When Malware strikes ...

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

When Malware strikes ...

Post by ChrisGreaves »

Happened to me today, second time in two weeks.
I'm curious about how to recover and re-protect myself in the future.

L'Histoire:

I search the web (Firefox 3.6.15) for answers to a Word/VBA question and open up the first hit in a new link. Before I can do much more than see the headlines Firefox closes, an "Antimalware"? screen (Malicious Software Removal Tool?) pops up and starts scanning furiously, and within ten seconds has found several threats and invited me to send money to get them removed.

I unplug my network cable, but it's probably too late anyway.

Antimalware reports at least 3 infected files within 30 seconds. I delete them permanently through Windows (7 Home Premium) Explorer, and decide to fire up Grisoft's AVG. Which refuses to load, and the bottom right-hand corner of the screen tells me that AVG(something) is infected anyway.
AVG won't re-install, and RevoUninstaller won't fire up.
Things are getting as bad as two-inch hailstorms and, of course, I don't take PrtScr snapshots, so I'm typing this from memory.

Control Panel, System, System restore won't kick in.

I reboot and tap the ESC key to get to the Compaq Presario CQ62 BIOS menu, but F11 (I think) restore says something about boot not being possible.

I reboot and can't get Shift-F8 to take me to the SafeMode menu.

With the internet still disconnected, I unplug the power and work the laptop on my lap, as if my plywood desk was infected.

I manage to fire up System Restore to the state at this morning's 5am reboot, and the laptop slowly shuts down and restarts.

I manage to fire up AVG which is now scanning all files, reporting no errors at 528,5000 files and counting. It could be a long afternoon.

Grisoft AVG and MSE are both updated as at about 1am this and every morning.
Once AVG is done I might give MSE a chance at a full scan.

The danger seems to have been cleared by the system restore.

My Firefox browser history is wiped back to this morning, by the look of it, so I can't recall which links caused me problems.

Question 1: Why are malicious browser links getting through AVG & MSE?
Question 2: Is there a better way to capture the identity of these malicious links and feed them into Andy?
Question 3: What is Malicious Software Removal Tool and why do they want money from me?
Question 4: What defence mechanism am I missing here?

I used to install Zonelabs ZoneAlarm, but didn't install it after I migrated from Win XP. I don't know why. I quite liked the product.

(signed) "Missing the days of punched cards" from Toronto.

P.S. Once this is posted I'll re-search and see if I can identify the offending link in a PrtScr.
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

ChrisGreaves wrote:P.S. Once this is posted I'll re-search and see if I can identify the offending link in a PrtScr.
The search terms are inset.
I'm not sure that either of the circled links are the culprits, but they both show up as purple-recently-visited.
[Attachment: 1.png]
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

ChrisGreaves wrote:I manage to fire up AVG which is now scanning all files, reporting no errors at 528,5000 files and counting.
No infections found by Grisoft AVG.
MSE continues ...
An expensive day out: Wallet and Grimace

HansV
Administrator
Posts: 78235
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: When Malware strikes ...

Post by HansV »

There's a lot of fake security software, aka scareware. See for example Rogue Security Software (Microsoft article) and Rogue security software (Wikipedia article).

This kind of software is very devious, and the criminals behind it manage to hack "innocent" websites and inject their venom into it, so it can be difficult to protect yourself. If you get attacked, do not click on ANYTHING in the web page, including Cancel buttons and close buttons of pop-up dialogs, for ANY click can be interpreted as consent to continue. Use the task manager to kill the browser session.

Since you're using Firefox, I'd recommend installing NoScript and setting it to block ALL sites, then gradually allowing sites. Annoying, but very effective.

Another useful (although not perfect) add-in is WOT (Web of Trust). It'll show a green, orange or red circle next to search results based on user reviews:
[Attachment: x625.png]
Of course, reviews can be biased, so you can't trust it absolutely, but it does give an indication.
Best wishes,
Hans

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

HansV wrote:There's a lot of fake security software, aka scareware.
Fer Sure.
Are you saying that I got confused between "Antimalware" and the "Malicious Software Removal Tool"?
The latter comes from a MS KB http://support.microsoft.com/kb/890830 I believe.

If that's the case, then at least one of the "hits" that turned up in my search was a web-page which fired up fake when I clicked on it.
And I'm still surprised that neither Grisoft nor MSE detected it.
I aged five years today.

I wasn't browsing a porn site, honest, just searching for some Word/VBA clues in proper case. I don't expect to get fake malware alerts when browsing VBA help forums, but still ...
HansV wrote:... I'd recommend installing NoScript (http://noscript.net/)
Hans, thanks for the reminder.
I had this installed on my old laptop/XP and forgot to re-install it on the new beast.
An expensive day out: Wallet and Grimace

HansV
Administrator
Posts: 78235
Joined: 16 Jan 2010, 00:14
Status: Microsoft MVP
Location: Wageningen, The Netherlands

Re: When Malware strikes ...

Post by HansV »

There are well-organized criminals behind these fake but convincing-looking "security programs". They scan the internet for weakly-protected websites and infect them, and/or set up infected but reputable-looking sites with "normal" keywords that will turn up in a Google search.

So you may have clicked a perfectly reasonable-looking link. It has happened to me too.

Furthermore, the malicious software is very clever, it mutates all the time so that it is hard for real security software to detect all its manifestations.
Best wishes,
Hans

tedshemyers
2StarLounger
Posts: 142
Joined: 20 Jan 2011, 19:54
Location: Rochester, NY

Re: When Malware strikes ...

Post by tedshemyers »

Chris, In addition to an AV app running in real time, do you use both a software and hardware firewall? Perhaps I am just lucky that this has not happened to me. I use MSE AV/AM in real time. was using Windows 7 firewall but switched to Online Armor ++ software firewall and have my router firewall enabled. I have all my apps totally up to date, including all OS updates. I have my virus sigs automatically updated each day. I do use IE9 rather than FF (I do notice you do not have the latest version of FF installed)

I guess bottom line is I believe the most effective security is a multilayered, proactive security scheme.
Have a Great Day!
Ted


Sony Vaio Laptop, 2.53 MHz Duo Core Intel CPU, 4 GB RAM, 320 GB HD, Win 7 Ultimate 64 Bit

wasbit
2StarLounger
Posts: 129
Joined: 17 Jun 2010, 14:35
Location: Edge of the Cotswolds - UK

Re: When Malware strikes ...

Post by wasbit »

These rogue programs are mainly after your bank account & other personal details but will phone home with any information which allows them to make money.

I post a list of them on my Google Docs page but that isn't much good after you have been infected.
- http://docs.google.com/leaf?id=0BxPQVZY ... NGU5&hl=en

Tiny URL - http://tinyurl.com/y9jcds9

They are now using names the same as or very similar to genuine antimalware programmes as well as common computing terms, e.g.
Adware Pro
Antivir
AVG Anti-virus
BitDefender
Defragmenter
Dr Web
E-Set Antivirus
Gmer
HDD +various names
IE +various
Internet +various
Live +various
Microsoft Anti Malware
Microsoft Security Advisor
Microsoft Security Essentials Alert
Microsoft Windows Malicious Software Removal Tool
MSAntispyware 2009
MS Antivirus
MS Removal Tool
Norton 360
Remove +various or Removal tools

etc. etc.


I'm glad you managed to get yourself out of trouble. IMO you did the correct thing in disconnecting from the internet. The next step is usually to reboot into safe mode (F8) & run your scans from there.

I am somewhat surprised to see that you are running two 'resident' antivirus programmes at the same time. MSE & AVG are both always on, running in the background. The normal advice is to run one 'resident' antivirus but as many as you like 'on demand' scanners, e.g.

MBAM - http://www.malwarebytes.org/products.php
Clamwin - http://www.clamwin.com
Dr Web - http://www.drweb-online.com/en/download ... .asp?rpid=
Hitman Pro - http://www.surfright.nl/en/hitmanpro/
Regards
wasbit
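The naming trick described in the post above (rogue programs borrowing a genuine vendor's brand, or generic "removal"/"alert" wording) can be turned into a simple inventory check. The following is an added example written for this thread; it is not code from any of the products named here. The genuine-product allowlist, the brand-token table and the sample inventory are all constructed for the example. It also shows the caveat wasbit's list implies: a rogue that uses a name identical to a genuine product (the list's "AVG Anti-virus", "BitDefender") passes a name check, so this is a triage signal to pair with signature and publisher checks, not a verdict on its own.

```python
"""Flag product names that borrow a genuine security vendor's brand.

Added example (not from the thread or from any product it names). The
genuine-product allowlist, brand-token table and sample inventory are
constructed for the example; a real deployment would take the allowlist from
the organisation's approved-software list.
"""
import re

# Constructed allowlist of genuine product names (assumption for the example).
GENUINE_PRODUCTS = [
    "Microsoft Security Essentials",
    "Windows Malicious Software Removal Tool",
    "AVG Anti-Virus",
    "Avira AntiVir",
    "ESET NOD32 Antivirus",
    "BitDefender",
    "Norton 360",
]

# Brand tokens a rogue name borrows to look trustworthy, mapped to the vendor
# being imitated (constructed table).
BRAND_TOKENS = {
    "microsoft": "Microsoft", "ms": "Microsoft", "windows": "Microsoft",
    "avg": "AVG", "avira": "Avira", "antivir": "Avira",
    "eset": "ESET", "bitdefender": "BitDefender", "norton": "Symantec",
}

# Generic words the thread's rogue names lean on when no brand is borrowed.
SCARE_TERMS = {"alert", "advisor", "removal", "remove", "remover"}


def normalise(name):
    """Lower-case, drop hyphens (Anti-virus -> antivirus), collapse punctuation."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower().replace("-", "")).strip()


GENUINE_BY_NORM = {normalise(p): p for p in GENUINE_PRODUCTS}


def classify(name):
    """Return (verdict, detail) for one installed-product or process name.

    verdict is one of:
      'genuine'    - exact match to an allowlisted product name (a rogue using
                     an identical name is NOT caught here; see the lead-in)
      'lookalike'  - borrows a vendor brand token but is not that vendor's product
      'suspicious' - no brand, but uses scareware wording
      'unknown'    - nothing to say from the name alone
    """
    norm = normalise(name)
    if norm in GENUINE_BY_NORM:
        return ("genuine", GENUINE_BY_NORM[norm])
    tokens = norm.split()
    for tok in tokens:
        if tok in BRAND_TOKENS:
            return ("lookalike", BRAND_TOKENS[tok])
    if any(tok in SCARE_TERMS for tok in tokens):
        return ("suspicious", None)
    return ("unknown", None)


def scan(names):
    """Classify a list of names; returns [(name, verdict, detail), ...]."""
    return [(n,) + classify(n) for n in names]


# Constructed sample inventory mixing names from the thread with genuine ones.
SAMPLE_INVENTORY = [
    "Microsoft Security Essentials",
    "Microsoft Security Essentials Alert",
    "MS Removal Tool",
    "E-Set Antivirus",
    "AVG Anti-virus",
    "Defragmenter",
    "Remove Malware Pro",
]

if __name__ == "__main__":
    for name, verdict, detail in scan(SAMPLE_INVENTORY):
        print(f"{verdict:<10} {name!r:<40} {detail or ''}")
```

Feed `scan()` the display names from an installed-programs list or a process listing; anything reported as `lookalike` or `suspicious` is worth checking against the vendor's real download page rather than the program's own "buy now" dialog.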

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

wasbit wrote:I am somewhat surprised to see that you are running two 'resident' antivirus programmes at the same time. MSE & AVG are both always on, running in the background. The normal advice is to run one 'resident' antivirus but as many as you like 'on demand' scanners
Hi Wasbit.
Yes, I had both going.
I have since disabled the Resident Shield portion of AVG but kept everything else (e.g. email scanner, daily updates etc. ) in place.
[Attachment: 1.png]
I am mainly surprised/concerned that the "Link Scanner" didn't detect a malicious link.
Remember, I'd searched and got hits for a Word/VBA question, opened up a link (from the hit-list) in a new tab, then was trying to copy/paste some stuff - text I thought - from that forum page.
If I'd clicked on a link regarding "hot bunnies" or similar I could understand my state, but click-and-drag on text and Ctrl-C seems to have landed me into trouble, and somehow I thought that Grisoft AVG was supposed to catch that sort of thing.
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

tedshemyers wrote:Chris, In addition to an AV app running in real time, do you use both a software and hardware firewall?
Hi Ted.
I'm not sure.

On the older laptop I used to have ZoneLabs monitor my modem, and MS WinXP firewall turned off.
Now I have a different ISP&Modem and I have Windows Firewall turned ON, and the parameters are out-of-the-box Win 7 Home Premium as I installed it.
Please see also my reply to Wasbit 5 minutes ago. I'm surprised that a rogue link could get through a "dumb-user" out-of-the-box installation.
I thought that modern anti-malware products and services were supposed to trap the most obvious rogues.
[Attachment: 2.png]
There's a part of my thinking that says that those who frequent porn sites, drug sites, and animal cruelty sites deserve what they get. I'm a bit right-wing on those issues, but someone looking for VBA code ought to (have got) get something like a pop up that says "this isn't porn/violence, are you sure you trust this action?"
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

wasbit wrote:Hitman Pro - http://www.surfright.nl/en/hitmanpro/
Thanks again, Wasbit:
[Attachment: 3.png]
An expensive day out: Wallet and Grimace

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

While we're still on-topic ...

I'm fairly sure this is a scam.
Thunderbird thinks so, and when I use my Firefox bookmark to visit my YouTube account (rather than clicking on the link in the email), I see no messages for me!
[Attachment: 4.png]
An expensive day out: Wallet and Grimace

jonwallace
5StarLounger
Posts: 1118
Joined: 26 Jan 2010, 11:32
Location: "What a mighty long bridge to such a mighty little old town"

Re: When Malware strikes ...

Post by jonwallace »

ChrisGreaves wrote: I am mainly surprised/concerned that the "Link Scanner" didn't detect a malicious link.
Remember, I'd searched and got hits for a Word/VBA question, opened up a link (from the hit-list) in a new tab, .
It may be, of course that the link was perfectly valid, but that the site itself was hosting (on purpose or otherwise) poisoned scripts or adverts. The bad guys are pretty tricky.

By the way, It is my understanding that the fake antivirus alerts generate cash mainly by offering to sell "solutions" to sort out your malware problems, which then turn out to be malware themselves, spawning offers to sell you... (see recursion)

Enough people fall for it that the extra hassle of searching your PC for banking details is not worth it.

On the (rare) occasions I encounter this sort of problem, I start by running Malwarebytes anti-malware (fully updated if possible), then go on from there.

Added note: when searching for fixes on the net, be extra careful. Bad guys love fooling you into downloading stuff from their sites rather than the genuine ones.
John

“Always trust a microbiologist because they have the best chance of predicting when the world will end”
― Teddie O. Rahube

jonwallace
5StarLounger
Posts: 1118
Joined: 26 Jan 2010, 11:32
Location: "What a mighty long bridge to such a mighty little old town"

Re: When Malware strikes ...

Post by jonwallace »

ChrisGreaves wrote:While we're still on-topic ...

I'm fairly sure this is a scam.
Thunderbird thinks so, and when I use my Firefox bookmark to visit my YouTube account (rather than clicking on the link in the email), I see no messages for me!
A quick hover over the links might reveal the true destination in the status bar. ( I can't see why people turn off the status bar, it's just so darned useful)
John

“Always trust a microbiologist because they have the best chance of predicting when the world will end”
― Teddie O. Rahube
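The hover-to-see-the-real-destination check John describes can be automated for a whole message: extract every anchor, compare the host that the visible link text shows with the host the href actually points at, and report mismatches. This is an added example for the thread, not Thunderbird's or Firefox's own logic; the sample e-mail body below is constructed, and the mismatched hosts in it use example.net as a placeholder.

```python
"""Report links whose visible text names a different host than their href.

Added example (not from the thread, Thunderbird or Firefox). The sample
e-mail body is constructed; example.net stands in for a placeholder host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (visible_text, href) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# A hostname-looking token inside the visible link text (e.g. www.youtube.com).
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """True when one host equals, or is a subdomain of, the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_links(html):
    """Return [(visible_text, real_host)] for links whose shown host mismatches."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        shown = HOST_RE.search(text)
        if shown is None:
            continue  # "Click here" style text gives us nothing to compare
        real_host = host_of(href)
        if not same_site(shown.group(1).lower(), real_host):
            findings.append((text, real_host))
    return findings


# Constructed sample e-mail body in the style of the scam described above.
SAMPLE_EMAIL = """
<p>You have 1 new message on YouTube.</p>
<p><a href="http://youtube.com.example.net/inbox">http://www.youtube.com/inbox</a></p>
<p><a href="https://www.youtube.com/">www.youtube.com</a> is where the text and the link agree.</p>
<p><a href="https://example.net/unsubscribe">Click here</a> to unsubscribe.</p>
"""

if __name__ == "__main__":
    for text, real_host in check_links(SAMPLE_EMAIL):
        print(f"link text shows {text!r} but points at {real_host}")
```

The subdomain rule in `same_site` is deliberately tolerant of `www.` and other legitimate subdomains of the shown site, while still flagging a host that merely starts with the trusted name (the first sample link); like the status-bar hover, it only reaches links whose text claims a destination, so a bare "Click here" still needs the hover.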

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

jonwallace wrote:It may be, of course that the link was perfectly valid, but that the site itself was hosting (on purpose or otherwise) poisoned scripts or adverts. The bad guys are pretty tricky.
Hi Jon.
Your point is valid, and I'm stretching the nanny-state here, I know.
Given the prevalence of this stuff, I can't expect any malware suite to be up-to-the-microsecond active on bad guys.
And I am always responsible for my own safety.
The NoScript solution (thanks Hans!) is the obvious try-before-you-buy filter (and inadvertently inhibits me from reading newspaper comments when I have better things to do!).
An expensive day out: Wallet and Grimace

wasbit
2StarLounger
Posts: 129
Joined: 17 Jun 2010, 14:35
Location: Edge of the Cotswolds - UK

Re: When Malware strikes ...

Post by wasbit »

Hi Chris, I'm only a little 'w' but most people call me a big one.

I tried to post this in the early hours but I think they were working in the telephone exchange & dropped my connection.

What you have to remember is that it doesn't matter how well your PC is protected from malware; as soon as you click that mouse button you allow your defences to be bypassed. The scammer's art is making you make that mouse click.

IIRC Hitman Pro was originally recommended in the Lounge by Hans so the credit should really go to him.

I also agree with everything said by jonwallace in the two posts above.
Regards
wasbit

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

wasbit wrote:... as soon as you click that mouse button you allow your defences to be bypassed.
Hi wasbit.
That's the bit I don't get.

I thought that a mouse-click could be intercepted on the client machine (mine), interrogated for validity, and then either passed or suspended.

To my mind the whole point of Anti-malware is to intercept potentially fatal actions on my part.
An expensive day out: Wallet and Grimace

DaveA
GoldLounger
Posts: 2599
Joined: 24 Jan 2010, 15:26
Location: Olympia, WA

Re: When Malware strikes ...

Post by DaveA »

I thought that a mouse-click could be intercepted on the client machine (mine), interrogated for validity, and then either passed or suspended.

To my mind the whole point of Anti-malware is to intercept potentially fatal actions on my part.
If all of your protection has not been told (definitions) about this new clickable varmint, how is it (your Protection) supposed to know what to do when you click OK?

Not only that, which protection program kicked in to check this file, since we have AV, spam blockers, worm blockers and etc, which all protect us from something different?
I am so far behind, I think I am First :evilgrin:
Genealogy....confusing the dead and annoying the living

ChrisGreaves
PlutoniumLounger
Posts: 15498
Joined: 24 Jan 2010, 23:23
Location: brings.slot.perky

Re: When Malware strikes ...

Post by ChrisGreaves »

DaveA wrote:If all of your protection has not been told (definitions) about this new clickable varmint, how is it (your Protection) supposed to know what to do when you click OK?
Well, that's the part that has me confused.

(I'm assuming that by "when you click OK?" you mean "when you click"; there was no question of an OK/Cancel dialogue; I just clicked on a link and then click-and-dragged prior to copying the text I saw there).

It seems to me that either
(1) I don't have a full set of anti-malware devices in place or
(2) What I have does not hold a full set of definitions.
Then
(2a) No anti-malware device can be 100% up to date. This becomes clear on those times when I preview my email (MailWasher Pro), process the spam, re-check the mail and then download the mail, and in that tiny interval between 'recheck" and 'download" an occasional spam creeps in.
An expensive day out: Wallet and Grimace

DaveA
GoldLounger
Posts: 2599
Joined: 24 Jan 2010, 15:26
Location: Olympia, WA

Re: When Malware strikes ...

Post by DaveA »

We will all get one of these from time to time. I was hit by one of your links to a news site the other day. Just close the pane and then run your Malwarebytes and SuperAntiSpyware to clean anything that may have been loaded.

It is in these panes that most will pick OK to download the fix, but, all one needs to do is close the pane using the "White" X on the RED button.
I am so far behind, I think I am First :evilgrin:
Genealogy....confusing the dead and annoying the living