Quote:
    ...the Kaspersky tool that is Linux based so when you deploy it windows doesn't start...

You're starting to sound a lot like me, John! (or is it me sounding like you?)
Either way, I'd be mildly alarmed...

just looking for clues...
Oren.
http://www.masteringmatters.com
We all want to be cool like you when we grow up Oren!

If we grow up!

Lenovo Win 10 16 gig ram, Mac mini with 16 gig of ram, BiaB 2022, Realband, Harrison Mixbus 32c version 9.1324, Melodyne 5 editor, Presonus Audiobox 1818VSL, Presonus control app, Komplete 49 key controller.
Quote:
    ...last problem prompted me to go full linux on my internet computer, due to it kept coming back, even after two formats and four different AV assaults...

Good idea! When the drive is re-formatted to EXT2, EXT3, or EXT4 file systems, malicious code written for Windows can't survive.
It is one of life's great mysteries why Microsoft continues to use their ancient NT file system...

just looking for clues...
Oren.
http://www.masteringmatters.com
Quote:
    ...If we grow up!...

You got that right, Pardner...

just looking for clues...
Oren.
http://www.masteringmatters.com
Quote:
    Quote:
        ...If we grow up!...

    You got that right, Pardner...

Growing up puts you that much closer to death.

John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php
Quote:
    Quote:
        Quote:
            ...If we grow up!...

        You got that right, Pardner...

    Growing up puts you that much closer to death.

If growing up means growing dull... I agree!

just looking for clues...
Oren.
http://www.masteringmatters.com
OK had a brief look yesterday eve and this morning (the main problem here is that I have almost no time to devote to solving this problem).

In safe mode, this is what Sophos comes up with:

Warning: Failed to query live registry key \HKEY_LOCAL_MACHINE. You may not have access rights to the whole registry.

Area: Windows registry
Description: Hidden registry key
Location: \HKEY_LOCAL_MACHINE\SAM
Removable: No
Notes: (no more detail available)

As regards the 2 iexplore.exes, I took a look at them using ProcExp, and the properties are as follows:

Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: Removed as suggested below
Current directory: C:\Documents and Settings\Marc\Bureau\

Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:5460 CREDAT:79873
Current directory: C:\Documents and Settings\Marc\Bureau\

Last edited by mglinert; 04/07/11 12:19 PM.
mglinert #110688 04/07/11 07:49 AM
Looks like that blacboa URL is your first problem.
That page contains nothing but a script, according to web-sniffer.net

FWIW my properties show no URL after the iexplore program path.

It may be a problem that it is a clickable link above, and NOBODY CLICK ON IT!

mglinert, if you can still edit it, please remove it so nobody accidentally clicks on it. It's a public link to an infected site.

Last edited by rharv; 04/07/11 07:51 AM.

Make your sound your own!
.. I do not work here, but the benefits are still awesome
rharv #110689 04/07/11 12:42 PM
Gosh sorry Bob - sorry everyone. Hope no one was rash enough to click on it.

I can see now that I will almost certainly have to reformat the drive.

In my BitDefender Firewall I have just set the following rule:

Path: c:\program files\internet explorer\iexplore.exe
Any command line
Deny access

Yes I can still use IE to access the web!

I guess my concerns now are more these:

Where else might this malware reside?
Is my external HDD, on which my data is backed up, also infected?
After a Windows reinstall is there still a risk that the malware will have survived?

Thanks everyone

Marc

mglinert #110690 04/07/11 01:05 PM
Better safe than sorry. What you have sounds nasty if antimalware didn't find it. I'd update the antimalware and run again in safe mode. It keeps pretty current and a couple days can make a difference; I've seen that happen on a friend's machine.

Is there a chance the external drive is infected? Can't rule it out.
If the problem comes back that's one thing to suspect.

I'd unhook it for a couple days after fixing, see if everything seems OK, then pay attention after hooking it back up.. if it comes back you know there's an issue.

You don't show any unusual services running in task manager?
I often start looking for clues on what the infection is right there in task manager. Google the processes, and see what it is. Be careful where you go to check, as some of the sites that turn up will offer to run a 'free scan'... and you probably want to avoid that.

Personally I'd google that url too and see if others reported problems related to it.
Also, I'd search BitDefender support to see if there is a way to check that behavior.

Reformatting often results in a loss of a lot of data, and I try to avoid that first, even if time is a factor. Depends on how recent your backup was.

I looked at the main home page for that URL you showed previously and it has a script to write the URL into favorites right away if IE is the browser, then forcibly using a command common in other browsers using javascript before the page even loads. Then it runs some php commands I didn't want to try to follow. Pretty nasty site there for both pages I looked at the code for ..

Last edited by rharv; 04/07/11 01:21 PM.

Make your sound your own!
.. I do not work here, but the benefits are still awesome
rharv #110691 04/08/11 03:26 AM
I’ve been researching this a bit on the superspecialised web sites (majorgeeks, bleeping computer and what have you).
Apparently, the software protects itself from AV scans through changes it has made to the system at the registry level or even deeper.
One of the tools that is most frequently recommended for removing this protection in order to get at the malware is Kaspersky’s ‘TDSSkiller.exe’.
I can get this on to my machine, but it won’t run even when renamed (although it will on my other systems).

The standard procedure thereafter seems to involve the tools DDR, Gmer and Combofix and much expert analysis of the logs produced by these tools. The humble user is advised not to attempt to use these tools without supervision, so I have not.

Also, there are any number of support threads of this type which go on for pages (and weeks) and finish up with a still infected system.

The main symptoms I have are two bogus instances of iexplore.exe which start up shortly after bootup and without my having opened IE.
There seem to be a number of sites at the end of the command line that opens. If I close down one, the new process that opens to replace it is likely to have a different site in the command line, but they all appear to be equally suspect. These URLs are clearly written into the software (malware) as they appear when my connection is disabled.

The other symptom – which I appear to experience less frequently, if at all now – is URL redirect following searches with search engines.

When my internet connection is enabled, I note (from the BitDefender activity window) that data is being downloaded through these processes into my system; so far I have never seen any outbound data (i.e. data being uploaded from my system).

My guess now is that this infection pre-dated the installation of the ‘WindowsRepair’ virus, which must have been downloaded on to the PC through these processes. Indeed this kind of unwanted installation may be the very point of the iexplore.exe infection.

“Reformatting often results in a loss of a lot of data, and I try to avoid that first, even if time is a factor. Depends on how recent your backup was.”

Surely reformatting results in the loss of all data?
I can backup now (the system is still very much up and operational).
I have scanned my external drive (MalwareBytes, BitDefender) and it comes up clean, but then again so does my internal drive.

If there were just some failsafe way to stop any process called iexplore.exe from running, then that would help.

Thanks a lot Bob for your help
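The two iexplore.exe instances Marc listed earlier (one with a URL on its command line, the other carrying the SCODEF/CREDAT arguments IE8 uses to tie a tab process to its frame) and his wish above for a way to catch any iexplore.exe that starts on its own suggest a small triage check over a process listing. The Python below is an added example, not code from this thread or from any tool named in it; the process records are constructed (the pid values, the "unknown.exe" launcher and the example.invalid URL are placeholders), and the check flags IE instances by binary path, parent process and command line, then extends suspicion to tab processes owned by a flagged frame.

```python
import re
from dataclasses import dataclass

# Constructed sample data: the only values taken from the thread are the
# IE install path and the "SCODEF:5460 CREDAT:79873" command-line shape
# that IE8 uses to link a tab process to its frame process.
IE_PATH = r"c:\program files\internet explorer\iexplore.exe"
TRUSTED_PARENTS = {"explorer.exe", "iexplore.exe"}  # user shell or IE frame
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
LCIE_RE = re.compile(r"SCODEF:(\d+)\s+CREDAT:\d+")


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    cmdline: str


def triage(procs):
    """Return {pid: [reasons]} for every iexplore.exe that deserves a look."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    # Pass 1: judge each iexplore.exe on its own path, parent and arguments.
    for p in procs:
        if p.name.lower() != "iexplore.exe":
            continue
        reasons = []
        if p.path.lower() != IE_PATH:
            reasons.append("binary is not the installed iexplore.exe")
        if URL_RE.search(p.cmdline):
            reasons.append("URL on the command line")
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<exited>"
        if pname not in TRUSTED_PARENTS:
            reasons.append(f"started by {pname}, not by the user shell")
        m = LCIE_RE.search(p.cmdline)
        if m and int(m.group(1)) != p.ppid:
            reasons.append("SCODEF does not match the real parent pid")
        if reasons:
            findings[p.pid] = reasons
    # Pass 2: a tab process is only as trustworthy as the frame that owns it,
    # so a clean-looking SCODEF child of a flagged frame is flagged too.
    for p in procs:
        if p.name.lower() != "iexplore.exe" or p.pid in findings:
            continue
        m = LCIE_RE.search(p.cmdline)
        if m and int(m.group(1)) in findings:
            findings[p.pid] = [f"tab process of flagged frame pid {m.group(1)}"]
    return findings


# Constructed listing: one IE session the user opened, plus a pair launched
# by a placeholder program "unknown.exe" with a placeholder URL.
SAMPLE = [
    Proc(1000, 1, "explorer.exe", r"c:\windows\explorer.exe", "explorer.exe"),
    Proc(2000, 1000, "iexplore.exe", IE_PATH, f'"{IE_PATH}"'),
    Proc(2001, 2000, "iexplore.exe", IE_PATH, f'"{IE_PATH}" SCODEF:2000 CREDAT:71937'),
    Proc(4000, 1000, "unknown.exe", r"c:\docume~1\marc\locals~1\temp\unknown.exe", "unknown.exe"),
    Proc(5460, 4000, "iexplore.exe", IE_PATH, f'"{IE_PATH}" http://example.invalid/'),
    Proc(5461, 5460, "iexplore.exe", IE_PATH, f'"{IE_PATH}" SCODEF:5460 CREDAT:79873'),
]


def suspicious_pids(procs=SAMPLE):
    return sorted(triage(procs))


if __name__ == "__main__":
    for pid, why in sorted(triage(SAMPLE).items()):
        print(pid, "; ".join(why))
```

On a live machine the same records can be filled from Process Explorer's Path, Command Line and parent columns; a firewall rule on iexplore.exe blocks the traffic but does not tell you which process keeps relaunching it, which is what the parent column shows.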

mglinert #110692 04/08/11 05:00 AM
Marc,
I told you what to do. Why don't you do it?
Oren I guess he don't trust us Linux users. LOL


John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php
John,

I really appreciate your help and advice.

As Oren says above:

“If you have no previous experience with Linux and a live CD, think it over carefully. Success requires that you understand the fundamentals of your specific Windows release, plus a working knowledge of Linux and Live CDs - for instance, how to do an md5sum integrity confirmation of your download.”

I have never even seen a Linux system, let alone used one. And I have only the most cursory understanding of my own OS.

One of the principles I try to use in problem solving is not to make the situation worse than it is already.

While it is quite possible that a Linux-based clean up tool would take a look at my dormant Windows system, decide which file or files are the culprit and suitably eliminate them, I have no assurance of this scenario.

Also I am just a little surprised that this solution – if it is as risk free and effective as you suggest - is not more widely recommended in the specialist AV and PC support fora.

So, as Oren suggests, I am still thinking it over.

The solutions I plan to implement, in order, are as follows:
- continue Windows-based remedies and scans until I have reasonably exhausted them
- attempt to remount the image backup I have made with Reflect in the hope that it was made before any of this started occurring
- alternative OS based solution on bootable media (your recommended approach)
- reformat of internal HD and reinstallation of W XP (in the hope that my backed up data is not also infected)

All of these take a fair amount of time, which I do not have what with a FT job, a young family, a gigging band etc.

Because I have not performed your suggestion yet does not mean I have ruled it out.

Thanks again,

Marc

mglinert #110694 04/08/11 08:12 AM
The Kaspersky rescue disc IS NOT A LIVE LINUX CD. It is a removal tool that if you follow my instructions will clean your mess up.


John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php
Marc, if I were in your shoes I'd back up valuable data and then zap the bloody lot and start over with a re-format clean install of Windows 7 64 bit. Your symptoms sound extremely scary to me and I wouldn't muck about trying to repair things. I trust you don't do online banking as I'd be petrified of key loggers stealing my passwords. Sorry to sound alarmist, but it sounds like you need to regain confidence in your system.
My PC became slow a couple of months ago and although I had none of the scary stuff going on which you describe I nevertheless lost confidence. I keep copies of my important stuff on an external drive, so reformatted and installed Windows 7 64 bit and have never looked back. It was a pain re-installing a lot of music apps like plugins, etc. but the PC runs smooth and fast now.

John


Songs web site
YouTube Channel
BIAB 2019
Cakewalk by BandLab
Studio One 4
Skyline #110696 04/08/11 02:08 PM
Quote:
    Marc, if I were in your shoes I'd back up valuable data

I don't disagree with a reformat. It's an opportune time to get a fresh install. I wouldn't take that machine from XP to Win7x64 though. Not yet anyway.
What I wouldn't do though is back up the data on an infected machine and then reinstall it on a clean machine. There are some real nasty viruses that are known to corrupt EXE., like programs that you may have saved the EXE in a folder, files and when you go and reload these programs BANG back to square one. That's why it's best to try and clean the thing as much as you can first or you've got to bite the bullet and reformat the drive without saving anything. And then you may not be good. It can be bad. Sorry.


John
ESI Gigaport HD+
Lenovo Turion II /4 Gig Ram/ Win7x64 be
15.6" Monitor
"The only Band is a Real Band"
www.wintertexaninfo.com/BANDS/JohnnyD.php
Quote:
    The Kaspersky rescue disc IS NOT A LIVE LINUX CD. It is a removal tool that if you follow my instructions will clean your mess up.

That Kaspersky tool (and the one from AVG) is designed to function within the comfort zone of a Microsoft user, but still work with Windows disabled - and contain the open-source (Linux) elements required to recognise and eliminate Microsoft-dependent malicious code.
Invasive software that relies upon Windows' vulnerabilities to hide and "mutate" can not perform its trickery when your Microsoft operating system is dormant and Linux (from AVG or Kaspersky) is running the show.

Just make sure all your important files are backed up, then proceed with confidence.
Worst case - you accidentally scramble your drive and have to re-format. If this goes down, wipe the drive squeaky clean with "Darik's Boot and Nuke" (DBAN) and reformat to NTFS. Your system will be sanitized and ready for a fresh install... not such a bad thing...


just looking for clues...
Oren.
http://www.masteringmatters.com
Marc said:
Quote:
    One of the principles I try to use in problem solving is not to make the situation worse than it is already.

Marc I like your caution. I have always thought the expression "Don't do anything until you know what to do" has served me well through the years.

Oren said:
Quote:
    Just make sure all your important files are backed up, then proceed with confidence.

John (silvertones) said:
Quote:
    What I wouldn't do though is back up the data on an infected machine and then reinstall it on a clean machine. There are some real nasty viruses that are know to corrupt EXE., like programs that you may have saved the EXE in a folder, files and when you go and reload these programs BANG back to square one.

I'm certain when Oren said your "important files", he meant your data files; text files, mp3s, waves, Biab music files, etc. Unless you are a programmer or an extreme advanced user, I highly doubt you would need to back up any executable files; ".exe", "bat", ".com", etc. Your critical data files should be safe from malware infections, and once they have been copied to cd, dvd, or a separate usb drive, you can scan them when your system has been cleaned by one of the many processes mentioned here.

Lastly, I would like to suggest that since you live in France (found in your profile), you might do a search for some knowledgeable, friendly local Linux help. Europe seems to be a bastion for Linux.


Jim
†=☮&♥
Jim #110699 04/08/11 10:47 PM
G'day Marc,
I would have no trouble with using either the Kaspersky or AVG disks. I suspect you do not have a root kit or the root kit killer you tried would have fixed it. Root kit killers do only that, kill root kits. They are not normal AV or Anti malware tools and do not look for anything other than root kits.

hmm, there's a lot of root kits there...

Whatever malware is left is clearly hiding from your AV software so a tool like the Kaspersky or AVG boot CD is a good tool to use.


--=-- My credo: If it's worth doing, it's worth overdoing - just ask my missus, she'll tell ya laugh --=--
You're only paranoid if you're wrong!
mglinert #110700 04/09/11 04:22 AM
Marc,
If you're worried about infections being on your backup, don't remount the image backup.
Just backup your data and reformat and do a clean install.
When you're done your machine will be like new. Clean and fast and then make an image backup.

Wayne,
