Windows zero day nightmare exploited

By byte
in Back Page News

 Share

Recommended Posts

Contributor

tomcat68

Posted
Posted

Yeah, i got this b!tch yesterday. It fricken sucks... also... it disables your task manager so you can't run it. Tried logging into safemode as admin. I couldn't log in as I think it changed my password, and yes.. i did type it correctly. Its a nasty one!! And that video doesn't say enough. When you get it, you WILL know about it. I tried cleaning with ms antispyware, for some reason it kept shutting down!?!?! Also, i was unable to shutdown my pc unless i held my power button for 5 seconds. Needless to say, i formated and started over as i had a battlefield 2 match to attend to lastnight. I would have like to see more of what it did.

Also, i was not running any antivirus and i got it from IE. Typically, all my machines have AV and i run firefox, but this was my gaming computer, so i tend not to load misc stuff... As you can guess... that will be changing.

Tomcat

Proficient

Ap0x

Posted
Posted

w00t...a friend of mine had this virus..

God its really a pain in th as* It disables task manager, deleting suspect .exe files doesnt work, trie to disable spy sheriff in msconfig and STILL booted somehow......well a quick format solved the case.. :crazy:

Hope it doesnt get to Neowin images...lol :shiftyninja: and hopefully MS will work fast to patch this..

Collaborator

Mr. Dick C. Normous

Posted
Posted (edited)

Hey Guys,

Is there any way you could just block it in Tools>Folder Options>File Types? Like here's a screenshot:

post-25252-1135875465_thumb.jpg

Only thing is, what program should I register .WMF to? Help?

- Barret

Deleting the association will not protect you. Changing it doesn't work completely either. It was one of the first things I tried. For some reason even without the association the file still runs and will recreate the association. That's actually what I meant in my last post where I said "deleting the extension". Sorry for miswording that. It was late and I was getting tired.

It would be great if a mod could change the first line of post #47 to read "file association" instead of "file extension".

@ Sawyer12 & Psgamer0921

Unregistering shimgvw.dll did not cause that problem on my system.

Edited by Mr. Dick C. Normous
Collaborator

Mr. Dick C. Normous

Posted
Posted

okay, then what's another way of banning WMFs on my WinXp Computer? I don't want to disable Windows Image & Fax Viewer cause I always use it.

For now this is the only known effective way. I don't really like it either. It took me more than a year to switch from viewing my images in IE lol. If you're careful and use a firewall you should be okay. Just don't allow internet access to anything you are not familiar with. DO NOT RELY ON WINDOWS FIREWALL!!! It will not protect you from this.

Veteran

+Troll Subscriber¹

Posted
  • Subscriber¹
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

Contributor

tomcat68

Posted
Posted

Fixed a computer with this over Christmas...

They took the computer in to Best Buy and were told that the only way to fix it was to format and then purchase some anti-spyware for a total of $90!!!

I uninstalled Norton, and every other crap program, then put on Nod32 + SpySweeper + Crap Cleaner and everything is running great. The beehappyy.biz site with the spyware is detected in Nod32. Also made sure to place Irfanview on the machine so the Windows Image & Fax Viewer isn't needed.

Hopefully nobody will pay to get this off of their machine :)

How is this free?? Don't you have to pay for NOD32 and SpySweeper? Also, I doubt everything is removed. I bet the taskmanager is still disabled among other things.

Tomcat

Grand Master

Banzai

Posted
Posted

How to clean a computer infected by the wnf exploit

Right By now you should know if your infected, your know because your have a cross down by your clock telling you that you have been infected by spy ware, plus your wallpaper will be changed to tell you so.

OK so what to do,

1)

Click: Run, and type msconfig then hit enter. Under the startup tab

? you should find a few entry?s for winlogon.exe located in the folder inet20099, unchecked all of them.

? You will a entry for efsdfgxg.exe located in c:/windows/system32/ unchecked this.

? There should be an entry for cmd.exe something, ensure this entry is unchecked.

? There will also be an entry for wininstall.exe located in c:/ uncheck this

2)

For this I used a bartpe cd, but you should be able to use safemode but some have said that you cant enter safemode if infected.

Anyway boot into safemode by rebooting your system and keep pressing F8 on most systems until you get the prompt where you can chose to enter safemode.

In safemode remove the following files/folders

Remove folder c:\inet20099

Remove file c:\windows\system32\efsdfgxg.exe

Remove file c:\wininstall.exe

Reboot!

3) you will find your system isn?t totally fixed the virus is uninstalled but aspects like not being able to use task manger still persists. Unless you want to spend hours trying to fix this I suggest creating a new windows profile and using that instead. Because there?s so many little things the thing does to your system. If you need any more help PM me.

However one last thing, people are blowing this out of proportion unless you use doggy sites anyways like illegal downloads and software cracks you should be ok, this thing has the potential to be dangerous but unless you go looking for this thing at the moment you wont get it.

Also my advice is to do as Microsoft have said and run regsvr32 -u %windir%\system32\shimgvw.dll it will save you allot of hassle, for the sake of using this work around until ms patch this problem. And they will patch it soon.

Hope this helps

Mentor

tkyoshi

Posted
Posted

According to Microsoft, apparently enabling full DEP/EVP will prevent this from executing as well. Do this if your computer has hardware DEP (Athlon 64/Sempron, Pentium 4 5XXJ/6XX series).

The default is essential services only as not all computers have hardware DEP/EVP built in.

Community Regular

DarkSim905

Posted
Posted

With this exploit, along with some spyware yields this:

http://jacksonfools.com/aim_tmp/WindowsSucks.jpg

Took me a while to remove it. This one in particular in addition to removing ability to use Taskman disables your desktop properties so you cannot change the background. Quite interesting, but I'm not into testing how viruses / spyware / adware works. But if there are people there, I wouldn't mind learning a thing or two . Relatively easy to remove (Atelast the spyware / infection in question)

But is there a way to tell if any immediate damage has been done to my system?

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.