Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Contributor

tomcat68

Posted
Posted

Yeah, i got this b!tch yesterday. It fricken sucks... also... it disables your task manager so you can't run it. Tried logging into safemode as admin. I couldn't log in as I think it changed my password, and yes.. i did type it correctly. Its a nasty one!! And that video doesn't say enough. When you get it, you WILL know about it. I tried cleaning with ms antispyware, for some reason it kept shutting down!?!?! Also, i was unable to shutdown my pc unless i held my power button for 5 seconds. Needless to say, i formated and started over as i had a battlefield 2 match to attend to lastnight. I would have like to see more of what it did.

Also, i was not running any antivirus and i got it from IE. Typically, all my machines have AV and i run firefox, but this was my gaming computer, so i tend not to load misc stuff... As you can guess... that will be changing.

Tomcat

Proficient

Ap0x

Posted
Posted

w00t...a friend of mine had this virus..

God its really a pain in th as* It disables task manager, deleting suspect .exe files doesnt work, trie to disable spy sheriff in msconfig and STILL booted somehow......well a quick format solved the case.. :crazy:

Hope it doesnt get to Neowin images...lol :shiftyninja: and hopefully MS will work fast to patch this..

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

Hey Guys,

Is there any way you could just block it in Tools>Folder Options>File Types? Like here's a screenshot:

post-25252-1135875465_thumb.jpg

Only thing is, what program should I register .WMF to? Help?

- Barret

Deleting the association will not protect you. Changing it doesn't work completely either. It was one of the first things I tried. For some reason even without the association the file still runs and will recreate the association. That's actually what I meant in my last post where I said "deleting the extension". Sorry for miswording that. It was late and I was getting tired.

It would be great if a mod could change the first line of post #47 to read "file association" instead of "file extension".

@ Sawyer12 & Psgamer0921

Unregistering shimgvw.dll did not cause that problem on my system.

Edited by Mr. Dick C. Normous
Collaborator

Mr. Dick C. Normous

Posted
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

For now this is the only known effective way. I don't really like it either. It took me more than a year to switch from viewing my images in IE lol. If you're careful and use a firewall you should be okay. Just don't allow internet access to anything you are not familiar with. DO NOT RELY ON WINDOWS FIREWALL!!! It will not protect you from this.

Veteran

+Troll Subscriber¹

Posted
  • Subscriber¹
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Contributor

tomcat68

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

How is this free?? Don't you have to pay for NOD32 and SpySweeper? Also, I doubt everything is removed. I bet the taskmanager is still disabled among other things.

Tomcat

Grand Master

Banzai

Posted
Posted

How to clean a computer infected by the wnf exploit

Right By now you should know if your infected, your know because your have a cross down by your clock telling you that you have been infected by spy ware, plus your wallpaper will be changed to tell you so.

OK so what to do,

1)

Click: Run, and type msconfig then hit enter. Under the startup tab

? you should find a few entry?s for winlogon.exe located in the folder inet20099, unchecked all of them.

? You will a entry for efsdfgxg.exe located in c:/windows/system32/ unchecked this.

? There should be an entry for cmd.exe something, ensure this entry is unchecked.

? There will also be an entry for wininstall.exe located in c:/ uncheck this

2)

For this I used a bartpe cd, but you should be able to use safemode but some have said that you cant enter safemode if infected.

Anyway boot into safemode by rebooting your system and keep pressing F8 on most systems until you get the prompt where you can chose to enter safemode.

In safemode remove the following files/folders

Remove folder c:\inet20099

Remove file c:\windows\system32\efsdfgxg.exe

Remove file c:\wininstall.exe

Reboot!

3) you will find your system isn?t totally fixed the virus is uninstalled but aspects like not being able to use task manger still persists. Unless you want to spend hours trying to fix this I suggest creating a new windows profile and using that instead. Because there?s so many little things the thing does to your system. If you need any more help PM me.

However one last thing, people are blowing this out of proportion unless you use doggy sites anyways like illegal downloads and software cracks you should be ok, this thing has the potential to be dangerous but unless you go looking for this thing at the moment you wont get it.

Also my advice is to do as Microsoft have said and run regsvr32 -u %windir%\system32\shimgvw.dll it will save you allot of hassle, for the sake of using this work around until ms patch this problem. And they will patch it soon.

Hope this helps

Mentor

tkyoshi

Posted
Posted

According to Microsoft, apparently enabling full DEP/EVP will prevent this from executing as well. Do this if your computer has hardware DEP (Athlon 64/Sempron, Pentium 4 5XXJ/6XX series).

The default is essential services only as not all computers have hardware DEP/EVP built in.

