard is in one of these areas (except for java exploits, and few other animals) and I do not want to waste time scanning stuff that should be gone anyway.

J

One way to deal with difficulties in removing stuff, like root kits and hidden files, is to boot an alternate OS (from CD). It makes those things easier to delete.

For example, use root kit revealer on Windows to identify the files that are hidden, then boot linux-based systemrescuecd from a CD to remove those files. It can be annoying to figure out how to mount your Windows partitions on linux, but the Windows-base malware doesn't get a chance to run or hide itself. SystemRescueCD also contains some antivirus programs, but  don't know how effective or up to date they are.

Bill B

kaspersk does look for rootkits

set it for deep scan  and rootkit detection