Help - Virus attack?

xiaobao12

Senior member
Oct 9, 2004
283
0
0
I was surfing the web thru Firefox and then all of a sudden, I get a window that pops up in the bottom right corner saying that I have some sort of malware/virus attack. It fooled me because it had the Windows security shield in the window so for one instance, I thought it was legit but then it started to show the install bar so I quickly closed it. I then quickly closed my browser, disabled my wireless connection and closed all open programs. However, the windows continued to pop up. Also, there was a balloon in the right taskbar that had an X thru it.

I then shut down my computer and tried to start it in safe mode, thinking that it would be smart to run antivir, malware bytes, superantispyware. However, no programs would open up! I would get the hourglass by the mouse cursor and then nothing. The .exes would come up in the taskmanager but the programs would not start.

I am now back in regular mode and there is no pop-up or anything unusual. However, the same problem exists - the antivirus and antimalware programs do not start up!

Any advice would be appreciated.

I am running a DELL 4600 Dimension - WINDOWS XP SP 3 - 4 GB RAM - (I just got a random pop-up now saying that the google installer.exe needs to exit!) - 2 internal HDS - 2 opticals.

Thank you.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
As an opening move, bash your head against the monitor a few times then try System Restore to go back to before the attack happened. That might work, or might not. If it works, and you can run your security programs, then give the system a full scan with all of them. If it doesn't, try renaming the Superantispyware.exe file to somethingelse.exe and try to run it, sometimes that works.

I have some other suggestions to help stop it from happening again: http://www.mechbgon.com/security You might or might not be ready to try the non-Administrator user account (step #1) but definitely get your Data Execution Prevention enabled, get the Microsoft Update engine upgrade, remove software you don't use (Java, QuickTime, whatever) to reduce "attack surface," and get the Secunia PSI checkup utility.

Since you mentioned you've got AntiVir, also go into its Configuration panel and make sure it's detecting all possible categories of malware (including spyware and adware), not just the basics.
 

xiaobao12

Senior member
Oct 9, 2004
283
0
0
Man, am I glad you responded, Mech. I've used your help before on this forum and your guidelines were awesome.

I have two problems - I don't have system restore enabled. So, I tried reinstalling superantispyware but now, it won't install. I tried renaming the exe with malware bytes but still, it doesn't work.

As for the non-administrator account, I think I do do that? When XP starts in standard mode, I see "MY NAME" and not "administrator". And when I start in safe mode, I do see administrator but I still log in with "MY NAME". If I log in with administrator, I don't see any of my programs or files.

What should I do now?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
To check if you have a non-Admin account, go to the Control Panel and look in the User Accounts, and it'll say underneath each account if it's a Computer Administrator or a Limited account. Like this:


On this system, superuser is the Admin account, and user is the "daily driver" Limited account

Limited is the one that's a "padded cell." The account that's actually named "Administrator" is the system's own Administrator account (this is why it only shows up in Safe Mode), but Windows will require you to have at least one Admin-level account of your own before it'll let you have a Limited account. So if it turns out you've been using an Admin-level account, you can create a new Admin-level account, and then you'll be allowed to switch your own account down to Limited.

Since those steps weren't working, start by backing up your stuff if possible, just in case you need to take drastic action. Emails, contacts, music, video, documents, favorites/bookmarks, get them backed up if you want them.

Next, you could take the surefire approach and reinstall Windows from scratch, or slug it out with the malware and see who wins when the dust settles. If you want to reinstall Windows from scratch,

1) boot the system from the Windows CD and start Setup.

2) when you get to where it shows all the disk partitions, delete all the partitions and then press F3 twice to exit from Windows Setup.

3) now the system restarts. Boot from the Windows CD again, make a partition, and carry on with Windows setup.


If you want to stand & fight, download the Avira AntiVir Rescue System from this page. It makes a bootable CD that can run a virus scan. They've got .ISO if you have a program that burns .ISOs to disc, or a .EXE that burns the disc for you itself. Try booting from their CD and running a scan. Any good?
 

xiaobao12

Senior member
Oct 9, 2004
283
0
0
Hi Mech,

Thanks so much. I wish I knew that you posted at 11AM. I didn't get any email notification.

I would prefer to keep Windows and fight it out. I don't even know where my Windows disc is (moved about 4 times since I've had this computer).

I will create that CD and let you know what happens.

Thanks Mech.

Oh, and you are right - under user accounts, I see that I am an administrator. Should I create a new user and change it to limited after I clean up my computer? Or do it before?
 

xiaobao12

Senior member
Oct 9, 2004
283
0
0
Bad news Mech. I can't find any of my opticals loaded. I went in services and tried to start IMAPI CD-BURNING but it wouldn't start.

I tried to open NERO and it said something about administrator rights and NERO burn rights - never ever seen that message before.

I shall attempt a restart...
 

xiaobao12

Senior member
Oct 9, 2004
283
0
0
Okay - so I installed Trojan Horse Remover and it removed something. That enabled me to start MalwareBytes and clean up majorly.

Now, I am running Spybot.

Whew - I guess I am fine. But how did I activate this malware? Was it because I clicked on the X (close sign) of the window?
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
16,364
4,068
75
IANASE(LM) - I am not a Security Expert (like Mech), but my best guess is that it might have been a Firefox exploit that didn't require any user intervention.

A limited user account would have stopped it, but I know from experience that when a computer comes with an admin account as default, switching off of it can be hard. And it gets harder the longer you use (and customize) the admin account.

My solution, from Mech's page, is to download DropMyRights, and insert that before each browser executable in each shortcut. It's not perfect, but it's relatively easy.
 

KeypoX

Diamond Member
Aug 31, 2003
3,655
0
71
Sounds intense. Personally I would reinstall, learn from experience and try again lol
 

xiaobao12

Senior member
Oct 9, 2004
283
0
0
IANASE(LM) - I am not a Security Expert (like Mech), but my best guess is that it might have been a Firefox exploit that didn't require any user intervention.

A limited user account would have stopped it, but I know from experience that when a computer comes with an admin account as default, switching off of it can be hard. And it gets harder the longer you use (and customize) the admin account.

My solution, from Mech's page, is to download DropMyRights, and insert that before each browser executable in each shortcut. It's not perfect, but it's relatively easy.

hi ken,

what do you mean by "it gets harder the longer you use it" - is it too late to switch my account to limited?
 

Blazer

Golden Member
Nov 5, 1999
1,051
0
0
Whew - I guess I am fine. But how did I activate this malware? Was it because I clicked on the X (close sign) of the window?

When these things happen, never click an X or Cancel, or anything; just Control-Alt-Delete, and when Task Manager comes up, highlight the application and close it, then start scanning.
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
16,364
4,068
75
hi ken,

what do you mean by "it gets harder the longer you use it" - is it too late to switch my account to limited?
Only for the same reasons you decided to "stay and fight" - you get your account set up just so and don't want to mess with changes.

AFAIK, one can't change one's account to limited; one has to set up a new account and move there. Am I wrong about this?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
It could also have been an exploit of a plug-in that can be reached through FireFox, such as Flash Player or Adobe Reader. That's why I emphasized getting the Secunia PSI checkup utility (link), which will tell you if you need updates to that stuff, and give you links to the updates.

That's also why I suggested fully enabling DEP, although I'm not sure if your Dimension 4600 has hardware-enforced DEP... software-mode DEP is far less effective. DEP is a technology that makes it harder to do certain types of exploits.



If you're considering trying out a Limited account, try the approach I spelled out on this page. It's easy, you just make a new Admin account (since there always needs to be at least one), and then you can switch your old account to Limited. Tada, no need to transplant files and settings. Keep using your old account except when you need to do some Admin stuff (installing software, etc), in which case you log into the Admin account you made.

If you give the Admin account a password, then you can also run stuff as Admin from inside your Limited account by holding down the SHIFT key while right-clicking what you want to run, and choosing "Run as..." from the menu and picking your Admin account's name and providing the password.

If it doesn't work out well for you, you can change back to being an Admin or get a modern Windows OS such as Win7.

Note: Limited accounts are great. But they aren't a panacea. The bad guys can still do harm if they can exploit your Limited account with a well-designed attack. For example, they could encrypt your documents and hold them for ransom. They could reprogram your modem or router (srsly!) to use malicious DNS servers. They could delete or copy your stuff. They could steal your game installation keys. On WinXP, anything you can do, they could also do if they get hold of your powers. On Win7 or Vista, Protected Mode helps stop those monkeyshines if you use IE7 or IE8.
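An added example, not from this thread or from mechBgon's page: a PowerShell 2.0 script (runs on XP SP3 with PowerShell installed, and on Win7) that checks the three things raised above, whether the current account is Limited or Admin-level, whether DEP is hardware-backed and "fully enabled" (OptOut/AlwaysOn rather than the OptIn default), and whether any adapter has picked up DNS servers other than the ones you expect, which is the symptom of the router-reprogramming attack described. The $ExpectedDns address is an assumption; put your own router's or ISP's resolver addresses there.

```powershell
# Added audit script (not from the thread). Run it from the account you
# browse with. $ExpectedDns is assumed; replace with your real resolvers.
$ExpectedDns = @('192.168.1.1')

# 1. Account type: a Limited account is not a member of Administrators.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if ($principal.IsInRole($adminRole)) {
    Write-Output "[!] $($id.Name) is an Administrator-level account."
} else {
    Write-Output "[ok] $($id.Name) is a Limited (non-Admin) account."
}
# Command-line equivalent of Shift+right-click 'Run as...' for the
# occasional install from a Limited account (replace the placeholders):
#   runas /user:<YourAdminAccount> "C:\path\to\setup.exe"

# 2. DEP: Win32_OperatingSystem reports hardware support and the policy.
#    0 AlwaysOff, 1 AlwaysOn, 2 OptIn (Windows binaries only), 3 OptOut (all).
$os = Get-WmiObject -Class Win32_OperatingSystem
$policyNames = @{0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut'}
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("DEP hardware support: {0}" -f $os.DataExecutionPrevention_Available)
Write-Output ("DEP policy: {0} ({1})" -f $policy, $policyNames[$policy])
if (-not $os.DataExecutionPrevention_Available) {
    Write-Output "[!] CPU/OS report no hardware DEP; only software-mode DEP is in play."
} elseif ($policy -eq 0 -or $policy -eq 2) {
    Write-Output "[!] DEP is not fully enabled; set it to OptOut (all programs) or AlwaysOn."
} else {
    Write-Output "[ok] DEP covers all programs."
}

# 3. DNS: a hijacked router hands out attacker-controlled resolvers, so
#    compare each active adapter's DNS list with the expected set.
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
  ForEach-Object {
    $dns = @($_.DNSServerSearchOrder | Where-Object { $_ })
    $unexpected = @($dns | Where-Object { $ExpectedDns -notcontains $_ })
    if ($unexpected.Count -gt 0) {
        Write-Output ("[!] {0}: unexpected DNS server(s) {1}" -f $_.Description, ($unexpected -join ', '))
    } else {
        Write-Output ("[ok] {0}: DNS {1}" -f $_.Description, ($dns -join ', '))
    }
  }
```

The DEP policy can be changed under System Properties > Advanced > Performance > Data Execution Prevention, or with `bootcfg` on XP; a "[!]" on the DNS check means the router's configuration, not just the PC, needs to be inspected and reset.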
 

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
Don't feel bad about clicking on the pop up. Malware folks are copying anti virus apps' look and feel as quickly as the companies change them now. Some are so complete they even have the application sounds. If you are on a 32 bit OS I suggest looking at sandbox. Sandbox puts the application in a virtual machine of sorts. It cannot make changes to your system. If the application has malware like yours did, then you just close sandbox and no harm done.
http://www.sandboxie.com/


I use virtual machines for browsing, which is another approach. You can download VirtualBox and install a copy of something like Linux or XP and browse inside that and just close it if you get problems without worry.
http://www.virtualbox.org/
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I use virtual machines for browsing, which is another approach. You can download VirtualBox and install a copy of something like Linux or XP and browse inside that and just close it if you get problems without worry.
http://www.virtualbox.org/

That's still not a cure-all. I can think of several ways it could backfire, based on past history. For example, if the VM's browser has Flash, it could be used to launch an exploit that reprograms one's router or modem to use malicious DNS servers. Or inject malicious content into other computers' network packets on-the-fly (I kid you not), resulting in attacks on the host OS and other computers on the network. If you use a VM, secure its OS as best you can, it's just best practices.
 