I can't stop this guy

Tozai

Estimable
Jun 2, 2015
4
0
4,510
m.icolor19495344.com (146.185.234.88)
Malicious File Download 14

Attacks me every time I log in. Norton catches it, but my subscription ends and I'll be vulnerable for a while till I can replace it. I blocked the IP on the firewall, but I'm still getting the "attempted intrusion".

I've run scans, anti-spyware, everything. How can I ban this asshat permanently before he encrypts my system?

I'm running Windows 7 through a wired network.
The attack report:
http://tinypic.com/view.php?pic=r2jodv&s=8

It only happens when I log in (usually 2 minutes in), so maybe it's something in my startup that all the scans just don't see?
 
Solution


No. A clean install will definitely stop this guy in his tracks. Unfortunately, you will also have to install every other program that you are using. It's a PITA but will get the job done.

After you do that, install and run Malwarebytes, and make complete backups to an external disk regularly.

 
Solution

Beezqp

Estimable
Sep 20, 2015
1
0
4,510
I had this solved yesterday on my own and decided to share my solution. Maybe it will help other people who get this nasty SOB and do not want to undergo format C.

For me this attempt was initiated by Windows WSCRIPT.exe (it is mentioned in the alert from the antivirus). This is a system application that runs scheduled scripts from files with the extensions .vbs and .vbe. So I ran a system search to locate all the files with these extensions (you may need to make all hidden files visible first). .vbs files seem to me to be critical scripts for running the system, but I had only one .vbe file, and it was created exactly when I downloaded the suspicious file... The path to the file was:

C:\ProgramData\Origin\update.vbe (nothing else was in the folder)

I removed this BS and got no more alerts on system start. Hopefully this will work for other folks as well.

Weirdly enough, no antivirus saw anything suspicious in the file itself, so they didn't catch it during the system scan.
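Beezqp's approach above (find the .vbs/.vbe files that WSCRIPT.exe runs at logon) as an added PowerShell check; this is not code from the thread. It assumes the default Windows 7 locations for ProgramData, the startup folders and TEMP, and goes a step further than the manual search by also listing Run-key entries and scheduled tasks that launch Windows Script Host.

```powershell
# Added example (not from the thread): enumerate Windows Script Host persistence
# candidates. Lists .vbs/.vbe files under locations that commonly run at logon,
# newest first, then checks Run keys and scheduled tasks for wscript/cscript.

# Assumed search roots (default Windows 7 paths)
$roots = @(
    $env:ProgramData,
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
    $env:TEMP
)

# 1. Script files by creation time. The update.vbe in the thread was created
#    when the suspicious download happened, so the newest files come first.
#    -Force includes hidden files, so no Explorer setting change is needed.
$scripts = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root -Recurse -Force -Include *.vbs, *.vbe -ErrorAction SilentlyContinue
    }
}
$scripts | Sort-Object CreationTime -Descending |
    Select-Object FullName, CreationTime, Length, Attributes | Format-Table -AutoSize

# 2. Run/RunOnce entries whose command launches Windows Script Host or a .vbs/.vbe
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$pattern = '(?i)wscript|cscript|\.vb[se]\b'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match $pattern) {
                "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
            }
        }
    }
}

# 3. Scheduled tasks whose action runs a script. schtasks is used because the
#    ScheduledTasks module is not available on Windows 7.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $pattern } |
    Select-Object TaskName, 'Task To Run', 'Run As User' | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and all task folders are readable; a recently created script in ProgramData or a task pointing at one is what to look at first.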
 

Tozai

Estimable
Jun 2, 2015
4
0
4,510


The file was there! Deleting it stopped it entirely, thank you!