My PC just got exploited... Wow.


  1. Posts : 761
    Windows 2000 5.0 Build 2195
       #1

    My PC just got exploited... Wow.


    Anyone else experience this?

    I was only browsing three sites: webassign.net (Homework), 9gag.com (heh XD), and explosm.net (site for those popular comic shorts). While scrolling through explosm.net, all IE windows suddenly closed and an Adobe Flash UAC prompt popped up (a legit one). Considering Flash's sec rep and the unexpected closing of my windows, I hit DENY. But suddenly, fake scareware stuff popped up all over! Trying to open any exe file associated with MS gives me a "Win 7 Antispyware 2012 Firewall Alert". I managed to eventually open Task Manager, and I noticed that all the warnings came from an exe in %appdata%/Local. My desktop looked like this:

    [Unedited except shortcuts to protect privacy; Action Center Window is a fake one (checked exe location)]


    What really baffled me was how it managed to close MSE without even ticking it off. It also managed to somehow associate all .exe files such that they pass through the malicious exe. Deleting the said exe would cause any executable to pop up an "open with" dialog except my computer. That baffled me even more because last I checked, you need admin privileges to do that and it STILL did it without elevating!

    With IE's sandboxing and Win7's security features, you would expect malicious programs to have difficulty doing dirty stuff on your computer...

    Nothing beats a quick system restore, but to all of you out there, never let your guard down no matter how good you can be.

    This is one valuable lesson I've learned today.


  2. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #2

    Should you run into something like that again, don't even click Cancel. Instead, use the keyboard shortcut Alt+F4 until all windows are closed.


  3. Posts : 2,132
    Windows 7 Ultimate x64
       #3

    I highly recommend that you install Secunia Personal Software Inspector (PSI) to detect and patch computer vulnerabilities/out-of-date programs. Vulnerabilities and out-of-date programs are sources of exploits. Vulnerabilities are like holes. Once it's busted open and left without a patch, exploits can get through these holes and infect your PC with vicious viruses (e.g. rogues, trojans, backdoors, etc). An example is that rogue antivirus/antispyware, Win 7 Antispyware 2012.


  4. Posts : 2,523
    -
       #4

    In addition to Corrine's suggestion, immediately break the physical internet connection by unplugging the internet cable or turning off the Wireless connection.
    I ran into a similar situation a few years ago when the nasty ErrorSafe pop-ups were haunting the web. Clicking on the red cross to close the pop-up redirected me to the ErrorSafe website which promoted fake antivirus software. Never click on such pop-ups.


  5. Posts : 284
    Windows 7 Professional 64bit
       #5

    All good suggestions. I have found that MSE is fairly useless in dealing with these new fake alert strains, and the more you use your computer after infection the worse things get.

    I have found that Norton is the best solution.


  6. Posts : 5,642
    Windows 10 Pro (x64)
       #6

    If you have UAC on, this fake security software is pretty much locked to your account; creating a new account, for example, would not exhibit any of these issues. (Depends if there is a hole to get administrative rights without prompting.) It is also safe to say it probably got in via Flash, it likes poking holes in IE's sandbox. As for turning off MSE, it turned off the client interface but the backend should still be running.


  7. Posts : 761
    Windows 2000 5.0 Build 2195
    Thread Starter
       #7

    Athene said:
    In addition to Corrine's suggestion, immediately break the physical internet connection by unplugging the internet cable or turning off the Wireless connection.
    I actually did break the connection, but it took me a whole lot of minutes to realize that I should! I guess those movies we all consider stupid (the ones where they do all this "typing-non-stop-to-prevent-the-hack-when-you-can-just-pull-the-plug" thing) got into my subconscious... *facepalm on self*

    Nonetheless, great advice!

    logicearth said:
    If you have UAC on, this fake security software is pretty much locked to your account; creating a new account, for example, would not exhibit any of these issues. (Depends if there is a hole to get administrative rights without prompting.)
    I actually did create a new account to try and recover mine, but I figured system restore would be much, much easier. I'm curious on that though. What do you mean by "locked to [my] account?"

    logicearth said:
    It is also safe to say, it probably got it via Flash, it likes poking holes in IE's sandbox..
    Yeah, I blame Flash too. If it weren't for my homework and YouTube requiring Flash, I would still have it disabled.

    logicearth said:
    As for turning off MSE, it turned off the client interface but the backend should still be running.
    You're right. I remember seeing msseces as a process in Task Manager. I assumed it was off because it didn't detect something so obvious right in front of my eyes! D:


  8. Posts : 5,642
    Windows 10 Pro (x64)
       #8

    arkhi said:
    I actually did create a new account to try and recover mine, but I figured system restore would be much, much easier. I'm curious on that though. What do you mean by "locked to [my] account?"
    Locked to your account as in, it is only your account that is infected. File association settings, for example, are limited to your account. I had the same type of malware on my mother's computer; it only affected her account, which makes these types of infections very easy to fix, being that it cannot hook itself into the root of the system itself.
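The per-user file association that logicearth describes (and that explains why deleting the rogue exe in post #1 broke every .exe) lives under HKCU\Software\Classes, which a standard user can write without UAC and which Windows merges over HKLM\Software\Classes when it resolves HKEY_CLASSES_ROOT. The following PowerShell script is an added example, not code from the thread or from any of the posters: it audits the .exe association for the current account, reports any per-user override and the open command it points at, and optionally removes the override so the machine-wide default ("%1" %*) applies again. The registry paths are the standard Windows ones; the -Repair switch and the output wording are assumptions of this example.

```powershell
# Added example (not from the thread): audit the per-user .exe association that
# rogue AV families hijack under HKCU. No elevation is needed for that hijack
# because HKCU\Software\Classes is writable by the logged-on user and takes
# precedence over HKLM\Software\Classes in the merged HKEY_CLASSES_ROOT view.
# Read-only unless -Repair is given.
param([switch]$Repair)

$findings = @()

# 1. A per-user override for the .exe extension is absent on a clean machine.
$userExt = 'HKCU:\Software\Classes\.exe'
if (Test-Path $userExt) {
    $progId = (Get-ItemProperty $userExt -ErrorAction SilentlyContinue).'(default)'
    $findings += "HKCU override for .exe present, ProgID = '$progId' (expected: key absent)"
    # 2. Follow the ProgID the override names and read its open command; a hijack
    #    typically points this at the rogue exe with "%1" %* appended so every
    #    program launch passes through it first.
    if ($progId) {
        $cmdKey = "HKCU:\Software\Classes\$progId\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty $cmdKey).'(default)'
            $findings += "Open command for ProgID '$progId': $cmd"
        }
    }
}

# 3. A per-user exefile\shell\open\command is the other common variant.
$userExefile = 'HKCU:\Software\Classes\exefile\shell\open\command'
if (Test-Path $userExefile) {
    $cmd = (Get-ItemProperty $userExefile).'(default)'
    if ($cmd -ne '"%1" %*') {
        $findings += "HKCU exefile open command is '$cmd' (expected '`"%1`" %*')"
    }
}

# 4. The machine-wide default for comparison; anything else here means the
#    change was made with admin rights and is not limited to one account.
$machineCmd = (Get-ItemProperty 'HKLM:\Software\Classes\exefile\shell\open\command').'(default)'
if ($machineCmd -ne '"%1" %*') {
    $findings += "HKLM exefile open command is '$machineCmd' (expected '`"%1`" %*')"
}

if ($findings.Count -eq 0) {
    Write-Output 'No .exe association hijack found for this account.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Repair) {
        # Removing the per-user override makes this account fall back to the
        # HKLM default. The rogue executable itself still has to be removed.
        Remove-Item $userExt -Recurse -Force -ErrorAction SilentlyContinue
        Remove-Item 'HKCU:\Software\Classes\exefile' -Recurse -Force -ErrorAction SilentlyContinue
        Write-Output 'Removed per-user .exe association overrides; sign out and back in.'
    }
}
```

Run it as the affected user (`.\Check-ExeAssociation.ps1`, then `-Repair` once the findings make sense). Because the override is stored per account, the same check run from a freshly created account reports nothing, which is exactly the behaviour described above; conversely, a non-default value under HKLM would indicate the malware did get elevated rights and a per-user cleanup is not enough.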


  9. Posts : 761
    Windows 2000 5.0 Build 2195
    Thread Starter
       #9

    Thank you very much for the input logicearth!

    BTW, it happened to me again but this time I'm more prepared. Thanks to UAC, no harm was done. When a random Flash UAC popped up again I just hit close and opened task manager immediately. This is what I noticed:

    There was a file which seems to have a random file name suddenly saved to my Documents folder (87b0k.exe). The Flash UAC seems to be provoked by it, because the Flash UAC just kept coming up unless I killed it. As soon as I killed it, though, the fake malware pop-ups started appearing. I pinpointed it to jds.exe and I just needed to kill all of those to stop it from running.

    I accidentally double clicked 87b0k.exe and now all my .exe files won't open -.-

    Is there a way I can upload these files to MS for analysis?
    Last edited by Brink; 10 Dec 2011 at 22:12. Reason: Removed potentially infected files. Do not post such files for someone else to be infected by them.


  10. Posts : 19,383
    Windows 10 Pro x64 ; Xubuntu x64
       #10


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.