Malware/Privacy Intrusion Virus in P.M.'s?!?!

I've been using Vipre Premium for a while now and it's been pretty good about blocking everything that tries to squirm into my PC. I also recently installed that Malwarebytes script as well, but in the few days I've been running both of them together, not got a peep from either one about any malicious code being present on any pages here.

I think that if you keep your virus and malware definitions up to date, and keep your OS up to date as well, you can greatly limit your exposure. And NEVER, EVER click on ANY attachments or embedded URLs that come to you via email, no matter who they are from.

I got the vista version of this virus (It's the same for XP, vista and 7) and there are different versions other then the antivirus.

I didn't get it from here, however. I got it from NFL.com. I purged my system on the 13th when I got it. I got it again a day later at aprox the same time. After some extensive digging, I've learned that its caused by a cookie. Clear them out and then run the anti-malwayre program of your choice. (I'm using malwayre bytes pro, and spyware DR.) It took me 3-4 clearings before getting rid of all the root issues, but it still has some elements that neither program can fix. To see if you have anything still lurking around in your system, here's some steps you might want to take.

Open up a document, and input this:

C:\Users\(your name here)\AppData\Roaming
(my leftover was "WallpaperSS")

C:\Users\(your name here)\AppData\Local
and look for .exe files. (ex: vlr.exe, tbl.exe)

If you cant see hidden files, then go to:

Control Panel\Appearance and Personalization

Click on "Folder Options", then click on the "View" tab on the window that pops up.

You'll see "show hidden files and folders" click on that, and "Hide extensions for known file types" along with "Hide protected operating system files". (when you're done, click on them back if you dont want to see the hidden files) then click "ok" not "apply"

(hope I didn't confuse anyone lol)

Utta, Latest combofix will get it in one swipe. They had an update the day my work pc got it for the 2012 version. Takes about 15 min to repair on avg pc. I've used it on about 6 or 7 other 2012 antivirus pc's since then and it grabs everything. It will reboot your pc several times. Nice thing is, I had it going on 3 computers at once and all 3 one week later seem fine.

I read a large thread on the BP forums about this happening. It seems that most of these attacks occur while in the classifieds section. I had the same issue yesterday and while I don't remember the site it was from, I do remember that it was the same one listed in the BP.net forum. The admin gave the Op to that thread your contact info Rich. Thankfully Norton caught and stopped mine.

There are infections now that require only the display of a particular banner ad on your screen, no clicking required.
I've dealt with them on three occasions, but I have never known the mechanism of the infection. I tend to think the banner is remotely hosted, not stored on the site it is being displayed on. That would make it more difficult to pinpoint.
The biggest problem with the ones I have had to deal with is they must be completely cleaned in one go, many of the files installed are capable of replicating the entire virus on the next reboot, so if you miss one, you're back at square one.

The anti virus and malware programs are all well and good, but no real protection plan should be without a complete system backup done on a regular basis.
I image the C drives on all my computers regularly so when the really nasty infections come along I always have the last resort option of restoring the last good image with minimal loss of recent changes. I currently use Acronis True Image for this.
It has saved my bacon and kept me from having to do a full wipe and start from scratch on many occasions.

So, are these banner ads being passed through Google?

Yes they are remotely hosted and it could be google or other ad hosting. Flash is the biggest culprit. I fixed another pc last night and the people said they were on yahoo news when they got hit. Unfortunately they clicked to fix and got nailed.

Quote:

Originally Posted by Clay Davenport

The biggest problem with the ones I have had to deal with is they must be completely cleaned in one go, many of the files installed are capable of replicating the entire virus on the next reboot, so if you miss one, you're back at square one.

As i have stated before, combofix will take care of it. If manually cleaning or using another program, You need to turn off system restore and delete restore points or it will come back on reboot.

Quote:

Originally Posted by JColt

As i have stated before, combofix will take care of it. If manually cleaning or using another program, You need to turn off system restore and delete restore points or it will come back on reboot.

Well the thing that is interesting about this is that apparently the people trying to infect viewers with malicious code are willing to PAY to be able to do this. I would think that Google would require a payment account to be set up with them before accepting any ads.

Unless I just don't understand the vehicle being used in the delivery method.

Quote:

Originally Posted by WebSlave

Well the thing that is interesting about this is that apparently the people trying to infect viewers with malicious code are willing to PAY to be able to do this. I would think that Google would require a payment account to be set up with them before accepting any ads.

Unless I just don't understand the vehicle being used in the delivery method.

It is done with out the knowledge of google or other advertisers. It is slipped in usually through flash, javascript or activex. You can read a bit about it here Webslave, http://www.malwarehelp.org/methods-of-infection.html