Windows 7 Forums


Windows 7: My PC just got exploited... Wow.


27 Nov 2011   #1

Windows 2000 5.0 Build 2195
 
 
My PC just got exploited... Wow.

Anyone else experience this?

I was only browsing three sites: webassign.net (Homework), 9gag.com (heh XD), and explosm.net (site for those popular comic shorts). While scrolling through explosm.net, all IE windows suddenly closed and an Adobe Flash UAC prompt popped up (a legit one). Considering Flash's sec rep and the unexpected closing of my windows, I hit DENY. But suddenly, fake scareware stuff popped up all over! Trying to open any exe file associated with MS gives me a "Win 7 Antispyware 2012 Firewall Alert". I managed to eventually open Task Manager, and I noticed that all the warnings came from an exe in %appdata%/Local. My desktop looked like this:

[Unedited except shortcuts to protect privacy; Action Center Window is a fake one (checked exe location)]


What really baffled me was how it managed to close MSE without even ticking it off. It also managed to somehow associate all .exe files such that it passes through the malicious exe. Deleting the said exe would cause any executable to pop up an "open with" dialog except my computer. That baffled me even more because last I checked, you need admin privileges to do that and it STILL did it without elevating!

With IE's sandboxing and Windows 7's security features, you would expect malicious programs to have difficulty doing dirty stuff on your computer...

Nothing beats a quick system restore, but to all of you out there, never let your guard down no matter how good you can be.

This is one valuable lesson I've learned today.



27 Nov 2011   #2

Windows 7 & Windows Vista Ultimate
 
 

Should you run into something like that again, don't even click Cancel. Instead, use the keyboard shortcut Alt+F4 until all windows are closed.
27 Nov 2011   #3

Windows 7 Ultimate x64
 
 

I highly recommend that you install Secunia Personal Software Inspector (PSI) to detect and patch computer vulnerabilities/out-of-date programs. Vulnerabilities and out-of-date programs are sources of exploits. Vulnerabilities are like holes. Once it's busted open and left without a patch, exploits can get through these holes and infect your PC with vicious viruses (e.g. rogues, trojans, backdoors, etc). An example is that rogue antivirus/antispyware, Win 7 Antispyware 2012.


29 Nov 2011   #4

 

In addition to Corrine's suggestion, immediately break the physical internet connection by unplugging the internet cable or turning off the Wireless connection.
I ran into a similar situation a few years ago when the nasty ErrorSafe pop-ups were haunting the web. Clicking on the red cross to close the pop-up redirected me to the ErrorSafe website which promoted fake antivirus software. Never click on such pop-ups.
29 Nov 2011   #5

Windows 7 Professional 64bit
 
 

All good suggestions. I have found that MSE is fairly useless in dealing with these new fake alert strains, and the more you use your computer after infection the worse things get.

I have found that Norton is the best solution.
29 Nov 2011   #6

Windows 8.1 Pro (x64)
 
 

If you have UAC on, this fake security software is pretty much locked to your account; creating a new account, for example, would not exhibit any of these issues. (Depends on whether there is a hole to get administrative rights without prompting.) It is also safe to say it probably got it via Flash, it likes poking holes in IE's sandbox. As for turning off MSE, it turned off the client interface but the backend should still be running.
30 Nov 2011   #7

Windows 2000 5.0 Build 2195
 
 

Quote: Originally Posted by Athene
In addition to Corrine's suggestion, immediately break the physical internet connection by unplugging the internet cable or turning off the Wireless connection.
I actually did break the connection, but it took me a whole lot of minutes to realize that I should! I guess those movies we all consider stupid (the ones where they do all this "typing-non-stop-to-prevent-the-hack-when-you-can-just-pull-the-plug" thing) got into my subconscious.. *facepalm on self*

Nonetheless, great advice!

Quote: Originally Posted by logicearth
If you have UAC on, these fake security software are pretty much locked to your account, creating a new account for example would not exhibit any of these issues. (Depends if their is a hole to get administrative rights without prompting).
I actually did create a new account to try and recover mine, but I figured system restore would be much, much easier. I'm curious on that though. What do you mean by "locked to [my] account?"

Quote: Originally Posted by logicearth
It is also safe to say, it probably got it via Flash, it likes poking holes in IE's sandbox..
Yeah, I blame Flash too. If it weren't for my homework and YouTube requiring Flash, I would still have it disabled.

Quote: Originally Posted by logicearth
As for turning off MSE, it turned off the client interface but the backend should still be running.
You're right. I remember seeing msseces as a process in Task Manager. I assumed it was off because it didn't detect something so obvious right in front of my eyes! D:
30 Nov 2011   #8

Windows 8.1 Pro (x64)
 
 

Quote: Originally Posted by arkhi
I actually did create a new account to try and recover mine, but I figured system restore would be much, much easier. I'm curious on that though. What do you mean by "locked to [my] account?"
Locked to your account as in, it is only your account that is infected. File association settings, for example, are limited to your account. I had the same type of malware on my mother's computer; it only affected her account, which makes these types of infections very easy to fix, since it cannot hook itself into the root of the system.
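A check for the mechanism logicearth describes above, and that arkhi ran into in the first post (the .exe association changed with no elevation, then an "open with" prompt for every program once the rogue's file was deleted), as an added example that is not part of the thread. Windows builds HKEY_CLASSES_ROOT by merging HKCU\Software\Classes on top of HKLM\Software\Classes, so a key written under the user's own hive redirects every .exe launch for that one account and needs no admin rights; that is also why a second account is unaffected. Once the file the override points at is deleted, the shell has nothing to run and falls back to the "Open with" dialog. The script audits the places such an override can live and, with -Repair, removes them so the machine-wide default applies again. Which keys this particular rogue wrote is not stated in the thread, so the layout checked is an assumption. It is written for the PowerShell 2.0 that Windows 7 ships with.

```powershell
# Added example, not from the thread: audit and optionally undo a per-user .exe
# association override. HKEY_CLASSES_ROOT is HKLM\Software\Classes with
# HKCU\Software\Classes merged on top, so keys written under the user's own hive
# redirect every .exe launch for that account only and need no elevation.
# A clean Windows 7 profile normally has no HKCU\Software\Classes\.exe key at all.
# Which keys a given rogue writes is an assumption; the places an override can
# live are all checked. Written for the PowerShell 2.0 that ships with Windows 7.
param([switch]$Repair)

$userClasses = 'HKCU:\Software\Classes'
$findings    = @()
$progId      = $null

function Get-OpenCommand([string]$progIdKey) {
    # (Default) value of <key>\shell\open\command, or $null when the key is absent
    $cmdKey = Join-Path $progIdKey 'shell\open\command'
    if (Test-Path $cmdKey) {
        return (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    return $null
}

# 1. HKCU\Software\Classes\.exe itself: may carry a ProgID and/or its own open verb
$exeKey = Join-Path $userClasses '.exe'
if (Test-Path $exeKey) {
    $progId = (Get-ItemProperty -Path $exeKey).'(default)'
    $findings += "HKCU .exe key present (ProgID = '$progId')"
    $cmd = Get-OpenCommand $exeKey
    if ($cmd) { $findings += "  .exe\shell\open\command = $cmd" }

    # 2. the ProgID that .exe points at, if it is (re)defined under HKCU
    if ($progId) {
        $cmd = Get-OpenCommand (Join-Path $userClasses $progId)
        if ($cmd) { $findings += "  $progId\shell\open\command = $cmd" }
    }
}

# 3. exefile redefined under HKCU even when .exe itself was left alone
$exefileKey = Join-Path $userClasses 'exefile'
$cmd = Get-OpenCommand $exefileKey
if ($cmd) { $findings += "HKCU exefile\shell\open\command = $cmd" }

if ($findings.Count -eq 0) {
    Write-Output 'No per-user .exe association override found.'
    return
}

Write-Output 'Per-user .exe association override detected:'
$findings | ForEach-Object { Write-Output $_ }
# The machine-wide default, for comparison; stock Windows 7 has "%1" %*
Write-Output ('Machine default (HKLM exefile): ' + (Get-OpenCommand 'HKLM:\Software\Classes\exefile'))

if ($Repair) {
    # Removing the HKCU keys makes the HKLM defaults visible again. This restores
    # the association only; the rogue's file and its autostart entries are separate.
    $toRemove = @($exeKey, $exefileKey)
    if ($progId -and $progId -ne 'exefile') { $toRemove += Join-Path $userClasses $progId }
    foreach ($key in $toRemove) {
        if (Test-Path $key) { Remove-Item -Path $key -Recurse -Force }
    }
    Write-Output 'HKCU overrides removed; .exe resolves through HKLM again.'
}
```

Run it as the affected user. Because the override intercepts programs started through the shell, PowerShell itself may not start from that account's Start menu while the hijack is in place; if so, the second-account or System Restore route discussed in the thread is the practical way in. Note also that repairing the association does nothing about the executable that was being launched, which still has to be found and removed.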
10 Dec 2011   #9

Windows 2000 5.0 Build 2195
 
 

Thank you very much for the input logicearth!

BTW, it happened to me again but this time I'm more prepared. Thanks to UAC, no harm was done. When a random Flash UAC popped up again I just hit close and opened task manager immediately. This is what I noticed:

There was a file which seems to have a random file name suddenly saved to my Documents folder (87b0k.exe). The Flash UAC seems to be provoked by it because the Flash UAC just kept coming unless I killed it. As soon as I killed it though, the fake malware pop-ups started appearing. I pinpointed it to jds.exe and I just needed to kill all of those to stop it from running.

I accidentally double clicked 87b0k.exe and now all my .exe files won't open -.-

Is there a way I can upload these files to MS for analysis?
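A triage script for the second occurrence arkhi describes above, as an added example that is not from the thread. It lists every running process whose image sits in a user-writable folder (Documents, %APPDATA%, %LOCALAPPDATA%, %TEMP%), the per-user Run and RunOnce entries that would relaunch such a file at the next logon, and a SHA-256 hash of each file so the sample can be identified when it is submitted for analysis; -Kill stops the matching processes first, which is what stopped the pop-ups in the post. The folder list and the Run-key locations are my choice; the thread mentions Documents and %appdata%\Local but does not list where else a rogue drops files. Names such as 87b0k.exe and jds.exe are deliberately not hard-coded: a rogue that picks a new random name each run evades a name match, while a path-based check still catches it. Written for PowerShell 2.0, hence .NET for hashing and WMI for process paths.

```powershell
# Added example, not from the thread: triage a freshly dropped rogue that runs from
# the user's profile. Lists running processes whose image is under a user-writable
# folder, the HKCU Run/RunOnce entries that would relaunch them at logon, and a
# SHA-256 of each file for a malware submission. -Kill stops the matching processes.
# The folder list is my assumption; the thread only mentions Documents and
# %appdata%\Local. Written for PowerShell 2.0 (Windows 7): Get-FileHash does not
# exist there, and Win32_Process gives executable paths without throwing.
param([switch]$Kill)

$suspectRoots = @(
    [Environment]::GetFolderPath('MyDocuments'),
    $env:APPDATA,
    $env:LOCALAPPDATA,
    $env:TEMP
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLower() }

function Test-UnderSuspectRoot([string]$path) {
    # True when $path starts with one of the user-writable roots (case-insensitive)
    if (-not $path) { return $false }
    $p = $path.ToLower()
    foreach ($root in $suspectRoots) {
        if ($p.StartsWith($root + '\')) { return $true }
    }
    return $false
}

function Get-Sha256Hex([string]$path) {
    # Hash via .NET; a running executable can still be opened for shared read
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { $hash = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    return ([BitConverter]::ToString($hash)).Replace('-', '')
}

function Get-RunCommandPath([string]$value) {
    # Image path from a Run value such as  "C:\x\y.exe" -arg  or  %APPDATA%\y.exe -arg
    # Unquoted values are returned whole: the prefix test above ignores trailing args.
    $v = [Environment]::ExpandEnvironmentVariables($value).Trim()
    if ($v.StartsWith('"')) { return $v.Substring(1).Split('"')[0] }
    return $v
}

# 1. Running processes whose executable lives under a suspect root.
#    ExecutablePath is $null for processes we may not inspect; those are skipped.
$suspects = @(Get-WmiObject Win32_Process | Where-Object { Test-UnderSuspectRoot $_.ExecutablePath })
foreach ($proc in $suspects) {
    Write-Output ('PID {0,-6} {1}' -f $proc.ProcessId, $proc.ExecutablePath)
    Write-Output ('       SHA256 ' + (Get-Sha256Hex $proc.ExecutablePath))
    if ($Kill) {
        Stop-Process -Id $proc.ProcessId -Force
        Write-Output '       stopped'
    }
}
if ($suspects.Count -eq 0) { Write-Output 'No running process image under a user-writable root.' }

# 2. Per-user autostart: writable without elevation, so a rogue confined to one
#    account uses these to survive a logoff.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($providerProps -contains $p.Name) { continue }   # provider metadata, not values
        $exe = Get-RunCommandPath ([string]$p.Value)
        if (Test-UnderSuspectRoot $exe) {
            Write-Output ("Run entry '{0}' -> {1}" -f $p.Name, $p.Value)
        }
    }
}
```

Run it first without -Kill to see what is there, record the hashes and paths, then rerun with -Kill and copy the files somewhere inert before removing them and the Run entries they point to. The hash is what identifies the sample once it is submitted, so keep it with the file; double-clicking the sample, as happened in the post, launches it again.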
10 Dec 2011   #10

Microsoft Community Contributor Award Recipient

Windows 7 Ult. x64 Windows 8.1 x64
 
 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd