OT- Windows Restore Virus

Submitted by swdude12 on

I believe I got this virus from mgoblog.  I got it on my home cpu and I also got it on my work cpu, which i dont have admin rights too, so now I am kinda screwed. FYI be careful! It hides all your files and pretends to run a restore program, says your harddrives have crashed etc.

 

mikoyan

June 10th, 2011 at 9:41 PM ^

I got it twice at work both times were right after I visited here.  Then tonight when I first came on here, my virus checker at home caught it.  It is a nasty little virus.  Hides all your files.  Sets it up so you can't do Task Manager.  Etc.  I don't think it's from the blog, may be one of the ads.

joeyb

June 7th, 2011 at 4:53 PM ^

I doubt you got it from MGoBlog, because then more of us would have it and all of the browsers would be shitting themselves in fear again.

Those viruses do suck and I generally try to save whatever I can for a friend who gets this and then reformat because even if you remove it, it changes registry values and corupts files to the point that it's not even worth it to try to get it working like normal again.

MichiganMan2424

June 7th, 2011 at 5:05 PM ^

I got the same virus last night on my laptop. It just crashed 30 minutes ago.

In reply to by MichiganMan2424

Aero01

June 7th, 2011 at 5:56 PM ^

Got the virus this morning and was able to fix my registry and remove the virus. My harddrive failed an hour ago.

LB

June 7th, 2011 at 5:09 PM ^

whose confusers I babysit to just turn them off via the power button if they see any malware or a browser hijack. Some of these are really nasty. All of the machines I read MGoBlog with are happy right now (several). That didn't come from MgoBlog.

Dhani Bowtie

June 7th, 2011 at 5:11 PM ^

I got that last night on my work computer as well. I don't think it came from here but it may have been in a link or an ad we both clicked on. Seems like to much of a coincedence not to be related.

BiSB

June 7th, 2011 at 5:13 PM ^

Most of you have probably already done this after the MGoUnpleasantness, but if you haven't, download MalWareBytes and Rkill right now.  Install them right now.  We'll wait.

You'll really be glad to have those some day.

MKEblue

June 7th, 2011 at 5:39 PM ^

I've just recentely (once yesterday and once today) had AVG flag mgoblog as suspicious when I browsed to it and then it said it was blocking a file from downloading. It hasn't done that since the meltdown, so I was actually kind of waiting to see if something was up.

tdcarl

June 7th, 2011 at 5:55 PM ^

I got the same thing earlier. I ran a system restore which seemed to kinda work, but it hid all my files and made me damn near have a heart attack. I can deal with having hidden files, but is there anything else I should do to fix this bitch beyond malwarebytes?

swdude12

June 7th, 2011 at 6:14 PM ^

Ya im pretty sure it was from this site because at work I dont go that many sites...Mgoblog, detnews, yahoo, and espn. No i do not go to porn sites at work...i think i know better.

readyourguard

June 7th, 2011 at 6:16 PM ^

Our IT guy just warned us about this virus.  By any chance, are your running Microsoft Security Essentials?    He told us all to dump MSE and reload AVG Free.  He has 10 clients who experienced the same virus last week and all 10 ran MSE yet the virus got by it.

 

Sac Fly

June 7th, 2011 at 6:28 PM ^

This will not help you on XP, since the folders are named different. First go into options and click view hidden files. Go into the hard drive and into the program data file. You can find the malicious programs in this folder, one is a registry icon and another is a blue colored icon, looks like a puzzle peice. Both icons will be listed as applications in the file type, and will be larger than most of the files you see. Change the names of both and go into the task manager using crtl+alt+delete. Since you just changed the names you can look for both in the process folder, the most important one is decribed as privacy assist. End those processes, and delete the files you renamed. You should have 3 more random files at the bottom, delete those too. Unhide all your files on the C:/ only. The next part is more advanced, go C:/ to sys32 to drivers to ect. Open host file, and it should show your local host ip number 127.0.0.1. Under that should be blank, if not I can not help you anymore becuase im not a windows user and i can only do so much with my virtual machine. Anytime anyone has security issues im always available, send me an email [email protected]

MichiganStudent

June 7th, 2011 at 6:59 PM ^

I had MGoBlog on my office computer today for like 3 clicks. I didn't get it, as far as I know. 

 

Do you guys not work for companies that have good anti-virus tech?

Griff88

June 7th, 2011 at 7:51 PM ^

for Malwarebytes. It is not a stand alone anti-virus. However, it is a great compliment to whatever anti-virus you use. I also recommend making a backup of a good system configuration. Here is a free option that works well,

http://www.easeus.com/disk-copy/

EASEUS Todo Backup Free 2.5 will make an exact copy of your system. If something goes wrong you can use it to restore your setup. Using this system backup method will save you a lot of time and effort later. Easeus is not the only backup software available, there are many. However, it's free and has always worked for me. It also has the option for making a recovery boot disk. You can also use it to clone an image on a brand new Hard Drive, without having to do a new install of the operating system.

