As was foretold, we've added advertisements to the forums! If you have questions, or if you encounter any bugs, please visit this thread: https://forums.penny-arcade.com/discussion/240191/forum-advertisement-faq-and-reports-thread/
Options

Fake PC Antivirus program stole my friends credit card (precautions help)

splashsplash Registered User regular
edited April 2010 in Help / Advice Forum
I helped a friend last night with some kind of trojan/virus that I've never seen before to this extent.

Description of Events:

My friend thinks he got it when he was searching for recipes (he would tell me if it was porn or something, we have no problem with that) when he clicked on the first search result without looking and the website kept redirecting him. Eventually a fake program simply called "PC Antivirus" came up and started displaying fake scanning processes. It tells the user that some hundreds of viruses have been found and that you need to register to have them removed. It's designed to not let you do anything else, so he had to restart his computer.

The big problem then was that immediately when Windows boots and you log into any of your user accounts it runs the same fake program. Since he needs to do job searches and such he went to register the product and inputted his credit card information. It gave an error message when submitted. I'll assume the error message was fake and it actually took the info.

To Get Around The Problem:

Since the program runs even before you get to the Windows Vista desktop I didn't see any way to get around it. His HP allows you to try to system restore from a special boot menu but it didn't work. To finally get around it I went to the boot menu that brings up safe mode, etc and then selected advanced boot settings (safe mode would still run the fake program) and selected something like "use last successful windows login settings." Either this alone or the combination of the system restore worked (because it did give a notice about system restore once we got to the desktop).

Now into Windows as normal, I started checking task manager and the msconfig startup list, trying to research if anything was bad, but in the limited time and the abundance of crapware on HP computers I didn't find anything unusual. We ran a full scan using the most up to date Windows Defender and AVG Antivirus (free version) and it came up with nothing at all. I installed Rootkit Revealer but it wasn't able to run. Then I installed Ad-Aware. I started the full scan but I had to head home. This morning he says it removed a lot of cookies and 3 what he called "TAI or TAL" programs. He says he couldn't identify what the 3 specifically were. It seems TAI just stands for threat analysis index so I'm not sure what really happened.

Actual Question:

Even though Windows boots normally now, what do you think I could do to try to remove any lingering bad processes or files? I'm afraid that there still might be something malicious running like a keylogger. Searching for removal to this specific PC AntiVirus problem the closest I came up with is this. From what I found nobody really mentions the part where you can't login to windows.

He notified his credit card company about what happened but should he specifically ask them to give him a new card?

Windows Defender, Windows Firewall, and User Account Controls had somehow all been turned off (not by him). They're turned on now. AVG is running. What additional programs should I run? He uses Qwest DSL. He does tend to use Firefox for the web and I'm surprised it let a malicious program run. I thought browsers stopped multiple redirects and such. Is there anything I can do to change browser settings to take better precautions?

Thanks

splash on

Posts

  • Options
    ArkanArkan Registered User regular
    edited March 2010
    Use that malwarebytes program mentioned in your last link, try Avast! antivirus for prevention in the future, and get a new credit card. Cancel the old one.

    If you really want to be 100% positive it's gone, reformat. Some viruses/rootkits can be really persistent.

    Arkan on
    Big, honkin' pile of WoW characters
    I think it's hard for someone not to rage at mario kart, while shouting "Fuck you Donkey Kong. Whose dick did you suck to get all those red shells?"
  • Options
    fightinfilipinofightinfilipino Angry as Hell #BLMRegistered User regular
    edited March 2010
    splash wrote: »
    I installed Rootkit Revealer but it wasn't able to run.

    he's got a rootkit. i've seen this a few times now working for my school's IT department. i can't find it now, but there was a recent link up on Slashdot showing even ads served by Google and Yahoo are not always sanitized and can install malicious adware on your system.

    best thing to do if you can't run rootkit revealer? nuke the system from orbit (as in, format the system and reinstall Windows). the system most likely has a rootkit installed, especially if nothing is showing up in the registry or in startup.

    best means to prevent this isht? install Spybot, update it, and immunize the system, turn ON automatic windows update, install firefox with AdBlock Plus, and set up the system for OpenDNS. a good antivirus program goes without saying. Avira is a good, free AV program.

