Usapang Virus

**1D4LV** · May 26th, 2015 01:43 PM

Originally Posted by shadow

How about yun laging na redirect yun browser sa mga "powered by xxxx" or meron lumalabas na mga for sale ads sa girlie ng browser. How to remove those?

install a browser based adblocker bro.

**Syuryuken** · May 26th, 2015 02:01 PM

Originally Posted by shadow

How about yun laging na redirect yun browser sa mga "powered by xxxx" or meron lumalabas na mga for sale ads sa girlie ng browser. How to remove those?

anong browser mo? install ka ng adblock plus or ublock

**badkuk** · May 26th, 2015 02:12 PM

the symptoms are quite similar to what we had last year sa office. Nakita ko rin to on a cousin's flash drive. Eto ba yung gumagawa ng fake thumbs.db and desktop.ini, and me hidden file na *init* ?

You can see the files by opening a command prompt and running "dir/a/p" on the flash drive.

If you need to copy files from that flash drive, stick it into a linux box. The file managers typically list out all files, You may see a folder with no name, that's where your files are. In our case i just made sure i didn't copy any autorun.inf, desktop.ini, thumbs.db, *.init files. You can quickly do this by creating a bootable live USB of Ubuntu or Fedora. You will get the graphical UI so no Linux skills are necessary really(but do be careful what you delete).i try to keep one handy in case Windows goes awry.

i think the way it works is that the malware hides all the files on the flash drive under a folder with an unprintable name; you will be tricked into clicking the shortcut, which loads the malware code, hidden in the .init, desktop.ini, and thumbs.db files. afaik the two files get read by Windows Explorer, inadvertently running the code.

Better to check with your IT guys, but just to be safe, i deleted all desktop.ini and thumbs.db files on the flash drive.

If possible, back up and go for complete reformat. Even the better AVs today can't totally clean our malware. And don't forget to install AV.

afaik there should be some registry settings in Windows that prevents autorun,inf, desktop.ini and thumbs.db from being read automatically.

**shadow** · May 26th, 2015 03:06 PM

Originally Posted by 1D4LV

install a browser based adblocker bro.

Thanks...

Originally Posted by Syuryuken

anong browser mo? install ka ng adblock plus or ublock

Firefox...

Meron na ako Adblock plus eh, ganun pa rin

Nag simul ayan nun inalis ko Symantec eh

**1D4LV** · May 26th, 2015 03:17 PM

Originally Posted by badkuk

the symptoms are quite similar to what we had last year sa office. Nakita ko rin to on a cousin's flash drive. Eto ba yung gumagawa ng fake thumbs.db and desktop.ini, and me hidden file na *init* ?

You can see the files by opening a command prompt and running "dir/a/p" on the flash drive.

If you need to copy files from that flash drive, stick it into a linux box. The file managers typically list out all files, You may see a folder with no name, that's where your files are. In our case i just made sure i didn't copy any autorun.inf, desktop.ini, thumbs.db, *.init files. You can quickly do this by creating a bootable live USB of Ubuntu or Fedora. You will get the graphical UI so no Linux skills are necessary really(but do be careful what you delete).i try to keep one handy in case Windows goes awry.

i think the way it works is that the malware hides all the files on the flash drive under a folder with an unprintable name; you will be tricked into clicking the shortcut, which loads the malware code, hidden in the .init, desktop.ini, and thumbs.db files. afaik the two files get read by Windows Explorer, inadvertently running the code.

Better to check with your IT guys, but just to be safe, i deleted all desktop.ini and thumbs.db files on the flash drive.

If possible, back up and go for complete reformat. Even the better AVs today can't totally clean our malware. And don't forget to install AV.

afaik there should be some registry settings in Windows that prevents autorun,inf, desktop.ini and thumbs.db from being read automatically.

errrr. may not work bro.... the malware attaches itself to the windows registry so there is a need to have the registry not load in full (via safe mode) and clean...

**1D4LV** · May 26th, 2015 03:22 PM

Originally Posted by shadow

Thanks...

Firefox...

Meron na ako Adblock plus eh, ganun pa rin

Nag simul ayan nun inalis ko Symantec eh

baka mali ang configuration ng Adblock Plus mo bro...... It works for me.

- - - - - - - - - - - - - - - - - - - - - -

Originally Posted by shadow

Thanks...

Firefox...

Meron na ako Adblock plus eh, ganun pa rin

Nag simul ayan nun inalis ko Symantec eh

baka mali ang configuration ng Adblock Plus mo bro...... It works for me.

**shadow** · May 26th, 2015 03:24 PM

Originally Posted by 1D4LV

baka mali ang configuration ng Adblock Plus mo bro...... It works for me.

- - - - - - - - - - - - - - - - - - - - - -

baka mali ang configuration ng Adblock Plus mo bro...... It works for me.

Paano ba dapat configuration? Hinde ko run ma add yun ads Sa Adblock dati iadd ko Lang po na eh

**piscesboy** · May 26th, 2015 03:43 PM

*shadow: Lagi siguro sa adult site kaya ganyan, dineretso na agad sa favorite site. Haha. Jk!
Performing full scan in safe mode (avira,malwarebytes, superantispyware) pag dipa naayos to reformat ko na.

**piscesboy** · May 26th, 2015 03:49 PM

Sir 1d4lv, eto napansin ko, pag nagright click ako dun sa shortcut ng flahdrive then select open file location, sa windows/system32/rundll32 yung punta niya. I read it somewhere na legit ang rundll32 pero may malware daw na nangongopya ng same name para magtago sa mga legit ms prog

**1D4LV** · May 26th, 2015 04:07 PM

Originally Posted by piscesboy

Sir 1d4lv, eto napansin ko, pag nagright click ako dun sa shortcut ng flahdrive then select open file location, sa windows/system32/rundll32 yung punta niya. I read it somewhere na legit ang rundll32 pero may malware daw na nangongopya ng same name para magtago sa mga legit ms prog

tama bro. but as i've stated earlier, the virus/malware already embedded itself to the registry wherein an infected rundll32.dll runs instead of the original rundll file na malinis.

try to follow my previous advise first and let us know here what happens.
worst thing that you need to do is to have that formatted.

- - - - - - - - - - - - - - - - - - - - - -

Originally Posted by piscesboy

Sir 1d4lv, eto napansin ko, pag nagright click ako dun sa shortcut ng flahdrive then select open file location, sa windows/system32/rundll32 yung punta niya. I read it somewhere na legit ang rundll32 pero may malware daw na nangongopya ng same name para magtago sa mga legit ms prog

tama bro. but as i've stated earlier, the virus/malware already embedded itself to the registry wherein an infected rundll32.dll runs instead of the original rundll file na malinis.

try to follow my previous advise first and let us know here what happens.
worst thing that you need to do is to have that formatted.

The Largest Car Forum in the Philippines

Usapang Virus

Thread Tools

Search Thread

Display

Tags for this Thread

Verifpro - paypal, ebay, banks, crypto, docs and...

Car Sales Data (2024)

Verifpro - paypal, ebay, banks, crypto, docs and...

Verifpro - paypal, ebay, banks, crypto, docs and...

Car Sales Data (2024)

Car Sales Data (2024)

Car Sales Data (2024)