Here are a couple of videos on how the software works. The first one is an older video, but even though the software has been upgraded since it was made... the general principle on how it works, is still the same.

http://www.youtube.com/watch?v=AEyAtFJR8fI

http://www.youtube.com/watch?v=Ib99WihC8qI

name redacted

June 7th, 2011 at 7:58 PM ^

I use the free AVG, and last night it reported a threat while I was surfing MGoBlog.  I took a screen capture, its big I apologize, don't have time to shrink it. Because the weird URL it reported I figured it was one of the advertisements.  Also, I closed the tab and came back, no threats reported, surfed mgoblog for the usual 30 minutes, no more threats.  Only the first time.  Here is the screen cap :



 

 

 

Sac Fly

June 7th, 2011 at 8:24 PM ^

Blackhole came out a little while ago, and we should be familiar with it. It uses SQL injection and the URL redirect looks something like .co.cc That's the same thing that hit mgoblog a few months ago. It exploits java and adobe files, running in .jar or under the filename info.exe or on linux icinfo.exe. AVG can not pick it up, neither can most antiviruses.

The BlackHand

June 7th, 2011 at 8:01 PM ^

Dude, Get rid of windows and just install Linux. I have been virus free for many, many years. Either that or build yourself a system that will run OSX.

 

Even if you decided to use linux and you still need some microsoft apps like office. you can install crossover in linux and run MS office.

ottomatic

June 7th, 2011 at 8:17 PM ^

I work in the cybersecurity world, more on the vulnerability management and configuration management realm than with inciden response so my big contribituion would be to question if you're configration levels.



Here's what I know from looking at 230K assets everyday:



If you run Windows XP, you can be 100% patched and you are still vulnerable to dozens of exploits. As some of you have found out, you don't have to be logged in admin, or execute anyhing to get hit. If you are running a down level of Internet Explorer you are at risk. Adobe products and Java JRE are huge attack vectors. If you had my job you'd hate Adobe like posion. Adobe Reader X is an important half-step in the right direction.



Win7 with IE9, and Office 2010 is a tough nut to crack. As long as you are keeping up with MS and 3rd party paches this is optimal - if you have to use Windows. Firefox and Chrome need to be he newest version.



AV software is hit and miss. It's all signature based and none is perfect. On our high sensitivity systems we run two different AV soultions and trust neither.



Here's the problem, modern cyber criminals aren't pushing malicious malware like what you are seeing. They don't want you having to reimage your system. They want to get in and stay in - low and slow so they can steal your shit. This malware comes from some dickhead in Columbus using Metasploit to exploit mgoblog. Probably T. Pryor using a sweet borrowed laptop.

thisisme08

June 8th, 2011 at 9:51 AM ^

So to cliff note that; dont be an idiot and keep your system updated and you will more than likely have a nice safe browsing experience?

Honestly the OSX agrument is sooo old, I do believe they just got hit with a round of malware attacks a couple weeks ago yes? How many of these people that are getting virus warning s are running XP SP2 w/ IE7 or Win7 w/out a firewall or AV program meanwhile I keep my laptop up to date (not hard people, you can set it to automatic) and I have yet to encounter a virus even during the Mgoapocalypse.  Doing your due diligence is a must. 

Tater

June 7th, 2011 at 9:08 PM ^

Avast stopped a couple of things for me yesterday while I was on mgb, but I thought it was because I was downloading music from "the daemon."  Avast is pretty cool for free; I took a paid version of Norton off of my computer to put Avast on, and have almost no problems.  

Indiana Blue

June 7th, 2011 at 9:09 PM ^

is so obviously a fake.  The intent is to get you to buy their "fix".  If you know how to analyze your entire system, you can delete all recent files installed on your system .... I did this once ..it's a PITA.   

I have over 20 PC systems at work & 2 of them recently got this (real Windows errors are never this colorful or graphic).  I immediately shut down the the computers, took them to a local PC store and they fixed them in about an hour ... for $99.

Doesn't have to be porn .... it just happens in cyber-space.

Go Blue !

ps  -  Pryor .... wawwawawawawwaaaaaa !

phork

June 7th, 2011 at 10:05 PM ^

I got this virus as well from mgoblog last night.  My stuff still isn't straight.  While i got my desktop back in order, the start menu is still FUBAR'd, no idea how to get it back.

swdude12

June 7th, 2011 at 10:15 PM ^

I downloaded unhide.exe and it unhides all the files and stuff.  right click on the start menu and click properties and look at the options.

phork

June 7th, 2011 at 10:35 PM ^

Firefox or Chrome + adblock 4tw.  This is my work laptop unfortunately it still uses IE7 and our Enterprise AV is McAfee...  God help us all.