    i've seen firefox's security get progressively worse over time. i think it's really only because firefox has become a higher-profile target as its market share increases. that being said, best protection for browsing, anyways, is Spybot's immunize with AdBlocking.

    otherwise? tell your friend to limit visiting sketchy sites as much as possible. this isn't a matter of accusing him (or her) of anything, it's just telling your friend to be safe.

    fightinfilipino on
    ffNewSig.png
    steam | Dokkan: 868846562
  • Options
    KiTAKiTA Registered User regular
    edited March 2010
    Already wrote about this on Slashdot, actually: http://slashdot.org/comments.pl?sid=1592276&cid=31584260

    In short: There's no way to defend against these without updating the Adobe suite of programs (flash, reader) and Java. Google Chrome is the only browser I've seen not be instantly infected when these ads appear on Deviantart. IE is a joke, Firefox will lock up (but still allow the infection through), Chrome will crash that tab but keep going. Updated reader will open adobe reader and point out that it's a corrupt file, instead of running the exploit code.

    The real genius thing they do is they give your copy of Windows a "handler" for EXE files -- i.e., like how .gif opens with picture viewer. So when you try to run a program... it opens the malware. Even in safe mode. Command prompt does not obey handlers, mostly, so you can run EXEs in command prompt still.


    My current job is all about cleaning these things up every day. All day. Over the phone. With computer illiterate southerners (kinda sorta) obeying my commands and (kinda sorta) relaying what they see on the screen. Yes, it's my own personal hell, why do you ask?


    Removing them is (fairly) simple. It's absolutely trivial if you have a second PC and a thumb drive:
    Boot into Safe Mode with Networking
    Start, Run (Win+R) MSConfig. Disable all startup programs and all NON-MICROSOFT Services.
    Reboot, Safe Mode with Networking again.
    Fix EXE assocations if needed (Can rename .exes as .com if you can't fix this)
    Run ComboFix (renamed)
    Run Malwarebytes (renamed, installed in C:\mb instead of default location)

    More details:
    You *May* need to repair the EXE file association. You can do so by running this REG file:
    http://kita.ath.cx/work/fixexe.reg

    Run Combofix in Safe Mode, then Run Malwarebytes. It will clean it up.
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    If you cannot run Combofix (rename it c1f2.exe first), then prepare for an OS Reinstall.

    After downloading MBAM and renaming it 1.exe, then copy mbam.exe and rename it 1.exe in the malwarebytes folder. THEN run it. You'll know it's ready to go if the title bar is a bunch of random numbers, not Malwarebytes.


    Spybot, AVG, Ad Aware aren't really getting updated enough anymore. Your best bet is Combofix and MBAM for these PDF exploit malwares.

    KiTA on
  • Options
    fightinfilipinofightinfilipino Angry as Hell #BLMRegistered User regular
    edited March 2010
    KiTA wrote: »
    Already wrote about this on Slashdot, actually: http://slashdot.org/comments.pl?sid=1592276&cid=31584260

    In short: There's no way to defend against these without updating the Adobe suite of programs (flash, reader) and Java. Google Chrome is the only browser I've seen not be instantly infected when these ads appear on Deviantart. IE is a joke, Firefox will lock up (but still allow the infection through), Chrome will crash that tab but keep going. Updated reader will open adobe reader and point out that it's a corrupt file, instead of running the exploit code.

    The real genius thing they do is they give your copy of Windows a "handler" for EXE files -- i.e., like how .gif opens with picture viewer. So when you try to run a program... it opens the malware. Even in safe mode. Command prompt does not obey handlers, mostly, so you can run EXEs in command prompt still.


    My current job is all about cleaning these things up every day. All day. Over the phone. With computer illiterate southerners (kinda sorta) obeying my commands and (kinda sorta) relaying what they see on the screen. Yes, it's my own personal hell, why do you ask?


