The Internet does not suffer fools, apparently.
April 25, 2010 1:39 PM   Subscribe

Help lost sheep get rid of pesky ransomware and rogue anti-spyware with dubious origins.

I don't know if it's appropriate to ask for computer help on Ask Metafilter. I kind of trust you guys more than I do some random computer forum. So please be patient.

I'll just list some general things about my computer use. I don't know the relevance but maybe it'll be helpful in determining my...risky internet behaviors.

1. I know very little about computers. I'm 18 and should probably know stuff about the internet, but I got used to my brother taking care of things, until he went to college.
2. I don't download torrents. The only time I download anything is when my friends send me things via email/rapidshare.
3. I often watch television online.
4. I mostly use my computer to do homework and read the news. No interest in games or anything like that.
7. I don't have an external hard drive, but I do have some device that lets you remove your computer's hard drive and connect it to another computer. This probably wouldn't be helpful since my computer is currently infectious.
8. It's finals week and I have a portfolio due soon. I would like to keep all the information on my computer.


So my problem is:
-Was on ninjavideo.net when I got notifications from "XP Smart Security 2010," and AVG caught on to some trojan horses
-I tried exiting all those pop-ups but it disabled my access to task manager and most everything in the control panel
-I freaked out and restarted
-Got notifications from the fake ICPP copyright thing noted in this post

Then I turned off my computer because it felt shady. I'm using my mom's computer now.

So, the internet tells me I can get rid of the XP Smart Security by just running a full system scan with an anti-spyware program (assuming I don't have to download one), but my question is:

1. How do I access my computer if the ICPP copyright message is locking it? Will this go away here and there?
2. If I do have to wait for a spyware program to download, is my computer a ticking time bomb, or does the passage of time not affect the depth of this problem (as long as I don't click anything)?
3. The ransomware appears to be the greater of my concerns. This comment scares me to death. Can I get rid of this, or must I wipe my computer? I don't want to go mucking around system files and touch something I shouldn't have. You are dealing with a high level of incompetence here.
4. What programs should I purchase/download to keep myself from being this vulnerable again? A year ago I had a similar problem with a less sophisticated anti-spyware imitation.

Sorry if that was excessive in any way. If you can help, please shoot me a message.
posted by mmmleaf to Computers & Internet (17 answers total) 2 users marked this as a favorite
 
Malwarebytes is free and generally considered effective against many types of malware. If a single scan with MB or a similar product doesn't fix things, it's often faster just to wipe the drive and reinstall Windows (faster still if you make an image of a clean desktop with all your desired programs and customizations).
posted by Inspector.Gadget at 1:59 PM on April 25, 2010


Did some Google searches, try this license code on the ICPP program:
RFHM2-TPX47-YD6RT-H4KDM. If that unlocks your computer then you should start scanning with anti-spyware tools to remove everything.

Some helpful links for you:

http://www.malwarebytes.org/ - Great scanner, free too.

http://www.bleepingcomputer.com/virus-removal/remove-i-q-manager - Removal guide for the ICPP junk.

YMMV but good luck and post back with any results!
posted by Funky Claude at 2:00 PM on April 25, 2010


I've been hit with these before, and they're not as scary as they seem. Typically here's what they do:

1) Make some copies of the fake warning programs that are placed in a temp folder somewhere
2) Edit your registry so whenever an EXE (executable files, like your programs) is called, it first runs one of the fake warning programs. This also serves to prevent you from running Malwarebytes and other security programs
3) Edits Internet Explorer preferences so that you effectively don't have internet access and can't download anything.

The fact that you have your mom's system is a good thing. Here's what you do.

1) Download malwarebytes on your mom's computer and put it on a USB key
2) Download this EXE regedit file http://www.winhelponline.com/fileasso/exefix_vista.zip (for Vista obviously) to restore your EXE registry keys
3) Boot up your bad computer and go into safe mode (press F8 on startup) with network
4) When you're in, bring up the task manager and stop suspicious looking processes (usually, some random looking names)
5) Stick in your USB, unzip the regedit file, and run it
6) Install Malwarebytes
7) Run Malwarebytes, but select the Update button so you get the latest signatures
8) Run a quick scan
9) Remove everything found
10) Reboot

That should solve 90% of all those pesky fake warning things. The thing is not to panic, it's not as bad as it seems, and Malwarebytes can get rid of most of them.
posted by reformedjerk at 2:19 PM on April 25, 2010


If you still have the reinstallation discs that came with the computer>>

If nothing works, reload Windows. Get a "Windows for Dummies" book, it will help. I was very afraid of doing this, but it was a breeze.
posted by fifilaru at 2:25 PM on April 25, 2010


Thanks for the help. The license code worked, but the fake anti-virus program is keeping me from being able to open up task manager or anything in the control panel. It won't let me open Mozilla but Chrome is extremely slow.

reformedjerk--I'll try downloading the program here w/ the USB and let you know what happens.

Thanks!

Slightly less terrified now, but pretty annoyed that people put the time into developing these kind of things.
posted by mmmleaf at 2:28 PM on April 25, 2010


MalwareBytes is great.... but ComboFix is like the Chuck Norris of spyware removal tools. When you absolutely, positively have to kill every spyware on your computer, accept no substitutes.
posted by jmnugent at 2:38 PM on April 25, 2010 [2 favorites]


Hrm. When I attempt to log into safe mode, it tells me I need to activate windows first, and login normally to do that.