Community Regular

DarkSim905

Posted
Posted

With this exploit, along with some spyware yields this:

http://jacksonfools.com/aim_tmp/WindowsSucks.jpg

Took me a while to remove it. This one in particular in addition to removing ability to use Taskman disables your desktop properties so you cannot change the background. Quite interesting, but I'm not into testing how viruses / spyware / adware works. But if there are people there, I wouldn't mind learning a thing or two . Relatively easy to remove (Atelast the spyware / infection in question)

But is there a way to tell if any immediate damage has been done to my system?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • EA launches in-game advertising platform for brands to "connect with audiences"

      By fingletmein · Posted

      "to in-game content custom-made for the brands" Which EA will turn around and charge customers extra for in an attempt to double dip.
    • EA launches in-game advertising platform for brands to "connect with audiences"

      By SidVicious · Posted

      Disgusting.
    • NirLauncher 1.30.24

      By Copernic · Posted

      NirLauncher 1.30.24 by Razvan Serea NirLauncher is a suite of more than 200 of NirSoft's excellent portable freeware Windows utilities, and provides an interface that makes it easy to find and launch the tools you need. Which works for us - because there's something here for everyone. Have you forgotten a password stored in your browser or email client, for instance? Recovery tools here may be able to find them for you. Maybe you'd like to check your hard drive health? A disk tool will display its S.M.A.R.T. data (if the drive supports this), so you can view read/ write errors, temperature and other useful details. Is your system unstable? The System Utilities section includes several tools that can help to explain why your PC might be crashing. And there are a host of other programs on offer in categories like "Network Monitoring", "Web Browser Tools", "Video/ Audio Related Utilities", "Outlook/ Office Utilities" and more. Please note, perhaps because a few of these tools can be used maliciously (the password revealers, say), some antivirus programs will flag them as threats. We've never had a problem with any NirSoft tool, though, and you can read more on this issue at the author's site. NirLauncher is an excellent set of free tools, and a must-have for everyone's portable troubleshooting toolkit. NirLauncher Features: NirLauncher can be used from USB flash drive without need of any installation. NirLauncher and all the utilities in the package are completely freeware, without any Spyware/Adware/Malware. This package doesn't contain any 3-party software, toolbars, Web browser plugins, or other unwanted surprises. It will not install any software on your system and it will not change your Web browser homepage or other settings on your system. NirLauncher package includes variety of tools that you may need for your daily computer use, including utilities to recover lost passwords, to monitor your network, to view and extract cookies, cache, and other information stored by your Web browser, to search files in your system, and more... For every utility in the package, you can easily run it, view the help file, or jump to the Web page of the utility. When using it from USB flash drive, the configuration of every utility is saved into .cfg file on the flash drive. On x64 systems, NirLauncher automatically run the x64 version of the utility, when there is a separated x64 version. NirLauncher also allows to add more software packages in additional to the main NirSoft package. NirLauncher allows you generate plugin files for BartPE (Launcher -> Generate BartPE Plugin Files), so you can easily use the utilities of NirSoft from a bootable live windows CD. Additional packages (Piriform, SysInternals...) and instructions are available on the Nirlauncher download page. Note: This zip file below is password-protected. The password for extracting the files is nirsoft9876$ Download: NirLauncher 1.30.24 | 39.8 MB (Freeware) Link: NirLauncher Home Page | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Euro-Office must default to ODF to be considered "genuinely European", LibreOffice argues

      By MikeK13 · Posted

      What people who support this position of LibreOffice do not understand is that EuroOffice is not made to appease the open source enthusiasts (I am also one) and evangelists. EuroOffice was made because some European companies wanted independence from Microsoft Office Suite, which is something installable on your computer. This move to independence was pushed by public institutions and governments in Europe, as well. Using a proprietary FORMAT as default, does not make you dependent on MS. The actual program does. A format can be changed with a simple update in the future in a dystopian world where MS would manipulate the format to lock others out. However, using MS Office proprietary format, guarantees that all the current documents used by companies, organizations, institutions, etc, will be compatible with EuroOffice and the suite will have the best chances at adoption, especially by slow moving organizations like governments and the public sector. It is as simple as that. For the same reason, even the UI is incredibly similar to MS Office. For the same reason (adoption) the choice was made to be open source. Not because EU particularly loves open source ideologically, but because it gives the best starting point to create trust in the project and amass developers and contributions to the project quickly, to catch up with proprietary projects like MS Office. I don't understand how people don't realize it.
    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By WaltC · Posted

      How old is this tip? Seems 15-20 years old? Processor states for the CPU under Windows power options has been a thing for a long, long time. It certainly isn't new or hidden... Also, with laptops it doesn't make any difference what OS you are running, all of them are configured for battery longevity over performance, for obvious reasons. Wanted to add as well that most systems in use currently do burst as setup in the uefi bios settings, and usually when a setting is "hidden" like this in Windows it's because it's either obsolete or it is redundant--doesn't override the bios and the CPU drivers. There is a lot of crap in the registry that needs to come out...;) It's hamless and might consume 1-2kb of space in total, though.

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      512
    2. 2
      +Edouard
      205
    3. 3
      PsYcHoKiLLa
      136
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      85
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!