    Removing them is (fairly) simple. It's absolutely trivial if you have a second PC and a thumb drive:
    Boot into Safe Mode with Networking
    Start, Run (Win+R) MSConfig. Disable all startup programs and all NON-MICROSOFT Services.
    Reboot, Safe Mode with Networking again.
    Fix EXE assocations if needed (Can rename .exes as .com if you can't fix this)
    Run ComboFix (renamed)
    Run Malwarebytes (renamed, installed in C:\mb instead of default location)

    More details:
    You *May* need to repair the EXE file association. You can do so by running this REG file:
    http://kita.ath.cx/work/fixexe.reg

    Run Combofix in Safe Mode, then Run Malwarebytes. It will clean it up.
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    If you cannot run Combofix (rename it c1f2.exe first), then prepare for an OS Reinstall.

    After downloading MBAM and renaming it 1.exe, then copy mbam.exe and rename it 1.exe in the malwarebytes folder. THEN run it. You'll know it's ready to go if the title bar is a bunch of random numbers, not Malwarebytes.


    Spybot, AVG, Ad Aware aren't really getting updated enough anymore. Your best bet is Combofix and MBAM for these PDF exploit malwares.

    oh wow, i am copying and pasting this into my toolbox.

    fightinfilipino on
    ffNewSig.png
    steam | Dokkan: 868846562
  • Options
    splashsplash Registered User regular
    edited March 2010
    This is great! Great answers. I'm setting up my defensive/counteroffensive plan now.

    I heard Adobe Reader attacks becoming a huge problem, but I didn't realize how extensive the problem is with Flash and Java and that it can easily pass through the basic security steps. The game has changed.

    With my friend doing the OS reinstall is probably the last thing I can convince him to do, so I'll be doing all the steps to remove the problems as described. I'm gonna switch out the antivirus and antimalware programs he's using too. And do Firefox AdBlock Plus.

    If anyone else knows: Is Foxit Reader a better precaution than trying to keep Adobe Reader up to date?

    splash on
  • Options
    ZxerolZxerol for the smaller pieces, my shovel wouldn't do so i took off my boot and used my shoeRegistered User regular
    edited March 2010
    My friend got his Google account compromised (which is a problem since he uses an Android phone) through Foxit Reader a couple of months ago. PDFs in general seem like a neverending den of douchebaggery.

    Zxerol on
  • Options
    splashsplash Registered User regular
    edited March 2010
    Damnit!!

    splash on
  • Options
    TetraNitroCubaneTetraNitroCubane The Djinnerator At the bottom of a bottleRegistered User regular
    edited March 2010
    splash wrote: »
    Is there anything I can do to change browser settings to take better precautions?

    Whatever browser you use, whitelist your Javascript settings - What I mean is do a blanket DENY for all javascript on all domains unless you specifically tell your browser that you WANT javascript running (Important note here: Remember that Javascript and Java are completely separate. Java shouldn't be required at all for most websites, and can be safely blocked across the board without significant impact. Javascript is much more heavily used, but should be approached with caution). This can be accomplished by using the NoScript plugin for FireFox or the site preferences options in Opera. I'm unsure of what to do for Safari or Chrome. Don't even think of using IE. Do the same thing for plugins to defend against Flash exploits.

    Almost 90% of these attacks are launched through flash or javascript. If those avenues of attack aren't available, the malware won't be delivered.

    There's still a possibility for iFrame exploits launching, but these (and the javascript exploits, too) leverage Adobe Acrobat pretty heavily these days, as was mentioned before. My biggest recommendation is to uninstall Adobe PDF viewing products. Adobe is simply ridiculously horrid at securing their products. Just don't use Acrobat. Edit: As mentioned above, PDFs in general can be problematic. One of the biggest things you can do in your viewer (whatever it is) to secure it a bit more is, again, disable javascript. The latest rash of PDF exploits (the one that stung google) could be prevented when javascript was disabled in the PDF viewer.

    Further Edit: All of the above is secondary to keeping your OS and your applications up to date as much as possible. Particularly the applications.

    If you're feeling super-paranoid, you can sandbox your browser using a variety of programs, or else run in a virtual machine. I'm hoping to update the Computer Security Thread with in-depth information regarding these types of protective measures soon, though I shamefully admit I'm behind schedule. You might check out the thread anyhow - there's a good bit of discussion and some helpful links/advice in there.

    TetraNitroCubane on
  • Options
    splashsplash Registered User regular
    edited April 2010
    splash wrote: »
    Is there anything I can do to change browser settings to take better precautions?

