i've been hacked--warning!!!

[Steve Cebu]

I run a firewall and that stops a lot from getting through. You might just think your PC is clean when in fact it could have bad stuff on it. It's best to check if you have nothing then you are lucky.

[RaymondV]

I had this same thing on Friday night.
It was a pain in the a$$ to get rid of it.

[JACKSJE4]

As some of you know, my primary "day" job is to provide computer tech support for a very large, global company. While I am a small fish in a large pond, I occasionally stumble upon simple solutions to what seem like big problems. This week I spent 10-12 hours each day assisting my "customers" with removing the "XP Security 2012" malware (and several other versions like it) from their computers. Through lots of researching, conversing with coworkers across the country who perform the same function, as well as a LOT of trial and error, we developed an approach to removing this @#$%^& malware that appears to be simple and effective. Remembering this thread, I thought I would post it here to help save all of you some time should your computer become infected.


It's important to note that our company is a Windows XP shop, so this remedy was developed for Windows XP users. I do not know how/if it will work on any other version.


1. Find the link on the XP security 2012 'scan' page to "register/activate" the software (typically in the upper right) and enter this Registration Key: 3425-814615-3990. The malware will activate, and drop some of its defenses.

2. Download and run Rkill.exe ( Bleeping Computer Downloads: RKill ) Note: rkill takes 15-25 seconds to appear after you launch it, so be patient! Rkill will end all spyware processes and allow you to install Malwarebytes

3. Download, install and update the free version of Malwarebytes ( Malwarebytes : Free anti-malware, anti-virus and spyware removal download ). This program will remove the malware files and registry keys. Perform a "quick scan" and remove all infections it finds. Click on "Yes" to reboot your computer when it is done.

4. Save the text file (attached below) to your desktop. Change the file extension of this txt file to .reg and run it on the system. This will correct any file association issues that some versions of the malware create

5. Click Start -> Run, and type sfc /scannow on the "Open" line. Click OK. This will correct any residual windows system file issues that can cause problems with the network card, among other things.

6. Reboot your computer.


I also recommend creating a second user account with full administrator access. Some versions of the malware will not activate with the above code, and rkill will not run while the malware is active. To get around this issue, you can right-click on rkill.exe and select "Run As..." then enter the name and password (if any) of your second user account. rkill should launch and run normally.

I sincerely hope you don't fall victim to any of the malware programs circulating around the internet right now, but if you do, these steps should help you get your computer healthy again.

Jeff

[beachcat]

Jeff, this information is valuable! Thank you for sharing it.. this needs to be made a sticky for future references

[RaymondV]

I got this damn thing on my computer again today.
I used Jeff's method to get rid of it.

[Microbus99]

Jeff, Thanks for your technical expert advice. I got bit by the same viruses mentioned by everyone. Its usually calls itself an "antivirus removal program" and totally takes over your computer. It was also on my work laptop and wouldnt let me access our secured server. I run Mcaffee Antivirus and the virus disables this program.

I had to send my laptop to our corporate IT department and they took care of it. I have no idea how they did it but they returned my computer in the exact condition before the virus attacked. Windows Restore doesnt change anything and Malwarebytes didnt help either.

Surf the net wisely!!

[Meathead]

My wife's laptop just picked it up. She has Vista though. Opened a window called "System Check" Any suggestions for removal? Is it the same process as XP?

[mark1120]

Has anyone else sent a PM to Sid? I did so about a week ago, but at the time I wasn't 100% certain that pachitalk.com was the source...but that's obviously the case now. I'm now hesitant to visit the site. About 20% of the time, my malware alert goes off when I log on.

[RaymondV]

My wife's laptop just picked it up. She has Vista though. Opened a window called "System Check" Any suggestions for removal? Is it the same process as XP?

I have Vista, it worked for me.
I don't think Pachitalk is the source, not for me anyway.

[owennewton]

It is the banner ads that are the issue and not the site.

[Steve Cebu]

It is the banner ads that are the issue and not the site.

Time for some new sponsors then.

[luckydog]

I don't think the people running ads are responsible, the ads are being hacked too!!

[JACKSJE4]

I am not sure what the source of this malware is, but I suspect that a "seed" is transmitted via Java, Flash, a .JPG or some other transport medium, and then the "seed" slowly downloads the malware installer over a short period of time and assembles/builds the malware on your hard drive. I have been infected with it on my computer, and the only sites I had visited was CNN, Craigslist and PachiTalk. I assisted one of my work "customers" who got hit over the Christmas weekend, and all he did was connect to his parents WiFi network, and without opening a web page it took over his computer (possibly transmitted by another computer on the network??). Perhaps there are multiple ways it can propagate.

Vigilance is key. Be careful of the sites you visit and make sure you have both a virus AND a malware detection program running at all times. (Virus and Malware are two completely different animals).

[Meathead]

Are there any recommended free anti-virus and malware programs? I have always hated some of the commercially available programs. They have dramatically slowed down my computer and greatly increased the time to boot up. My last installation of Norton I could not uninstall when I wanted to.

[Microbus99]

You're the man Jeff. By the way I've never had this problem with this site. However, when I'm logged into the VW/Audi server, it wont let me into Pachitalk because it picks up the word "gambling" somewhere and blocks it. Not every time but its funny when it does sometimes.

Thanks again. We need you on our IT team!

[luckydog]

malwarebytes and windows essentials are free

[owennewton]

Avast and Comodo are good virus protection and comodo is also a great firewall

[Steve Cebu]

I use Comodo, it works very well all the years I've used it.

[Sid]

In regards to the Malware coming from Pachitalk.

just saying or declaring that the PT is infected without pointing out exact details of where and or what happened is like saying the sky is falling the sky is falling
there is no way to go over the entire site to see if there is an infection without some help. merely stating PT is infected without exact instances of where it occurred what you saw etc doesnt do much to help.
neither does making generalizations that PT is the source of the malware. if it was the case i am sure that we would have had a great many more users pointing it out.


as for the ads, our ads are provided by Google Adsense, they are reputable(industry leader in web advertising).. does this mean that there wont be issues from time to time. nope.. but they are reputable.
should i turn the ads off? sure. but they are the thing that pays for the hosting of the site and cost of domain renewals, and software renewals.


and finally me answering my PM's or Emails, every effort is made to reply to PM's and email but...

As much as I'd like to have PT be the only thing i do with my life and be here 24/7 and give it sole priority in my life.
i have the following things that unfortunately take precedent

1) Full time job which entails a lot of overtime
2) a Son that i am trying to see as much of as i can
3) a significant other
4) my need to actually get away from a computer and out of my mom's basement...
5) its the holidays.. i'd like to enjoy them with friends and family...

[Sid]

Jeff Thanks for your helpful malware removal tips..