Topic: Computer Invasion


Dr Paul

Computer Invasion
« on: April 11, 2008, 08:37:39 PM »
I have finally experienced the dreaded computer invasion. After struggling with it myself I sent the following note to the PC Club board asking for help. Here is the story.
 
OK! I am stumped.
Today when I started surfing, a balloon began popping up (every couple of minutes or so) from the Windows task bar that says something like, "Your computer is infected. Windows has detected spyware infection. Click here to install last update of Windows security software." When I try to double-click the Win Sec Ctnr icon, IE opens and ends up as in the next sentence.
Clicking the balloon opens IE through at least one proxy (Safe-Strip-something) to a site that hypes 'SpyBurner' at pcsecuritycenter.com etc. I have been running 'Spyware Blaster' for a week or so and I found that 21 sites in the Restricted Sites area were unprotected, and I didn't do it.
It also hijacked my desktop background of the Hubble photo I had and it shows a message on a blue background that starts, "Warning! 'Your're' In Danger! Your computer is infected with spyware." Parts of the message are poorly worded so I know it's a fake. BUT I CAN'T CHANGE IT. It jumps right back the second I hit Apply or OK. IE also starts by itself and goes to a Canadian pharmacy or a "scanning" site from time to time. There are other warnings that refer to a trojan -SPM/LX- and wanting me to click on it to fix the problem, a web site warning that my online identity has been compromised and others.
At the suggestion of one of my computer club friends, I tried to do a system restore but I could only go back to 4-3, which was after the problem started.
I've run everything I've got: Ad-Aware, SpyBot, AOL security spyware scan, and I fixed Spyware Blaster. Then, also on a friend's recommendation, I tried to do the same in Safe Mode. Ad-Aware showed an error and the others didn't help.
Any help would be much appreciated.
 
Bill Barnes replied:
You're hosed.
Immediately go to Safe Mode and run a System Restore as far back as you can. If that doesn't do it, you might be able to get some functionality back by running all your repairs (virus scan, multiple spyware scans, registry cleaner) in Safe Mode and then not using IE (or Outlook).
I’ve had 3 (client’s) computers that I had to put a bullet in when they got to this point. And that was after they’d already spent the value of the computer with me trying to disinfect it.
 
Dewey Williams said:
I agree with Bill, your first option is to do a System Restore. If that doesn't work, try to clean up in Safe Mode. In most of these cases, we end up formatting and reinstalling Windows.
 
Jack LaPointe suggested, in part:
There is a freeware product out there called Hijack This (Google it). I haven't used it for some time. It's a little complex, but what you describe is primarily what it's for.
I asked what it was: a virus? A Trojan? Spyware?
 
Bill responded:
It's "a malware."
The threats are so blended that I think only someone deep in Windows security could define the differences.
 
The similar attack that I've delved most deeply into runs from a .DLL and registers itself in many (>100) places in the Registry to reinstall at bootup. It also stashes the installer under many random-character, extensionless names all over the C: drive. The slight consolation was that it only worked for the one profile. Since this was a corporate computer, I couldn't arbitrarily blow away the profile; but that might be an option for you:
 
Since you always run as a limited user, it might not have been able to install into the base of Windows. Try creating another, new, account and see if it shows up there. If that’s clean, you can give your new account permission to view the files from the old one and judiciously move your data. Of course, if you use my practice and store your data in a public folder and the vector was a file in this folder, you have already made the infection available to all users. I really think that’s almost passé as a vector, though. That’s the first place most antivirus programs look and a more lucrative access to your computer is IE exploits.
 
Later, Dewey added:
Chances are your anti-virus and anti-malware programs are compromised: this is one of the first things virus/trojan writers do.  Try a free online scanning program such as:

http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym     (*must allow popup box)
http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/  (*must use Internet Explorer)
http://www.kaspersky.com/virusscanner

These may give you an idea of what you are dealing with.

You can find ways to remove certain viruses at http://www.symantec.com/norton/security_response/removaltools.jsp

Download a copy of CounterSpy from http://www.sunbeltsoftware.com/Business/CounterSpy-Enterprise/Download/ . This is the BEST anti-malware program I have ever found.  Remind me to give you a Club copy at the next meeting.

I take it system restore did not work or restore was turned off.
 
Since I have been promoting the SmartComputing web site lately, I thought I'd give it a try so I sent a slightly modified copy of the first letter. Here is their reply.
 
Dear Dr Paul, TO#581758
Thank you for your recent inquiry to Smart Computing regarding our Tech Support Service. This email is sent in regards to your Tech Support question.

Download and run the following:

Smitfraudfix  http://siri.geekstogo.com/SmitfraudFix.php


Download and run Superantispyware in safe mode. Make sure that you download the free version for home users.

www.superantispyware.com

(Best anti spyware program out. Picks up rootkits, smitfraud, some Trojans, and does an overall better job.)

Please let us know if the information we provided for your question solved the problem. Please reply to this email, or feel free to contact us at our toll free number (800) 368-8304.

Best Regards, Help Desk 1
Web Services for Sandhills Publishing
SmartComputing.com ~ PCToday.com ~ ComputerPowerUser.com ~ ceLifestyles.com
800-368-8304.

I followed the instructions above and THEY WORKED! I had to run one part of one of the fixers in normal mode on each of my accounts individually, but Bill tells me that I could have done them all at once. I am only going to use 'SuperAntispyware' instead of our perennial favorites, Spybot and Ad-Aware. I will report how it works later.
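Bill's description above (a DLL registered in a great many autostart locations, an infection confined to one profile, and a background that cannot be changed) maps onto a small set of well-known registry keys. The PowerShell script below is an added example, not code from the thread or from any of the tools mentioned in it. It walks those keys in HKLM and in every user hive currently loaded under HKEY_USERS, which is also a quick way to run Bill's "new account" comparison side by side: the new account's hive only appears there once that account has logged on at least once. The key and value names are the standard Windows ones; the rules that decide what counts as suspicious are this example's own assumptions and will flag legitimate software installed outside Program Files. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). Lists what the standard autostart keys
# launch, per hive, flags entries matching Bill's description (extensionless or
# random-looking names, executables outside Windows/Program Files) and reports
# the policy values a wallpaper hijacker sets so the desktop snaps back.
# The SUSPECT heuristics are assumptions of this example, not a malware signature.

# Registry key (relative to a hive) -> value names to read ('*' = all values)
$AutostartKeys = [ordered]@{
    'Software\Microsoft\Windows\CurrentVersion\Run'                   = '*'
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'               = '*'
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = '*'
    'Software\Microsoft\Windows NT\CurrentVersion\Windows'            = @('Load', 'Run')
    'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'           = @('Shell', 'Userinit', 'Taskman')
}

# Values that replace or lock the desktop background
$WallpaperKeys = [ordered]@{
    'Software\Microsoft\Windows\CurrentVersion\Policies\System'        = @('Wallpaper', 'WallpaperStyle', 'NoDispBackgroundPage')
    'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' = @('NoChangingWallPaper')
    'Control Panel\Desktop'                                            = @('Wallpaper')
}

function Test-SuspiciousCommand {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }
    # First token of the command line: a quoted path, or the text up to the first space
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $hasDir      = $exe -match '\\'
    $inSystemDir = $exe -match '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\'
    $noExtension = [System.IO.Path]::GetExtension($exe) -eq ''
    # "random" = 8+ characters mixing letters and digits, like the names Bill saw
    $base        = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    $randomName  = $base -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$'
    return ($hasDir -and -not $inSystemDir) -or $noExtension -or $randomName
}

function Get-Hives {
    # HKLM plus every user hive currently loaded (skip the *_Classes hives)
    $users = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '_Classes$' } |
        ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }
    return @('HKLM:') + @($users)
}

function Read-Values {
    param([string]$Hive, [System.Collections.IDictionary]$Keys)
    foreach ($key in $Keys.Keys) {
        $path = "$Hive\$key"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item  = Get-ItemProperty -LiteralPath $path
        $names = if ($Keys[$key] -eq '*') {
            $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }  # drop provider metadata
        } else { $Keys[$key] }
        foreach ($name in $names) {
            $value = $item.$name
            if ($null -ne $value) { [pscustomobject]@{ Path = $path; Name = $name; Value = [string]$value } }
        }
    }
}

foreach ($hive in Get-Hives) {
    Read-Values -Hive $hive -Keys $AutostartKeys | ForEach-Object {
        $tag = if (Test-SuspiciousCommand $_.Value) { 'SUSPECT' } else { 'ok     ' }
        '{0} {1}\{2} = {3}' -f $tag, $_.Path, $_.Name, $_.Value
    }
    Read-Values -Hive $hive -Keys $WallpaperKeys | ForEach-Object {
        $tag = if ($_.Path -match '\\Policies\\') { 'POLICY ' } else { 'info   ' }
        '{0} {1}\{2} = {3}' -f $tag, $_.Path, $_.Name, $_.Value
    }
}
```

Compare the output for the infected profile's SID with the output for a clean one: an entry that exists only under the infected hive is the per-profile persistence Bill describes, while anything under HKLM or the Winlogon Shell/Userinit values means the limited account was not enough to keep it out of the base system. A POLICY line under the infected hive is what keeps the "You're in danger" background coming back when you hit Apply.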

dewey

Re: Computer Invasion
« Reply #1 on: April 11, 2008, 09:28:46 PM »
Unlike anti-VIRUS software, you should always run multiple, different anti-spyware programs.  Research has shown that no anti-spyware program gets them all.  I am definitely going to try these programs out.

Are you certain that your computer is completely clear?

Dewey

Dr Paul

Re: Computer Invasion
« Reply #2 on: April 14, 2008, 04:24:55 PM »
It has been 5 days (as of 4-14) and I don't see any of the things that were going on. I will run scans with all the "anti's" I've got and will report back. I know my anti-virus client is up to date and on guard, so that is not an issue.

BillB

Re: Computer Invasion
« Reply #3 on: January 11, 2011, 10:11:25 AM »
The model described here is still very alive and kicking. Enough so that I posted a new warning at http://fromthehelpdesk.blogspot.com/2011_01_01_archive.html.

Paul asked what type of infection this is. Now it has a name: ransomware. The model is that they do damage to your computer and demand money, I've heard as high as $150, to undo it. My best suggestion is to buy a new hard drive and do a restore from your original image and out-of-machine data backups. Be very careful before restoring anything from the weeks before your infection.

Bill
http://bloghd.zaitech.com

BillB

Re: Computer Invasion
« Reply #4 on: April 30, 2011, 05:13:56 PM »
A very interesting story on this infection model and how hard it is to become toast is available on WindowsSecrets' free content:
http://windowssecrets.com/newsletter/lizamoon-infection-a-blow-by-blow-account/.

Although he describes multiple steps before the payload activated, the first click installs a nag that will be in your face until you clean your computer.

The moral of the story is to be very wary of anything that comes into your computer without your bidding, and of some things that you do ask for. A web browsing popup may be obviously suspicious, but I have seen the popup mimic the Windows security shield and Windows' and other programs' update reminders. With Java, Flash, Firefox, Chrome, Adobe Reader, and others needing frequent and random updates, you have to learn exactly how the reminder message looks and sounds (reads) and when to expect it before you automatically click "OK." Better still, go to the software vendor's site directly and install the update.

The rule is "Never click a link or popup - always type it in your browser or use a bookmark you created." That's obviously a little extreme. Maybe you can click a link you're expecting in an email or on a website you know to be respectable - and that you got to through a safe means. Similarly, you may accept a popup that is very familiar to you and doesn't include any suspicious copy. Unfortunately, the popups are often just an icon in the notification area (next to the clock). Those are very easy for the bad guys to spoof perfectly.

A good source to find whether you need updates to the resources you use online is http://www.mozilla.com/en-US/plugincheck/. Mozilla's checker works in IE and Chrome, also. It may not cover all your programs; but it's a good start.

Whether it's an email, IM, or popup, read it. Are the grammar and spelling good English? Do the links go to the domain you would expect? Do they go to an SSL ("https://") site? Do you get a security certificate error or mismatch warning? (You can even look at the certificate to see which Certificate Authority issued it to whom and its valid dates.) And the most obvious: do you use the program or company it's telling you you need to update? For example, if you deal with BofA, ignore the request to update your password at Citi. If you use Avast!, don't "update your Norton."

Bill
http://bloghd.zaitech.com
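Bill's checklist (does the link go where its text says, is it https, is it a company you even deal with) can be applied mechanically to every link in a message before any of them is clicked. The script below is an added example and is not from the thread; the sample message and the list of domains the reader actually uses are constructed for it. Its domain reduction (keep the last two labels) is a simplification that misjudges two-level suffixes such as .co.uk, and it does not inspect the certificate, which needs a live connection and is still done by hand in the browser.

```powershell
# Added example (not from the thread). Pull the <a href> links out of an HTML
# message and report, for each one, the reasons Bill lists for distrusting it.
# $Sample and $Expected are constructed for this example.

function Get-RegistrableDomain {
    param([string]$HostName)
    # Assumption: the last two labels are the registrable domain (fine for .com/.org;
    # real tooling consults the Public Suffix List). IP literals pass through.
    $h  = $HostName.ToLowerInvariant().TrimEnd('.')
    $ip = [System.Net.IPAddress]::None
    if ([System.Net.IPAddress]::TryParse($h, [ref]$ip)) { return $h }
    $labels = $h.Split('.')
    if ($labels.Count -ge 2) { return ($labels[-2..-1] -join '.') }
    return $h
}

function Get-Links {
    param([string]$Html)
    # Crude anchor extraction; enough for a mail body, not a full HTML parser
    [regex]::Matches($Html, '<a\s[^>]*href\s*=\s*"([^"]*)"[^>]*>(.*?)</a>', 'IgnoreCase, Singleline') |
        ForEach-Object {
            [pscustomobject]@{ Href = $_.Groups[1].Value
                               Text = ($_.Groups[2].Value -replace '<[^>]+>', '') }
        }
}

function Test-Link {
    param([string]$Href, [string]$Text, [string[]]$Expected)
    $findings = @()
    $uri = $null
    if (-not [System.Uri]::TryCreate($Href, [System.UriKind]::Absolute, [ref]$uri)) {
        return ,@("not an absolute URL: $Href")
    }
    $hostName = $uri.Host.ToLowerInvariant()
    if ($uri.Scheme -ne 'https') { $findings += 'not an https:// link' }
    # "https://bank.example.com@198.51.100.7/" - everything before @ is a username, not the host
    if ($uri.UserInfo)          { $findings += "user@ prefix in URL; the real host is $hostName" }
    $dom = Get-RegistrableDomain $hostName
    if ($Expected -notcontains $dom) {
        $findings += "goes to $dom, not one of: $($Expected -join ', ')"
        foreach ($e in $Expected) {   # brand name buried in a host that is not that domain
            if ($hostName.Contains($e.Split('.')[0])) { $findings += "host $hostName only imitates $e" }
        }
    }
    # Visible text that looks like an address but points somewhere else
    $t = $Text.Trim().ToLowerInvariant()
    if ($t -and $t -notmatch '\s' -and $t.Contains('.')) {
        $tHost = $t -replace '^[a-z]+://', '' -replace '/.*$', ''
        if ((Get-RegistrableDomain $tHost) -ne $dom) { $findings += "text says $t but link goes to $dom" }
    }
    return $findings
}

# Constructed sample: one lookalike host, one genuine link, one user@ trick
$Sample = @'
<p>Dear customer, your Bank of America password must be updated.</p>
<a href="http://bankofamerica.com.secure-update.example.net/login">www.bankofamerica.com</a>
<a href="https://www.bankofamerica.com/">Go to Bank of America</a>
<a href="https://www.bankofamerica.com@198.51.100.7/">Verify now</a>
'@
$Expected = @('bankofamerica.com')   # constructed: the one bank this reader actually uses

foreach ($link in Get-Links $Sample) {
    $f = @(Test-Link -Href $link.Href -Text $link.Text -Expected $Expected)
    if ($f.Count -eq 0) { "OK      $($link.Href)" }
    else {
        "SUSPECT $($link.Href)"
        $f | ForEach-Object { "        - $_" }
    }
}
```

For the sample above, only the second link comes back OK; the first is flagged four times (plain http, wrong domain, brand name embedded in a foreign host, text and target disagree) and the third is caught by the user@ check, which is the trick that makes a URL appear to start with the bank's name while the browser actually connects to the address after the @. Keep $Expected short and honest: a Citi link in a message to someone who banks only with BofA fails the "do you even use them" test before any of the other checks run.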