    Whatever browser you use, whitelist your Javascript settings - What I mean is do a blanket DENY for all javascript on all domains unless you specifically tell your browser that you WANT javascript running (Important note here: Remember that Javascript and Java are completely separate. Java shouldn't be required at all for most websites, and can be safely blocked across the board without significant impact. Javascript is much more heavily used, but should be approached with caution). This can be accomplished by using the NoScript plugin for FireFox or the site preferences options in Opera. I'm unsure of what to do for Safari or Chrome. Don't even think of using IE. Do the same thing for plugins to defend against Flash exploits.

    Almost 90% of these attacks are launched through flash or javascript. If those avenues of attack aren't available, the malware won't be delivered.

    There's still a possibility for iFrame exploits launching, but these (and the javascript exploits, too) leverage Adobe Acrobat pretty heavily these days, as was mentioned before. My biggest recommendation is to uninstall Adobe PDF viewing products. Adobe is simply ridiculously horrid at securing their products. Just don't use Acrobat. Edit: As mentioned above, PDFs in general can be problematic. One of the biggest things you can do in your viewer (whatever it is) to secure it a bit more is, again, disable javascript. The latest rash of PDF exploits (the one that stung google) could be prevented when javascript was disabled in the PDF viewer.

    Further Edit: All of the above is secondary to keeping your OS and your applications up to date as much as possible. Particularly the applications.

    If you're feeling super-paranoid, you can sandbox your browser using a variety of programs, or else run in a virtual machine. I'm hoping to update the Computer Security Thread with in-depth information regarding these types of protective measures soon, though I shamefully admit I'm behind schedule. You might check out the thread anyhow - there's a good bit of discussion and some helpful links/advice in there.

    Thanks, I was wondering if there was some list where people were talking about these security issues. That thread looks perfect, I hadn't seen it before.

    I now disabled Javascript in Adobe Reader. I don't even have Java installed on my computer I've never had a use for it. I'll probably do the same measures for my friend's computer and my brother's and my mom's.

    In Google Chrome there is the option to not allow any site to use javascript, or plug-ins, and then an exceptions list, which isn't quite convenient but I'll try to see if any browser alert comes up and it adds exceptions when you click it.

    splash on
  • Options
    splashsplash Registered User regular
    edited April 2010
    A few final notes...

    Someone tried to charge him $3,000 in the last few days. His credit card was already flagged for caution so nothing would happen, but after the call to discuss this, the person that initially didn't want to reorder a credit card has been reprimanded.

    As for finding the person that did this, the company doesn't bother to investigate unless the amount is above $50,000. Other companies have a similar policy.

    MBAM unfortunately didn't do anything in regular or safe mode. The exe did not need to be repaired and I'm reading up on using ComboFix since it's more "powerful."

    splash on
  • Options
    FatsFats Corvallis, ORRegistered User regular
    edited April 2010
    splash wrote: »
    Damnit!!

    SumatraPDF isn't bad, Foxit was getting awfully bloated the last time I tried it anyway. It's possible that the vulnerabilities exist there as well, but I haven't heard about any. Would DEP prevent some of this drive-by nonsense?

    Combofix is indeed more "powerful", make sure you follow the directions as it can be a little complex to deal with.

    Fats on
  • Options
    WezoinWezoin Registered User regular
    edited April 2010
    YMMV with this technique as it (kind of) worked for me once. But there is a lesson to it as well:

    So I got one of this same type of spyware/virus things. Once it started taking over my computer and demanding I pay them, I went on another computer, looked up the name of the software and found some contact info for the company. I sent them a threatening e-mail saying their software has hijacked my computer and that I didn't give it permission to enter my computer and that either they or one of their advertising partners is forcing it onto people. They e-mailed me back (to my surprise) with a serial number to register the software for free, so I used the code, it worked. It let me uninstall it right after that.

    HOWEVER, about a week later it was back. I'm sure the program just hid some time delayed versions of itself in the computer.

    Moral of the story: Format and reinstall Windows. It is the only way to really get rid of these things because, in my opinion, they are FAR FAR worse than any other type of malicious code and getting rid of one without a format would take a hell of a lot of time and patience.

    Wezoin on
Sign In or Register to comment.