Solved My PC just got exploited... Wow.

[arkhi]

Anyone else experience this?

I was only browsing three sites: webassign.net (Homework), 9gag.com (heh XD), and explosm.net (site for those popular comic shorts). While scrolling through explosm.net, all IE windows suddenly closed and an Adobe Flash UAC prompt popped up (A legit one). Considering Flash's sec rep and the unexpected closing of my windows, I hit DENY. But suddenly, fake scareware stuff popped uped all over! Trying to open any exe file associated with MS gives me a "Win 7 Antispyware 2012 Firewall Alert". I manage to eventually open Task Manager, and I noticed that all the warnings came from an exe in %appdata%/Local. My desktop looked like this:

[Unedited except shortcuts to protect privacy; Action Center Window is a fake one (checked exe location)]

What really baffled me was how it managed to close MSE without even ticking it off. It also managed to somehow associate all .exe files such that it passes through the malicous exe. Deleting the said exe would cause any executable to pop up an "open with" dialog except my computer. That even baffled me even more because last I checked, you need admin privilages to do that and it STILL did it without elevating!

With IE's sandboxing and Win7's security features, you would expect malicious programs to have difficulty doing dirty stuff on your computer...

Nothing beats a quick system restore, but to all of you out there, never let your guard down no matter how good you can be.

This is one valuable lesson I've learned today.

 

[Corrine]

Should you run into something like that again, don't even click Cancel. Instead, use the keyboard shortcut Alt+F4 until all windows are closed.

 

[Francis93]

I highly recommend that you install Secunia Personal Software Inspector (PSI) to detect and patch computer vulnerabilities/out-of-date programs. Vulnerabilities and out-of-date programs are sources of exploits. Vulnerabilities are like holes. Once it's busted open and left without a patch, exploits can get through these holes and infect your PC with vicious viruses (e.g. rogues, trojans, backdoors, etc). An example is that rogue antivirus/antispyware, Win 7 Antispyware 2012.

 

[Athene]

In addition to Corrine's suggestion, immediately break the physical internet connection by unplugging the internet cable or turning off the Wireless connection.
I ran into a similar situation a few years ago when the nasty ErrorSafe pop-ups were haunting the web. Clicking on the red cross to close the pop-up redirected me to the ErrorSafe website which promoted fake antivirus software. Never click on such pop-ups.

 

[roban]

All good suggestions. I have found the MSE is fairly useless in dealing with these new fake alert strains and the more you use your computer after infection the worse things get.

I have found that Norton is the best solution.

 

[logicearth]

If you have UAC on, these fake security software are pretty much locked to your account, creating a new account for example would not exhibit any of these issues. (Depends if their is a hole to get administrative rights without prompting) It is also safe to say, it probably got it via Flash, it likes poking holes in IE's sandbox. As for turning off MSE, it turned off the client interface but the backend should still be running.

 

[arkhi]

In addition to Corrine's suggestion, immediately break the physical internet connection by unplugging the internet cable or turning off the Wireless connection.

I actually did break the connection, but it took me a whole lot of minutes to realize that I should! I guess those movies we all consider stupid (the ones where they do all these "typing-non-stop-to-prevent-the-hack-when-you-can-just-pull-the-plug-thing) got in to my subconscious.. *facepalm on self*

Nonetheless, great advice!

If you have UAC on, these fake security software are pretty much locked to your account, creating a new account for example would not exhibit any of these issues. (Depends if their is a hole to get administrative rights without prompting).

I actually did create a new account to try and recover mine, but I figured system restore would be much, much easier. I'm curious on that though. What do you mean by "locked to [my] account?"

It is also safe to say, it probably got it via Flash, it likes poking holes in IE's sandbox..

Yeah, I blame Flash too. If it weren't for my homework and YoutTube requiring flash, I would still have it disabled.

As for turning off MSE, it turned off the client interface but the backend should still be running.

You're right. I remember seeing msseces as a process on task manager. I assumed it was off because it didn't detect something so ovbious right in front of my eyes! D:

 

[logicearth]

I actually did create a new account to try and recover mine, but I figured system restore would be much, much easier. I'm curious on that though. What do you mean by "locked to [my] account?"

