"Win 7 Security 2012"- very nasty, questions

Margo1

Member
Nov 4, 2007
I got a bad virus yesterday named "Win 7 Security 2012". I tried several ways to delete from my system to no avail. I finally had to restore my computer to another earlier point, causing pain and suffering. But I got it running fine now.
Questions:
Shouldn't Win 7 have stopped it from installing? I thought this OS was designed to prevent security problems like this.
Or maybe Microsoft Security Essentials should have stopped it?
Programs I have tried: Microsoft Security Scanner, Malicious Software Removal Tool, Security Essentials, Malwarebytes, Spyware Doctor and two others I don't remember.
Where did the virus come from? Was it probably an email?
What can I do to prevent this from happening again?
 

MustISO

Lifer
Oct 9, 1999
In my experience, these things come in due to out of date software that is installed on the system. Most likely old versions of Java, Flash, Shockwave, browsers, etc.

You should also be running on a limited or regular user account and not as an Administrator.
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
Correct me if I'm wrong. After reading that website, there is no way to protect yourself from this virus?

I agree with the others, you should keep your software up-to-date, and don't let Java onto your system at all if you can possibly avoid it. Also note that the initial stage of these infections is often just a big animated picture intended to alarm and fool you into clicking something. What you should do instead is to start up Task Manager, go to the Applications tab, and terminate the browser. Don't fall for their monkeyshines.

Regardless, if you want to protect yourself from that stuff for certain, enable either Software Restriction Policy in disallowed-by-default mode, or use the Parental Controls feature.

To use SRP, follow this: http://www.mechbgon.com/srp

To use Parental Controls,

1. create a new Administrator-level account (for your purposes here, a password is optional). Now demote your existing user account from an Admin to a Standard User, if it wasn't already.

2. in Control Panel, use the "Set up parental controls" and apply it to your account. Now switch it on and click "allow and block specific programs."

3. in the next panel, click "only the programs I allow" and then you can select all the programs currently installed, and proceed. Now any foreign executable will get stopped unless you override the protection.

There are several other steps I'd suggest too, and they're listed in the link in my signature.
 
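As an added example (not part of the thread, and not mechBgon's guide at mechbgon.com/srp), the PowerShell below writes the same Software Restriction Policy settings that the Local Security Policy editor stores in the registry: a disallowed-by-default policy with the Windows and Program Files directories allow-listed, enforced for everyone except local Administrators, which fits the "separate admin account, demote the daily account" setup the post describes. It assumes Windows 7, an elevated prompt, and the documented SRP key layout (DefaultLevel 0 = Disallowed, rules under the 262144 = Unrestricted level); the rule GUIDs and descriptions are generated here.

```powershell
# Added example: configure SRP "disallowed by default" through the registry
# keys that secpol.msc writes. Run from an elevated prompt on Windows 7; the
# standard-user account picks up the policy after logging off and on again.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
New-Item -Path $base -Force | Out-Null

# DefaultLevel 0 = Disallowed (0x40000 = Unrestricted is the Windows default).
Set-ItemProperty -Path $base -Name DefaultLevel -Type DWord -Value 0
# TransparentEnabled 1 = check executables but not DLLs (2 would also check
# DLLs, which is stricter but breaks more software and costs performance).
Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1
# PolicyScope 1 = enforce for all users except local Administrators, so the
# separate admin account created in step 1 above can still install software.
Set-ItemProperty -Path $base -Name PolicyScope -Type DWord -Value 1
# AuthenticodeEnabled 0 = no certificate rules are defined here.
Set-ItemProperty -Path $base -Name AuthenticodeEnabled -Type DWord -Value 0

# Allow-list path rules live under <level>\Paths\<GUID>. 262144 (0x40000) is
# the Unrestricted level, so everything under these locations keeps running.
# Standard users cannot write to any of them, which is the point: a payload
# dropped in %TEMP% or anywhere in the profile is outside every allowed path.
# The registry-path form (%HKEY_...\Value%) is the syntax SRP itself uses.
$allowed = @(
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%',
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%',
    # Assumption: present on 64-bit Windows only; ignored where the value is absent.
    '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%'
)
foreach ($path in $allowed) {
    $rule = Join-Path $base ('262144\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData    -Type ExpandString -Value $path
    Set-ItemProperty -Path $rule -Name SaferFlags  -Type DWord        -Value 0
    Set-ItemProperty -Path $rule -Name Description -Type String       -Value 'Allow (added example)'
}

# Quick check: show the effective default level and the allow rules just written.
Get-ItemProperty -Path $base | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
Get-ChildItem -Path (Join-Path $base '262144\Paths') |
    ForEach-Object { (Get-ItemProperty -Path $_.PSPath).ItemData }
```

Before switching DefaultLevel to 0, test the rule set with a program that a standard user launches from the Desktop: it should be refused with the "blocked by group policy" message, while anything under Program Files still starts. The values written here are the ones secpol.msc displays under Security Settings, Software Restriction Policies, so the result can be inspected and adjusted there afterwards.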

nitrous9200

Senior member
Mar 1, 2007
As mentioned, these things often get onto your system because of security flaws in software you have installed on your system - the only way to protect yourself from those is to update Adobe Flash/Reader, Java etc. regularly, as those bugs are usually fixed by the updates.

Other times, I find that the program was just downloaded and run the same way as any other - probably, if you received a popup saying "you have a virus, click here to download our tool", you would have gotten a prompt to save or run a file, and that file would have been the program that installed the malware.

So it could have happened by human intervention (clicking on something) or otherwise it could have installed itself without your doing anything.
 

Virucyde

Junior Member
Sep 19, 2011
While updating your third-party browsing software is certainly the best way of lowering your chances of catching these viruses, there is still a significant time period between fresh exploits being found in the software and updates being released to fix them. Because of this, sandboxing is truly the only way to avoid catching these particular types of viruses.

Now, I know that not all users want to run their browsers in Sandboxie, since cookies and browsing history are fairly handy, so there are other options of protecting yourself:
1. In Firefox, the plugin NoScript will allow you to browse safely, only enabling scripts from sites you trust; this prevents Java or Flash from infecting your system without you giving permission.
2. This is the best way, IMO, use Google Chrome. It's that simple. Chrome is the only browser currently which transparently sandboxes its third-party add-ons, and I have yet to see a user catch these types of viruses when using exclusively Chrome.

As for removal, I recommend booting into a live CD, any windows-based PE should do, and removing the virus's startup entry. These entries are usually easy to find because they are either the name of the program the virus is pretending to be, or they are a random filename, often both are in startup.

For easy removal, use the LiveCD and D7's Malware Scanner v3 to easily load your remote OS's registry and edit its startup. Once you've removed the entries, you should be able to boot into your system and run scanners without the virus interfering (you've essentially cut off the head, leaving the body). Most of these scareware viruses make several system changes that need to be undone; my program of choice for fixing your settings is ComboFix. Good luck!
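The offline startup-entry triage described in the post above, as an added example that is not part of the thread and does not use D7's tool: a PowerShell script run from a Windows PE boot that loads the offline system's SOFTWARE hive and one user's NTUSER.DAT, lists the Run/RunOnce entries, and flags the two patterns the post names (a file living in the user profile or a Temp folder, or a random-looking value name). It assumes the infected Windows volume is mounted as D: and that the PE image includes PowerShell and reg.exe; $Vol, the OffSoft/OffUser key names and the flagging heuristics are this example's own choices.

```powershell
# Added example: triage the startup entries of an offline Windows install from
# a Windows PE boot, before the infected OS (and its scareware) ever runs.
# Assumption: the infected Windows volume is mounted as D:; adjust $Vol.
$Vol = 'D:'

# Load the offline SOFTWARE hive and the first user profile's NTUSER.DAT under
# temporary keys. reg.exe can load hives; the PowerShell registry provider cannot.
& reg.exe load HKLM\OffSoft "$Vol\Windows\System32\config\SOFTWARE" | Out-Null
$userDir = Get-ChildItem "$Vol\Users" |
    Where-Object { $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName 'NTUSER.DAT')) } |
    Select-Object -First 1
& reg.exe load HKLM\OffUser (Join-Path $userDir.FullName 'NTUSER.DAT') | Out-Null

# Machine-wide and per-user Run/RunOnce keys, now reachable under HKLM:\Off*.
$runKeys = @(
    'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffSoft\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-OfflineAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }    # provider metadata, not values
            $cmd = [string]$p.Value
            # Heuristics from the post: the file lives in the user profile or a
            # Temp folder, or the value name is a letters-and-digits string that
            # looks random rather than like a product name. (-match is
            # case-insensitive in PowerShell.)
            $suspect = ($cmd -match '\\Users\\|\\Temp\\|AppData') -or
                       ($p.Name -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,}$')
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd; Suspect = $suspect }
        }
    }
}

Get-OfflineAutoruns | Sort-Object Suspect -Descending | Format-Table Suspect, Name, Command -AutoSize

# To remove a confirmed entry, use its value name (NAME is a placeholder):
# Remove-ItemProperty -Path 'HKLM:\OffUser\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'NAME'

# Unload before rebooting; the GC call releases PowerShell's key handles so
# reg.exe does not report the hive as still in use.
[gc]::Collect()
& reg.exe unload HKLM\OffUser | Out-Null
& reg.exe unload HKLM\OffSoft | Out-Null
```

The Suspect flag is only a sorting aid: note the flagged file's path and name before deleting the value, so the file itself can be removed (or submitted to a scanner) once the system is booted, and so a legitimate updater that happens to live under AppData is not mistaken for the infection.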
 

mechBgon

Super Moderator / Elite Member
Oct 31, 1999
> While updating your third-party browsing software is certainly the best way of lowering your chances of catching these viruses, there is still a significant time period between fresh exploits being found in the software and updates being released to fix them. Because of this, sandboxing is truly the only way to avoid catching these particular types of viruses.
>
> Now, I know that not all users want to run their browsers in Sandboxie, since cookies and browsing history are fairly handy, so there are other options of protecting yourself:
> 1. In Firefox, the plugin NoScript will allow you to browse safely, only enabling scripts from sites you trust; this prevents Java or Flash from infecting your system without you giving permission.
> 2. This is the best way, IMO, use Google Chrome. It's that simple. Chrome is the only browser currently which transparently sandboxes its third-party add-ons, and I have yet to see a user catch these types of viruses when using exclusively Chrome.
>
> As for removal, I recommend booting into a live CD, any windows-based PE should do, and removing the virus's startup entry. These entries are usually easy to find because they are either the name of the program the virus is pretending to be, or they are a random filename, often both are in startup.
>
> For easy removal, use the LiveCD and D7's Malware Scanner v3 to easily load your remote OS's registry and edit its startup. Once you've removed the entries, you should be able to boot into your system and run scanners without the virus interfering (you've essentially cut off the head, leaving the body). Most of these scareware viruses make several system changes that need to be undone; my program of choice for fixing your settings is ComboFix. Good luck!

Actually, Java exploits will bypass Chrome's sandbox handily:

[image: the_Java_problem.png]


(credit: Dino Dai Zovi, "Attacker Math")

At that point, SRP or Parental Controls can arbitrarily halt execution of a payload file if it's written to, say, the user's Temp directory (or anywhere else they can write to without Admin elevation). But this is a great reason to simply say no to Java.

Also worth noting: the NoScript approach to restricting scripting (and Java, and ActiveX for that matter) can be done with IE5.01 through IE9 if the user so desires. Raise the Trusted Sites zone to Medium-High security and leave scripting enabled there, and add the desired sites to Trusted Sites. Disable scripting in the Internet Zone. It's still a game of chance, since a legit site can become compromised.
 

ichy

Diamond Member
Oct 5, 2006
Ha, I remember when I had that malware. The people who created it should get the death penalty.
 

Virucyde

Junior Member
Sep 19, 2011
> Actually, Java exploits will bypass Chrome's sandbox handily:
>
> [image: the_Java_problem.png]
>
> (credit: Dino Dai Zovi, "Attacker Math")
>
> At that point, SRP or Parental Controls can arbitrarily halt execution of a payload file if it's written to, say, the user's Temp directory (or anywhere else they can write to without Admin elevation). But this is a great reason to simply say no to Java.
>
> Also worth noting: the NoScript approach to restricting scripting (and Java, and ActiveX for that matter) can be done with IE5.01 through IE9 if the user so desires. Raise the Trusted Sites zone to Medium-High security and leave scripting enabled there, and add the desired sites to Trusted Sites. Disable scripting in the Internet Zone. It's still a game of chance, since a legit site can become compromised.

Certainly, but Java always asks permission before being run (unless you've marked the publisher as trusted), unlike Flash, so by using Chrome you essentially get the same effect with Java as you would using NoScript in Firefox.
 

mechBgon

Super Moderator<br>Elite Member
Oct 31, 1999
> Certainly, but Java always asks permission before being run (unless you've marked the publisher as trusted), unlike Flash, so by using Chrome you essentially get the same effect with Java as you would using NoScript in Firefox.

We would certainly hope so, but then there are stats from exploit packs that indicate Chrome users are nevertheless getting infected with some success. Maybe the explanation is that people are allowing it themselves?

If I didn't use 64-bit IE9, Chrome would be next on my list, but I avoid the thinking of "oh, I use this browser or that browser, that makes me safe. Because reasons." The bad guys are skilled and financially motivated, they'll find the loopholes and exploit them. My backup measures are SRP, EMET, and as little attack surface as practical (no unnecessary junk like Java). None of these relies on the reasoning that "well, THIS site is trustworthy, it's allowed to run scripts," when more than half the malicious sites out there would normally be safe.
 

Virucyde

Junior Member
Sep 19, 2011
I wouldn't be surprised, email attachment viruses still work, even when email providers require the virus to be zipped in odd formats, somehow people manage to shoot themselves in the foot, even though you've got them tied to a chair across the room from the gun.
 

lowrider69

Senior member
Aug 26, 2004
NoScript goes a lot further than just disabling javascript on untrusted sites. I highly recommend it if you're using Firefox.
 

LennyZ

Golden Member
Oct 24, 1999
"Ha, I remember when I had that malware. The people who created it should get the death penalty. "

Last night my work (leisure) computer got it off of a car forum website.
My first thought after taking 2 hours to get rid of it was to find the person that created it and make them un-alive.
 

Soccerman06

Diamond Member
Jul 29, 2004
I got this somehow today, since then, I've downloaded 4 programs other than malwarebytes to get rid of this freaking thing. All of them say they can remove this program so we'll see from the various removal guides on the net. We'll see :rolleyes:
 

blackangst1

Lifer
Feb 23, 2005
I've always considered myself a cautious surfer, and I got hit with this 2 days ago. The removal instructions on bleepingcomputer worked for me, however I ended up having to download rkill and the other programs and burn to a CD from a different PC to get them to run.

Also, in the cleanup it wiped out a critical process for Windows that, from what I read on Microsoft's site, can't just be added back. I can't remember the name of the process offhand, but when I get home I'll check and post back.

Ironically, this is only the 2nd time I've ever been infected (that I can remember) and the first time was several years ago from an earlier version of this thing.
 

xSauronx

Lifer
Jul 14, 2000
> I got this somehow today, since then, I've downloaded 4 programs other than malwarebytes to get rid of this freaking thing. All of them say they can remove this program so we'll see from the various removal guides on the net. We'll see :rolleyes:

I got rid of it the other day, I think the primary fix was combofix but lately I've done this:

tdsskiller
rkill > combofix
unhide

that has solved some nasty issues for me lately.
 

blackangst1

Lifer
Feb 23, 2005
> I've always considered myself a cautious surfer, and I got hit with this 2 days ago. The removal instructions on bleepingcomputer worked for me, however I ended up having to download rkill and the other programs and burn to a CD from a different PC to get them to run.
>
> Also, in the cleanup it wiped out a critical process for Windows that, from what I read on Microsoft's site, can't just be added back. I can't remember the name of the process offhand, but when I get home I'll check and post back.
>
> Ironically, this is only the 2nd time I've ever been infected (that I can remember) and the first time was several years ago from an earlier version of this thing.

OK. The service that is removed by the fix for this nasty is the Base Filtering Engine Service. You can read more about it HERE but basically it's an important service.

The Base Filtering Engine (BFE) is a service that manages firewall and Internet Protocol security (IPsec) policies and implements user mode filtering. Stopping or disabling the BFE service will significantly reduce the security of the system. It will also result in unpredictable behavior in IPsec management and firewall applications.

There is no known sure-fire way to restore it other than reformat, restore from earlier uninfected date, or image restore.

Be advised.
 

Insomnihacks

Member
Feb 8, 2011
The more common exploits I see are usually flash based or java based. More so java than flash. The comments regarding not using an administrator account really do hit the nail on the head. A matter of UAC of sorts. On a rare occasion I've ended up with scareware myself but that's due to visiting websites that I shouldn't (Don't lie and act like you don't either). I've had much better success with MSE than Symantec. Symantec has always let me repeat........ALWAYS been a huge failure in the enterprise world as well as the home consumer world in my experiences.

I find that I'd rather use a VM to do certain browsing as to not corrupt my actual machine. I am a bit odd though :p
 

Jeffg010

Diamond Member
Feb 22, 2008
> I got rid of it the other day, I think the primary fix was combofix but lately I've done this:
>
> tdsskiller
> rkill > combofix
> unhide
>
> that has solved some nasty issues for me lately.

I just ran combofix for the first time and it worked wonders for me got rid of a rootkit. I'm going to look into the others you listed thanks.
 

digitalbuda

Member
Jul 10, 2010
Woke up this morning with my sister saying something is wrong with her computer and I find this thing on there.

It managed to disable MSE and the connection to the internet. At this point I won't even bother with trying to get rid of it, instead I will just perform a clean install of Windows.

What a way to spend Christmas eve, hours of installing everything back on her computer ...
 

paperfist

Diamond Member
Nov 30, 2000
www.the-teh.com
My nephew just gave me his girlfriend's computer with this thing on it. Whoever wrote it is brilliant and should get an award.

I've been following the directions for removal on bleepingcomputer.com and so far nothing works. If you launch an .exe it kills the process. It hijacks your browsers so you can't go to any useful sites for removal purposes. I can't even run a registry edit as it kills that process too! F even safe mode is useless :(
 

blackangst1

Lifer
Feb 23, 2005
> My nephew just gave me his girlfriend's computer with this thing on it. Whoever wrote it is brilliant and should get an award.
>
> I've been following the directions for removal on bleepingcomputer.com and so far nothing works. If you launch an .exe it kills the process. It hijacks your browsers so you can't go to any useful sites for removal purposes. I can't even run a registry edit as it kills that process too! F even safe mode is useless :(

Download the 3 files bleepingcomputer recommends (rkill, the registry edit, and superantispyware portable) from a NON infected machine. Burn those 3 files onto a CD. Put the CD in the infected machine, and follow the directions. You could also use a thumb drive.
 

MadScientist

Platinum Member
Jul 15, 2001
> OK. The service that is removed by the fix for this nasty is the Base Filtering Engine Service. You can read more about it HERE but basically it's an important service.
>
> There is no known sure-fire way to restore it other than reformat, restore from earlier uninfected date, or image restore.
>
> Be advised.

I came across this very situation this week after cleaning up a computer. The Vista Windows firewall would not start. The Base Filtering Engine and Windows Firewall services were missing.

I tried Microsoft's Fix It, sfc /scannow, and netsh firewall reset with no success. http://support.microsoft.com/kb/2271812

I found this thread on Bleepingcomputers and tried narenxp's reg fixes using the bfe.reg and firewall.reg files. It worked. http://www.bleepingcomputer.com/forums/topic434478.html

My method of cleaning an infected computer, if it will boot, is to first run one of the variations of rkill, Ccleaner, TDSSKiller, Malwarebytes Anti-malware, Combofix, and HijackThis. If it's an old slow computer I run them in Safe Mode with Networking.

Thought this was also worth mentioning. In the last few weeks I have cleaned a number of computers that had the Rootkit.ZeroAccess virus. It got by TDSSKiller and MAM. Combofix found it and this text came up: You are infected with Rootkit.ZeroAccess! This is a particularly difficult infection to remove. You may have to reboot. On one computer it added: It has inserted itself into the tcp/ip stack. This computer also had no internet access. Combofix ran for a while, rebooted the computers, and started a new scan. It removed the virus.
On the computer that lost internet access I had to restart the DHCP Client, DNS Client, and the Remote Procedure Call services to get internet access.

One other thing, if the infected computer does not have internet access, you can download MAM's updates from here: http://malwarebytes.gt500.org/ It's an exe file and will install itself.
 

blankslate

Diamond Member
Jun 16, 2008
Why not use this with any browser or media player that you use to access the internet, to help prevent plug-in exploits?
 