Please help Onlinestability.com malware infestation

EQTitan

Diamond Member
Jun 4, 2004
A customer of mine came to me with the following symptoms.

Popups
W32.SkyBright.D@mm infection
Onlinestability.com browser hijacking
Wallpaper turned Ad for antivirus software
Random popups saying Windows Suspicious Threat detected please click here to fix problem

They are using Mcafee software provided to them from Comcast

So far I have run NOD32, AVG, S&S, and I am getting ready to run Ad-Aware. The results are all the same; nothing has changed. It never finds onlinestability in any of the results. I did do a search online about the file and the site, which just leads to a never-ending hurdle of software apps that claim to remove it (and don't).

So, if anyone has experience dealing with this infection, please please help me out.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Could you

0) set a System Restore point, so you can go back to your starting point if things get worse instead of better. You also might see if there's a System Restore point that is prior to the infection, if you know when it began.

1) download WinsockFix to the computer and save it. If the IntarWeb doesn't browse anymore after removing bad stuff, this may fix it.

2) Download HijackThis and extract it out of its Zip file to a permanent location, then run it, scan & save logfile, and post the logfile here, if you are OK with that.

3) Download Panda AntiRootkit to the computer and run it, doing the in-depth scan that requires a reboot. If it detects rootkits, please note the precise names and report them?

4) Run the F-Secure online scanner while the system is in Safe Mode With Networking. Save a report at the end and post the results if they're interesting. This is an ActiveX-based tool, so use Internet Explorer.


BTW it turns out I reviewed Onlinestability.com myself here and based on that, it's almost certain to be a Zlob attack. If you want a suggestion, throw on AOL Kaspersky in place of the antivirus it's got now, and scan with that. They go after Zlob pretty aggressively (McAfee, by contrast, is basically useless on Zlob). The secondary infections may also be recognized as fraudware.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
A couple more suggestions:

1) run the Malicious Software Removal Tool, which targets Zlob and Renos (the fake alerts from the System Tray).

2) other suggestions here, and note #6 especially. If it turns out to be a Trojan Horse, then user education is required or everything else is likely to be in vain.
 

EQTitan

Diamond Member
Jun 4, 2004
Ok, downloading the arsenal of software and transferring it to my usb drive to then put on the said computer. I'll let you know in like an hour (or thereof).

BTW mechBgon, best AT'er I have ever had the exchange of words with; not the first time you've been there to rescue me.....
 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
Smitfraudfix, RogueFix, and/or Combofix should get rid of the trojan and desktop hijackers.

Here's what I would do.

1) Download and install SUPERAntiSpyware (SAS) but do not run it yet
2) Download my rogue removal kit and extract as a folder to c:
3) Reboot to safe mode w/ networking
4) Disable system restore
5) Navigate to c:\rogueremoval, check the README and follow the directions - if combofix reboots your pc be sure to go back into safe mode w/ networking!
6) Run SAS, look under preferences > scanning control - enable everything, now run a complete scan. It will ask you to reboot if it finds anything, so if you choose to do so boot back into safe mode w/ networking!
7) Run an F-Secure online and/or NOD32 online scan

* If your internet stops working at any point SAS has an option to repair the winsock under preferences > repairs. Otherwise run the WinsockFix.

Update: I just updated the rogueremoval.zip so please download it again. :)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Originally posted by: John
Smitfraudfix, RogueFix, and/or Combofix should get rid of the trojan and desktop hijackers.

Here's what I would do.

1) Download and install SUPERAntiSpyware (SAS) but do not run it yet
2) Download my rogue removal kit and extract as a folder to c:
3) Reboot to safe mode w/ networking
4) Disable system restore
5) Navigate to c:\rogueremoval, check the README and follow the directions - if combofix reboots your pc be sure to go back into safe mode w/ networking!
6) Run SAS, look under preferences > scanning control - enable everything, now run a complete scan. It will ask you to reboot if it finds anything, so if you choose to do so boot back into safe mode w/ networking!
7) Run an F-Secure online and/or NOD32 online scan

* If your internet stops working at any point SAS has an option to repair the winsock under preferences > repairs. Otherwise run the WinsockFix.

Update: I just updated the rogueremoval.zip so please download it again. :)

:thumbsup: John is the pro here, listen to his advice :cool:

 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
Nah, I'm just a geek like you. :p I should have said "if" mech's sound advice doesn't get rid of the problem(s)..... :beer:
 

montag451

Diamond Member
Dec 17, 2004
You may have to run winsock depending on what you managed to get rid of.

Make sure you dl the right winsock - i.e., not the win98 version ;-(
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Yeah, bust out WinsockFix now, or use the feature in SUPERAntispyware that John described above.

Originally posted by: John
Nah, I'm just a geek like you. :p I should have said "if" mech's sound advice doesn't get rid of the problem(s)..... :beer:

:beer::D
 

EQTitan

Diamond Member
Jun 4, 2004
I did the WinsockFix 1.2 that mechBgon linked to and still have the same issue, but I'll try the SAS one when I get back home.

Also, on a side note, what if anything do you guys/gals charge customers/friends/family to do repairs/virus removal/data backup?

I have a lot of people that come to me that want Windows reinstalled but don't have the restore disk or are currently using a bootleg Windows install. What do I do, guys? Tell the customer sorry, I can't help you unless you're willing to buy the Windows disk?

Thanks in advance
 

John

Moderator Emeritus, Elite Member
Oct 9, 1999
Originally posted by: EQTitan
I have a lot of people that come to me that want Windows reinstalled but don't have the restore disk or are currently using a bootleg Windows install. What do I do, guys? Tell the customer sorry, I can't help you unless you're willing to buy the Windows disk?

You can still service the pc, but explain how it's important to have a legal OS. I would never use their Corp copy, or my own if I had one, to do a repair or clean install. It's unethical. :p Make them aware of the bootleg OS, and depending on the VLK they are using it could block the installation of SP1 or SP2. An unpatched OS is going to be a malware harvester of sorrow.

 

EQTitan

Diamond Member
Jun 4, 2004
OK, last question for you two fine gents. What antivirus do you recommend, both free and subscription based?
 

Medea

Golden Member
Dec 5, 2000
Check your HOSTS file. That's usually where Onlinestability.com and other sites are. Make sure they're gone.
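An added example of the HOSTS check Medea suggests, written here and not taken from the thread: it parses a HOSTS file and flags entries a clean machine would not have, such as the hijacker domain pinned to an address or security-vendor sites blackholed to loopback. The sample HOSTS content, the bad-domain list and the vendor list are constructed assumptions; on a real XP box the file lives at %SystemRoot%\System32\drivers\etc\hosts.

```python
# Constructed sample of a Windows HOSTS file (not from the thread): one
# legitimate loopback entry plus hijack-style entries of the kind described.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.mcafee.com          # vendor site blackholed
127.0.0.1       update.nod32.com
203.0.113.10    onlinestability.com     # hijacker pinned to an address
203.0.113.10    www.onlinestability.com
"""

# Assumed lists: the domain named in this thread, and vendor domains that
# fake-alert malware commonly blocks so the victim cannot fetch updates.
KNOWN_BAD_HOSTS = {"onlinestability.com"}
SECURITY_VENDOR_SUFFIXES = ("mcafee.com", "nod32.com", "kaspersky.com",
                            "f-secure.com", "symantec.com", "microsoft.com")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, name.lower()) for name in names)
    return entries


def audit_hosts(text):
    """Return (ip, hostname, reason) for every entry that warrants a look."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue  # the only entry a stock Windows HOSTS file carries
        base = name[4:] if name.startswith("www.") else name
        if base in KNOWN_BAD_HOSTS:
            findings.append((ip, name, "known hijack domain pinned in HOSTS"))
        elif ip in LOOPBACK and base.endswith(SECURITY_VENDOR_SUFFIXES):
            findings.append((ip, name, "security vendor site blackholed"))
        elif ip not in LOOPBACK:
            findings.append((ip, name, "non-loopback override"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:<16}{name:<28}{reason}")
```

To check a real machine, read the file into `audit_hosts` instead of `SAMPLE_HOSTS`; an empty result means the file only maps localhost.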