
NSA Internet Surveillance Program ransomware virus help

Joined
Apr 3, 2012
Messages
4,355 (0.99/day)
Location
St. Paul, MN
System Name Bay2- Lowerbay/ HP 3770/T3500-2+T3500-3+T3500-4/ Opti-Con/Orange/White/Grey
Processor i3 2120's/ i7 3770/ x5670's/ i5 2400/Ryzen 2700/Ryzen 2700/R7 3700x
Motherboard HP UltraSlim's/ HP mid size/ Dell T3500 workstation's/ Dell 390/B450 AorusM/B450 AorusM/B550 AorusM
Cooling All stock coolers/Grey has an H-60
Memory 2GB/ 4GB/ 12 GB 3 chan/ 4GB sammy/T-Force 16GB 3200/XPG 16GB 3000/Ballistic 3600 16GB
Video Card(s) HD2000's/ HD 2000/ 1 MSI GT710,2x MSI R7 240's/ HD4000/ Red Dragon 580/Sapphire 580/Sapphire 580
Storage ?HDD's/ 500 GB-er's/ 500 GB/2.5 Samsung 500GB HDD+WD Black 1TB/ WD Black 500GB M.2/Corsair MP600 M.2
Display(s) 1920x1080/ ViewSonic VX24568 between the rest/1080p TV-Grey
Case HP 8200 UltraSlim's/ HP 8200 mid tower/Dell T3500's/ Dell 390/SilverStone Kublai KL06/NZXT H510 W x2
Audio Device(s) Sonic Master/ onboard's/ Beeper's!
Power Supply 19.5 volt bricks/ Dell PSU/ 525W sumptin/ same/Seasonic 750 80+Gold/EVGA 500 80+/Antec 650 80+Gold
Mouse cheap GigaWire930, CMStorm Havoc + Logitech M510 wireless/iGear usb x2/MX 900 wireless kit 4 Grey
Keyboard Dynex, 2 no name, SYX and a Logitech. All full sized and USB. MX900 kit for Grey
Software Mint 18 Sylvia/ Opti-Con Mint KDE/ T3500's on Kubuntu/HP 3770 is Win 10/Win 10 Pro/Win 10 Pro/Win10
Benchmark Scores World Community Grid is my benchmark!!
What can I say about this... :respect::toast::rockout: Congratulations! Perhaps because you skipped Vista? :p
After seeing Vista once, at my sister's, for about 20 minutes... I skipped it. In fact, I held on to 98 until it was no longer capable of opening certain websites. Did the same thing with XP, probably one of the best OSes from Windows! Then 7, another good one!

I bought this Ultrabook with 8 on it. Hated it for a long while, until 8.1 dropped and I can now boot to desktop! I still think Metro is a joke, but they even improved IT! It is now usable, especially the search computer function! Anyway, Ubuntu and Mint are also fun, although those two computers are currently in storage.

Despite the haters, 8 is really a nice OS. Small footprint and faster than anything before it. I have a year or so before I have to make a decision about 10... Haven't really spent any time researching it.

Anyways, WOT is the shizzle. I like to find free movie downloads. Mucho bad sites and WOT steered me clear of ALL of THEM!!

The linkfest on Facebook can be perilous, also. Not with WOT watching my back!! Undoubtedly, the best add on to a browser since bread has been sliced! :laugh:

Another site I love, www.lastpass.com
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
After seeing Vista once, at my sister's, for about 20 minutes... I skipped it. In fact, I held on to 98 until it was no longer capable of opening certain websites. Did the same thing with XP, probably one of the best OSes from Windows! Then 7, another good one!
Well, I never dreamed I would wind up with Vista as my main OS... Let's just say it's my "man in the middle" for now, for a few reasons. I'm running mainly older programs on customized hardware: a consumer graphics card combined with ECC RAM, an old DVB-C TV card and so on. +1 on Win98 and XP, them good ol' days :) I use 7 as an alternative OS, and it really is a good one! Consider me one of those Win8 haters, but you're right, nowadays it is looking a lot more promising and usable. Win10? Let's see if they finally get it right this time :D
Total agreement here with WOT, nobody should be without it! Could it possibly be already integrated in Win10s new browser??? ;)
I'm not on facebook and love the "FacebookBlocker"-addon - removes all those pesky, ubiquitous social media buttons flooding websites nowadays.
That must be my slice of bread :cool:.
 
Joined
Apr 3, 2012
Messages
4,355 (0.99/day)
Trend Micro, Personal protector, blocks the Twitter and Facebook from loading the crap in the background, and the buttons! Check it out in extensions on Google Chrome.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
Not using Chrome... does it work with FF as well? As a sidenote: "Personal Protector" (not by TrendMicro) is malware, as correctly identified by WOT :)
 

brandonwh64

Addicted to Bacon and StarCrunches!!!
Joined
Sep 6, 2009
Messages
19,542 (3.66/day)
We had one of our machines in our control center get this nasty thing by "looking at football scores", LOL. I got into Safe Mode before the thing loaded and took it off the MSCONFIG list, then ran Malwarebytes and Kaspersky corporate edition. Got rid of it, then did a registry cleaner to get the rest. It was a pain, though, because you had to catch the machine before it loaded the program or it would be locked to the point where a hard boot was the only way to get another chance.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
We had one of our machines in our control center get this nasty thing by "looking at football scores", LOL. I got into Safe Mode before the thing loaded and took it off the MSCONFIG list, then ran Malwarebytes and Kaspersky corporate edition. Got rid of it, then did a registry cleaner to get the rest. It was a pain, though, because you had to catch the machine before it loaded the program or it would be locked to the point where a hard boot was the only way to get another chance.
Nasty stuff indeed... there is NO way to remove this completely without using safe mode or a boot disc. Some people recommend you log on to another account at startup and go from there, but I don't think this will help at all to remove this stuff completely...
So it's not only porn sites now, but football scores as well??? :D:D:D
 
Joined
Oct 18, 2007
Messages
1,288 (0.21/day)
System Name Firebird
Processor Intel i7 2600K @5.0'ish 24/7 stock core Voltage {5.2 w/102 bCLK}
Motherboard Intel Extreme DZ68BC SkullTrail Z68 Cougerpoint, Excellent MCH !
Cooling Scythe NINJA PLUS Rev.B[skt478] Modded to 1155 Scythe SH12 fan
Memory Samsung 32nm 16Gb 4x4 (@19xxmhz} low profile[ better than 2133 banwidth]
Video Card(s) Gigabyte Aurosus 1080Ti
Storage Intel 512 SSD,Samsung 9701Tb, Toshiba 3Tbx2,Hitachi 320,1TBx2,'Cuda 400 7200.10, WD1TBUSB,to SATA
Display(s) Acer K272HUL 1440 27" WQHD, Samsung 226W, Vizio M60C3 4K 60",Vizio XVT3D554SV
Case CoolerMaster HAF 932
Audio Device(s) Intel 10ch[9+1] HD Audio X540> Pioneer VSX39TX[copper chasis,Rosewood sides 5x6LCD remote
Power Supply Seasonic X750 @ 24/7
Mouse Logictech G300s
Keyboard Saitek Cyborg v7
Software Windows 7 ROG E3 X64 by Neuropass/tweakscene
Benchmark Scores 4642@665/1600 220/GAT F1 4544 220/667strap 2.5/3/2/6 Bliss 650/1500 6490 Q6700 Bliss 690/1500
I got into Safe Mode before the thing loaded and took it off the MSCONFIG list, then ran Malwarebytes and Kaspersky corporate edition. Got rid of it, then did a registry cleaner to get the rest. It was a pain, though, because you had to catch the machine before it loaded the program or it would be locked to the point where a hard boot was the only way to get another chance.

I actually had this a couple of days ago!! :wtf:
Yep, Safe Mode, then shut down; cancelling when a "waiting for program to close" appeared is actually what was my savior.
You must know ahead of time what processes are usually running!!!!!!!
Went through Task Manager looking for odd processes, saw a couple, of which one was "dll.host". Nope, that's not supposed to be there.
Anyway, took about 4 hours to get it out!
And yes, it did come from an adult site, one that I have used for many years, so you never know :banghead:

Between Comodo, S&D and MB I got it out. Mostly Comodo, then did a Restore, used Spybot and M/Bytes, but then got rid of IE 11!

Using IE 10, no issues, so something in IE 11, and it had "Allow Updates" in the About tab, so nope...............
Using a modded version based on Win 7 Pro with SP1 and no other updates for a few years; first time this slipped through this setup!
I refuse to use IE 11 anymore :toast:
BTW, one culprit was a .zog file ????????????!!!!!!!!!!!!!:wtf:
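The two posts above come down to the same manual routine: know what is supposed to be running, spot the process that imitates a Windows binary (the "dll.host" next to the genuine dllhost.exe), and pull the locker out of the autostart list before it gets a chance to load. The PowerShell below is an added example that automates those checks; it is not from the thread and not any script posted in it. Run it from an elevated prompt on PowerShell 3.0 or later (it also works from Safe Mode with Command Prompt). The $Expected table of system binaries and the list of user-writable directories are illustrative assumptions, not a complete list, and the Winlogon defaults it compares against are the stock Windows values.

```powershell
# Added example, not from the thread. Automates the two manual checks the posts
# describe: look for processes that imitate Windows binaries, and list the autostart
# entries msconfig shows (plus the Winlogon values screen lockers commonly hijack).
# Assumptions: the $Expected table and the user-writable path list are illustrative.

# Genuine names malware imitates, mapped to the directories the real image lives in.
$Expected = @{
    'dllhost.exe'  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    'svchost.exe'  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    'explorer.exe' = @("$env:SystemRoot")
    'csrss.exe'    = @("$env:SystemRoot\System32")
    'lsass.exe'    = @("$env:SystemRoot\System32")
    'winlogon.exe' = @("$env:SystemRoot\System32")
}

function Get-SuspiciousProcess {
    # Processes without a readable Path (protected/system ones) are skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $name = [IO.Path]::GetFileName($_.Path).ToLowerInvariant()
        $dir  = [IO.Path]::GetDirectoryName($_.Path)
        # Collapse separators so the "dll.host.exe" from the thread becomes "dllhost.exe".
        $normalized = ($name -replace '[.\-_ ]', '') -replace 'exe$', '.exe'
        $reason = $null
        if ($Expected.ContainsKey($normalized) -and ($name -ne $normalized)) {
            $reason = "name imitates $normalized"
        } elseif ($Expected.ContainsKey($name) -and ($Expected[$name] -notcontains $dir)) {
            $reason = "genuine name but image runs from $dir"
        }
        if ($reason) {
            [pscustomobject]@{ ProcessId = $_.Id; Name = $name; Path = $_.Path; Reason = $reason }
        }
    }
}

function Get-AutostartEntry {
    # The Run/RunOnce keys are what msconfig's Startup tab lists; Winlogon Shell and
    # Userinit are where a locker puts itself so it starts before the desktop does.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $isWinlogon = $key -like '*\Winlogon'
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                       # provider metadata, not a value
            if ($isWinlogon -and (@('Shell', 'Userinit') -notcontains $p.Name)) { continue }
            $value = [string]$p.Value
            $why = $null
            if ($value -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\') {
                $why = 'launches from a user-writable directory'
            } elseif ($isWinlogon -and $p.Name -eq 'Shell' -and $value -ne 'explorer.exe') {
                $why = 'Winlogon Shell is not explorer.exe'
            } elseif ($isWinlogon -and $p.Name -eq 'Userinit' -and
                      $value -notmatch '^[A-Z]:\\Windows\\system32\\userinit\.exe,?$') {
                $why = 'Winlogon Userinit has been altered'
            }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $value; Suspicious = $why }
        }
    }
}

# Usage: review both lists before deleting anything; a hit is a lead, not a verdict.
Get-SuspiciousProcess | Format-Table -AutoSize
Get-AutostartEntry | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

Treat the output as a starting point for the sleuthing revin describes, not as proof: legitimate updaters also start from AppData or ProgramData, so confirm a flagged entry by checking the file's signature and publisher before removing it, and note the full path so the same binary can be deleted from Safe Mode if it re-creates its Run entry.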
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
I refuse to use IE 11 anymore :toast:
BTW one culprut was a .zog file ????????????!!!!!!!!!!!!!:wtf:
Never heard of a .zog file... :D There must have been some file association to it to let you "install" it... ;) You perhaps have the "Hide known file extensions" function enabled, right? This is a very welcome gateway for all malware, e.g. "Your paypal order confirmation.pdf.(zog)". The .zog extension will be hidden in this scenario and will readily install this cr@p, should you decide to open it :D Also, most of this specific malware is easily recognizable as it commonly uses the Windows Media Player icon, only with different colors. I won't tell you the names of some of those files (18+) :), but you get my drift. Like I mentioned way earlier, I'm very interested in this stuff and how it infects users' systems. Also, like I mentioned way earlier, proper security settings and educated browsing habits / safe browsers will make it harder (while certainly not impossible) for that malware to infect your system. EDIT: sorry, of course I meant the extension to be something like "Free mp3 download.zog.exe"! :oops:
 
Joined
Mar 27, 2007
Messages
2,753 (0.44/day)
Location
louisiana
Processor Intel Core i7-4790 Haswell Quad-Core 3.6GHz LGA 1150 84W
Motherboard GIGABYTE GA-H87-D3H LGA 1150 Intel H87 HDMI
Cooling CPU - Cooler Master Hyper T4 / Case - cooler master 120mm rear case fan (Air cooling)
Memory 32GB (4 x 8GB) 240-Pin DDR3 SDRAM DDR3 1600 (PC3 12800)
Video Card(s) GTX1060 6GB
Storage Samsung 512 GB 840 PRO SSD Main Drive and Samsung 512 GB 840 EVO SSD Backup Drive
Display(s) ASUS 23" LED Monitor
Case COOLER MASTER Centurion 5 (silver & black)
Audio Device(s) (onboard audio) Realtek ALC892
Power Supply CORSAIR SU-750TX 750W ATX12V / EPS12V
Software Windows 10 Home Premium 64bit Edition
Thanks! Overlooked the most important one... :oops: This will help most of all to prevent clicks to bad sites! :cool: EDIT: keakar, you don't have to register to use it. Just close that window & you're done.
OK, that's good to know. It was full of crap you had to register for or buy, so I was like, huh, no thanks, this is too invasive.

I will give it more thought.

Never heard of a .zog file... :D There must have been some file association to it to let you "install" it... ;) You perhaps have the "Hide known file extensions" function enabled, right? This is a very welcome gateway for all malware, e.g. "Your paypal order confirmation.pdf.(zog)". The .zog extension will be hidden in this scenario and will readily install this cr@p, should you decide to open it :D Also, most of this specific malware is easily recognizable as it commonly uses the Windows Media Player icon, only with different colors. I won't tell you the names of some of those files (18+) :), but you get my drift. Like I mentioned way earlier, I'm very interested in this stuff and how it infects users' systems. Also, like I mentioned way earlier, proper security settings and educated browsing habits / safe browsers will make it harder (while certainly not impossible) for that malware to infect your system.

I get a .zog popup from Avast once in a while at porn sites, but it has never got past Avast, and Avast quickly blocks that site completely for me without my having to do anything.

I did actually get the .zog once last year, but it was through a third-party site trying to get a download for Adobe; at the time they had website issues and their downloads were not working. After I sorted it all out and got genuine Adobe downloads, I saved them on disk to avoid future issues. They're old versions, but I tell them to update right off, so it's all good.
 
Joined
Oct 18, 2007
Messages
1,288 (0.21/day)
you had to catch the machine before it loaded the program

Bingo, that's the hard part......:banghead:

There must have been some file association to it to let you "install" it... ;) You perhaps have the "Hide known file extensions" function enabled, right? This is a very welcome gateway for all malware,
Thank you this is Very informative !!!!:respect:
I think Google Toolbar has a hole in it also, something was in there also o_O


The issue with my occurrence was, for some reason, it got through............ for whatever reason. :slap::nutkick:
And you're correct, using another login won't work, ........unless it has admin privileges.

How would Windows Explorer's "Hide known file extensions" function be enabled? :confused: From just the desktop "explorer" process running?

I found the .zog from the dll.host process through Task Mgr, then used Comodo task search, and it was in an AMD folder first, then in my PS2 folder, and it was a bitch to keep up with it to delete it.
Comodo task search :pimp::respect:

There were a couple more things, but first I had Comodo stop all traffic, then started looking at what/where files were trying to call out; so, long story short, after many times killing processes.
Knowing what is/should be running in Task Manager's process list is what saved my ass, then it was just sleuthing to get it stopped.

I will say this, it was the hardest one yet since I started on the WWW in 1990!
So many may wish to "blame" me for using adult sites etc.; thing is, I know the risk ;)
I've gone back to the same site, and nada, so it's hard to say just how it got in, TBH :wtf:

But using Revo Uninstaller, S&D, M/Bytes, and Comodo has worked really well for many years.
 
Joined
Mar 27, 2007
Messages
2,753 (0.44/day)
OK guys, I have an issue here I need a little help confirming.

Most of you use and recommend Malwarebytes, and so I installed it. I'm not saying it's not good, but when I run SUPERAntiSpyware after it, Super finds all sorts of things left behind by MB.

Look at this example today from yesterday's activity.

I ran MB first, then I ran Super, and this was found:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/30/2015 at 09:19 AM

Application Version : 6.0.1170
Database Version : 11732

Scan type : Complete Scan
Total Scan Time : 00:03:13

Operating System Information
Windows 7 Home Premium 64-bit, Service Pack 1 (Build 6.01.7601)
UAC On - Limited User

Memory items scanned : 484
Memory threats detected : 0
Registry items scanned : 61730
Registry threats detected : 0
File items scanned : 18351
File threats detected : 21

Adware.Tracking Cookie
.interclick.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.doubleclick.net [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.tribalfusion.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.atdmt.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.revsci.net [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.interclick.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.amazon-adsystem.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.amazon-adsystem.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]
.advertising.com [ C:\USERS\KARL\APPDATA\LOCAL\GOOGLE\CHROME\USER DATA\DEFAULT\COOKIES ]

============
End of Log
============


So my question is, can any of you try Super and confirm my findings and report back?

Maybe MB is better at stopping malware, but it seems Super is better at removing spyware.

For now I'm just going to keep and run both, but seeing the results today, this is the reason I stopped using MB in favor of Super years ago: it seemed Super did a much better job and made having MB seem useless.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
How would Windows Explorer's "Hide known file extensions" function be enabled? :confused: From just the desktop "explorer" process running?
It's enabled by default. Big security oversight, IMO. Disabled by unchecking "Hide extensions...." in the "View" tab in Folder Options.
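The double-extension trick described earlier in the thread ("Free mp3 download.zog.exe" showing as "Free mp3 download.zog") and the Folder Options fix in this reply can both be handled from PowerShell. The block below is an added example, not from the thread: HideFileExt is the registry value behind the "Hide extensions for known file types" checkbox, and the scan flags files whose real extension is executable while the name Explorer would display still ends in something that looks like a document or media extension. The list of executable extensions and the default scan folders (the user's Downloads folder and %TEMP%) are illustrative assumptions.

```powershell
# Added example, not from the thread. Shows the Explorer setting behind
# "Hide extensions for known file types" and scans for names that rely on it.
# Assumptions: the extension list and the default scan folders are illustrative.

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-HideFileExtSetting {
    # 1 = extensions hidden (the Windows default the reply above objects to), 0 = shown.
    (Get-ItemProperty -Path $Advanced -Name HideFileExt).HideFileExt
}

function Disable-HideFileExt {
    # Same effect as unchecking the box in Folder Options > View. Explorer reads the
    # value when it starts, so restart explorer.exe or log off for it to take effect.
    Set-ItemProperty -Path $Advanced -Name HideFileExt -Value 0 -Type DWord
}

# Extensions Windows will run directly when the file is double-clicked.
$ExecutableExt = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.vbe',
                   '.js', '.jse', '.wsf', '.wsh', '.hta', '.cpl', '.msi')

function Find-DoubleExtension {
    param([string[]]$Folder = @("$env:USERPROFILE\Downloads", $env:TEMP))
    # "report.pdf.exe" is displayed as "report.pdf" when extensions are hidden, so the
    # file is misread as a document. Flag executables whose displayed name still ends
    # in a short extension-like suffix (.pdf, .mp3, .zog, ...).
    foreach ($f in $Folder) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        Get-ChildItem -LiteralPath $f -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $ExecutableExt -contains $_.Extension.ToLowerInvariant() } |
            ForEach-Object {
                $inner = [IO.Path]::GetExtension($_.BaseName)
                if ($inner.Length -ge 2 -and $inner.Length -le 6) {
                    [pscustomobject]@{
                        Displayed = $_.BaseName       # what Explorer shows with extensions hidden
                        Actual    = $_.Name           # the real, executable file name
                        Folder    = $_.DirectoryName
                    }
                }
            }
    }
}

# Usage: show extensions if they are hidden, then list the look-alikes.
if (Get-HideFileExtSetting) { Disable-HideFileExt }
Find-DoubleExtension | Format-Table -AutoSize
```

Showing extensions changes what the name column says, not the icon: a file can still carry a Media Player or PDF icon, which is the disguise the earlier reply mentions, so the check here is on the real extension rather than on how the file looks. Scanning %TEMP% recursively can take a while on a busy machine; pass a narrower folder list to the function if needed.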
 
Joined
Nov 10, 2006
Messages
4,665 (0.73/day)
Location
Washington, US
System Name Rainbow
Processor Intel Core i7 8700k
Motherboard MSI MPG Z390M GAMING EDGE AC
Cooling Corsair H115i, 2x Noctua NF-A14 industrialPPC-3000 PWM
Memory G. Skill TridentZ RGB 4x8GB (F4-3600C16Q-32GTZR)
Video Card(s) ZOTAC GeForce RTX 3090 Trinity
Storage 2x Samsung 950 Pro 256GB | 2xHGST Deskstar 4TB 7.2K
Display(s) Samsung C27HG70
Case Xigmatek Aquila
Power Supply Seasonic 760W SS-760XP
Mouse Razer Deathadder 2013
Keyboard Corsair Vengeance K95
Software Windows 10 Pro
Benchmark Scores 4 trillion points in GmailMark, over 144 FPS 2K Facebook Scrolling (Extreme Quality preset)
SuperAntiSpyware is just finding tracking cookies. They're used by the advertising groups to try to figure out which websites you visit. It generally only works for affiliates of that site. Something like the AdBlock extension might help with those. I wouldn't call them harmful and they certainly won't affect the performance of your computer. Most people don't like them because they don't want anyone making money off their browsing habits.

No one anti-malware solution is going to catch everything either.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
ok guys i have an issues here i need a little help confirming
most of you use and recommend malwarebytes and so i installed it, im not saying its not good but when i run superantispyware after it the super finds all sorts of things left behind by MB.
xvi beat me to it... :D +1, those (rather harmless) cookies are easily removed with Ccleaner, for example. Not MBAM's job to delete cookies, it's searching for malware. And SAS may also miss this & that, it's like xvi said.
 
Joined
Mar 27, 2007
Messages
2,753 (0.44/day)
OK, got it. That takes care of the spyware/malware question.


As far as Windows and making repairs:
If you guys are saying this nasty little NSA/CIA/FBI worm gets in and corrupts the registry entries, then assuming it has got in and done its thing already, after getting rid of it Windows is borked.

Shouldn't I just make a backup copy of the Windows registry and attempt a copy-and-replace of all files to fix Windows, to try and fix it before going all out with a full backup restore of Windows or even a reinstall? And where would I find the registry files? I don't see a registry folder in Windows.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
OK, got it. That takes care of the spyware/malware question.
As far as Windows and making repairs:
If you guys are saying this nasty little NSA/CIA/FBI worm gets in and corrupts the registry entries, then assuming it has got in and done its thing already, after getting rid of it Windows is borked.
Shouldn't I just make a backup copy of the Windows registry and attempt a copy-and-replace of all files to fix Windows, to try and fix it before going all out with a full backup restore of Windows or even a reinstall? And where would I find the registry files? I don't see a registry folder in Windows.
This would be the same as relying on System Restore... it will be a half-baked solution. I relied on registry backups in the past, but guess what - didn't work out too well when I really needed them :) I'll say it again, a good & clean backup will be far more practical and thorough, a complete reinstall should only be your absolute last resort (if you failed to backup correctly, that is) :) Don't let your guard down just to save some time. :shadedshu:
 
Joined
Oct 18, 2007
Messages
1,288 (0.21/day)
Well CRAP, after days of trying everything, I LOST!
Had to do a format and fresh install!!!

One BIG issue was I caught where it was using a different IP than my modem/router :banghead::banghead::banghead::banghead::banghead::banghead:

There was this "userbenchmark" .dat that kept showing up, then it went to the trash bin, on the other drives too.
So did the Shift+Delete, but still had the issue of the IP. Not cool, so canned it!
 
Joined
Mar 27, 2007
Messages
2,753 (0.44/day)
Well CRAP, after days of trying everything, I LOST!
Had to do a format and fresh install!!!

One BIG issue was I caught where it was using a different IP than my modem/router :banghead::banghead::banghead::banghead::banghead::banghead:

There was this "userbenchmark" .dat that kept showing up, then it went to the trash bin, on the other drives too.
So did the Shift+Delete, but still had the issue of the IP. Not cool, so canned it!

revin, sorry to hear that, but I kind of was expecting you would end up there.

What I found is, if you start up in Safe Mode you can remove the files from this thing and your computer will still work right for most things, but I wouldn't trust it just because it looks like it's working OK. You might think you saved it, but you will start to notice things in Windows not working correctly or not working at all, as I think you just found out too.

This thing changes, disables, and deletes registry stuff before you even know it's there, so you don't know for sure what this thing has done or the changes it already made to your computer by the time you even get to the ransomware screen. So you should assume, as soon as this thing takes over, that a reformat and reinstall is going to be needed and is the only solution to keep your data safe. The cleanup to get rid of it, in my opinion, is just to get the computer functioning long enough to get in and save your files and back up any data you need.

This is why the guys are rightly giving me grief for not having a backup program ready to restore Windows. This is the only option that saves you from needing a reinstall, because it puts "everything" back the way it should be. Windows Restore can't or won't do this, and it is often disabled by this thing anyway.

I really see no way it would be wise to use a computer after it's infected by something like this, but to each his own.

Try this program for backing up your computer; I find it's a good one and one of the easiest to use and best free backup utilities out there.

http://www.backup-utility.com/download.html
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,887 (3.79/day)
Location
Alabama
System Name Rocinante
Processor I9 14900KS
Motherboard EVGA z690 Dark KINGPIN (modded BIOS)
Cooling EK-AIO Elite 360 D-RGB
Memory 64GB Gskill Trident Z5 DDR5 6000 @6400
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 500GB 980 Pro | 1x 1TB 980 Pro | 1x 8TB Corsair MP400
Display(s) Odyssey OLED G9 G95SC
Case Lian Li o11 Evo Dynamic White
Audio Device(s) Moondrop S8's on Schiit Hel 2e
Power Supply Bequiet! Power Pro 12 1500w
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Akko Crystal Blues
VR HMD Quest 3
Software Windows 11
Benchmark Scores I dont have time for that.
Goddamnit, I wish I had seen this earlier. I have removed this stuff a lot at work! I'm sorry you had to format. That is bad news. In the future: I have made a batch file (yes, batch; I was feeling academic) that we actually use to "get systems ready", if you will, for more targeted repairs. It's not a fix-all, but it touches A LOT of things and for the most part pulls a machine out of the grave, if you will. It's still on crutches, but in most cases it makes it easier to fix. Understand I do not EXPRESS ANY warranty or support, but I do try my best to help people. If anyone is interested, here you go. I did spend a lot of time on this, and while I can't stop everyone, I'd appreciate a credit if you manage to use it elsewhere and modify it, out of respect.
 

Attachments

  • ATLAS.zip
    11.7 KB · Views: 196
Joined
Sep 17, 2014
Messages
337 (0.10/day)
This thing changes, disables, and deletes registry stuff before you even know it's there, so you don't know for sure what this thing has done or the changes it already made to your computer by the time you even get to the ransomware screen. So you should assume, as soon as this thing takes over, that a reformat and reinstall is going to be needed and is the only solution to keep your data safe. The cleanup to get rid of it, in my opinion, is just to get the computer functioning long enough to get in and save your files and back up any data you need.
I agree, just because it seems to be gone it sure doesn't mean this thing is dead. I myself wouldn't touch or save anything after being infected with this however, unless there's no other option. Thanks for the link, keakar - this backup utility looks very promising. I'll have to check it out. Thanks!
Goddamnit, I wish I had seen this earlier. I have removed this stuff a lot at work! I'm sorry you had to format. That is bad news. In the future: I have made a batch file (yes, batch; I was feeling academic) that we actually use to "get systems ready", if you will, for more targeted repairs. It's not a fix-all, but it touches A LOT of things and for the most part pulls a machine out of the grave, if you will. It's still on crutches, but in most cases it makes it easier to fix. Understand I do not EXPRESS ANY warranty or support, but I do try my best to help people. If anyone is interested, here you go. I did spend a lot of time on this, and while I can't stop everyone, I'd appreciate a credit if you manage to use it elsewhere and modify it, out of respect.
It looks very interesting... sure took a lot of time. I'll give ATLAS a try on an infected system & will tell you how it worked for me. :)
EDIT: Did that, cannot be run in Safe Mode - so, in a real emergency it sadly is useless.
 
Joined
Mar 27, 2007
Messages
2,753 (0.44/day)
I agree, just because it seems to be gone it sure doesn't mean this thing is dead. I myself wouldn't touch or save anything after being infected with this however, unless there's no other option. Thanks for the link, keakar - this backup utility looks very promising. I'll have to check it out. Thanks!

By "save your stuff" I meant just your basic documents only, like Word and Excel files, maybe pictures, and maybe your desktop shortcuts and your favorites links, but that's it. I would never save anything software related.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
Yep, I knew you wouldn't. You know your way around this whole problem now, that's for sure :) Hope your system will be safe from harm now... ;) Glad to hear about it :) !
 
Joined
Mar 27, 2007
Messages
2,753 (0.44/day)
Yep, I knew you wouldn't. You know your way around this whole problem now, that's for sure :) Hope your system will be safe from harm now... ;) Glad to hear about it :) !
I just got very lazy, that's all. As you can see, I had the backup utility, I just didn't use it, and so I paid the price for it.

It's been so long since I had a virus, and I selected a handful of porn sites I feel "safer" at than most (if there is such a thing), so other than pesky spyware I had no threats to deal with in years.

It just pisses me off to no end that this virus is so well known, yet the basic protection tools can't stop it if you open a website where it's lurking.

It's like a website's own version of spyware that, even if they get rid of it, can still show up anywhere at any time, and I would think in today's world old threats like this wouldn't be able to get past even the most mundane spyware blockers.

That's the part that chaps my ass the most: it should have been relegated to no longer having a chance to even get on your computer by today's most basic protection software.
 
Joined
Sep 17, 2014
Messages
337 (0.10/day)
I just got very lazy, that's all. As you can see, I had the backup utility, I just didn't use it, and so I paid the price for it.
It's been so long since I had a virus, and I selected a handful of porn sites I feel "safer" at than most (if there is such a thing), so other than pesky spyware I had no threats to deal with in years.
It just pisses me off to no end that this virus is so well known, yet the basic protection tools can't stop it if you open a website where it's lurking.
Basic protection (i.e. on a newly bought computer) is no match for this kind of malware. You'll have to rely on specialized tools and proper settings to cope with these threats. You'll never be one step ahead, though... I know how you might have felt like you were safe for a while, but it's right then you're the most vulnerable. If any good came of it, you've learned your lesson and know a lot better how to deal with stuff like this now. I'm very glad the folks participating in this thread were able to help you understand this problem better. I'm certain you will be a lot better protected (while definitely not safe - nobody is) out there :) Surf safe, keakar - and all the best. :peace:
 