(*&(*&%*(%&*(*)_)^%$##$$#^%
    DAMN IT!!!! DAMN IT DAMN IT!!!!

    I got hit by a drive by malware/rootkit. The one where it constantly displays on your screen something to the effect of "THIS IS THE FBI. Your computer has been locked down for distributing child porn. Pay us $49.95 to unlock your system."

    After much gnashing of teeth, sweat and FEARS, reinstalling Malware-bytes and Norton AND restoring from a restore point from 2 months ago, I finally managed to kill it off. Whatever it was trashed Norton and killed off the Malware-bytes database. I managed to run Mbar (Malware-bytes Anti-Rootkit killer). I have not run Spybot S&D yet. 2 days of worrying (at least I have a full backup on an external drive and that has also been scanned).

    When I finally got Malware-bytes up and running (I have the full paid version) it told me a file named sendori.exe was the most likely candidate for the infection. I pull up the Win Task Manager and find 2 processes:
    sendoriup.exe
    sendoritray.exe

    I was not sure where these came from as I am very careful about what I allow to be installed on my PC.

    The "official" description is this:

    Sendori is a cloud-based web service that helps people navigate to their favorite websites faster and protects them from malicious sites using proprietary web filtration technology. Simply type a brand, keyword or partial URL directly into your browser and Sendori delivers the correct website — every time.

    Sendori operates a custom public Domain Name Server (DNS) infrastructure. Leveraging Anycast routing methodologies, DNSSEC security and an editorially curated directory, we deliver cutting edge name server technology. Deployed across seven geo-located facilities in the United States, we distribute traffic to multiple data centers providing some of the fastest uncached name resolution speeds available.

    After a little Googling there are 2 schools of thought on Sendori:
    1. It seems to be a legit browser helper that corrects misspelled web sites or redirects a user to a particular website by just typing in a brand name or keyword.

    2. It seems to be the target (and an EASY target at that) for malicious malware, rootkits, and such. The malware seems to get in through the auto-update function for Sendori. The "update" hit/happened at like 4:30pm (a time when I was not on the computer).

    in the past couple of days I have noticed that some words on the various websites I visit will be blue highlighted and double underlined. When the cursor is passed over these highlighted words small ad banners appear pointing to various "product" websites.

    NOW the fun part. I can not access the official Sendori website. Further Googling has found that this particular piece of "whatever" software is really really hard to get rid of, especially after an attack. There are also 2 schools of thought:
    1. The uninstall program provided "should" uninstall this piece of crap. Mild agreement on the net.
    2. On bleepingcomputer.com one thread has at least 10 different steps (using 5 or 6 different programs/utilities) to remove Sendori and all of the remnants of the malware/rootkits.

    Anyone have any other suggestions?

    I have and regularly use/scan with
    Norton Internet security
    Malware-bytes
    Spybot S&d
    An older version of AdAware (9.something, as version 10 seems to be a full blown anti-virus and does not play well with Malware-bytes, Norton or any other anti-virus).

    I have also marked sendori to not be started at bootup.
    I'm lost without a paddle and headed up SH*T creek.
    -- Life Sucks Then You Die.


    "I'll believe corp. are people when Texas executes one."

  • #2
    Question, why do the antiviruses not play well together?
    My Guide to Oblivion

    "I resent the implication that I've gone mad, Sprocket."



    • #3
      I feel for you, Racket Man. My PC at work got hit with that FBI virus. As soon as it popped up, I immediately shut down and unplugged my unit from our network (we're networked over multiple states). As soon as I called support services at our home office, their response was, "sorry, nothing we can do remotely with 'that' virus. We'll send you a new hard drive."

      Apparently, this one is very difficult to get rid of, but I wasn't the only one that had picked it up. After reading your post about Sendori being cloud-based, I wonder if our home office didn't accidentally set me up to pick it up. We had just prior to that installed some type of cloud service (free) in order to share a particular file with someone outside of the company.

      My new hard drive doesn't have this cloud service on it and I'm not installing it as it ended up being useless for what they were wanting to do anyway.

      Wish you luck in getting your computer back to full operation.



      • #4
        Quoth Tama:
        Question, why do the antiviruses not play well together?
        An antivirus system utilizes deep file searching, which is an activity that viruses use as well. As such, one antivirus scan trips another antivirus scan and they spend so much effort trying to remove the "virus" (aka each other) that it leaves your system open to a real virus attack.
        I AM the evil bastard!
        A+ Certified IT Technician



        • #5
          Quoth lordlundar:
          An antivirus system utilizes deep file searching, which is an activity that viruses use as well. As such, one antivirus scan trips another antivirus scan and they spend so much effort trying to remove the "virus" (aka each other) that it leaves your system open to a real virus attack.
          It's kinda like some guy walking up to a guard post and saying "Hi, I'm from the other security company that the client hired, so I'll be using the same full access that you have." He's wearing something that might be a uniform.



          • #6
            Well, so far so good. Multiple MBAM and MBAR scans and Spybot S&D scans have given me a clean machine (fingers crossed).

            Now if I can just get rid of Sendori. The updater Sendoriup.exe still appears in my Task Manager's process list and I can not find where in the Startup that program would be executed/started.

            I have gone into MSCONFIG and disabled the service Application Sendori and will reboot to see if that stops this little weasel of a program/malware attractor.
            I'm lost without a paddle and headed up SH*T creek.
            -- Life Sucks Then You Die.


            "I'll believe corp. are people when Texas executes one."



            • #7
              (many fingers crossed) YES Sendori is no longer active on my machine. NOW all I have to do is uninstall it.

              I have come across users who claim that removing Sendori messes up the internet access, as Sendori does something with the user's DHCP or DNS settings or the hosts.txt file.

              Sendori says to use the normal uninstall procedure but with this weasel program I do not trust it.

              Any suggestions on methods or programs that might be useful?
              Last edited by Racket_Man; 09-08-2013, 10:27 AM.
              I'm lost without a paddle and headed up SH*T creek.
              -- Life Sucks Then You Die.


              "I'll believe corp. are people when Texas executes one."
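              A defender-side triage script for the indicators this thread names: the sendori* processes from the first post, the "Application Sendori" service and its startup entry, and the DNS resolver and hosts file changes this post worries about (the file is plain `hosts`, no extension). This is an added example, not something posted in the thread; it assumes Windows 8 or later with PowerShell 3+, an elevated prompt, and that `$ExpectedDns` is edited to your real resolvers (the address in it is a placeholder).

```powershell
# Added triage script (not from the thread). Assumptions: Windows 8+/PowerShell 3+
# (Get-DnsClientServerAddress), elevated prompt, and $ExpectedDns edited to the
# resolvers your network should actually be using.
$Pattern     = 'sendori'            # matches sendori.exe, sendoriup.exe, sendoritray.exe
$ExpectedDns = @('192.168.1.1')     # placeholder: replace with your router / ISP resolvers
$HostsFile   = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

Write-Host "== Running processes matching '$Pattern' =="
Get-Process | Where-Object { $_.Name -match $Pattern } |
    Select-Object Id, Name, Path | Format-Table -AutoSize

Write-Host "== Services matching '$Pattern' (name, display name or binary path) =="
Get-CimInstance Win32_Service |
    Where-Object { $_.Name -match $Pattern -or $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

Write-Host "== Autostart entries (Run keys, Startup folders) matching '$Pattern' =="
Get-CimInstance Win32_StartupCommand |
    Where-Object { $_.Command -match $Pattern -or $_.Name -match $Pattern } |
    Select-Object Name, Location, Command | Format-Table -AutoSize

Write-Host "== IPv4 DNS resolvers per adapter (anything not in `$ExpectedDns is flagged) =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        foreach ($srv in $_.ServerAddresses) {
            $flag = if ($ExpectedDns -contains $srv) { 'ok' } else { 'UNEXPECTED' }
            '{0,-12} {1,-25} {2}' -f $flag, $_.InterfaceAlias, $srv
        }
    }

Write-Host "== Active (non-comment) entries in $HostsFile =="
# A stock Windows hosts file contains only comment lines, so any active
# mapping is worth reviewing before and after the uninstall.
Get-Content $HostsFile | Where-Object { $_ -match '^\s*[^#\s]' } |
    ForEach-Object { "  $_" }
```

              Run it once before uninstalling and once after a reboot; an adapter left pointing at an unexpected resolver, or a leftover hosts entry, is the usual reason "the internet stops working" after this kind of removal.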



              • #8
                My boss managed to get this on his PC at work. The IT dude called it ransom-ware. They have to reimage the machine. At least he has a Mac laptop. It's possible to get viruses on a Mac but it's a lot harder to do so. He'd been in his office all of five minutes before calling me and saying something's wrong with my computer lol.



                • #9
                  Quoth Argus:
                  It's kinda like some guy walking up to a guard post and saying "Hi, I'm from the other security company that the client hired, so I'll be using the same full access that you have." He's wearing something that might be a uniform.
                  A closer comparison would be if a guard from another company walked up to the manned post to get into the building and while the two guards fight each other a thief walks right by.
                  I AM the evil bastard!
                  A+ Certified IT Technician



                  • #10
                    Another thing to do to protect yourself is installing NoScript and Adblock Plus in your browsers. That way you don't get stuff automatically installing itself/redirecting you all over the place if you click on a shady website.



                    • #11
                      I have had to help another truck driver I work with remove the FBI virus from a laptop he was using for all his financial stuff for his business. It took me a little bit, but here is where we found the solution without having to reformat or swap hard drives. And he lost none of his data either.

                      http://www.bleepingcomputer.com/foru...s-from-laptop/
                      You call, I haul. You bitch, I unhitch!
