
Fake PC Antivirus program stole my friends credit card (precautions help)

splash Registered User regular
edited April 2010 in Help / Advice Forum
I helped a friend last night with some kind of trojan/virus that I've never seen before to this extent.

Description of Events:

My friend thinks he got it when he was searching for recipes (he would tell me if it was porn or something, we have no problem with that) when he clicked on the first search result without looking and the website kept redirecting him. Eventually a fake program simply called "PC Antivirus" came up and started displaying fake scanning processes. It tells the user that some hundreds of viruses have been found and that you need to register to have them removed. It's designed to not let you do anything else, so he had to restart his computer.

The big problem then was that immediately when Windows boots and you log into any of your user accounts it runs the same fake program. Since he needs to do job searches and such he went to register the product and inputted his credit card information. It gave an error message when submitted. I'll assume the error message was fake and it actually took the info.

To Get Around The Problem:

Since the program runs even before you get to the Windows Vista desktop I didn't see any way to get around it. His HP allows you to try to system restore from a special boot menu but it didn't work. To finally get around it I went to the boot menu that brings up safe mode, etc and then selected advanced boot settings (safe mode would still run the fake program) and selected something like "use last successful windows login settings." Either this alone or the combination of the system restore worked (because it did give a notice about system restore once we got to the desktop).

Now into Windows as normal, I started checking task manager and the msconfig startup list, trying to research if anything was bad, but in the limited time and the abundance of crapware on HP computers I didn't find anything unusual. We ran a full scan using the most up to date Windows Defender and AVG Antivirus (free version) and it came up with nothing at all. I installed Rootkit Revealer but it wasn't able to run. Then I installed Ad-Aware. I started the full scan but I had to head home. This morning he says it removed a lot of cookies and 3 what he called "TAI or TAL" programs. He says he couldn't identify what the 3 specifically were. It seems TAI just stands for threat analysis index so I'm not sure what really happened.

Actual Question:

Even though Windows boots normally now, what do you think I could do to try to remove any lingering bad processes or files? I'm afraid that there still might be something malicious running like a keylogger. Searching for removal to this specific PC AntiVirus problem the closest I came up with is this. From what I found nobody really mentions the part where you can't login to windows.

He notified his credit card company about what happened but should he specifically ask them to give him a new card?

Windows Defender, Windows Firewall, and User Account Controls had somehow all been turned off (not by him). They're turned on now. AVG is running. What additional programs should I run? He uses Qwest DSL. He does tend to use Firefox for the web and I'm surprised it let a malicious program run. I thought browsers stopped multiple redirects and such. Is there anything I can do to change browser settings to take better precautions?

Thanks

splash on

Posts

  • Arkan Registered User regular
    edited March 2010
    Use that malwarebytes program mentioned in your last link, try Avast! antivirus for prevention in the future, and get a new credit card. Cancel the old one.

    If you really want to be 100% positive it's gone, reformat. Some viruses/rootkits can be really persistent.

    Arkan on
  • fightinfilipino Angry as Hell #BLM Registered User regular
    edited March 2010
    splash wrote: »
    I installed Rootkit Revealer but it wasn't able to run.

    he's got a rootkit. i've seen this a few times now working for my school's IT department. i can't find it now, but there was a recent link up on Slashdot showing even ads served by Google and Yahoo are not always sanitized and can install malicious adware on your system.

    best thing to do if you can't run rootkit revealer? nuke the system from orbit (as in, format the system and reinstall Windows). the system most likely has a rootkit installed, especially if nothing is showing up in the registry or in startup.

    best means to prevent this isht? install Spybot, update it, and immunize the system, turn ON automatic windows update, install firefox with AdBlock Plus, and set up the system for OpenDNS. a good antivirus program goes without saying. Avira is a good, free AV program.

    i've seen firefox's security get progressively worse over time. i think it's really only because firefox has become a higher-profile target as its market share increases. that being said, best protection for browsing, anyways, is Spybot's immunize with AdBlocking.

    otherwise? tell your friend to limit visiting sketchy sites as much as possible. this isn't a matter of accusing him (or her) of anything, it's just telling your friend to be safe.

    fightinfilipino on
  • KiTA Registered User regular
    edited March 2010
    Already wrote about this on Slashdot, actually: http://slashdot.org/comments.pl?sid=1592276&cid=31584260

    In short: There's no way to defend against these without updating the Adobe suite of programs (flash, reader) and Java. Google Chrome is the only browser I've seen not be instantly infected when these ads appear on Deviantart. IE is a joke, Firefox will lock up (but still allow the infection through), Chrome will crash that tab but keep going. Updated reader will open adobe reader and point out that it's a corrupt file, instead of running the exploit code.

    The real genius thing they do is they give your copy of Windows a "handler" for EXE files -- i.e., like how .gif opens with picture viewer. So when you try to run a program... it opens the malware. Even in safe mode. Command prompt does not obey handlers, mostly, so you can run EXEs in command prompt still.


    My current job is all about cleaning these things up every day. All day. Over the phone. With computer illiterate southerners (kinda sorta) obeying my commands and (kinda sorta) relaying what they see on the screen. Yes, it's my own personal hell, why do you ask?


    Removing them is (fairly) simple. It's absolutely trivial if you have a second PC and a thumb drive:
    Boot into Safe Mode with Networking
    Start, Run (Win+R) MSConfig. Disable all startup programs and all NON-MICROSOFT Services.
    Reboot, Safe Mode with Networking again.
    Fix EXE associations if needed (Can rename .exes as .com if you can't fix this)
    Run ComboFix (renamed)
    Run Malwarebytes (renamed, installed in C:\mb instead of default location)

    More details:
    You *May* need to repair the EXE file association. You can do so by running this REG file:
    http://kita.ath.cx/work/fixexe.reg

    Run Combofix in Safe Mode, then Run Malwarebytes. It will clean it up.
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    If you cannot run Combofix (rename it c1f2.exe first), then prepare for an OS Reinstall.

    After downloading MBAM and renaming it 1.exe, then copy mbam.exe and rename it 1.exe in the malwarebytes folder. THEN run it. You'll know it's ready to go if the title bar is a bunch of random numbers, not Malwarebytes.


    Spybot, AVG, Ad Aware aren't really getting updated enough anymore. Your best bet is Combofix and MBAM for these PDF exploit malware.

    KiTA on
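KiTA's point about the malware registering itself as the "handler" for EXE files is something you can verify before running any cleanup tool. The PowerShell script below is an added example, not code from the thread and not KiTA's fixexe.reg: it audits the association keys this kind of fake-AV malware rewrites and, with -Repair, restores the clean-install defaults. It assumes the standard mapping (.exe resolves to the exefile class, whose open command is "%1" %*) and that per-user override keys for .exe under HKCU:\Software\Classes are normally absent. Run it from an elevated prompt; Safe Mode with Networking is fine.

```powershell
# Added example, not from the thread or from KiTA's fixexe.reg: audit the .exe
# file association that fake-AV malware hijacks so that launching any program
# runs the malware instead. Reports by default; -Repair rewrites the machine-wide
# keys to the clean-install defaults and removes per-user overrides.
[CmdletBinding()]
param([switch]$Repair)

# Assumption: a clean Windows maps ".exe" to the "exefile" class, whose open
# command is "%1" %* (the quoted program path followed by its arguments).
$Expected = [ordered]@{
    'HKLM:\SOFTWARE\Classes\.exe'                       = 'exefile'
    'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' = '"%1" %*'
}
# Per-user keys merge on top of the machine-wide ones in HKEY_CLASSES_ROOT, so
# malware often plants its handler here; on a clean profile they are normally
# absent, so their mere presence is reported.
$UserOverrides = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile'
)

function Get-DefaultValue([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    return (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

$tampered = $false
foreach ($path in $Expected.Keys) {
    $actual = Get-DefaultValue $path
    if ($actual -ceq $Expected[$path]) {
        Write-Host "OK       $path = $actual"
        continue
    }
    $tampered = $true
    Write-Warning "TAMPERED $path = '$actual' (expected '$($Expected[$path])')"
    if ($Repair) {
        if (-not (Test-Path -LiteralPath $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -LiteralPath $path -Name '(default)' -Value $Expected[$path]
        Write-Host "REPAIRED $path"
    }
}

foreach ($path in $UserOverrides) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $tampered = $true
    $cmd = Get-DefaultValue "$path\shell\open\command"
    Write-Warning "OVERRIDE $path present (open command: '$cmd')"
    if ($Repair) {
        Remove-Item -LiteralPath $path -Recurse -Force
        Write-Host "REMOVED  $path"
    }
}

if (-not $tampered) { Write-Host 'EXE association looks clean.' }
elseif (-not $Repair) { Write-Host 'Re-run with -Repair to restore the defaults.' }
```

Run it once without -Repair and read the warnings: a TAMPERED line whose actual value points at a file under the user profile or temp directory is the "handler" KiTA describes. Because the script is itself launched by powershell.exe rather than through the .exe association, it still runs on a machine where every double-clicked program opens the malware.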
  • fightinfilipino Angry as Hell #BLM Registered User regular
    edited March 2010
    KiTA wrote: »
    Already wrote about this on Slashdot, actually: http://slashdot.org/comments.pl?sid=1592276&cid=31584260

    In short: There's no way to defend against these without updating the Adobe suite of programs (flash, reader) and Java. Google Chrome is the only browser I've seen not be instantly infected when these ads appear on Deviantart. IE is a joke, Firefox will lock up (but still allow the infection through), Chrome will crash that tab but keep going. Updated reader will open adobe reader and point out that it's a corrupt file, instead of running the exploit code.

    The real genius thing they do is they give your copy of Windows a "handler" for EXE files -- i.e., like how .gif opens with picture viewer. So when you try to run a program... it opens the malware. Even in safe mode. Command prompt does not obey handlers, mostly, so you can run EXEs in command prompt still.


    My current job is all about cleaning these things up every day. All day. Over the phone. With computer illiterate southerners (kinda sorta) obeying my commands and (kinda sorta) relaying what they see on the screen. Yes, it's my own personal hell, why do you ask?


    Removing them is (fairly) simple. It's absolutely trivial if you have a second PC and a thumb drive:
    Boot into Safe Mode with Networking
    Start, Run (Win+R) MSConfig. Disable all startup programs and all NON-MICROSOFT Services.
    Reboot, Safe Mode with Networking again.
    Fix EXE associations if needed (Can rename .exes as .com if you can't fix this)
    Run ComboFix (renamed)
    Run Malwarebytes (renamed, installed in C:\mb instead of default location)

    More details:
    You *May* need to repair the EXE file association. You can do so by running this REG file:
    http://kita.ath.cx/work/fixexe.reg

    Run Combofix in Safe Mode, then Run Malwarebytes. It will clean it up.
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    If you cannot run Combofix (rename it c1f2.exe first), then prepare for an OS Reinstall.

    After downloading MBAM and renaming it 1.exe, then copy mbam.exe and rename it 1.exe in the malwarebytes folder. THEN run it. You'll know it's ready to go if the title bar is a bunch of random numbers, not Malwarebytes.


    Spybot, AVG, Ad Aware aren't really getting updated enough anymore. Your best bet is Combofix and MBAM for these PDF exploit malware.

    oh wow, i am copying and pasting this into my toolbox.

    fightinfilipino on
  • splash Registered User regular
    edited March 2010
    This is great! Great answers. I'm setting up my defensive/counteroffensive plan now.

    I heard Adobe Reader attacks becoming a huge problem, but I didn't realize how extensive the problem is with Flash and Java and that it can easily pass through the basic security steps. The game has changed.

    With my friend doing the OS reinstall is probably the last thing I can convince him to do, so I'll be doing all the steps to remove the problems as described. I'm gonna switch out the antivirus and antimalware programs he's using too. And do Firefox AdBlock Plus.

    If anyone else knows: Is Foxit Reader a better precaution than trying to keep Adobe Reader up to date?

    splash on
  • Zxerol for the smaller pieces, my shovel wouldn't do so i took off my boot and used my shoe Registered User regular
    edited March 2010
    My friend got his Google account compromised (which is a problem since he uses an Android phone) through Foxit Reader a couple of months ago. PDFs in general seem like a neverending den of douchebaggery.

    Zxerol on
  • splash Registered User regular
    edited March 2010
    Damnit!!

    splash on
  • TetraNitroCubane Not Angry... Just VERY Disappointed... Registered User regular
    edited March 2010
    splash wrote: »
    Is there anything I can do to change browser settings to take better precautions?

    Whatever browser you use, whitelist your Javascript settings - What I mean is do a blanket DENY for all javascript on all domains unless you specifically tell your browser that you WANT javascript running (Important note here: Remember that Javascript and Java are completely separate. Java shouldn't be required at all for most websites, and can be safely blocked across the board without significant impact. Javascript is much more heavily used, but should be approached with caution). This can be accomplished by using the NoScript plugin for FireFox or the site preferences options in Opera. I'm unsure of what to do for Safari or Chrome. Don't even think of using IE. Do the same thing for plugins to defend against Flash exploits.

    Almost 90% of these attacks are launched through flash or javascript. If those avenues of attack aren't available, the malware won't be delivered.

    There's still a possibility for iFrame exploits launching, but these (and the javascript exploits, too) leverage Adobe Acrobat pretty heavily these days, as was mentioned before. My biggest recommendation is to uninstall Adobe PDF viewing products. Adobe is simply ridiculously horrid at securing their products. Just don't use Acrobat. Edit: As mentioned above, PDFs in general can be problematic. One of the biggest things you can do in your viewer (whatever it is) to secure it a bit more is, again, disable javascript. The latest rash of PDF exploits (the one that stung google) could be prevented when javascript was disabled in the PDF viewer.

    Further Edit: All of the above is secondary to keeping your OS and your applications up to date as much as possible. Particularly the applications.

    If you're feeling super-paranoid, you can sandbox your browser using a variety of programs, or else run in a virtual machine. I'm hoping to update the Computer Security Thread with in-depth information regarding these types of protective measures soon, though I shamefully admit I'm behind schedule. You might check out the thread anyhow - there's a good bit of discussion and some helpful links/advice in there.

    TetraNitroCubane on
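TetraNitroCubane's advice to disable JavaScript inside the PDF viewer can be checked and applied without clicking through the Reader preferences on every machine. The PowerShell script below is an added example, not from the thread: it lists each Adobe Reader version that has a profile for the current user, reports whether JavaScript is on, and switches it off when run with -Disable. It assumes the setting lives in HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs as the DWORD bEnableJS (1 = on, 0 = off), the name used in Adobe's preference reference, and that a missing value means Reader's default, which is enabled.

```powershell
# Added example, not from the thread: audit whether JavaScript is enabled in each
# installed Adobe Reader version for the current user and, with -Disable, turn it
# off. Assumption: the per-user setting is the DWORD bEnableJS under
# HKCU:\Software\Adobe\Acrobat Reader\<version>\JSPrefs, as documented in Adobe's
# preference reference; a missing value is treated as Reader's default (enabled).
[CmdletBinding()]
param([switch]$Disable)

$ReaderRoot = 'HKCU:\Software\Adobe\Acrobat Reader'
if (-not (Test-Path -LiteralPath $ReaderRoot)) {
    Write-Host 'No Adobe Reader profile found for this user.'
    return
}

# Version subkeys look like "9.0", "10.0", "11.0" or "DC"; skip anything else.
$versions = Get-ChildItem -LiteralPath $ReaderRoot |
    Where-Object { $_.PSChildName -match '^(\d+\.\d+|DC)$' }

foreach ($versionKey in $versions) {
    $version = $versionKey.PSChildName
    $jsPrefs = Join-Path $versionKey.PSPath 'JSPrefs'
    $enabled = $null
    if (Test-Path -LiteralPath $jsPrefs) {
        $enabled = (Get-ItemProperty -LiteralPath $jsPrefs -ErrorAction SilentlyContinue).bEnableJS
    }

    if ($null -ne $enabled -and $enabled -eq 0) {
        Write-Host "Reader $version : JavaScript disabled (bEnableJS = 0)"
        continue
    }

    Write-Warning "Reader $version : JavaScript ENABLED (bEnableJS = $(if ($null -eq $enabled) { 'not set' } else { $enabled }))"
    if ($Disable) {
        if (-not (Test-Path -LiteralPath $jsPrefs)) { New-Item -Path $jsPrefs -Force | Out-Null }
        Set-ItemProperty -LiteralPath $jsPrefs -Name 'bEnableJS' -Value 0 -Type DWord
        Write-Host "Reader $version : JavaScript now disabled for this user"
    }
}
```

The value is per user, so run it in each account on the machine (the friend's, a spouse's, a guest account) rather than once as an administrator; a PDF opened from a different profile would otherwise still get scripting. As TetraNitroCubane notes, this is secondary to keeping Reader itself updated, since the exploit that the JavaScript switch blocks is only one of the delivery paths.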
  • splash Registered User regular
    edited April 2010
    splash wrote: »
    Is there anything I can do to change browser settings to take better precautions?

    Whatever browser you use, whitelist your Javascript settings - What I mean is do a blanket DENY for all javascript on all domains unless you specifically tell your browser that you WANT javascript running (Important note here: Remember that Javascript and Java are completely separate. Java shouldn't be required at all for most websites, and can be safely blocked across the board without significant impact. Javascript is much more heavily used, but should be approached with caution). This can be accomplished by using the NoScript plugin for FireFox or the site preferences options in Opera. I'm unsure of what to do for Safari or Chrome. Don't even think of using IE. Do the same thing for plugins to defend against Flash exploits.

    Almost 90% of these attacks are launched through flash or javascript. If those avenues of attack aren't available, the malware won't be delivered.

    There's still a possibility for iFrame exploits launching, but these (and the javascript exploits, too) leverage Adobe Acrobat pretty heavily these days, as was mentioned before. My biggest recommendation is to uninstall Adobe PDF viewing products. Adobe is simply ridiculously horrid at securing their products. Just don't use Acrobat. Edit: As mentioned above, PDFs in general can be problematic. One of the biggest things you can do in your viewer (whatever it is) to secure it a bit more is, again, disable javascript. The latest rash of PDF exploits (the one that stung google) could be prevented when javascript was disabled in the PDF viewer.

    Further Edit: All of the above is secondary to keeping your OS and your applications up to date as much as possible. Particularly the applications.

    If you're feeling super-paranoid, you can sandbox your browser using a variety of programs, or else run in a virtual machine. I'm hoping to update the Computer Security Thread with in-depth information regarding these types of protective measures soon, though I shamefully admit I'm behind schedule. You might check out the thread anyhow - there's a good bit of discussion and some helpful links/advice in there.

    Thanks, I was wondering if there was some list where people were talking about these security issues. That thread looks perfect, I hadn't seen it before.

    I now disabled Javascript in Adobe Reader. I don't even have Java installed on my computer I've never had a use for it. I'll probably do the same measures for my friend's computer and my brother's and my mom's.

    In Google Chrome there is the option to not allow any site to use javascript, or plug-ins, and then an exceptions list, which isn't quite convenient but I'll try to see if any browser alert comes up and it adds exceptions when you click it.

    splash on
  • splash Registered User regular
    edited April 2010
    A few final notes...

    Someone tried to charge him $3,000 in the last few days. His credit card was already flagged for caution so nothing would happen, but after the call to discuss this, the person that initially didn't want to reorder a credit card has been reprimanded.

    As for finding the person that did this, the company doesn't bother to investigate unless the amount is above $50,000. Other companies have a similar policy.

    MBAM unfortunately didn't do anything in regular or safe mode. The exe did not need to be repaired and I'm reading up on using ComboFix since it's more "powerful."

    splash on
  • Fats Corvallis, OR Registered User regular
    edited April 2010
    splash wrote: »
    Damnit!!

    SumatraPDF isn't bad, Foxit was getting awfully bloated the last time I tried it anyway. It's possible that the vulnerabilities exist there as well, but I haven't heard about any. Would DEP prevent some of this drive-by nonsense?

    Combofix is indeed more "powerful", make sure you follow the directions as it can be a little complex to deal with.

    Fats on
  • Wezoin Registered User regular
    edited April 2010
    YMMV with this technique as it (kind of) worked for me once. But there is a lesson to it as well:

    So I got one of this same type of spyware/virus things. Once it started taking over my computer and demanding I pay them, I went on another computer, looked up the name of the software and found some contact info for the company. I sent them a threatening e-mail saying their software has hijacked my computer and that I didn't give it permission to enter my computer and that either they or one of their advertising partners is forcing it onto people. They e-mailed me back (to my surprise) with a serial number to register the software for free, so I used the code, it worked. It let me uninstall it right after that.

    HOWEVER, about a week later it was back. I'm sure the program just hid some time delayed versions of itself in the computer.

    Moral of the story: Format and reinstall Windows. It is the only way to really get rid of these things because, in my opinion, they are FAR FAR worse than any other type of malicious code and getting rid of one without a format would take a hell of a lot of time and patience.

    Wezoin on