Old Apr 5, 2011, 5:16 PM   #1
Senior Member
 
Join Date: Jun 2002
Location: Victoria, B.C., Canada
Posts: 866
Uninvited - and I think, malicious - program

Has anybody else been plagued by a program that pops up when viewing Google images?

I was searching for images of various sorts of plants & trees & suddenly an alarming-sounding display appeared on the screen - and took over. It purported to have some connection with Microsoft. It announced that my computer had viruses & trojans and that it would now scan my computer - and then it appeared to be doing something.

I noticed that the URL was antispyware dot something and there was an invitation to download a .exe file called BestAntivirus2011 (which I certainly did NOT want to do.) Trying to close the displayed page didn't work - it just kept going, so I unplugged the computer, reformatted the hard drive, & re-installed Windows.

A day or two later it all happened again. The intrusion was so infuriating that I not only wiped the hard drive yet again and reinstalled Windows, but I've kept the computer (it is my main one) disconnected from the Internet.

The same then happened with my spare computer. However, because I want to use the Internet I've re-programmed the spare computer with Ubuntu 10.10. So far, it seems that Ubuntu isn't being attacked. I used Ubuntu to send this.

Thoughts anybody?
Herb is offline
Old Apr 5, 2011, 5:36 PM   #2
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378

Fake malware scanners are extremely popular with criminals, as many users will pay the "blackmail" money to get the full version to remove the [fake] problems found (and of course, the problems still remain and then they have your credit card info, too).

What version of Windows are you running? What browser are you running (IE, Firefox, etc.) and what specific version of it do you have (look at its Help>About menu choice)?

From what I can find out about that one, it's typical "drive by" type malware and shouldn't be infecting your Master Boot Record. But, even if it is, when reinstalling Windows, a new MBR (and Windows should be creating one by default) should fix it, if you're installing it in a way that recreates the partition table (and that varies by Windows version).

What you may want to do is use the Ubuntu Live CD you have and delete all partitions on the drive using the included partition manager (it probably has GParted in its menus that you can use for that purpose). Then, reinstall Windows, letting it repartition the drive for you.

Or, zero out the MBR entirely first (you can use dd on the Ubuntu Live CD for that purpose and overwrite the first 512 bytes on the drive), just to make sure you don't have boot sector malware that's still there. But, let me know what Windows version you're running first.

How about removable media (USB Sticks, External Drives, etc.)? You may have malware on one of them that's loading when you plug in a device via autorun if you don't have that feature disabled in the version of Windows you're running now.

There are lots of ways to clean a drive, and you may be able to get rid of it without another reinstall using one of a number of malware scanners that can run from DVD or USB Stick. For example, Avira, Bit Defender, Dr.Web and others have free malware scanners based on Linux Live CDs that you can download and burn to CD or USB Stick and boot into to clean many of those types of problems. I keep some of them handy on a USB Flash drive for that purpose. That way (booting into a different operating system to run the scans), the malware isn't actually loading and able to evade the products you're trying to use to clean the infected machines.

Another technique is removing a drive and installing it in a known clean PC as a second drive. Then, use popular products (Malwarebytes, etc.) to scan the compromised drive (since you wouldn't be loading anything from it to clean it, as you'd be booting from a known clean drive with Windows installed).

But, I'd let us know more about your config first.
JimC is offline
Old Apr 5, 2011, 5:45 PM   #3
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378

Quote:
Originally Posted by Herb
So far, it seems that Ubuntu isn't being attacked. I used Ubuntu to send this.

Thoughts anybody?
Stick with Ubuntu? ;-)

Or, even better, try Linux Mint 10 (it uses an Ubuntu 10.10 base but has lots of stuff preinstalled and a much nicer menu system). See more about it here:

http://www.dedoimedo.com/computers/l...int-julia.html

Most malware is targeting Windows now. But, no OS is totally secure if you're not installing software from trusted sources. I use both Windows and Linux. But, with Windows, I use a number of defensive layers to reduce my vulnerability. For example, I use Avira Antivir Premium as a "first defense", and I use products like Malwarebytes and SuperAntiSpyware to scan for anything missed on a frequent basis. I also scan my Windows partitions using multiple malware scanners running under Linux, and I setup a standard (non Admin) account in Windows to keep malware from being able to install, use DNS servers that warn me about sites that may have malicious code on them, use strong firewalls, use a fully patched browser and operating system (even scanning anything I want to install using multiple scanners via sites like http://www.virustotal.com ).

In addition to many known vulnerabilities in Operating Systems and Internet Browsers (it's a *really* bad idea to run older versions of many browsers) that you need to make sure are fully patched, if you have out of date plugins for Adobe Flash Player, Acrobat Reader, Java, and others, you're just asking for trouble (because as soon as vulnerabilities are published and patched, criminals get to work producing malware for those vulnerabilities, knowing that many users are just too lazy to update their browsers and plugins to the latest versions).

Let us know more about your config as a first step (Windows version and service pack level, Browser Version, if you have an external devices like USB attached drives or flash memory sticks that the malware may be loading from after a reinstall of Windows, etc.).

Note that *most* malware comes from legitimate sites now that have been compromised by criminals without their knowledge. But, it sounds pretty suspicious that you were reinfected after formatting your drive and reinstalling Windows *if* you installed it in a way that created a new partition table and installed a new boot loader (hence my suspicion that you might have malware on an external device that's loading because you have Autorun enabled in your Windows installation). I'd let us know exactly how you formatted the drive and reinstalled Windows, too (what steps/tools you used, as if you just reinstalled from an existing "recovery" partition on the drive, you may still have boot sector malware on them, since the MBR was probably not recreated using that type of technique).
JimC is offline
Old Apr 5, 2011, 10:20 PM   #4
Senior Member
 
Join Date: Jun 2002
Location: Victoria, B.C., Canada
Posts: 866

Jim - Thanks for the advice. Whenever I wipe & reformat the hard drive on my main computer, I first delete the partition(s) & also use the DOS command - fdisk /mbr

My browser is Firefox - the last one of the version 3 series. I tried version 4 but got irritated by it. I have several USB sticks and a USB connecting hard drive for backup.

Incidentally, one thing that I never, ever do though is store any financial information whatsoever - e.g. credit card numbers or bank account particulars or social insurance numbers - on my computers, so I reckon that even if some rogue gets access to my computer, he can't get anything worthwhile out of it. Not that that prevents a criminal from hacking into it for some other bad purpose.

I guess I exposed my computer to this sort of malware because I really like Windows 2000 (I have the version complete with Service Pack 4) and have persisted in using it both for photography and for going on the Internet. Windows 2000 is so easy and straightforward to use - and fast too. I've therefore decided to separate the two functions. Computer No. 1 will (at least for the time being) use Windows 2000 and be reserved for photography including Photoshop (helped by a new HP ZR24w monitor that I've just ordered) and will NOT be connected to the Internet. If that setup works without any sign of the malware problem, I'll be content - but the computer (No. 1) is going to stay separated from the Internet.

For the Internet on the other hand, I'm going to use the spare - computer (No.2). Ubuntu works very nicely on it for Internet activity, but in light of what you say, I'm going to switch to Mint 10.
Herb is offline
Old Apr 6, 2011, 7:04 AM   #5
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378

Chances are, you've got malware on one of the external USB Drives or Flash drives that's loading whenever you plug it in, as becoming reinfected by the same malware again after a good reinstall when recreating the partitions and updating the MBR code is very suspicious:

Here's a patch for Win 2K SP4 that lets you disable Autorun (so that malware won't automatically run and install when you plug in a removable drive that's infected).

http://www.microsoft.com/downloads/e...displaylang=en

That particular malware strain appears to be relatively new (but, there are many similar examples around of fake anti-spyware, etc.), and I haven't seen any reports of it spreading by USB. But, my guess is that something is loading from removable media that's causing you to become reinfected.

Check for any autorun.inf files on them and look for what they're loading (probably a hidden .com or .exe file on your removable media that's installing itself and pulling even more malware from the net once it's installed).

What you may want to do is install unetbootin in Ubuntu on your second PC. It should already be in the Ubuntu software repositories (it's available for Linux and Windows), so you can install it with a mouse click or two using the Synaptic Package Manager in Ubuntu.

That will let you burn .iso files to USB Stick (so that you can boot and run Live Linux distros without wasting a CD or DVD).

Then, scan *all* of your media (internal drives, USB Flash Drives, USB Hard Drives) using a few of the popular malware scanners that have "live" linux versions available that you can boot into (so that you're not loading anything from a compromised drive).

*None* of them are perfect, *especially* with newer malware strains. So, I wouldn't trust that drives are clean when some of them come back with nothing found.

Here are a few that have Live Linux .iso files you can download and burn to a USB Flash Drive or CD/DVD and boot into:

Dr.Web (better than most for hard to find root kits):
http://download.geo.drweb.com/pub/drweb/livecd/

Avira Antivir Rescue CD:
http://dlpro.antivir.com/package/res...-common-en.iso

Bit Defender Live CD .iso
http://download.bitdefender.com/resc...-rescue-cd.iso

Panda SafeCD .iso
http://www.pandasecurity.com/resources/tools/SafeCD.iso

When you burn those to USB or CD and boot into them to scan your media, make sure to use their features to update virus definitions to the latest versions first (which will require an internet connection).

Note that I'd also install an anti-malware product in Linux if you plan on using it on your second PC. Personally, I use Eset NOD32 with Linux (even though I use other products like Avira Antivir Premium with Windows). Get it here for Linux:

http://beta.eset.com/linux
JimC is offline
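The check JimC describes above (look for autorun.inf on each removable drive and see what it would launch) can be done from the Live Linux session without executing anything on the media. The script below is an added example, not from the thread or from any of the products mentioned; it assumes the suspect drive is already mounted read-only at a path you pass to scan_media, and make_sample_media builds a constructed autorun.inf plus a placeholder file so the logic can be tried offline.

```shell
#!/bin/sh
# Added example: inspect removable media for autorun.inf and report the
# program(s) it would launch, without running anything from the drive.
# Assumption: the drive is mounted read-only, e.g. mount -o ro /dev/sdb1 /media/usb

# Print the launch targets named in an autorun.inf ([autorun] section only).
# Covers the open=, shellexecute= and shell\<verb>\command= keys; comment
# lines (;) and Windows CR line endings are handled.
autorun_targets() {
    tr -d '\r' < "$1" | awk -F= '
        /^[ \t]*;/ { next }                                  # comment line
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[ \t]/, "", sect); next }
        sect == "[autorun]" && NF >= 2 {
            key = tolower($1); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "open" || key == "shellexecute" || key ~ /^shell\\.*\\command$/)
                print val
        }'
}

# Scan the root of a mount point: report each autorun.inf, every target it
# references, and whether that target file actually exists on the media
# (a hidden .com/.exe that is present is what you would then submit to a scanner).
scan_media() {
    mount=$1
    find "$mount" -maxdepth 1 -iname 'autorun.inf' -type f 2>/dev/null |
    while read -r inf; do
        printf '== %s\n' "$inf"
        autorun_targets "$inf" | while read -r target; do
            # first token is the program; Windows backslashes become path separators
            prog=$(printf '%s' "$target" | cut -d' ' -f1 | tr '\\' '/')
            if [ -e "$mount/$prog" ]; then
                printf '  launches: %s  (present on media)\n' "$target"
            else
                printf '  launches: %s  (target not found)\n' "$target"
            fi
        done
    done
}

# Constructed sample for trying the script offline: a temp directory standing in
# for a mounted USB stick, with an autorun.inf pointing at an empty placeholder.
make_sample_media() {
    d=$(mktemp -d)
    mkdir -p "$d/RECYCLER"
    : > "$d/RECYCLER/setup.com"     # empty placeholder, not a real program
    printf '[autorun]\r\n;constructed sample for this example\r\nopen=RECYCLER\\setup.com\r\nshell\\open\\command=RECYCLER\\setup.com /s\r\nicon=drive.ico\r\n' > "$d/autorun.inf"
    printf '%s\n' "$d"
}

# Usage: scan_media /media/usb        (real media, mounted read-only)
#        scan_media "$(make_sample_media)"   (the constructed sample)
```

Only the root of the mount point is checked because that is where Windows looks for autorun.inf; the icon= line is deliberately ignored since it never launches anything. A target reported as "present on media" is worth scanning with the Live CD products listed above before the stick is ever plugged into a Windows machine again.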
Old Apr 6, 2011, 7:12 AM   #6
Senior Member
 
Join Date: Mar 2011
Location: Ft. Worth, TX
Posts: 336

Is this only happening when on a Google web page? I have noticed that some web sites will have a pop up advertisement that appears to be scanning your computer, when in reality it's just part of the pop up ad and it's not truly scanning anything at all. Can you close the pop up? Does it go away when you navigate away from the offending site?
__________________
Jerry
jdnan is offline
Old Apr 6, 2011, 7:23 AM   #7
Administrator
 
Join Date: Jun 2003
Location: Savannah, GA (USA)
Posts: 22,378

Yes, sometimes these scans can be amusing, as I'll see them scanning Windows folders on a Linux PC and reporting Windows malware being found. :-)

But, don't take them lightly, as many will install malware without you even clicking on anything (to install the fake program that can supposedly fix the fake problems it's reporting).

The best thing to do is immediately kill your browser (use CTRL+Alt+Delete to bring up task manager, then find your internet browser in the list of programs running and kill it) *immediately* if you see that.

Depending on your Operating System and plugins, some of them don't require you do anything else before they'll install themselves (no user intervention or clicking required).

But, if you're fully patched (up to date OS, browser, plugins for Flash Player, Adobe Reader, Java, etc.), then you may not be infected unless you click on something and install a program. Either way, I'd immediately kill your browser using Task Manager without clicking on anything else.

Out of date Internet Browser versions and plugins like Adobe Acrobat reader, Adobe Flash Player, etc., are the most common attack vectors for "drive by" malware (able to install without any user intervention at all). So, make sure you're fully updated to the latest versions of them. New vulnerabilities are found on a regular basis, and when users don't update those types of things, malware writers take advantage of the vulnerabilities once they become published.

Here's a good tool for checking to see if you're up to date on a lot of that stuff (many users leave out of date Adobe Flash Player, Acrobat Reader, etc., installed; and that's just asking for trouble). It's a browser plugin I use with Firefox that checks to see how vulnerable you are, and helps you to download and install current versions of products that are out of date:

https://browsercheck.qualys.com/

Note that I'd also suggest using the NoScript addon for Firefox. Get it here:

http://noscript.net/
JimC is offline
Old Apr 6, 2011, 1:49 PM   #8
Senior Member
 
Join Date: Mar 2005
Location: Extreme Northeastern Vermont, USA
Posts: 4,212

There are also some programs offering free registry or malware scans, which install parts of themselves in the Startup folder, but these parts don't go away when you uninstall the program. Recently ran into this with Registry Mechanic, which a friend had tried. Every time she booted the computer, it popped up a window saying there were 240 incorrect entries in the registry, and brought up the browser to the program's home page. (one of her children had tried it out to try to solve a speed issue with the laptop).

brian
VTphotog is offline
Old Apr 6, 2011, 9:18 PM   #9
Senior Member
 
Join Date: Jun 2002
Location: Victoria, B.C., Canada
Posts: 866

UPDATE

I've installed Linux Mint 10 - and like it better than Ubuntu - mainly, I think, because the interface (if that's the right word) is so clean, simple & easy on the eye.

The only problem so far has been the Thunderbird e-mail program - it would receive but not send. The experts at our local ISP couldn't help & the nearest I got to identifying the problem was finding a box about troubleshooting or some such & it read - "Server does not support RFC 5746, see CVE-2009-3555" whatever that is all about. An internet search disclosed that a lot of other people have met with the same problem, but so far as I can see only a super computer geek could ever understand the explanations that followed after that.

I'm glad to say that I managed to restore full email service by uninstalling Thunderbird and - (with some difficulty because I'm not a computer geek) - download and install Evolution Mail in its place.

JDNAN - Yes, it only happened on a Google web page while I was searching for Google images of plants & trees - and No, I couldn't close it down - in fact I couldn't get away from the offending page and had to resort to unplugging the power cord.
Herb is offline
Old Apr 6, 2011, 11:46 PM   #10
Senior Member
 
Join Date: Nov 2010
Location: Belize & UK
Posts: 463

Quote:
Originally Posted by Herb
My browser is Firefox - the last one of the version 3 series. I tried version 4 but got irritated by it
Why? I downloaded V4 recently and it keeps hanging. An absolute pain in the neck. But I no longer have any of the earlier versions to go back to.

A friend's Windows machine had pretty well the problem you outlined in your opening post, and asked me to help with it. I tried all sorts of things, but in the end I had to copy off all his data & check it was clean (it was), then reformat the HD & start again. He was running his machine with no firewall or anti-malware software, and allowing kids free use of it. I hope I convinced him to change his ways!

Can anyone tell me how to reload the last 3.xx version of Firefox? Version 4.0 doesn't work on my machine (Win7 Ultimate, and it hangs maybe 3 times in 10) and I'm having to use Chrome.
__________________
Canon 5D & 7D (both gripped), 24-105L, 100-400L, EF-S 15-85, 50 f1.8, Tamron 28-75, Sigma 12-24, G10, A1+10 FD lenses, tripods, lights etc

Last edited by peterbj7; Apr 6, 2011 at 11:55 PM.
peterbj7 is offline