Locked to your account as in, it is only your account that is infected. File associate settings for example, limited to your account. I had the same type of malware on my mother's computer, it only affected her account which makes these type infections very easy to fix. Being that it cannot hook itself into the root of the system itself.

 

[arkhi]

Thank you very much for the input logicearth!

BTW, it happened to me again but this time I'm more prepared. Thanks to UAC, no harm was done. When a random Flash UAC popped up again I just hit close and opened task manager immediately. This is what I noticed:

There was a file which seems to have a random file name suddenly saved to my Documents folder (87b0k.exe). The flash UAC seems to be provoked by it because the flash UAC just kept comming in unless I kill it. As soon as I killed it though, the fake malware pop ups started appearing. I pinpointed it to jds.exe and I just needed to kill all of those to stop it from running.

I accidentally double clicked 87b0k.exe and now all my .exe files won't open -.-

Is there a way I can upload these files to MS for analysis?

 

[Golden]

Arki,

Since all those files are < 20MB in size, you could try an analysis at these sites:

VirusTotal - Free Online Virus, Malware and URL Scanner
Jotti's malware scan
ThreatExpert - Automated Threat Analysis
Metascan Online | Free online file scanning with multiple antivirus engines

Regards,
Golden

 

[Corrine]

jds.exe is identified as "cloaked malware". Please do not attach infected files to your posts!

If this is the same Win 7 Antispyware 2012 that you showed in your initial post, you need to do the following:

1) Please download the following two files to the desktop. In the event you are blocked by the malware from downloading, it will be necessary to go to an uninfected computer and then transfer the files to the infected computer via CD/DVD, external drive, or USB flash drive.

It may also be possible to download the files in Select Safe Mode with Networking. (To do this, turn your computer off and then back on and immediately when you see anything on the screen, start tapping the F8 key on your keyboard. Using the arrow keys on your keyboard, select Safe Mode with Networking and press Enter on your keyboard. Windows will now boot into safe mode with networking and prompt you to login as a user.)

FixNCR.reg
Bleeping Computer Downloads: RKill

2) If downloaded to the desktop, double-click the FixNCR.reg file. If transported to the infected computer, insert the removable device into the infected computer and open the folder the drive letter associated with it. Double-click the FixNCR.reg file to fix the Registry on your infected computer.

3) Again, if downloaded to the desktop, proceed as shown below. Otherwise, copy the downloaded RKill file to the desktop of the infected computer and proceed:

• Double-click rkill to run.
• A command window will open then disappear upon completion, this is normal.
• Please leave rkill on the Desktop until otherwise advised.
• Do NOT restart your computer after running rkill as the malware program(s) will start again.

Notes: If you you receive security warnings about rkill, please ignore and allow the download to continue.

4) Please download Malwarebytes' Anti-Malware to your desktop.

• Double-click mbam-setup.exe and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to
  Update Malwarebytes' Anti-Malware and
  Launch Malwarebytes' Anti-Malware
• Click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, be sure Quick scan is selected, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
  
  
• Click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Please post contents of that file in your next reply.

** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

[Jacee]

You might also try flushflash "cookie deleter" By Bobbi Flekman
Flash cookie deleter by Flush Flash - A Program To Get Rid Of Flash Cookies

The program has three modes of operation:

• Everything: this simply gets rid of everything there is
• Everything but Site settings: With the Adobe manager you can set pereferences for each site you visit. You can tell Flash how much space is alloted, what privacy conditions are valid, etc. This choice only deletes the cookies, not the Site settings.
• Everything but Adobe settings: Most people will not have configured the settings per site, but you may have changed the settings for Flash itself. So this choice, which is selected on startup, will get rid of all cookies and website settings but leave the settings for Adobe Flash itself.

 

[jimbo45]

Hi there
after that type of warning --wipe the partition and re-install from a good known backup image.

If IE is infected so will Windows explorer be as well --this means that ANY navigation on that computer will be unreliable --so even if you were to try and cleanse the machine you certainly could NOT be sure what you were running.

It's like getting totally lost and the relying on a Sat Nav to get you out of trouble after the Sat nav data has been corrupted - whether directly from the satellite or from data stored in the receiver.

I certainly wouldn't trust a computer if it's main task manager and User interface (windows Explorer / Internet Explorer) had got "contaminated".

