Windows 7 Forums



[SOLVED] Malware destroyed my 7 Pro install (notebook)

catilley1092 (Win 7/Linux Mint Lover), North Carolina, USA
06-24-2010
I was on my notebook a couple of nights ago, and I decided to take Safari for a spin, since they claim they are better now. The site(s) that I was on may have been questionable (porn sites). I figured MSE had my back covered. After viewing 20 or so pages, I started closing them, and suddenly my notebook acted weird: a virus scanner was shown for me to click on, but I couldn't click on MSE or Malwarebytes. I tried to go to Windows Live Safety Scanner in IE, no go. All that I had was Firefox. I shut it down and went to XP Pro.

As soon as I got started up good, I did an MSE scan, and it was in cleaning mode for nearly an hour. Malwarebytes found nothing. Windows Live Safety Scanner found multiple infections, including this one: Trojan:JS/Fake SpyPro, the most severe. I could no longer boot into 7, and was afraid that my whole notebook would be infected, so I nuked the whole notebook with DBAN. It took a while, but after 7 hours, the job got done.

I had a good backup of Win 2K, so I first installed that with Macrium. The rest I reinstalled from scratch (XP Pro, Vista SP2 & 7 Pro), all 32-bit. But this time, instead of backing up with Macrium, I used the WD edition of Acronis. After fully updating and activating each partition, I backed up each separately; afterwards I did a full backup.

If you have a WD or Seagate backup drive, you can get Acronis for free; Ian posted the links in Kalario's thread (Backup Failed) in Crashes, BSOD's & Debugging. It's not the same as the paid-for version, but it's a damn good backup program: it allows you to clone your drive, do a drive sweep, back up, restore, and create bootable media to help you recover. Many backups are useless without a CD.

Anyway, in the future, would the use of a VM (such as Mint) prevent another problem like this from happening? Getting rid of the entire VM is about three clicks away. This was bad, the worst that has ever happened to me since owning a computer.

Cat
 
yodap (No longer shovelling), NY, USA
06-24-2010
Maybe just use the Linux Live CD to do that kind of surfing. But your idea is probably ok too.
 
Core (throwing darts), Akaa, Finland
06-24-2010
Did you have UAC enabled? I am just asking because I wonder if it makes any difference.
 
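Core's question is one you can answer from the registry rather than from memory. The script below is an added example, not something posted in this thread; it reads the documented UAC policy values that Windows 7 uses (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) and reports whether the current PowerShell session is itself elevated. It needs no administrator rights to run and does not change anything.

```powershell
# Added example, not from the thread: report the UAC configuration Core asked about.
# Reads the policy values Windows 7 actually consults; run in any PowerShell prompt.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$p   = Get-ItemProperty -Path $key

# EnableLUA is the master switch; 0 means UAC is off (takes effect after a reboot).
$uacOn = ($p.EnableLUA -eq 1)

# How an administrator account is prompted when something asks to elevate.
$adminPrompt = switch ($p.ConsentPromptBehaviorAdmin) {
    0       { 'elevate silently, never prompt (UAC is effectively off for admins)' }
    1       { 'prompt for credentials on the secure desktop' }
    2       { 'prompt for consent on the secure desktop (the "Always notify" setting)' }
    3       { 'prompt for credentials' }
    4       { 'prompt for consent' }
    5       { 'prompt for consent for non-Windows binaries (Windows 7 default)' }
    default { "unknown value $($p.ConsentPromptBehaviorAdmin)" }
}

# When the prompt is drawn on the secure desktop, malware on the normal desktop
# cannot click "Yes" on your behalf.
$secureDesktop = ($p.PromptOnSecureDesktop -eq 1)

# Is this PowerShell session itself running with the full administrator token?
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

"UAC enabled            : $uacOn"
"Admin prompt behaviour : $adminPrompt"
"Prompt on secure desktop: $secureDesktop"
"This session elevated  : $elevated"

if (-not $uacOn -or $p.ConsentPromptBehaviorAdmin -eq 0) {
    Write-Warning 'Anything you launch, including a drive-by download you click on, gets full administrator rights without asking.'
}
```

One caveat worth keeping in mind when reading the output: UAC only controls elevation. A fake AV that lands through the browser runs with your own standard token, and with that token it can already write to your profile, add itself to a Run key under HKCU, and block or kill programs running as you, which is exactly the behaviour Cat describes. What UAC (with a prompt on the secure desktop) does prevent is a silent change to the system partition, a driver install, or a service being added, so it limits the damage rather than stopping the infection.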
Nibiru2012 (Quick Scotty, beam me up!), Planet X
06-24-2010
Did you try that RKill I posted about a few days ago?

This would have been an excellent test for it.
 
catilley1092 (Win 7/Linux Mint Lover), North Carolina, USA
06-24-2010
You could go either way, I guess, but it performs better after updating. And I've never broken a Linux OS.

But where was MSE when this was going on? I update it on a daily basis. For the first time, I'm having second thoughts about the product; it's supposed to protect me at all times. At least giving me a chance to "get me outta here" would be acceptable to me. However, I may have had too many pages open at the time to receive a timely warning.
 
catilley1092 (Win 7/Linux Mint Lover), North Carolina, USA
06-24-2010
Originally Posted by Core:
    Did you have UAC enabled? I am just asking because I wonder if it makes any difference.
Yes, it's enabled, I don't disable anything to do with security. It just hit like lightning, is all that I know.

Nibiru, I did think of RKill, in fact I went to the web page. But from what I gathered, and I could have misunderstood, it only allows you to find the root cause of the problem, then you can get rid of it. But as I've said, I may have misunderstood.

At any rate, I wanted to nuke the target of infection, and DBAN does a damn good job of getting that done.
 
TrainableMan (^ The World's First ^), PA, USA
06-24-2010
I don't use MSE, but if it has any malicious script detection it likely only has those hooks into common browsers like IE (of course) and maybe Firefox. I use Norton, which I don't recommend and will look to replace once my paid subscription ends. It provides scanning in 32-bit IE and Firefox; it does nothing in 64-bit browsers because NIS is only a 32-bit application, but at least I can see it as a toolbar in the browsers it supports. Safari isn't a huge market share and I wouldn't expect it to be supported by Norton or MSE.

If the code tried to run a bad exe it had copied to your HD, then you would expect the virus scanner to catch it, but if it is executing scripts etc. in a browser, that is not detected the same way. Also, if it's a new type of virus it may not be detected either. Or if it has taken over, hiding the file before it runs it or disabling your virus protection first, well then it's too late. Like the one that was posted about a few weeks ago that passes a good exe to the virus scanner, then exploits a weakness and substitutes an evil exe as it is passed to the CPU for execution.

That is why browser-embedded protection is so important: to catch malicious scripts as they are being downloaded, not after they have run their scripting to dig into your system.

I have installed something called Sandboxie, which is supposed to run the browser in a separate area that disappears when you close it, essentially a virtual mode just for the browser. It is supposed to help protect you from that sort of thing, but the truth is I haven't done anything with it beyond the install. I think it may be trial software that you pay for after a while, but I never saw a "you have 30 days left" or whatever, so I don't know. If it has an expiration I haven't hit it yet. Perhaps you might try this product or something similar when testing new browsers (or even questionable programs, as it works for other exes too, I believe).

It's also a good idea to maintain a hosts file of blocked sites, as oftentimes it's not the sites themselves but the advertisers that slip in the evil scripting. Spybot S&D updates your hosts file, and WinHelp2002 also puts out quarterly updates which you can download and copy into your hosts file. Essentially, links to any of the sites listed in your hosts file are ignored, which prevents tons of ads and nasty script sites. Unfortunately it often blocks advertising for MSN etc., and they won't show you their news vids until you watch their commercial. Usually I say it's not worth it, but what you can do is maintain an empty and a blocking hosts file and just copy over when you want to go from protected to unprotected. You could even write two simple .bat files and create shortcuts to do it for you.

Last edited by TrainableMan; 06-24-2010 at 09:41 AM.
 
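The two-hosts-files trick TrainableMan describes is easy to script, and scripting it also lets you rebuild the blocking copy whenever a new list comes out instead of pasting by hand. The script below is an added example, not code from the thread or from WinHelp2002 or Spybot; it keeps a "clean" copy of your hosts file and a "blocking" copy (clean entries followed by a sinkholed blocklist), and switches between them. The blocklist path (C:\Tools\hosts-blocklist.txt) and the .clean/.blocking file names are assumptions for the example; the list is expected in the usual "0.0.0.0 host" or "127.0.0.1 host" one-entry-per-line format. It must run from an elevated PowerShell prompt, since the hosts file is only writable as administrator.

```powershell
# Added example, not from the thread: keep a clean and a blocking copy of the hosts
# file and switch between them. Run from an elevated PowerShell prompt.
# Assumed paths: $Blocklist is a downloaded list in "0.0.0.0 host" format;
# the .clean / .blocking names are this example's own convention.
param(
    [ValidateSet('Build', 'Protected', 'Unprotected')]
    [string]$Mode = 'Protected'
)

$HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Clean     = "$HostsPath.clean"              # your own entries only (localhost, LAN names)
$Blocking  = "$HostsPath.blocking"           # clean entries followed by the blocklist
$Blocklist = 'C:\Tools\hosts-blocklist.txt'  # assumed location of the downloaded list

function Build-BlockingHosts {
    # First run: snapshot the current hosts file as the clean copy.
    if (-not (Test-Path $Clean)) { Copy-Item -Path $HostsPath -Destination $Clean }

    $seen    = @{}
    $entries = @(Get-Content -Path $Blocklist | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }   # skip blanks and comments
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }
        # Only accept sinkhole entries; never import a line that points a name somewhere real.
        if ($parts[0] -ne '0.0.0.0' -and $parts[0] -ne '127.0.0.1') { return }
        $name = $parts[1].ToLower()
        # Never sinkhole localhost, and drop duplicates (lists often repeat names).
        if ($name -eq 'localhost' -or $seen.ContainsKey($name)) { return }
        $seen[$name] = $true
        # 0.0.0.0 is unroutable, so the browser gives up at once instead of
        # trying to connect to a local web server on 127.0.0.1.
        "0.0.0.0 $name"
    })

    $out = @(Get-Content -Path $Clean) + @('', '# ---- blocklist (generated) ----') + $entries
    Set-Content -Path $Blocking -Value $out -Encoding ASCII
    "wrote $Blocking with $($entries.Count) blocked hosts"
}

function Switch-Hosts([string]$Source, [string]$Label) {
    Copy-Item -Path $Source -Destination $HostsPath -Force
    ipconfig /flushdns | Out-Null   # drop cached answers so the change applies immediately
    "hosts file is now: $Label"
}

switch ($Mode) {
    'Build'       { Build-BlockingHosts }
    'Protected'   { Switch-Hosts -Source $Blocking -Label 'protected (blocklist active)' }
    'Unprotected' { Switch-Hosts -Source $Clean    -Label 'unprotected (clean copy)' }
}
```

Save it as, say, C:\Tools\hosts-switch.ps1, run it once with -Mode Build after downloading a list, and point two desktop shortcuts at powershell.exe -ExecutionPolicy Bypass -File C:\Tools\hosts-switch.ps1 -Mode Protected and -Mode Unprotected (both shortcuts set to run as administrator). Two caveats: the hosts file only sinkholes names that are on the list, so it does nothing against a script served directly by a page you chose to open, which is TrainableMan's point about advertisers; and Windows loads the whole file into the DNS Client cache, so a list of tens of thousands of entries can noticeably slow name resolution.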
Veedaz (~), England
06-24-2010
Originally Posted by Nibiru2012:
    Did you try that RKill I posted about a few days ago?

    This would have been an excellent test for it.
Tested RKill a few days ago and it's damn good! It would be an idea to keep RKill at hand, Cat.
 
Kalario (Aquarius), Planet Gong
06-24-2010
Maybe not going on these questionable sites in the first place.
 
yodap (No longer shovelling), NY, USA
06-24-2010
Originally Posted by Kalario:
    Maybe not going on these questionable sites in the first place.
Well... there is that option.