When Malware strikes ...
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
When Malware strikes ...
Happened to me today, second time in two weeks.
I'm curious about how to recover and re-protect myself in the future.
L'Histoire:
I search the web (Firefox 3.6.15) for answers to a Word/VBA question and open up the first hit in a new link. Before I can do much more than see the headlines, Firefox closes, an "Antimalware"? screen (Malicious Software Removal Tool?) pops up and starts scanning furiously, and within ten seconds has found several threats and invited me to send money to get them removed.
I unplug my network cable, but it's probably too late anyway.
Antimalware reports at least 3 infected files within 30 seconds. I delete them permanently through Windows (7 Home Premium) Explorer, and decide to fire up Grisoft's AVG. Which refuses to load, and the bottom right-hand corner of the screen tells me that AVG(something) is infected anyway.
AVG won't re-install, and RevoUninstaller won't fire up.
Things are getting as bad as two-inch hailstorms and, of course, I don't take PrtScr snapshots, so I'm typing this from memory.
Control Panel, System, System restore won't kick in.
I reboot and tap the ESC key to get to the Compaq Presario CQ62 BIOS menu, but F11 (I think) restore says something about boot not being possible.
I reboot and can't get Shift-F8 to take me to the SafeMode menu.
With the internet still disconnected, I unplug the power and work the laptop on my lap, as if my plywood desk was infected.
I manage to fire up System Restore to the state at this morning's 5am reboot, and the laptop slowly shuts down and restarts.
I manage to fire up AVG which is now scanning all files, reporting no errors at 528,5000 files and counting. It could be a long afternoon.
Grisoft AVG and MSE are both updated as at about 1am this and every morning.
Once AVG is done I might give MSE a chance at a full scan.
The danger seems to have been cleared by the system restore.
My Firefox browser history is wiped back to this morning, by the look of it, so I can't recall which links caused me problems.
Question 1: Why are malicious browser links getting through AVG & MSE?
Question 2: Is there a better way to capture the identity of these malicious links and feed them into Andy?
Question 3: What is Malicious Software Removal Tool and why do they want money from me?
Question 4: What defence mechanism am I missing here?
I used to install Zonelabs ZoneAlarm, but didn't install it after I migrated from Win XP. I don't know why. I quite liked the product.
(signed) "Missing the days of punched cards" from Toronto.
P.S. Once this is posted I'll re-search and see if I can identify the offending link in a PrtScr.
He who plants a seed, plants life.
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
ChrisGreaves wrote: P.S. Once this is posted I'll re-search and see if I can identify the offending link in a PrtScr.
The search terms are inset.
I'm not sure that either of the circled links are the culprits, but they both show up as purple-recently-visited.
He who plants a seed, plants life.
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
ChrisGreaves wrote: I manage to fire up AVG which is now scanning all files, reporting no errors at 528,5000 files and counting.
No infections found by Grisoft AVG.
MSE continues ...
He who plants a seed, plants life.
-
- Administrator
- Posts: 78676
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: When Malware strikes ...
There's a lot of fake security software, aka scareware. See for example Rogue Security Software (Microsoft article) and Rogue security software (Wikipedia article).
This kind of software is very devious, and the criminals behind it manage to hack "innocent" websites and inject their venom into it, so it can be difficult to protect yourself. If you get attacked, do not click on ANYTHING in the web page, including Cancel buttons and close buttons of pop-up dialogs, for ANY click can be interpreted as consent to continue. Use the task manager to kill the browser session.
Since you're using Firefox, I'd recommend installing NoScript and setting it to block ALL sites, then gradually allowing sites. Annoying, but very effective.
Another useful (although not perfect) add-in is WOT (Web of Trust). It'll show a green, orange or red circle next to search results based on user reviews:
Of course, reviews can be biased, so you can't trust it absolutely, but it does give an indication.
Best wishes,
Hans
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
HansV wrote: There's a lot of fake security software, aka scareware.
Fer Sure.
Are you saying that I got confused between "Antimalware" and the "Malicious Software Removal Tool"?
The latter comes from a MS KB http://support.microsoft.com/kb/890830 I believe.
If that's the case, then at least one of the "hits" that turned up in my search was a web-page which fired up fake when I clicked on it.
And I'm still surprised that neither Grisoft nor MSE detected it.
I aged five years today.
I wasn't browsing a porn site, honest, just searching for some Word/VBA clues in proper case. I don't expect to get fake malware alerts when browsing VBA help forums, but still ...
Hans, thanks for the reminder.... I'd recommend installing NoScript (http://noscript.net/)
I had this installed on my old laptop/XP and forgot to re-install it on the new beast.
He who plants a seed, plants life.
-
- Administrator
- Posts: 78676
- Joined: 16 Jan 2010, 00:14
- Status: Microsoft MVP
- Location: Wageningen, The Netherlands
Re: When Malware strikes ...
There are well-organized criminals behind these fake but convincing-looking "security programs". They scan the internet for weakly-protected websites and infect them, and/or set up infected but reputable-looking sites with "normal" keywords that will turn up in a Google search.
So you may have clicked a perfectly reasonable-looking link. It has happened to me too.
Furthermore, the malicious software is very clever, it mutates all the time so that it is hard for real security software to detect all its manifestations.
Best wishes,
Hans
-
- 2StarLounger
- Posts: 142
- Joined: 20 Jan 2011, 19:54
- Location: Rochester, NY
Re: When Malware strikes ...
Chris, in addition to an AV app running in real time, do you use both a software and hardware firewall? Perhaps I am just lucky that this has not happened to me. I use MSE AV/AM in real time. I was using Windows 7 firewall but switched to Online Armor ++ software firewall and have my router firewall enabled. I have all my apps totally up to date, including all OS updates. I have my virus sigs automatically updated each day. I do use IE9 rather than FF (I do notice you do not have the latest version of FF installed).
I guess bottom line is I believe the most effective security is a multilayered, proactive security scheme.
Have a Great Day!
Ted
Sony Vaio Laptop, 2.53 MHz Duo Core Intel CPU, 4 GB RAM, 320 GB HD, Win 7 Ultimate 64 Bit
-
- 2StarLounger
- Posts: 129
- Joined: 17 Jun 2010, 14:35
- Location: Edge of the Cotswolds - UK
Re: When Malware strikes ...
These rogue softwares are mainly after your bank account & other personal details but will phone home with any information which allows them to make money.
I post a list of them on my Google Docs page but that isn't much good after you have been infected.
- http://docs.google.com/leaf?id=0BxPQVZY ... NGU5&hl=en
Tiny URL - http://tinyurl.com/y9jcds9
They are now using names the same as or very similar to genuine antimalware programmes as well as common computing terms eg
Adware Pro
Antivir
AVG Anti-virus
BitDefender
Defragmenter
Dr Web
E-Set Antivirus
Gmer
HDD +various names
IE +various
Internet +various
Live +various
Microsoft Anti Malware
Microsoft Security Advisor
Microsoft Security Essentials Alert
Microsoft Windows Malicious Software Removal Tool
MSAntispyware 2009
MS Antivirus
MS Removal Tool
Norton 360
Remove +various or Removal tools
etc. etc.
I'm glad you managed to get yourself out of trouble. IMO you did the correct thing in disconnecting from the internet. The next step is usually to reboot into safe mode (F8) & run your scans from there.
I am somewhat surprised to see that you are running two 'resident' antivirus programmes at the same time. MSE & AVG are both always on, running in the background. The normal advice is to run one 'resident' antivirus but as many as you like 'on demand' scanners e.g.
MBAM - http://www.malwarebytes.org/products.php
Clamwin - http://www.clamwin.com
Dr Web - http://www.drweb-online.com/en/download ... .asp?rpid=
Hitman Pro - http://www.surfright.nl/en/hitmanpro/
Regards
wasbit
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
wasbit wrote: I am somewhat surprised to see that you are running two 'resident' antivirus programmes at the same time. MSE & AVG are both always on, running in the background. The normal advice is to run one 'resident' antivirus but as many as you like 'on demand' scanners
Hi Wasbit.
Yes, I had both going.
I have since disabled the Resident Shield portion of AVG but kept everything else (e.g. email scanner, daily updates etc. ) in place. I am mainly surprised/concerned that the "Link Scanner" didn't detect a malicious link.
Remember, I'd searched and got hits for a Word/VBA question, opened up a link (from the hit-list) in a new tab, then was trying to copy/paste some stuff - text I thought - from that forum page.
If I'd clicked on a link regarding "hot bunnies" or similar I could understand my state, but click-and-drag on text and Ctrl-C seems to have landed me into trouble, and somehow I thought that Grisoft AVG was supposed to catch that sort of thing.
He who plants a seed, plants life.
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
tedshemyers wrote: Chris, In addition to an AV app running in real time, do you use both a software and hardware firewall?
Hi Ted.
I'm not sure.
On the older laptop I used to have ZoneLabs monitor my modem, and MS WinXP firewall turned off.
Now I have a different ISP&Modem and I have Windows Firewall turned ON, and the parameters are out-of-the-box Win 7 Home Premium as I installed it.
Please see also my reply to Wasbit 5 minutes ago. I'm surprised that a rogue link could get through a "dumb-user" out-of-the-box installation.
I thought that modern anti-malware products and services were supposed to trap the most obvious rogues. There's a part of my thinking that says that those who frequent porn sites, drug sites, and animal cruelty sites deserve what they get. I'm a bit right-wing on those issues, but someone looking for VBA code ought to (have got) get something like a pop up that says "this isn't porn/violence, are you sure you trust this action?"
He who plants a seed, plants life.
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
wasbit wrote: Hitman Pro - http://www.surfright.nl/en/hitmanpro/
Thanks again, Wasbit.
He who plants a seed, plants life.
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
While we're still on-topic ...
I'm fairly sure this is a scam.
Thunderbird thinks so, and when I use my Firefox bookmark to visit my YouTube account (rather than clicking on the link in the email), I see no messages for me!
He who plants a seed, plants life.
-
- 5StarLounger
- Posts: 1120
- Joined: 26 Jan 2010, 11:32
- Location: "What a mighty long bridge to such a mighty little old town"
Re: When Malware strikes ...
ChrisGreaves wrote: I am mainly surprised/concerned that the "Link Scanner" didn't detect a malicious link.
Remember, I'd searched and got hits for a Word/VBA question, opened up a link (from the hit-list) in a new tab ...
It may be, of course, that the link was perfectly valid, but that the site itself was hosting (on purpose or otherwise) poisoned scripts or adverts. The bad guys are pretty tricky.
By the way, it is my understanding that the fake antivirus alerts generate cash mainly by offering to sell "solutions" to sort out your malware problems, which then turn out to be malware themselves, spawning offers to sell you... (see recursion)
Enough people fall for it that the extra hassle of searching your PC for banking details is not worth it.
On the (rare) occasions I encounter this sort of problem, I start by running Malwarebytes anti-malware (fully updated if possible), then go on from there.
Added note: when searching for fixes on the net, be extra careful. Bad guys love fooling you into downloading stuff from their sites rather than the genuine ones.
John
“Always trust a microbiologist because they have the best chance of predicting when the world will end”
― Teddie O. Rahube
-
- 5StarLounger
- Posts: 1120
- Joined: 26 Jan 2010, 11:32
- Location: "What a mighty long bridge to such a mighty little old town"
Re: When Malware strikes ...
ChrisGreaves wrote: While we're still on-topic ...
I'm fairly sure this is a scam.
Thunderbird thinks so, and when I use my Firefox bookmark to visit my YouTube account (rather than clicking on the link in the email), I see no messages for me!
A quick hover over the links might reveal the true destination in the status bar. (I can't see why people turn off the status bar; it's just so darned useful.)
John
“Always trust a microbiologist because they have the best chance of predicting when the world will end”
― Teddie O. Rahube
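The status-bar check John describes can be done mechanically over the HTML body of a message. The script below is an added example, not part of John's post or anything from the thread: it collects every anchor in an HTML fragment and flags the ones whose visible text names one domain while the href actually points at another (the classic phishing pattern). The sample message, the domain names in it and the "last two labels" notion of a registered domain are all constructed assumptions for the demonstration.

```python
"""Flag anchors whose visible text claims one destination but whose href goes elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Gather (href, visible text) pairs for every <a> element in the fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, if any
        self._text = []     # text pieces seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_like):
    """Hostname of a URL; also accepts bare 'www.example.com/path' with no scheme."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return (urlsplit(url_like).hostname or "").lower()


def registered_domain(host):
    """Crude registrable domain: last two labels (assumption; ignores public-suffix rules)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html):
    """Return (visible text, real host) for anchors whose text looks like a URL
    or domain name but whose href resolves to a different registered domain."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        looks_like_address = "." in text and " " not in text
        if not looks_like_address:
            continue    # plain words such as "View messages" make no domain claim
        if registered_domain(host_of(text)) != registered_domain(host_of(href)):
            findings.append((text, host_of(href)))
    return findings


# Constructed sample: a "new message" lure whose first link lies about its target.
SAMPLE = """<p>You have a new message waiting.</p>
<a href="http://login-youtube.example.net/msg">http://www.youtube.com/inbox</a><br>
<a href="https://www.youtube.com/">www.youtube.com</a><br>
<a href="https://www.youtube.com/inbox">View messages</a>"""

if __name__ == "__main__":
    for text, real_host in suspicious_links(SAMPLE):
        print(f"link text claims {text!r} but really goes to {real_host}")
```

Only the first anchor is reported; the second names the same domain it points at, and the third makes no claim about its destination at all, so a mismatch check cannot judge it (which is why John's hover, or opening a known bookmark as Chris did, is still the right reflex).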
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
jonwallace wrote: It may be, of course that the link was perfectly valid, but that the site itself was hosting (on purpose or otherwise) poisoned scripts or adverts. The bad guys are pretty tricky.
Hi Jon.
Your point is valid, and I'm stretching the nanny-state here, I know.
Given the prevalence of this stuff, I can't expect any malware suite to be up-to-the-microsecond active on bad guys.
And I am always responsible for my own safety.
The NoScript solution (thanks Hans!) is the obvious try-before-you-buy filter (and inadvertently inhibits me from reading newspaper comments when I have better things to do!).
He who plants a seed, plants life.
-
- 2StarLounger
- Posts: 129
- Joined: 17 Jun 2010, 14:35
- Location: Edge of the Cotswolds - UK
Re: When Malware strikes ...
Hi Chris, I'm only a little 'w' but most people call me a big one.
I tried to post this in the early hours but I think they were working in the telephone exchange & dropped my connection.
What you have to remember is that it doesn't matter how well your PC is protected from malware: as soon as you click that mouse button you allow your defences to be bypassed. The scammer's art is making you make that mouse click.
IIRC Hitman Pro was originally recommended in the Lounge by Hans so the credit should really go to him.
I also agree with everything said by jonwallace in the two posts above.
Regards
wasbit
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
wasbit wrote: ... as soon as you click that mouse button you allow your defences to be bypassed.
Hi wasbit.
That's the bit I don't get.
I thought that a mouse-click could be intercepted on the client machine (mine), interrogated for validity, and then either passed or suspended.
To my mind the whole point of Anti-malware is to intercept potentially fatal actions on my part.
He who plants a seed, plants life.
-
- GoldLounger
- Posts: 2599
- Joined: 24 Jan 2010, 15:26
- Location: Olympia, WA
Re: When Malware strikes ...
ChrisGreaves wrote: I thought that a mouse-click could be intercepted on the client machine (mine), interrogated for validity, and then either passed or suspended.
To my mind the whole point of Anti-malware is to intercept potentially fatal actions on my part.
If all of your protection has not been told (definitions) about this new clickable varmint, how is it (your Protection) supposed to know what to do when you click OK?
Not only that, which protection program kicked in to check this file, since we have AV, spam blockers, worm blockers and etc, which all protect us from something different?
I am so far behind, I think I am First
Genealogy....confusing the dead and annoying the living
-
- PlutoniumLounger
- Posts: 15667
- Joined: 24 Jan 2010, 23:23
- Location: brings.slot.perky
Re: When Malware strikes ...
DaveA wrote: If all of your protection has not been told (definitions) about this new clickable varmint, how is it (your Protection) suppose to know what to do when you click OK?
Well, that's the part that has me confused.
(I'm assuming that by "when you click OK?" you mean "when you click"; there was no question of an OK/Cancel dialogue; I just clicked on a link and then click-and-dragged prior to copying the text I saw there.)
It seems to me that either
(1) I don't have a full set of anti-malware devices in place or
(2) What I have does not hold a full set of definitions.
Then
(2a) No anti-malware device can be 100% up to date. This becomes clear on those times when I preview my email (MailWasher Pro), process the spam, re-check the mail and then download the mail, and in that tiny interval between 'recheck' and 'download' an occasional spam creeps in.
He who plants a seed, plants life.
-
- GoldLounger
- Posts: 2599
- Joined: 24 Jan 2010, 15:26
- Location: Olympia, WA
Re: When Malware strikes ...
We will all get one of these from time to time. I was hit by one of your links to a news site the other day. Just close the pane and then run your Malwarebytes and SuperAntiSpyware to clean anything that may have been loaded.
It is in these panes that most will pick OK to download the fix, but, all one needs to do is close the pane using the "White" X on the RED button.
I am so far behind, I think I am First
Genealogy....confusing the dead and annoying the living