Got NAILED

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Ah, it's been many years. My fault, tho'.

So here's the chronological order:
I never tried Xfinity before, but tonight I wanted to see what shows they provided (auditioning for my HTPC). So I tried the 60 Minutes episode with Pres. Obama, and it wouldn't play..."maybe network issues, try again later" was the feedback.

Thinking it was advertisements being blocked by my HOSTS file, which in turn sometimes prevents content, I cleared my HOSTS file and tried again...nope, still no joy. Tried The Daily Show, and that worked fine. Hmmm.

Anyway, got distracted, forgot about the HOSTS file.

Distraction: watched My Name Is Bruce on the HTPC. Decided to look up the name of the "love interest" on my main machine...other than the title of the movie, no info on her, not even a picture at IMDB. OK, so her name is Janelle...hey, same first name as my best friend's older sister waaaay back when I was 11 years old. So I look up his name...bupkis. OK, look up a girl we both hung out with, and I see a potential facebook link that might be her. Click the link, and...

Personal Antivirus Software appears and is scanning my machine. The UI looks really slick and pro. AntiVir is just idle, but I've got a new systray icon sitting there with a balloon saying I've been infected. Interesting, I say to myself, who the frak are you, little icon? Can't kill the damn thing, it keeps relaunching to scan my system.

So I hard reset. Oops, feedback alarms everywhere, I'm infected! (scan, scan, scan). Frak. Try launching my browser...nope, browser proxy is preventing connection. Oh, double-frak me upside down.

Another hard reset (F8, F8, F8...Safe!). Launch msconfig, and find that osuwejfxsik.exe is set to load at startup (yes, I googled it. Yes, I know it doesn't exist). Uncheck, delete it from the TEMP folder it was launching from (my mom certainly never would have figured this out), and I STILL can't get today's AntiVir updates or access the web.

RansomWare. Frak.

Don't have the latest definitions of SUPERAntiSpyware, so maybe that's why the scan came back empty. So I'm running a deep scan with AntiVir with yesterday's signatures, but it's gonna take almost an hour. Going to bed. If AntiVir can't do it, it's image drop time...not gonna waste more than 10 more minutes cleaning this fraker up.

Lesson learned: restore HOSTS file. Then surf facebook.

I hate that site.
 

Thetech

Senior member
Mar 12, 2005
571
0
0
Ummm.... No offense, but as a computer technician I can tell you that free anti-virus is never very effective. Think of it this way, if the free anti-virus company sells a paid version, why make the free one really good?

You need to get yourself real protection, www.eset.com NOD 32.

Even if you re-image you might still have issue, because your router may have been "poisoned" meaning that the dns settings on your router were altered.




 

slag

Lifer
Dec 14, 2000
10,473
81
101
How could a virus poison a router? I doubt it can guess my username or password to get in and, even then, how will it know what to adjust? If the person keeps the standard administrator:password combo, he/she deserves to get screwed. I think of that as a wake up call.
 

Thetech

Senior member
Mar 12, 2005
571
0
0
How could a virus poison a router? I doubt it can guess my username or password to get in and, even then, how will it know what to adjust? If the person keeps the standard administrator:password combo, he'she deserves to get screwed. I think of that as a wake up call.

It can and it's more common than you would think. All that the software has to do is be programmed to connect to a typical address for a router such as 192.168.1.1 and then guess at the password; considering most people have default settings, this is easy.

DNS settings are very standard and I doubt it's that hard to program something to change these settings.

If someone has the default username/password combo they do NOT deserve to be screwed.
Most people don't understand how this stuff works or would never know to re-configure it.
How would you feel if this happened to your, mother, aunt, uncle, etc? Would you feel the same way?
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
So, just got home from work, AntiVir had come back with bupkis, like I expected. Launched HijackThis and found the little ah heck almost immediately: custom IE proxy number under HKCU. I let HijackThis "fix" it, and I'm back on the interwebs again.

Grabbed the latest definitions for SUPERAntiSpyware and ran a full scan: Gen-Fraud tool.
No offense, but as a computer technician I can tell you that free anti-virus is never very effective. Think of it this way, if the free anti-virus company sells a paid version, why make the free one really good?
I consider myself a computer technician, too (so does my employer). Avira is better than quite a few pay-fer programs. In the most recent tests conducted by AV-Comparatives, just two products out of 20 scored ADV+ across the board: Avira was one of them...NOD32 wasn't the other.

The pay-fer version of AntiVir simply adds additional features, for things like phishing, bootable rescue disc and email protection. Otherwise, it's the same engine and the same signatures.

The router is fine, I don't use default settings, and have a strong password. This was just ransomware, and my HOSTS file is back to work blocking the bad guys' IPs.
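Added example, not from Slugbait's post or from any of the tools named in the thread: a Python script that checks the three things the cleanup above ran into, offline, against constructed input. It parses a .reg export for Run entries launching from a temp directory and for an enabled per-user proxy under HKCU, and it reads a HOSTS file for lines that sink an update host or point a name at a real address instead of 127.0.0.1/0.0.0.0. The registry and HOSTS samples, the proxy port, and the placeholder update-host names are all assumptions made up for the example; only the exe name comes from the thread.

```python
"""Offline triage of the three spots the cleanup above touched: a Run entry
launching from TEMP, a per-user IE proxy under HKCU, and HOSTS lines that sink
or redirect hosts you need. Reads constructed .reg and HOSTS text."""
import ipaddress
import re

# Constructed sample shaped like `reg export` output of the two relevant keys.
# The exe name is the one from the thread; the proxy address is an assumed
# loopback port with nothing listening on it.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"osuwejfxsik"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\osuwejfxsik.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"""

# Constructed HOSTS file: a normal ad-block line, a line that blackholes an
# (assumed, placeholder) AV update host, a line redirecting a site to TEST-NET.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
0.0.0.0         ads.example.net
127.0.0.1       update.av-vendor.example
203.0.113.7     www.example.com
"""

# Hosts the machine must keep reaching (placeholders; use your vendor's names).
PROTECTED_HOSTS = {"update.av-vendor.example", "windowsupdate.example"}

RUN_KEYS = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
INET_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
TEMP_MARKERS = ("\\temp\\", "%temp%", "\\temporary internet files\\")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg(text):
    """{key_path: {value_name: value}} from a .reg export (strings and dwords)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # .reg doubles backslashes and escapes quotes inside strings
                current[name] = raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            else:
                current[name] = raw  # hex(...) and other types left raw
    return keys


def suspicious_run_entries(keys):
    """(value name, command) for Run entries that launch from a temp directory."""
    hits = []
    for key in RUN_KEYS:
        for name, cmd in keys.get(key, {}).items():
            if any(marker in str(cmd).lower() for marker in TEMP_MARKERS):
                hits.append((name, cmd))
    return hits


def proxy_hijack(keys):
    """The per-user proxy string if one is enabled, else None. A proxy nothing
    listens on is how a box loses the web and AV updates while the LAN is fine."""
    inet = keys.get(INET_KEY, {})
    if inet.get("ProxyEnable") == 1 and inet.get("ProxyServer"):
        return inet["ProxyServer"]
    return None


def hosts_anomalies(text, protected):
    """(kind, entry) findings: a protected host mapped anywhere at all, or any
    host mapped to a real address rather than a loopback/null sink."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", raw))
            continue
        sink = addr.is_loopback or addr.is_unspecified
        for name in names:
            name = name.lower()
            if name in protected:
                findings.append(("update-host-blocked", f"{ip} {name}"))
            elif not sink:
                findings.append(("redirect", f"{ip} {name}"))
    return findings
```

On a real machine you would feed it `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` output and `%SystemRoot%\system32\drivers\etc\hosts`. The HOSTS rule is deliberately asymmetric: mapping an ad domain to 0.0.0.0 is what an ad-blocking HOSTS file is for, mapping an update host anywhere or mapping any host to a routable address is not.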
 

lowrider69

Senior member
Aug 26, 2004
422
0
0
Many techs or people in the industry run those free AV programs to clean systems all day long and they get the job done. Usually the first thing a tech will fire up is MBAM and then go down the line. Most free versions of AV software use the same exact engine as the paid versions. The free versions usually don't have as many features as the paid versions which is why they're free.

By the way, NOD32 routinely scores lower in detection rates than the free versions of Avast and Avira at AV-Comparatives.org. If you want a second opinion from Eset just use their free online scanner, it uses the same engine as their pay for software.
 

Gamingphreek

Lifer
Mar 31, 2003
11,679
0
81

The free versions are absolutely fine and in a lot of cases better than any paid software you can get.

DNS poisoning cannot occur on the router as it is not a DNS source in that it doesn't hold/cache DNS records. What *can* happen (though rare) is a piece of malware manages to change the DNS Server entries on the router, thus redirecting them towards a poisoned DNS Server.

You can mitigate this by not automatically pointing your NIC at your Gateway/Router but instead manually assigning a Primary and Secondary DNS Server in your IP Configuration. Since this requires Administrative Access to change in Windows and Linux, it is much more unlikely that a piece of malware would exploit this. After all, if it has Administrative Access, why bother playing DNS games?

-GP
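Added example (not from Gamingphreek's post): a Python script that parses ipconfig /all output and reports every resolver the machine did not get from you, which is the check behind the advice above. The ipconfig text, the adapter names and the trusted resolver list are constructed for the example.

```python
"""Which resolvers is this box really using? Parses constructed `ipconfig /all`
text (XP-style layout, including the continuation lines that carry a second DNS
server) and compares the result with the resolvers you pinned on purpose."""

# Constructed sample: RFC 5737 test addresses plus a typical home gateway.
SAMPLE_IPCONFIG = """
Windows IP Configuration

   Host Name . . . . . . . . . . . . : HTPC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : home.example
   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1

Ethernet adapter Wireless Network Connection:

   Dhcp Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.24
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.0.2.66
"""

# Resolvers configured on purpose (assumed values for the example).
TRUSTED_DNS = {"203.0.113.53", "198.51.100.53"}


def parse_ipconfig(text):
    """{section: {field: [values]}} from ipconfig /all output. Section headers
    sit in column 0, fields are indented three spaces, and extra values of a
    multi-valued field (second DNS server) follow on key-less indented lines."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = sections.setdefault(line.rstrip(":").strip(), {})
            last_key = None
        elif current is None:
            continue
        elif not line.startswith("    "):
            # first ':' is the separator; the key never contains one
            key, _, value = line.partition(":")
            last_key = key.strip(" .")
            current[last_key] = [value.strip()] if value.strip() else []
        elif last_key is not None:
            current[last_key].append(line.strip())
    return sections


def dns_findings(sections, trusted):
    """(adapter, server, reason) for every resolver you did not choose yourself.
    via-router:    the resolver is the gateway, so the router's upstream DNS
                   setting (the one the thread argues about) decides everything
    untrusted:     a resolver outside your pinned list
    dhcp-assigned: the list came from DHCP and can change with the next lease,
                   which is the case for pinning DNS on the NIC as an admin"""
    findings = []
    for name, fields in sections.items():
        servers = fields.get("DNS Servers", [])
        gateway = (fields.get("Default Gateway") or [""])[0]
        dhcp = (fields.get("Dhcp Enabled") or [""])[0].lower() == "yes"
        for server in servers:
            if server == gateway:
                findings.append((name, server, "via-router"))
            elif server not in trusted:
                findings.append((name, server, "untrusted"))
        if dhcp and servers:
            findings.append((name, ", ".join(servers), "dhcp-assigned"))
    return findings


if __name__ == "__main__":
    for finding in dns_findings(parse_ipconfig(SAMPLE_IPCONFIG), TRUSTED_DNS):
        print(finding)
```

Pipe `ipconfig /all` into it on the real box. Note that a pinned resolver only protects the lookups this machine makes; anything else on the LAN that still uses the router as its resolver is still exposed to whatever upstream the router holds.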
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,202
126
Slug, what OS are you running, XP or Win7? What browser were you using when infected, and what version? Was the OS fully patched, or not? Was your flash player up to date?

Just curious, because I want to gauge how secure Win7 is these days, compared to older XP running SRP and locked down. My current feeling is that Win7's protections are not quite as good as SRP. (Of course, you can get SRP with Pro or Ultimate.) But Win7 is so much more seductive and easy to use.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
It's XP, but didn't have Tuesday's patch package installed yet (this all happened Tuesday evening, and my machine is powered down during the day). Using FF4. Had just accepted the prompt to update Flash a couple of days earlier.

Up until a couple of weeks ago, it was a dual-boot machine. I dropped my XP image and was in the process of tweaking it before installing Win7 again. I think I'm going to start the process over again, cuz after cleaning one trojan with SUPERAntiSpyware, Spybot told me there was some more cleaning to do with a similar trojan. Considering it began with a google link click to Facebook, I think I got hit by someone very good.
 

piasabird

Lifer
Feb 6, 2002
17,168
60
91
Some of these virus notices are not anti-virus but the virus itself. I think if you search for them on AVG, they may have a cleaner to get rid of them.
 

Ancalagon44

Diamond Member
Feb 17, 2010
3,274
202
106
What browser were you using, OP?


Sorry, complete rubbish. Free AV is just fine, been using it for years. And many sites run tests of free AV and find it works just fine.

Poisoning a router? Excuse me while I say rubbish again; you think a virus can somehow hack a router? You know how every router pretty much runs its own OS?

EDIT: Thetech, are you sure you are a tech?

I mean, think about what you are saying with router poisoning. This is what you expect a simple virus to accomplish:
1. Know the most common user name and password combinations.
2. Be able to interface with the router. This is the big one. Most probably won't expose a web service, and those that expose an HTML interface will all be different, even among the same model.
3. Be able to use that interface, remember the one that is unique per router and often HTML only, to change specific settings on the router.
4. Carry all of this stuff in a reasonable sized payload.

Absolute rubbish.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,202
126
It's XP, but didn't have Tuesday's patch package installed yet (this all happened Tuesday evening, and my machine is powered down during the day). Using FF4. Had just accepted the prompt to update Flash a couple of days earlier.

Are you running as Administrator? Or a limited user? (Seems as though you had to be running as Admin, for it to infect your entire system.)

Have you investigated SRP and a limited-user account for websurfing?

Since I've implemented that on all of my friends' computers that use XP, none that I am aware of have been compromised. (*)

(*) I do have one friend, that didn't have viruses when he was using his computer, but then his dad was using it while he was away, and now he thinks it has viruses.

Come to think of it, it's possible that a different friend set that up for him, I don't think I did the OS install. So possibly he was/is not running SRP on that box.

My experience running XP has been, running as Admin is bad, you WILL get "own3d" eventually, by some sort of drive-by malware. But running XP Pro with a limited-user account and SRP implemented, is virtually bulletproof to drive-by malware.

Yes, it may be possible to bypass still in theory, but I've never seen any sort of SRP-busting malware in the wild.

Btw, SRP is "Software Restrictions Policy". Basically, you deny-by-default any executable file, unless it is in a "blessed" directory, and only the Admin has the rights to write to those "blessed" directories. So malware is locked out.
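Added example, not from VirtualLarry's post and not how SRP is actually configured (that is done through Group Policy): a small Python model of the deny-by-default path rule described above, to show the part that matters in practice, which is path canonicalisation. The blessed directories and the user-writable carve-outs are assumed values for the example.

```python
"""Toy model of the deny-by-default path policy described above: an executable
runs only if it sits under a directory that only Administrators can write.
The point is the canonicalisation: a string allowlist is only as good as the
path normalisation in front of it."""
import ntpath

# Assumed "blessed" trees for an XP install.
BLESSED_DIRS = (r"C:\WINDOWS", r"C:\Program Files")
# Subtrees under the blessed roots that ordinary users can still write to on a
# stock XP install, so they must be carved out of the allow rule. Assumed list
# for the example; derive the real one by auditing ACLs on your own box.
USER_WRITABLE = (r"C:\WINDOWS\Temp", r"C:\WINDOWS\Tasks")


def canonical(path):
    """Lower-case, backslash-only, quotes stripped, '.' and '..' collapsed."""
    return ntpath.normpath(ntpath.normcase(path.strip().strip('"')))


def is_under(path, root):
    """True if canonical `path` is `root` or lies inside it."""
    root = canonical(root)
    # The trailing backslash keeps C:\Program Files (x86) from matching
    # C:\Program Files: prefix matching on bare strings is a classic hole.
    return path == root or path.startswith(root.rstrip("\\") + "\\")


def srp_decision(command_path):
    """'allow' or 'deny' for one executable path under the policy."""
    p = canonical(command_path)
    # Relative paths, UNC paths and anything without a drive letter never match
    # a local blessed tree; deny-by-default handles them for free.
    if len(p) < 3 or not p[0].isalpha() or p[1] != ":":
        return "deny"
    # Carve-outs are checked first: an allow rule for C:\WINDOWS would
    # otherwise silently cover C:\WINDOWS\Temp as well.
    if any(is_under(p, d) for d in USER_WRITABLE):
        return "deny"
    if any(is_under(p, d) for d in BLESSED_DIRS):
        return "allow"
    return "deny"


def audit(commands):
    """Apply the policy to a batch of startup commands; returns {path: decision}."""
    return {c: srp_decision(c) for c in commands}


if __name__ == "__main__":
    for path, verdict in audit([
        r"C:\WINDOWS\system32\ctfmon.exe",
        r"C:\Documents and Settings\user\Local Settings\Temp\osuwejfxsik.exe",
        r"C:\Program Files\..\Documents and Settings\user\Local Settings\Temp\x.exe",
        r"C:\WINDOWS\Temp\x.exe",
    ]).items():
        print(verdict, path)
```

The `..` case is why the comparison runs on a normalised path rather than the raw command string. Real enforcement also has to resolve short (8.3) names, junctions and symlinks against the live filesystem before comparing, which a string compare cannot do on its own.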
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
Yeah, been running as an Admin since Whistler beta. Honestly, the last time I remember getting pwned, I was still using 98 (it was a keylogger...I suspected my wife installed it, she once caught me surfing pr0n). Can't remember exactly when I started utilizing my HOSTS file, but I think it was while I was still running OSR2.

I thought about SRP back when Springboard (SP2) was first released, but all the damn rules to configure, and my constant upgrading, image dropping, clean installs...pita.

Besides, when dual-booting I primarily use Win7 nowadays...XP is for my older software and hardware. For example, I wasn't able to get Nero 6.6.0.18 to work with Win7, so I boot into XP for burning discs. And I have a couple of webcams that aren't supported with Win7. Plus, no NetMeeting with Win7, so when I need to do remote troubleshooting on machines of some friends and family, NM is critical.
 

Thetech

Senior member
Mar 12, 2005
571
0
0

Depends on whose test you are reading.

Real world examples are what count; besides, it depends on how much experience you have in seeing different environments in the real world ;)

Really? Is it really that effective if you get infections and other people commonly get infected with the same software?

If you know how to configure it right you can get better security out of NOD32.
Everyone can stick to their guns, but in the long run I know I'll be sharp shootin'.
 

LiuKangBakinPie

Diamond Member
Jan 31, 2011
3,903
0
0
No antivirus in the world can stop browser exploits.

Sandboxie great little utility to run your browsers in.
Update Adobe Flash and Java regularly. Uninstall all the older versions of Java

Get the following add ons
WOT
Better Privacy
No Script
AdBlock Plus

Use Spyware Blaster to protect and backup your system settings
GET OUT OF THE ADMIN ACCOUNT AND LOCK IT UP
Get an anti-spyware application like Malwarebytes to run resident with your antivirus

For your current situation, forget about an antivirus.

Download Malwarebytes, update it and run it
Then download and run ComboFix
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
No antivirus in the world can stop browser exploits.

Yeah, considering the number of criticals for Firefox last year, I wouldn't be surprised if it was tailored and IE wouldn't have allowed it. No way to know unless I repeat.

Don't have Java, and always update Flash immediately when prompted.

I don't do add-ons. My HOSTS file goes well beyond what AdBlock Plus would do, and applies to all browsers. WOT is worthless for a site that accidentally sells an ad to organized crime (once happened here, once happened with WL Messenger, happened just last weekend to seattletimes.com, etc...the people who sell advertising are more concerned about the money than the ad itself). Can't use BetterPrivacy because they can't write a single god-damned sentence on their website with coherency, or without misspellings or incorrect use of punctuation...but they can write golden code? Hell, I'm surprised they can click the compile button. NoScript requires a painful whitelist to build...my HOSTS file is a better whitelist, and requires no building.

I've been hit only a couple of times in over a decade as an admin...only once that I actually remember.

I have MalwareBytes installed. It gives me several false-positives of files I know are clean, and SUPERAntiSpyware correctly ignores. So I seldom use MalwareBytes.

Combofix. Um, no.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
I got pwned recently.

Malwarebytes / 7-Zip extract / MSE scan / SUPERAntiSpyware: all clean. Ran it and boom, dropped 50+ all over. The only action is to restore. Back up daily or more! It is the easiest way. Have a spare drive so you can restore and copy any new data bits over. Works great.

I believe there is no solution other than scorched earth when it comes to viruses these days. The droppers are too l33t for me.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
5,052
195
116
I didn't get it but what did you download or was it via the web?

I recently had to wipe someone's laptop because i couldn't get rid of some virus which was coming from a website I believe. It would hide all files/programs on start menu and had some kind of fake AV alerts. crazy stuff out there!!!


 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
I downloaded a file from the web. It was irrelevant, but it was an exe and I knew it was sketch, so I did a comprehensive (to what I thought) scan using multiple products. I guess I was wrong. Nothing showed the exe as a virus by signature until its payload was dropped. MSE caught a few but many got through.

If you use Windows Easy Transfer and don't transfer the common admin user/settings but just your user(s), you can get a good clean transfer of settings. Otherwise it's pretty easy to do most things by hand.

I now back up more often to more places :) which is what I should have done in the first place.
 

LiuKangBakinPie

Diamond Member
Jan 31, 2011
3,903
0
0

With that attitude, no wonder you got nailed. BetterPrivacy is just to delete Flash cookies; what are you smoking, can I have some?
You're running on XP? Wait, give me your IP and I will load up Metasploit and see if you are really getting patches or security updates from Microsoft. I will rip your PC apart 100 times all over with an outdated Metasploit.
 

Revolution 11

Senior member
Jun 2, 2011
952
79
91
BetterPrivacy just removes Flash cookies. And NoScript, even with All Scripts Allowed, still has anti-XSS and clickjacking protections.

Malwarebytes does have some false positives. Use ESET's online scanner to scan the suspect file. VirusTotal is also a good site to scan false positives.

Why are you refusing to use Combofix? It is rare when Combofix can't fix malware problems.

EDIT: My first post. Woo.
 

Slugbait

Elite Member
Oct 9, 1999
3,633
3
81
With that attitude, no wonder you got nailed. BetterPrivacy is just to delete Flash cookies; what are you smoking, can I have some?
You're running on XP? Wait, give me your IP and I will load up Metasploit and see if you are really getting patches or security updates from Microsoft. I will rip your PC apart 100 times all over with an outdated Metasploit.

With that attitude, you'd think I had been nailed 100 times over the last decade or so...
 

LiuKangBakinPie

Diamond Member
Jan 31, 2011
3,903
0
0
With that attitude, you'd think I had been nailed 100 times over the last decade or so...

lol
WOT makes use of the OpenDNS project titled PhishTank to help detect bad websites, btw.
A Russian malware kit goes for $100 these days filled with zero-day exploits and social site exploits.