Windows zero day nightmare exploited

[Jon]

To the people saying they had this occur months ago, please realise that an exploit is just an entry point for malware. The malware itself may well have existed for a long time, making use of other vulnerabilities.

[Chosen One]

hmm might explain why I for no reason got a bunch of virus stuff or malware, my mom and sister's comp has it too

[Banzai]

wow this looks like fun im going to run this baby in vmware and have some fun with it, when i get round to it would anyone find it useful if i wrote up some really basic removal instructions?

[+John Teacake MVC]

All the Icons on my desktop have a dark blue background round them does this mean Im Infected?

[goheels681]

Mine do too, but I'm not infected. Did you run regsvr32 /u shimgvw.dll too? I think that might be it.

[tomcat68]

Yeah, i got this b!tch yesterday. It fricken sucks... also... it disables your task manager so you can't run it. Tried logging into safemode as admin. I couldn't log in as I think it changed my password, and yes.. i did type it correctly. Its a nasty one!! And that video doesn't say enough. When you get it, you WILL know about it. I tried cleaning with ms antispyware, for some reason it kept shutting down!?!?! Also, i was unable to shutdown my pc unless i held my power button for 5 seconds. Needless to say, i formated and started over as i had a battlefield 2 match to attend to lastnight. I would have like to see more of what it did.

Also, i was not running any antivirus and i got it from IE. Typically, all my machines have AV and i run firefox, but this was my gaming computer, so i tend not to load misc stuff... As you can guess... that will be changing.

Tomcat

[Daylene]

Is it just me, or are all the sites that carry the exploit down? I've tried accessing the links that F-secure posted here: http://www.f-secure.com/weblog/ but they seem all down.

[canadian397]

Hey Guys,

Is there any way you could just block it in Tools>Folder Options>File Types? Like here's a screenshot:

Only thing is, what program should I register .WMF to? Help?

- Barret

[goheels681]

Nope, evidentally that does nothing. I'm still wondering about why my icons backgrounds turned blue on my desktop...I'm not infected, so I don't know what it could be

[Ap0x]

w00t...a friend of mine had this virus..

God its really a pain in th as* It disables task manager, deleting suspect .exe files doesnt work, trie to disable spy sheriff in msconfig and STILL booted somehow......well a quick format solved the case.. :crazy:

Hope it doesnt get to Neowin images...lol :shiftyninja: and hopefully MS will work fast to patch this..

[Mr. Dick C. Normous]

Hey Guys,

Is there any way you could just block it in Tools>Folder Options>File Types? Like here's a screenshot:

Only thing is, what program should I register .WMF to? Help?

- Barret

Deleting the association will not protect you. Changing it doesn't work completely either. It was one of the first things I tried. For some reason even without the association the file still runs and will recreate the association. That's actually what I meant in my last post where I said "deleting the extension". Sorry for miswording that. It was late and I was getting tired.

It would be great if a mod could change the first line of post #47 to read "file association" instead of "file extension".

@ Sawyer12 & Psgamer0921

Unregistering shimgvw.dll did not cause that problem on my system.

Edited December 29, 2005 by Mr. Dick C. Normous

[canadian397]

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

[TimRogers]

I'm making a virtual PC to test this virus out :)

[tomcat68]

anyone have a working link... PM me if need be... i want to play with it again... i can't seem to find it.

Tomcat

[Mr. Dick C. Normous]

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

For now this is the only known effective way. I don't really like it either. It took me more than a year to switch from viewing my images in IE lol. If you're careful and use a firewall you should be okay. Just don't allow internet access to anything you are not familiar with. DO NOT RELY ON WINDOWS FIREWALL!!! It will not protect you from this.

[+Troll Subscriber¹]

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

[madnuke]

Had the first one in today, god knows whats going to happen seeing as its new year. :no:

[tomcat68]

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

How is this free?? Don't you have to pay for NOD32 and SpySweeper? Also, I doubt everything is removed. I bet the taskmanager is still disabled among other things.

Tomcat

[goheels681]

Well somehow, the blue text went away for me. The only thing I can think of that I did was after I reregistered it this morning, was to unregister and reregister again. But I'm not totally sure if that fixed it

[Mr. Dick C. Normous]

Here is a registry file that will re-enable the task manager. The change should be immediate and not require a reboot.

enabletaskmanager.zip

[Banzai]

How to clean a computer infected by the wnf exploit

Right By now you should know if your infected, your know because your have a cross down by your clock telling you that you have been infected by spy ware, plus your wallpaper will be changed to tell you so.

OK so what to do,

1)

Click: Run, and type msconfig then hit enter. Under the startup tab

? you should find a few entry?s for winlogon.exe located in the folder inet20099, unchecked all of them.

? You will a entry for efsdfgxg.exe located in c:/windows/system32/ unchecked this.

? There should be an entry for cmd.exe something, ensure this entry is unchecked.

? There will also be an entry for wininstall.exe located in c:/ uncheck this

2)

For this I used a bartpe cd, but you should be able to use safemode but some have said that you cant enter safemode if infected.

Anyway boot into safemode by rebooting your system and keep pressing F8 on most systems until you get the prompt where you can chose to enter safemode.

In safemode remove the following files/folders

Remove folder c:\inet20099

Remove file c:\windows\system32\efsdfgxg.exe

Remove file c:\wininstall.exe

Reboot!

3) you will find your system isn?t totally fixed the virus is uninstalled but aspects like not being able to use task manger still persists. Unless you want to spend hours trying to fix this I suggest creating a new windows profile and using that instead. Because there?s so many little things the thing does to your system. If you need any more help PM me.

However one last thing, people are blowing this out of proportion unless you use doggy sites anyways like illegal downloads and software cracks you should be ok, this thing has the potential to be dangerous but unless you go looking for this thing at the moment you wont get it.

Also my advice is to do as Microsoft have said and run regsvr32 -u %windir%\system32\shimgvw.dll it will save you allot of hassle, for the sake of using this work around until ms patch this problem. And they will patch it soon.

Hope this helps

[tkyoshi]

According to Microsoft, apparently enabling full DEP/EVP will prevent this from executing as well. Do this if your computer has hardware DEP (Athlon 64/Sempron, Pentium 4 5XXJ/6XX series).

The default is essential services only as not all computers have hardware DEP/EVP built in.

[DrIndianaJones]

I stumbled across this nasty little bugger last night, hidden in an ad I assume. DEP indeed does prevent the virus/malware from running.

[DarkSim905]

With this exploit, along with some spyware yields this:

http://jacksonfools.com/aim_tmp/WindowsSucks.jpg

Took me a while to remove it. This one in particular in addition to removing ability to use Taskman disables your desktop properties so you cannot change the background. Quite interesting, but I'm not into testing how viruses / spyware / adware works. But if there are people there, I wouldn't mind learning a thing or two . Relatively easy to remove (Atelast the spyware / infection in question)

But is there a way to tell if any immediate damage has been done to my system?

[madnuke]

I'm advising reinstalls all round! Its going to be the only way god knows how many varients out and I was also wondering if DEP works?