Also shows the importance of REGULAR backups.

Cheers
jimbo

 

[logicearth]

Jimbo, that is a bit extreme and not required here. Unless the virus has gotten administrative power it is limited to the single user account. Meaning creating a new user would not be infected.

 

[mikenmar]

I manage to eventually open Task Manager, and I noticed that all the warnings came from an exe in %appdata%/Local. My desktop looked like this:

[...]

What really baffled me was how it managed to close MSE without even ticking it off. It also managed to somehow associate all .exe files such that it passes through the malicous exe. Deleting the said exe would cause any executable to pop up an "open with" dialog except my computer. That even baffled me even more because last I checked, you need admin privilages to do that and it STILL did it without elevating!

YES. I'm experiencing the exact same thing. See my neighboring thread.

MSE got shut down, can't run .exe's without hitting "Properties" and "Start".

 

[arkhi]

Jimbo, that is a bit extreme and not required here. Unless the virus has gotten administrative power it is limited to the single user account. Meaning creating a new user would not be infected.

Yup. I did some research and noticed the malware in question infects the HKCU part of HKCR, where HKCU doesn't need elevation to be modified. This realization made me realize how retarded Microsoft can be by allowing any user-power program to modify the extension properties for .exe files. It's kinda tricky doing an offline repair of the HKCR registry since it's a merger of two, but Corrine's registry files does the trick if you can somehow download it to desktop and run it within the infected user account.

@mikenmar, download Corrines regitry file. If you can't open it because of .exe errors, just press Ctrl+alt+del, open task manager, and on task manager, go to File->New Task... and select the .reg file. that should fix it. Also make sure to clean your system just to be safe.

 

[logicearth]

how retarded Microsoft can be by allowing any user-power program to modify the extension properties for .exe files.

Umm...if a user could not change file-properties for there own account, opening HTML and links in different browsers from another user, would not be possible. However, if that area is compromised one can just DELETE it (The one in HKCU) and the defaults will be used. So, your assessment of Microsoft being retarded including this is rather WRONG. Its a feature not a bug.[/QUOTE]

 

[arkhi]

Modifying extensions other than *.exe files would be fine. I don't see a need why a user would want to modify the extension properties of *.exe files. *.exe files are executables, not child objects of executables where you're supposed to choose a default parent to open it with.

Don't forget it's not that easy to mess with the user-registry hive when you can't open regedit on your user account. I tried messing with the C:\Users\%username%\ntuser.dat using an offline regedit (WinPE) to find the compromised .exe registry key but I can't for some reason. The only way to fix it was to download it and transfer to the infected system and run it under the infected user. HKCR is suppose to reference both HKLM and HKCU, but manually messing with HKCU doesn't work so might as well run it while the user is active. And even that it's very tricky because pretty much every single .exe file would file to open. Even a .reg file would fail to open unless run by task manager via ctrl+alt+del.

 

[logicearth]

Modifying extensions other than *.exe files would be fine. I don't see a need why a user would want to modify the extension properties of *.exe files. *.exe files are executables, not child objects of executables where you're supposed to choose a default parent to open it with.

The registry is just a data store, it is not an enforcer. Stop thinking that it is.

Don't forget it's not that easy to mess with the user-registry hive when you can't open regedit on your user account. I tried messing with the C:\Users\%username%\ntuser.dat...

Well there is your problem. You opened the wrong file. The one that holds all the user file associations is "UsrClass.dat" which can be found at: "AppData\Local\Microsoft\Windows" The file can be deleted, the worst outcome is you have to re-establish your file associations.

 

[arkhi]

Don't forget it's not that easy to mess with the user-registry hive when you can't open regedit on your user account. I tried messing with the C:\Users\%username%\ntuser.dat...

Well there is your problem. You opened the wrong file. The one that holds all the user file associations is "UsrClass.dat" which can be found at: "AppData\Local\Microsoft\Windows" The file can be deleted, the worst outcome is you have to re-establish your file associations.

Not bad. No wonder I couldn't find the HKCU\Software\Classes key. I've done reasearch where the hives are located and I admit that particular piece of information is hard to find. Guess I need to practice refining Google search terms more.