SOLVED Malware destroyed my 7 Pro install (notebook)

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
I was on my notebook a couple of nights ago, and I decided to take Safari for a spin, since they claim they are better now. The site(s) that I was on may have been questionable (porn sites). I figured MSE had my back covered. After viewing 20 or so pages, I started closing them, and suddenly my notebook acted weird: a virus scanner was shown to click on, but I couldn't click on MSE or Malwarebytes. I tried to go to Windows Live Safety Scanner in IE, no go. All that I had was Firefox. I shut it down and went to XP Pro.

As soon as I got started up good, I did a MSE scan, and it was in cleaning mode for nearly an hour. Malwarebytes found nothing. Windows Live Safety Scanner found multiple infections, including this one: Trojan:JS/Fake SpyPro, the most severe. I could no longer boot into 7, and was afraid that my whole notebook would be infected, so I nuked the whole notebook with DBAN. It took a while, but after 7 hours, the job got done.

I had a good backup of Win 2K, so I first installed that with Macrium. The rest I reinstalled from scratch (XP Pro, Vista SP2 & 7 Pro), all 32 bit. But this time, instead of backing up with Macrium, I used the WD edition of Acronis. After fully updating and activating each partition, I backed up each separately, and afterwards I did a full backup.

If you have a WD or Seagate backup drive, you can get Acronis for free; Ian posted the links in Kalario's thread (Backup Failed) in Crashes, BSOD's & Debugging. It's not the same as the paid-for version, but it's a damn good backup program: it allows you to clone your drive, do a drive sweep, backup, restore, and create bootable media to help you recover. Many backups are useless without a CD.

Anyway, in the future, would the use of a VM (such as Mint) prevent another problem like this from happening? Getting rid of the entire VM is about three clicks away. This was bad, the worst that has ever happened to me since owning a computer.

Cat
 

Core

all ball, no chain
Moderator
Joined
Feb 13, 2009
Messages
1,175
Reaction score
272
Did you have UAC enabled? I am just asking because I wonder if it makes any difference.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
You could go either way, I guess, but it performs better after updating. And I've never broken a Linux OS.

But where was MSE when this was going on? I update it on a daily basis. For the first time, I'm having second thoughts about the product; it's supposed to protect me at all times. At least giving me a chance to "get me outta here" would be acceptable to me. However, I may have had too many pages open at the time to receive a timely warning.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Did you have UAC enabled? I am just asking because I wonder if it makes any difference.
Yes, it's enabled, I don't disable anything to do with security. It just hit like lightning, is all that I know.

Nibiru, I did think of RKill, in fact I went to the web page. But from what I gathered, and I could have misunderstood, it only allows you to find the root cause of the problem, then you can get rid of it. But as I've said, I may have misunderstood.

At any rate, I wanted to nuke the target of infection, and DBAN does a damn good job of getting that done. :D
 

TrainableMan

^ The World's First ^
Moderator
Joined
May 10, 2010
Messages
9,353
Reaction score
1,587
I don't use MSE but if it has any malicious script detection it likely only has those hooks into common browsers like IE (of course) and maybe Firefox. I use Norton, which I don't recommend and will look to replace once my paid subscription ends. It provides scanning in IE 32-bit browsers and Firefox; it does nothing in 64-bit browsers because NIS is only a 32-bit application, but at least I can see it as a toolbar of the browsers it supports. Safari isn't a huge market share and I wouldn't expect it to be supported by Norton nor MSE.

If the code tried to run a bad exe it had copied to your HD then you would expect the virus scanner to catch it, but if it is executing scripts etc. in a browser, that is not detected the same way. Also if it's a new type of virus it may not be detected either. Or if it has taken over, hiding the file before it runs it or by disabling your virus protection first, well then it's too late. Like the one that was posted about a few weeks ago that passes a good exe to the virus scanner then exploits a weakness and substitutes an evil exe as it is passed to the CPU for execution.

That is why browser-embedded protection is so important - to catch malicious scripts as they are being downloaded, not after it has run its scripting to dig into your system.

I have installed something called sandboxie which is supposed to run the browser in a separate area that disappears when you close it, essentially a Virtual mode just for the browser. It is supposed to help protect you from that sort of thing but the truth is I haven't done anything with it beyond the install. I think it may be trial software that you pay for after a while but I never saw a "you have 30 days left" or whatever so I don't know. If it has an expiration I haven't hit it yet. Perhaps you might try this product or something similar when testing new browsers (or even questionable programs as it works for other exes too I believe).

It's also a good idea to maintain a hosts file of blocked sites as oftentimes it's not the sites themselves but the advertisers that slip in the evil scripting. Spybot S&D updates your hosts file and also WinHelp2002 puts out quarterly updates which you can download & copy into your hosts file. Essentially, links to any of the sites listed in your hosts file are ignored - this prevents tons of ads and nasty script sites. Unfortunately it often blocks advertising for MSN etc. and they won't show you their news vids until you watch their commercial - usually I say it's not worth it, but what you can do is maintain an empty and a blocking hosts file and just copy over when you want to go from protected to unprotected. You could even write 2 simple bat files and create shortcuts to do it for you.
 
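The "two bat files" idea above, written out as a single script with a protect/unprotect argument. This is an added example, not TrainableMan's or anyone else's code from the thread; the two source file names (hosts.blocking and hosts.empty) and the backup file name are assumptions, and the script expects the blocking file to be the Spybot/WinHelp2002-style list of 127.0.0.1 or 0.0.0.0 entries.

```batch
@echo off
rem hoststoggle.bat - swap between a blocking hosts file and an empty one.
rem Added example, not code from the thread. Assumes two files kept next to
rem this script (names are assumptions):
rem   hosts.blocking  - blocklist in hosts format, e.g. "0.0.0.0 ads.example" per line
rem   hosts.empty     - a minimal hosts file (just the "127.0.0.1 localhost" line)
rem Usage:  hoststoggle.bat protect     (install the blocking file)
rem         hoststoggle.bat unprotect   (install the empty file)
rem Run from an elevated (Run as administrator) command prompt; the hosts
rem file under System32 is not writable otherwise.

setlocal
set "HOSTS=%SystemRoot%\System32\drivers\etc\hosts"
set "SRC_DIR=%~dp0"

if /i "%~1"=="protect"   set "SRC=%SRC_DIR%hosts.blocking"
if /i "%~1"=="unprotect" set "SRC=%SRC_DIR%hosts.empty"
if not defined SRC (
    echo Usage: %~nx0 protect ^| unprotect
    exit /b 1
)
if not exist "%SRC%" (
    echo Source file not found: %SRC%
    exit /b 1
)

rem Keep a copy of whatever is currently installed so a bad swap can be undone.
copy /y "%HOSTS%" "%SRC_DIR%hosts.previous" >nul

rem Some tools mark the hosts file read-only; clear that before overwriting it.
attrib -r "%HOSTS%"
copy /y "%SRC%" "%HOSTS%" >nul || (
    echo Copy failed - are you running this as administrator?
    exit /b 1
)

rem Flush the resolver cache so the new entries take effect right away.
ipconfig /flushdns >nul
echo hosts file is now in %~1 mode.
endlocal
```

Two shortcuts, one passing `protect` and one passing `unprotect`, give the one-click switch described above; the hosts.previous copy is there so that if a blocklist turns out to break a site you rely on, the last working file is one copy away.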

Nibiru2012

Quick Scotty, beam me up!
Joined
Oct 27, 2009
Messages
4,955
Reaction score
1,302
Yes, it's enabled, I don't disable anything to do with security. It just hit like lightning, is all that I know.

Nibiru, I did think of RKill, in fact I went to the web page. But from what I gathered, and I could have misunderstood, it only allows you to find the root cause of the problem, then you can get rid of it. But as I've said, I may have misunderstood.

At any rate, I wanted to nuke the target of infection, and DBAN does a damn good job of getting that done. :D
First, you run RKill to shut down all the bad stuff that's running. It may take several attempts to do it, but its window will show the progress. Once it's finished, then you run the AV program to eliminate the virus, trojan, malware, etc.
 

TrainableMan

^ The World's First ^
Moderator
Joined
May 10, 2010
Messages
9,353
Reaction score
1,587
Yes it's always best to only visit the reputable porn and warez sites :p

If all the porn sites closed down the internet would collapse :love:
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Thanks to all for your answers, all were helpful in one way or the other. I'll download and keep a copy of Rkill on hand for instances such as this. I've never used it, it's worth a shot.

Secondly, the subject came up not to go to these kinds of sites. A few months ago, I recommended that if you go to these sites, do not use your main computer for this; find a used or cheap notebook for it. That's what I was doing, I would never subject my main PC to these sites. And I can deal with getting burned, as long as the damage is contained to a used notebook.

As soon as it happened, I shut down my PC at once, to keep the infection from spreading to it. While I was nuking the notebook, I did a full scan with MSE, Malwarebytes, and the Malicious Software Removal Tool that we receive each month from Microsoft. For those who don't know how to run the tool, type "mrt" w/o the quotes, from the Start Menu. You will see the program listed; it looks like a small slice of pie. You can run a short, long or custom scan with it. Keep in mind that a long scan takes a long time, much longer than an AV's "long scan" does. But it is a free, useful tool. If there's anyone committed to the eradication of viruses and malware from the planet, it's Microsoft. The others, they want to keep their lists updated and contain them, but they have no incentive to eradicate them altogether. Why? The AV protection industry is a multi-billion-dollar one, and they don't want to lose the money.

I'm grateful that the smallpox researchers didn't feel this way. They were actually looking to eradicate the disease, rather than contain it. They won, and now our children no longer have to get this painful shot that scars their arm. Thanks to the ones who made this possible.

As far as the AV industry goes, perhaps they need to adopt the same mentality, instead of allowing greed to control their decision making. That would be a great starting point to achieve this tall order: catching viruses and malware at the source, then eliminating them, rather than containing them on our computers.

Just a thought.
Cat
 

Nibiru2012

Quick Scotty, beam me up!
Joined
Oct 27, 2009
Messages
4,955
Reaction score
1,302
Cat - don't you realize it's all about the money! Remember, money is not the root of all evil... the LOVE of money is the root of all evil.

I could go on about our illegal Federal Reserve Banking system and how it was illegally put into existence from an initial meeting at Jekyll Island (hmmmm???) back in the early part of the 20th century.
 

TrainableMan

^ The World's First ^
Moderator
Joined
May 10, 2010
Messages
9,353
Reaction score
1,587
Everything is about the money - do you really need a new OS every 3 years or a new printer every 6 years ... no, but for those companies to make any money they have to sell them to you anyway. So they change it a little and stop supporting the old and wizbang you must pay.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Everything in a free society is about money. The more you have, the more products and services you can obtain. There is no questioning that. Money walks, a good example of that is this. In 1997, I bought a new Toyota Tacoma truck, loaded to the gills with everything except 4WD, which I don't care for. Anyway, I narrowed down the truck I wanted. The salesman asked me how much cash I had to put down (I was employed then). I said five, he looked at me and asked five hundred, I said no, five thousand (the truck cost $24,000). The salesman threw his arm around my neck, and actually dragged me through the door, and asked me to have a seat. He went to his sales manager, who in turn asked me if I was hungry. The salesman took me out to eat, which was not surprising, considering my sales experience. Happens all the time. But they didn't yet know my job position and who they were dealing with.

After the return from lunch, the sales manager asked me into his office, the salesman told me that everyone doesn't have this treatment, which I knew was bullshit. He asked me how much could I afford in monthly payments (a common trick, never fall for this, at least as to what you can actually afford). I said with my downpayment, $275 was all that I could afford, no more. He said I was crazy, I got up and proceeded to leave, he tried to stop me, but I left anyway.

After returning home, I noticed the phone ringing off the wall. I answered, and the dealership owner was calling me. He told me that I could get the truck for the $5000 that I offered, and a $232.75/month payment for 72 months. Nearly $6,000 was cut off the price by my walking out the door, and at that time, Toyotas were hard to get at a reduced price.

So by my having that $5,000 and knowing when to walk out the door, I saved big, and better yet, got the truck that I wanted. Money talks when it comes to sales, and that's the bottom line.

As far as OS's and computer hardware (especially printers) go, a new one is almost mandated every three to five years. Except when one like Vista comes out, all the consumers can do is grit their teeth and wait. XP Pro ran fine for me from 2002 until Nov 2009, over seven years. I still use it sometimes (it folds great). But in the business world, that option may not apply: a new Windows is released, some companies go for it, and the employees just have to love it or leave (find other work). In this day, they choose to love it, which is not a bad decision, given all that 7 has to offer.

But secure as it is, thinking that malware can't attack is foolish. I wasn't thinking that way, but was depending on MSE to cover my back. A switch will be made, but I must do some researching on that AV list that Nibiru provided. I'll try it out on XP first (under tough conditions). Perhaps the same that caused the infection; that would be the ultimate test for any AV suite. If the security is cracked, I'll go to the next one. If I can't depend on it to intercept viruses and malware, it's worthless to me. Period.

Cat
 
Joined
Feb 21, 2010
Messages
165
Reaction score
77
catilley,
Well mate, all I can add is that there is another lesson here for us all: we are never really SECURE. What I have discovered does bring to mind, I saw this come up on my Compaq Notebook after downloading the newest Adobe update. Malwarebytes picked it up & Norton 360 failed too.

Norton has given a false indication & when I ran the full clean Norton didn't find anything. Strange, as it was in my Security History. Weird was the fact Norton reported this as a fake Trojan which pointed to a program I downloaded called SIW System info for Windows 2010 Build 0428a; this also gave me a warning of a false AV result?

I was pleased to see that everything was where it should be, as well all is working as well as could be expected. Great informative post cat.
regards
jeffrey
 

yodap

No longer shovelling
Joined
Mar 30, 2009
Messages
1,430
Reaction score
340
From Trainableman
I have installed something called sandboxie which is supposed to run the browser in a separate area that disappears when you close it, essentially a Virtual mode just for the browser. It is supposed to help protect you from that sort of thing but the truth is I haven't done anything with it beyond the install. I think it may be trial software that you pay for after a while but I never saw a "you have 30 days left" or whatever so I don't know. If it has an expiration I haven't hit it yet. Perhaps you might try this product or something similar when testing new browsers (or even questionable programs as it works for other exes too I believe).
I love the concept of this program. I used it on XP but haven't installed it on my most recent install of W7. Thanks for reminding me of it. It's well worth the 30 seconds it takes to install it. It is free (not trial) and can be found here.

http://www.sandboxie.com/index.php?DownloadSandboxie

Thanks for mentioning it and it would be the quickest and easiest solution for Cat.
 

TrainableMan

^ The World's First ^
Moderator
Joined
May 10, 2010
Messages
9,353
Reaction score
1,587
The only reason I thought it might be shareware is because of that BUY tab on the website, but since I had no plans to buy it I never actually clicked it. The author really would like it if you paid to register, but I guess he didn't program in any time-frame before it is required.
 

catilley1092

Win 7/Linux Mint Lover
Joined
Nov 13, 2009
Messages
3,507
Reaction score
563
Well, here we go again. I clean installed all partitions except Win 2K, which wasn't infected anyway. A while ago, 7 Pro started acting up again, but this time, I could boot into Malwarebytes. It ran for a couple of minutes, then the system crashed on me, and I could not restart it again. Once again, there was this fake virus scanner. I headed for the RKill CD that I had burned, but by the time I could get my hands on it (I have CD's & DVD's all over the place), the crash occurred. I couldn't boot into anything this time.

I'm suspecting some type of hardware infection here, even though I did boot-time scans with Avast. Either the DVD ROM, RAM chip, or the Ready Boost flash drive is giving me trouble. But all were scanned, three times, and I'm using the thumb drive for Ready Boost on my desktop with no issues, so we can rule out the thumb drive. Can infection embed in hardware? I've heard in the past that it can happen, especially with RAM chips.

So for the time being, I'm nuking the laptop once again, only this time I'm using the Gutmann method (35 times), over the autonuke command, which only does a DOD (3x wipe). I don't know what else to do.
 
