After using computers for over 10 years it seems that I've finally been infected with a virus. I have a friend coming over tonight to take a look but I'm trying to find out what the hell happened.
Last night I played Starcraft and Left 4 Dead and went on my usual game sites. A family member did go on various sites to buy shoes that I don't know of. Then the same family member went on Facebook earlier and said that everything looked fine. I turned on the computer and MSE is disabled, I got a fake antivirus software running, none of my programs are loading and I got random sites popping up out of nowhere. I'm usually smart enough not to go to suspicious sites and I don't know if my family member did something or if it was there all along and nothing caught it.
Hopefully we'll be able to get it cleared off tonight, but other than locking my computer up when I'm not on it, are there any other programs I should download to keep this from happening? Also, I have been using Google Chrome.
I had this happen to me once or twice, and I swear by Malwarebytes' Anti-Malware. It's done absolute wonders for resolving these problems for me. The free version solved most of my problems, so you don't need to buy it.
Last edited by ImpAtom; 08-08-2010 at 01:51 PM. Reason: Minor typo.
What OS are you running?
If my computer were that badly compromised, I'd back up all the personal data, take off, and nuke the partition from orbit and reinstall from scratch. It's the only way to be sure.
Is MSE not that effective?
Win XP Professional. I have two drives; in all honesty the games and such I have can be downloaded/reinstalled, the only thing I want to save are some documents. My last antivirus was McAfee and the one before that was Norton and I never got hit with a virus. My mom, who used the computer last, said that she did not see anything weird, and then when I turned the computer on all hell broke loose.
You may have been infected from a malicious google ad. There have been a few instances in the recentish past where ads from this site (Qt3) had virus payloads using exploits in either Flash and/or Adobe Reader that sound a lot like the virus you're describing.
I haven't seen any evidence of that being the case recently, so you probably didn't get it from here, but the point is that even if you only visit "safe" sites, ads that are served up via Google's ad system can occasionally be virus vectors, and those can be running even on sites that would otherwise be trustworthy, unbeknownst to the site's admins (until their users start flipping out).
I just had the same thing happen to me. Since this is two of us now with some similar circumstances, I'll post details in case it happens to anyone else:
I played a little Starcraft 2, then browsed a little in google chrome. About an hour after playing Starcraft, and while browsing, I got the fake antivirus program. It popped up a dialog that claimed to be doing a system scan.
I'm running Windows 7 Home Premium 64-bit. I was using Google Chrome with no ad blocking. I am running Microsoft Security Essentials, which reported nothing.
The fake antivirus program was called Antivir. It also set up my browsers to use a proxy.
After Antivir popped up, I disconnected from the internet and did a full scan with Malwarebytes Anti-Malware. That seems to have cleaned it up. It found 4 infected files on the full scan. The misbehavior stopped during the run and hasn't started up again since rebooting. The Antivir program is gone. I had to manually undo the proxy setting (the proxy itself was no longer there, but my system was still configured to use a proxy).
Here's the relevant stuff from my MBAM log:
Memory Processes Infected:
C:\Users\gsarjeant\AppData\Local\bmeflmslj\iafjblptssd.exe (Malware.Gen) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\iycishcs (Malware.Gen) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Users\gsarjeant\AppData\Local\bmeflmslj\iafjblptssd.exe (Malware.Gen) -> Quarantined and deleted successfully.
C:\Users\gsarjeant\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\G99VXB7L\7b00ad[1].exe (Malware.Gen) -> Quarantined and deleted successfully.
I suspect a google ad as well. I had been on QT3 (in fact, I had read this thread, ironically enough), but I had gone to a few other sites with ads, so I can't say for sure where it happened. To play it safe, I'm also not going to play Starcraft for a little while to be sure this doesn't turn out to be a SC2 issue.
mbam and security essentials can't break a running infection of TDSS rootkit.
http://superantispyware.com/portable...g=SAS_HOMEPAGE
DL that if you can. If you can't then it has set up a proxy service and you'll have to do this from another PC and carry it over on a usb stick. Reboot the infected box in safe mode (beat F8 while it's starting up, before windows logo) and run it.
When SAS finishes, kill anything it found. Then go to control panel, internet options, connections, lan setup. Make sure there is NO PROXY setting. If you use firefox, also go into firefox preferences, networking, advanced and also disable any proxies.
Then run mbam, security essentials, and spybot search & destroy. All three of them. Each will find different lingering pieces of TDSS.
After all that, you're probably clean. I do this 3-4 times a week at work, I've got it down to a science.
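The two things the posts above keep coming back to, a leftover proxy setting and a Run-key entry pointing at an executable under the user's profile (as in the MBAM log), can both be checked from the registry without relying on a scanner. The script below is an added example, not something posted in this thread or shipped with any of the tools mentioned; it is read-only (it only reports, it does not delete or change anything), and the "looks suspect" heuristic of flagging Run entries that launch from AppData, Local Settings or Temp is an assumption of this example, not a rule from the thread.

```powershell
# Added example (not from the thread): audit the per-user and per-machine Run keys
# and the WinINET proxy settings that fake-AV infections like the one above tamper with.
# Read-only: it prints findings and suggests the fix, it does not apply it.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; those are not Run entries.
        if ($p.Name -like 'PS*') { continue }
        $cmd = [string]$p.Value
        # Heuristic (assumption of this example): legitimate startup entries rarely
        # launch from the user profile's AppData/Temp tree; the MBAM log above shows
        # the infection living in AppData\Local\<random>\<random>.exe.
        $suspect = $cmd -match '(?i)\\AppData\\|\\Local Settings\\|\\Temp\\'
        $flag = if ($suspect) { '   <-- runs from profile dir, inspect before trusting' } else { '' }
        '{0}  {1} = {2}{3}' -f $key, $p.Name, $cmd, $flag
    }
}

# WinINET proxy settings: this is what Internet Options > Connections > LAN settings edits,
# and what IE/Chrome (which share it) keep using after the malware's proxy is gone.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$s = Get-ItemProperty -Path $inet
if ($s.ProxyEnable -eq 1) {
    "WinINET proxy ENABLED -> $($s.ProxyServer)"
    "  to clear it: Set-ItemProperty -Path '$inet' -Name ProxyEnable -Value 0"
} else {
    'WinINET proxy disabled'
}
if ($s.AutoConfigURL) {
    # A PAC URL can redirect traffic just as well as a fixed proxy; check it too.
    "AutoConfigURL (PAC script) set -> $($s.AutoConfigURL)"
}
```

Firefox keeps its own proxy settings in the profile's prefs.js rather than in the registry, which is why the post above tells you to clear those separately in its preferences. Run the script from an elevated prompt if you want the HKLM Run key read as well; the HKCU checks work as the affected user.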
Ok, since it's computer-troubleshooting-fun-time at Qt3, what's the deal with this:
I'm at work and I get a text from my sister "Your Facebook get hacked?"
What? No, why would it...
I go to log into Facebook (work computer, Mac running Snow Leopard) and I'm told my account has been suspended for suspicious activity. I go through the reactivation thing to change my password, and I find my account has posted one of those spammy "FREE iPad, click here!" links, as well as created an event and sent out invites to a chunk of my Facebook friends. I delete the post and delete the event (with an apology to my friends), but ok, now what actually happened?
I access Facebook from my iPad, iPhone, the aforementioned work computer, and my PC at home, running Windows XP. I haven't clicked anyone else's obviously-spammy "FREE iPad!" links (though I've seen four or five other friends have it happen in the last couple weeks), and I'm assuming actively clicking some malicious link is the only way it could have triggered from either the Mac at work (where I'm super careful about what I do online, plus it's a Mac) or my iPad or iPhone. So if I didn't actively trigger it, is my PC infected with something?
That's my line of reasoning so far, so as soon as I got home I ran MBAM as well as the thing Azurom just linked, just for giggles. Both turned up clean.
Does anyone know anything specific about the Facebook hijack and how else it could have happened? I haven't seen any other signs of strange activity on my PC.
Thanks. Like I said, it seems clean (MBAM and MSE at least don't find anything, proxy's gone, no antivirus popping up or odd site redirects, etc.), but I think I'll just wipe and reinstall when I get home (of course, this happened while I was on the road). I'm not thrilled about the fact that it happened at all and I'd rather just start over and know things are clean.
The only annoying thing is that I had just rebuilt the machine and gotten it set up the way I like before I left, but such is life. At least that means I didn't have years of stuff on here that I need to figure out how to preserve. I can just redownload things after I rebuild.
By the way, it was definitely a google ad. I just ran Spybot Search and Destroy (thanks for the rec - I didn't know about that one). It found a bunch of tracking cookies in chrome. I let it get rid of them. Thankfully, I'd switched back to Firefox.
Adblock doesn't work with Firefox 4 beta 3.
Would NoScript in Firefox or disabling Javascript in Chrome help at all with malign Google ads?
Yeah, Noscript is the most thorough way to avoid malware.