A few weeks ago it gave me that same message even though I installed Windows with legitimate software, shiny CD and everything.

I have to unplug the internet while trying to do anything though because it keeps downloading naked people to my desktop.

Tried to install malwarebytes when logged in normally but I can't really do anything with the fake security/virus programs blocking all 'unwanted activity.'

I just don't understand why it's asking me to activate Windows. Another clever ploy?
posted by mmmleaf at 3:08 PM on April 25, 2010


jmnugent: Woah woah combofix.org is not a legit source for it. Only get it from the approved sources here.

Though the download link there (currently) points to the right place, who knows if that will last and what other sketchy links or ads they may run.

I would suggest a mod remove that link.
posted by SpookyFish at 4:45 PM on April 25, 2010


2. I don't download torrents. The only time I download anything is when my friends send me things via email/rapidshare.

What kinds of things are you downloading? You should treat any kind of executable with extreme suspicion and hostility, even if it's from a real good friend. Look, people just are clueless about this stuff. I work for a company that specializes in making enterprise security devices (firewalls, IPS, etc) and yet our own internal network is riddled with infected Windows machines. Windows is as full of holes as Swiss cheese, and the Internet is a minefield. There are a lot of vectors by which you can become infected, some of them very non-obvious. Just general advice though:

1. Keep everything up-to-date. Yes, sometimes newer stuff has bugs introduced but generally speaking major vendors are very quick to release security patches for publicly divulged vulnerabilities for which an exploit exists. The primary target are people who don't patch their software.

2. Never, ever use Internet Explorer. Never, ever allow ActiveX controls or java to run unless it's from, like, microsoft.com.

3. Never, ever open some random executable you found from an email forward or a rapidshare link, or whatever. Only get actual software from the actual vendors, from the link on their own homepage. Pretty much ever.

I can't help with cleaning the machine, I personally feel this is a waste of time. My advice would be to copy your important stuff off to a USB thumbdrive and re-install windows. Thanks to the idiotic "AutoPlay" feature it is possible for a payload to be put on the USB thumbdrive that will just re-infect your new computer, so I would offload the files on another OS entirely, reformat it, and copy the files back before reintroducing it to a Windows machine. This may be overkill because I deal with some really nasty payloads as part of work. It sounds like you just have some run-of-the-mill malware that is easily removed, but if you've seen the things I've seen, you'd nuke that computer from orbit and start fresh.

Good luck.
posted by cj_ at 4:50 PM on April 25, 2010


We exchange fairly pedestrian stuff, like word documents and audio.

I do have some files saved on my usb but am wary about plugging it into the computer I'm using now.

I was confused about which bug exactly (there appear to be three or four) was keeping me from running malwarebytes, combofix and hijack it but found this, so I think I will be able okay after I follow the instructions there. I'm guessing bleepingcomputer would be a good place to go the next time I'm confused.

Thanks!
posted by mmmleaf at 5:34 PM on April 25, 2010


Spookyfish: "Woah woah combofix.org is not a legit source for it."

Uh...since when? I've always downloaded it from there, and never had a problem. (yes, I am aware of the BleepingComputer forum link)
posted by jmnugent at 6:02 PM on April 25, 2010


Also, just FYI, if you find yourself unable to run malwarebytes or another security product like that, try renaming it's executable file!
posted by Funky Claude at 6:14 PM on April 25, 2010


I ran an MD5 checksum/compare between the ComboFix download from BleepingComputer and the one from ComboFix.org........ and the 2 files are identical. Of course I realize the content of those files could change at a moments notice,.. but I've been downloading from Combofix.org for quite a long time now,.. so... (if it was going to infect me, would'nt it have done so by now ?)
posted by jmnugent at 6:21 PM on April 25, 2010


What will you miss if you have to reload windows from scratch?
posted by Obscure Reference at 6:34 PM on April 25, 2010


FYI, here is a guide for complete removal of infections from a PC, previously posted on AskMeFi. It's a lot of work, but if the only alternative is wiping the hard drive and reloading Windows, it's worth considering.
posted by exphysicist345 at 7:51 PM on April 25, 2010


Well, there exist exploits in document readers, generally buffer overflows, such that various "infected" documents can run arbitrary code if maliciously crafted. For example, PDF and JPEG decoders have been vectors for such exploits in the past. And the number of browser vulnerabilities is mind-blowing (that's not *just* IE).

There's no way to know at this point, so it could be anything, just something to keep in mind. If I had to guess, you got tricked into allowing an activeX control to run at some point, at which point all bets are off.

Oh, and never run a "key generator" program except in a VMWare which you promptly burn with fire. Every single one of those is a trojan, literally. Even when they work.
posted by cj_ at 7:59 PM on April 25, 2010


Augh. It's possible I got it from a pdf, then.

Thanks for the link, exphysicist345.

I tried the rkill fix (ran it quite a few times because it didn't seem to do anything, but then my computer just froze up, so I restarted), but now Windows won't even boot. There's a black screen and the little bar about an inch from the bottom is frozen.

I'm ploughing through this thread but I'm probably better off just wiping the hard drive :[ Although popping in the disc doesn't seem to be doing anything either.

But thank you for the tips. I learned a lot today.
posted by mmmleaf at 8:27 PM on April 25, 2010


« Older Is my behavior completely wrong?   |   Help an apt dweller cope with a house. Newer »
This thread is closed to new comments.