N1LAF
05-14-2011, 10:09 PM
I was hit by a malicious page that even AVG missed. Symptoms: Firefox quit abruptly, a Windows Security dialog box popped up with a list of infected files (fake), Windows firewall disabled, and Malwarebytes would not run. AVG did run, and did pick up this file, that was just added according to file detail view:
C:\documents and settings\{your login name}\local settings\application data\nka.exe
If you see this, delete it right away. Turn off your router.
As soon as nka.exe was deleted, I was able to run Malwarebytes, and access Windows Firewall panel.
I ran SUPERAntiSpyware first, turned on router, updated database, and it did find a registry threat, but the nka.exe was already deleted. Turned router off.
I then ran Firefox. Do this with the router off. When Firefox crashes, it will try to reload the previous tabs that were open at the crash, and doing so may reinvent the malware load. Cleared all tabs, closed Firefox.
Then I turned router on, ran Malwarebytes, updated database, rebooted computer, turned router off, and scanned with Malwarebytes. Malwarebytes found stuff missed by SUPERAntiSpyware. Deleted suspect items (7 total).
Rebooted computer, ran Malwarebytes again, clean bill of health. Checked Windows Firewall settings, turned on router, and ran AVG antivirus. Updated database, now scanning - zero hits so far.
-----
I should know better: when doing general searches, do them in a VMware window. I have VMware on all my computers, with Firefox loaded in all.
SUPERAntiSpyware has a blurb on the nka.exe file; there are three other filenames other than nka.exe that are one and the same. This threat was reported on Mar 24, 2011, so it is relatively new.
Hope this helps others....