"You have a security problem"

VirtualLarry

No Lifer
Aug 25, 2001
A friend's computer keeps popping up "You have a security problem". Clicking on the popup leads to a web site with "Antivirus 2009" on it, and it doesn't want to let the web browser go.

Anyways, I downloaded the newest Malwarebytes' Anti-Malware, and did a full scan. It found "trojan.Agent" and "trojan.FakeAlert". They were all "tmpXX.exe" files in the temp directory. Malwarebytes claimed to remove them.

I then did a Windows Update, found about 12 updates, most of them security updates. (He is running SP2 still)

So after that, I reboot the machine and hand it back over to him. He goes to the WAAF web page, and goes to this slot-machine page that is part of that site. BOOM! "You have a security problem."

So I'm guessing it's something on that site, but why is it getting in if the machine is "fully patched"? (IE7, including latest cumulative update)

Frustrated. I would install Firefox for him if he were more computer literate, but he isn't.

(A different friend of mine, I did successfully get to use Firefox. But he still got hit with "Antivirus 2009" a few months ago. He was running his PC without his router hooked up, I assume that's how it got in.)

Both of these friends use "limited accounts".

It's not a problem to manually end task the tmpXX.exe files, he had a whole pile of them in his temp directory.

Can anyone shed some light on this?

Edit: I should note that it looks like he does NOT actually have the "Antivirus 2009" infection itself, just some loaders that generate popups, that direct the user to a web site to supposedly install it. Thank goodness. The system screensaver is still the default one, not the fake blue-screen screensaver that it installs that you can't get out of (unless you CTRL+ALT+DEL).
 

VirtualLarry

No Lifer
Aug 25, 2001
The web site is "army.waaf.com", and click on "Slot Machine". That's what he's doing to get infected. He just did it in front of me, and didn't linger on the main page for very long. So it's either on the main page, or the Slot Machine page is booby-trapped.
 

law9933

Senior member
Sep 11, 2006
Sorry, if you go to bad websites, bad things happen I hear.
Nothing can protect you if you will not protect yourself.
Only my personal opinion that I have seen posted by others many times.
 

VirtualLarry

No Lifer
Aug 25, 2001
Well, after seemingly picking up the infection again, I told him not to go to that site. This time, he only went to msn.com and then craigslist. Yet that damned popup appeared again.
So either Malwarebytes is not actually removing it, or something else is going on.
So I guess I cannot confirm that he got it from that WAAF web site, if Malwarebytes wasn't actually removing it.

Btw, neither WAAF's home page (it's a popular local radio station), nor craigslist, is a "bad site".

Edit: I left his machine alone, and now another window popped up, "AntiSpywareGuard", prompting to scan his machine. Uh-oh.

Edit: Damn. Scan with Malwarebytes, reboot, login to "Internet" account (limited user account), let it sit there, still get the popup without even opening IE. Malwarebytes keeps removing Trojan.Agent and Trojan.FakeAlert, but it's not removing whatever is causing the popup.

I've been scanning from the Admin account, do I need to do a Malwarebytes scan in each user account too, in order to clean them?

Edit: Downloaded SuperAntiSpyware, and am scanning with that. (Free version)
 

MadAmos

Senior member
Sep 13, 2006
From what I have seen this is a fast morphing SOB and the anti-malware software is having a tough time keeping up with the new variants. In many cases the OS is damaged in trying to remove it, and although it is possible, you should probably seek help from an expert at virtualdr, wilders or similar. But even better is to nuke and start over... he does have backups of his files... right? :frown: A good lesson in why a tightly locked down system and a limited user account is a must.
 

law9933

Senior member
Sep 11, 2006
If he needs to save the HD files, it would be time for a HJT log & a trained adviser's help. The problem seems to be deeply dug in.

I do see you are a longtime member, but no one else is responding.

My mistake, there is a response
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Start by checking the system with Secunia's Personal Software Inspector. Fix the stuff it indicates. My guess: vulnerable Adobe Flash Player. I will do some investigating and see if I can find out for sure what the malicious site is using.

If he wants to boost security to keep this stuff from getting anywhere, have him try a non-Admin user account. edit: I see that's already been done :thumbsup: I'd also suggest looking at the other steps on that page, such as fully enabling Data Execution Prevention, and getting his updating engine upgraded to Microsoft Update instead of Windows Update. If he can implement Software Restriction Policy (the final step), that's a very powerful countermeasure, and will make it impossible for an .EXE to run from his Temp folder. Period.
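The Software Restriction Policy step mechBgon mentions, as an added example that is not from his guide or from the thread: a PowerShell helper that writes a Disallowed path rule for executables under the user's Temp folder. It assumes the registry layout SRP uses on XP/Vista (policy root under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, subkey "0" for Disallowed rules); the function name and rule descriptions are my own.

```powershell
# Added example (not from the thread): create an SRP path rule that disallows
# running .EXE files from the user's Temp folder, the location where the
# tmpXX.exe loaders in this thread were living. Run from an elevated prompt;
# "gpupdate /force" or a reboot makes the policy take effect.
# Assumption: standard SRP registry layout (CodeIdentifiers\0 = Disallowed).

$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function New-SrpDisallowPathRule {
    param(
        [Parameter(Mandatory)][string]$PathPattern,
        [Parameter(Mandatory)][string]$Description
    )
    # Policy root with sane defaults: everything Unrestricted by default,
    # rules apply to all users (PolicyScope 0), DLLs excluded (TransparentEnabled 1).
    if (-not (Test-Path $safer)) { New-Item -Path $safer -Force | Out-Null }
    Set-ItemProperty -Path $safer -Name DefaultLevel       -Value 0x40000 -Type DWord
    Set-ItemProperty -Path $safer -Name TransparentEnabled -Value 1       -Type DWord
    Set-ItemProperty -Path $safer -Name PolicyScope        -Value 0       -Type DWord

    # Each path rule is its own {GUID} subkey under the Disallowed level (0).
    $rule = Join-Path $safer ('0\Paths\' + [guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $rule -Name Description  -Value $Description -Type String
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -Type QWord
    return $rule
}

# Cover both environment variables a loader could be dropped under.
New-SrpDisallowPathRule -PathPattern '%TEMP%\*.exe' -Description 'No EXEs from user TEMP'
New-SrpDisallowPathRule -PathPattern '%TMP%\*.exe'  -Description 'No EXEs from user TMP'
```

Because %TEMP% is expanded per user, each limited account on the machine gets its own Temp folder covered; verify with a harmless test .exe copied into Temp, which should be refused with a policy message.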
 

RebateMonger

Elite Member
Dec 24, 2005
Originally posted by: law9933
Sorry, if you go to bad websites, bad things happen I hear.
While completely true, waaf.com and army.waaf.com are legitimate sites for a Boston radio station. Sounds like they are getting contaminated advertisement feeds from somewhere.

Given that the PC owner keeps getting infected, I'd recommend he/she re-install Windows, learn how to backup and restore from image backups, and keep a "good" backup on an external hard drive, ready for use next time.

Note: mechBgon's advice (above) is great and I don't want to minimize it, either.
 

Chiefcrowe

Diamond Member
Sep 15, 2008
At this point I think the time taken to try to fix this isn't worth it. I'd just wipe and reinstall and make sure everything is set up and updated correctly from the start.
 

law9933

Senior member
Sep 11, 2006
Sorry, RebateMonger
My mistake, the mention of "Slot Machine" just made me make that statement.
I am glad my statement was true. I thought I would get it when responding to a long-time member (no problem here). Happy Thanksgiving to all.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
Update: the main army.waaf.com page has an exploit. Here's a VirusTotal check on the HTML (safe to click): http://www.virustotal.com/anal...d1f0d1941dffd1c682d96f


I sent a Win2000 virtual machine to the malicious page, logged on as an Admin. I wasn't able to get any .EXEs to look at. Nor did I get any "You have a security problem" stuff.

Next I fired up my WinXP Pro (real, not virtual machine) and logged onto my Limited account, and sent that to the page without any virus protection running. No dice.

Vista x64 with IE7 also shrugged off whatever the exploit is supposed to be.


So my suspicion is that there's an exploitable add-on being used to run .EXEs, but that my systems don't have it installed, or have a patched version. Run that Secunia checkup. And if the system has no antivirus software, get some installed and run a full scan; antispyware apps are fine, but also use an antivirus.

Nuking the system is also an option, as the guys said. Or post a HijackThis log.
 

VirtualLarry

No Lifer
Aug 25, 2001
Sorry for not updating people. It seems that Malwarebytes was not cleaning up the issue, that's why it was re-appearing. So I don't have any positive proof that the waaf web site was the infection source.

I manually killed the processes, and then deleted the .exe files in the temp directory. (Which were surprisingly still there after the Malwarebytes scan.) I didn't run HJT, but I did download SuperAntiSpyware, and that found the "Run" keys that kept running the malware when he logged in, and deleted them.

So as far as I know, the machine is clean now.
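The manual clean-up VirtualLarry describes (Run keys re-launching tmpXX.exe from Temp, scans from the Admin account missing the other accounts), as an added audit script that is not from the thread or from any of the tools named in it. It is read-only, enumerates Run/RunOnce in HKLM and every loaded user hive, and flags entries that point into a Temp folder; the function names and the "suspicious" regex are my own assumptions.

```powershell
# Added example (not from the thread): audit autorun persistence across ALL
# loaded user hives, not just the account you are logged into. Scanning only
# from the Admin account is exactly what let the Run keys in the other
# accounts survive in this thread. Run elevated; nothing is modified.

$runSubkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed heuristic: command lives under a Temp/Tmp folder or is tmpNN.exe
$suspicious = '(\\temp\\|\\tmp\\|\\tmp[0-9a-f]*\.exe)'

function Get-AutorunEntries {
    # HKEY_USERS only holds hives of users who are logged on (plus .DEFAULT);
    # log each limited account in once, or load its NTUSER.DAT, to cover it.
    $hives = @('HKLM:') + (Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { 'Registry::HKEY_USERS\' + $_.PSChildName })
    foreach ($hive in $hives) {
        foreach ($sub in $runSubkeys) {
            $path = "$hive\$sub"
            if (-not (Test-Path $path)) { continue }
            $key = Get-Item $path
            foreach ($name in $key.GetValueNames()) {
                $cmd = [string]$key.GetValue($name)
                [pscustomobject]@{
                    Hive       = $hive
                    Name       = $name
                    Command    = $cmd
                    Suspicious = [bool]($cmd -match $suspicious)
                }
            }
        }
    }
}

# Running processes whose image sits in a Temp folder (the tmpXX.exe loaders)
function Get-TempProcesses {
    Get-Process | Where-Object { $_.Path -and $_.Path -match $suspicious } |
        Select-Object Id, ProcessName, Path
}

Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-TempProcesses  | Format-Table -AutoSize
```

Entries flagged Suspicious are the ones to inspect and remove by hand after killing the matching process, which is the order VirtualLarry ended up using.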
 