  1. #1
    iNET Interactive
    Join Date
    Jan 2010
    Location
    Seattle, WA, USA
    Posts
    227
    Thanks
    0
    Thanked 9 Times in 8 Posts

    LizaMoon infection: a blow-by-blow account

    By Fred Langa

    A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links.

    Fortunately, LizaMoon is easy to avoid if you know what to look for.

    The full text of this column is posted at WindowsSecrets.com/2011/04/07/01.

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.


  4. #2
    New Lounger
    Join Date
    Dec 2009
    Location
    Berlin
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Liza Moon and Administrator or Limited Account

    When your computer was infected by the Liza Moon virus, were you logged on as an administrative user or a limited user? If the latter, did you have to enter your admin password at some point? I guess the main thing I am trying to discover is: could this thing take over a system as you describe without logging on via the admin account?

  5. #3
    New Lounger
    Join Date
    Dec 2009
    Location
    Indianapolis, IN
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts

    had same problem

    Hey, even paid antivirus software will let such things run. I used NOD32 for 5 years without a problem, then got hit by the same sort of malware. My daughter was at the computer when it happened. She tried to close it down with the red X. When I contacted NOD32 they told me to download free software that would remove the malware. Since then I have not paid for NOD32, and use MSE. I also keep Malwarebytes up to date manually. I have also seen this problem with other paid and free antivirus programs. So be disappointed if you want, but keep an image handy. That was my way of taking care of the problem in 5 minutes.
    richard

  6. #4
    New Lounger
    Join Date
    Apr 2011
    Location
    Mahwah, NJ USA
    Posts
    4
    Thanks
    6
    Thanked 0 Times in 0 Posts
    I thought that by using the red X the malware would still do some of its bad work. I was taught to use ALT + F4 to kill the page. Using Windows Task Manager, it is sometimes hard to figure out which is the bad process. A buddy had this and I had him go into Safe Mode and restore a previous version to get healthy.
    Last edited by roundsdd; 2011-04-07 at 08:10.

  7. #5
    New Lounger
    Join Date
    Apr 2011
    Location
    Kaikoura, New Zealand
    Posts
    6
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Me too. Liza got me some time back. I stopped short of sending money, but every time I ran a virus checker it kicked it, and it killed every other checker I had. I reformatted the drive to get rid of it.

  8. #6
    New Lounger
    Join Date
    Dec 2009
    Location
    Gold Coast Australia
    Posts
    14
    Thanks
    2
    Thanked 0 Times in 0 Posts
    I got something very similar via a different route: disguised as a packing note for a DHL shipment in an email (it had nothing to do with DHL, of course). I would normally never have opened it, but I was expecting a package from overseas. McAfee told me the email was clean, but I was extra careful. It was an attached zip file (which I detached and scanned separately with McAfee, and it reported clean), then a 'pdf' file (which I scanned with McAfee, and it reported clean) that I ran and saw no PDF file, but all the same-looking pop-ups that Fred got. McAfee offered to help me get rid of it for a fee (after I had been a loyal customer for over 10 years), but running Malwarebytes from Safe Mode and rkill.com (a small tool to kill suspect processes) took care of it in about 30 minutes. I no longer run McAfee, and as a test used MSE to scan the same email file. It picked it up first time, so I'm happy with MSE.

  9. #7
    New Lounger
    Join Date
    Dec 2009
    Location
    Titusville, PA
    Posts
    7
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Most surfers could/would avoid going to the site that contained the malware if they were using WOT or like service. It is hard not to notice the red circle!

  10. #8
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Manchester, United Kingdom
    Posts
    113
    Thanks
    8
    Thanked 15 Times in 14 Posts
    I agree with RoundsDD. The advice in the article to dismiss the web page dialog using the red X is bad advice. In many cases the dialog is not a true dialog but simply part of the infecting web page and clicking the X (or any other part of the page) starts the infection.

    There was a Lounge discussion on this a while back; we concluded the safest route out was to use Ctrl-Alt-Del to bring up Task Manager and kill the browser process. Ctrl-Alt-Del is handled by Windows at a very low level and cannot be subverted by anything (as far as I'm aware; I'm sure some rootkit author is working on it).

    I'm sensitive about this subject right now because I've just spent a day clearing a fake AV infection from my daughter's laptop. She claims it just appeared after visiting a previously good website, didn't click or agree to anything suspicious. She was sitting in the room with me and as soon as the first indication appeared she handed me her PC. Her system includes Windows Vista, McAfee AV, Firefox and she hadn't disabled UAC.

    The culprit called itself "spyware protection" and part of it was an exe: "c:\users\****\appdata\roaming\defender.exe". It had already disabled launching task manager from the taskbar. It took four different AVs, two Malwarebytes passes and msconfig to clear about 30 items identified as "trojan.<something>". Before her McAfee sub runs out next month I've told her to switch to MSE. If your AV is going to miss something critical it's as well you're not paying through the nose for it as well. All the detections were by free tools like HouseCall and Malwarebytes.

    Ian


  12. #9
    New Lounger
    Join Date
    Apr 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Right after WS started declaring how great MSE was, I used MSE for 2 weeks before I ran into an infected page on a very popular site. MSE did not catch it until too late (gocomics, if I remember right).
    I dumped it immediately, going back to Avast, which has blocked several such attacks in embedded ads on known good, safe sites.
    Last edited by RandomChance; 2011-04-07 at 04:40.

  13. #10
    Lounger
    Join Date
    Apr 2002
    Location
    Polk City, Florida, USA
    Posts
    30
    Thanks
    3
    Thanked 2 Times in 1 Post
    My wife's computer (Windows 7 Home Premium, WSE, Administrative user account) got infected with this on 4/5. I rebooted in Safe Mode, and ran a full WSE and McAfee scan. Neither found anything amiss. Eventually removed it manually by deleting suspicious folders in Program Data and similarly-named keys in several Run or RunOnce entries in the Registry. Demoted user to Standard to lessen chance of further problems.
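    A read-only check that follows from the persistence spots described in posts #8 and #10 (an exe under %APPDATA%, entries in the Run/RunOnce keys, Task Manager blocked). This is an added PowerShell example, not code from the thread or from any product mentioned; the registry key and value names are standard Windows ones, while the list of "suspect" folders is an assumption you may want to widen.

    ```powershell
    # Added example: list autostart entries from the Run/RunOnce keys and flag
    # any that launch from a user-writable folder (%APPDATA%, %LOCALAPPDATA%,
    # %PROGRAMDATA%, %TEMP%). It only reports; nothing is deleted.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Assumed list of folders an ordinary user can write to; legitimate
    # software rarely needs to autostart from here.
    $suspectRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) |
        Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }
    # Properties PowerShell adds to every Get-ItemProperty result; not real values.
    $psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # Take the quoted path if there is one, else the first token,
            # then expand %VARS% so the prefix comparison works.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
            $hit = $suspectRoots | Where-Object { $exe.StartsWith($_) }
            $status = if ($hit) { 'SUSPECT' } else { 'ok' }
            '{0,-8} {1}\{2} -> {3}' -f $status, $key, $p.Name, $cmd
        }
    }

    # Post #8 says Task Manager had been disabled; this policy value is the
    # usual way that is done. 1 means blocked for the current user.
    $pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $tm = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($tm -eq 1) { 'DisableTaskMgr is set: Task Manager is blocked for this user.' }
    ```

    Run it from an elevated prompt if you want the HKLM keys included, and treat a SUSPECT line as something to look at, not as proof of infection.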

  14. #11
    New Lounger
    Join Date
    Jan 2010
    Location
    Shepperton, Middx, UK
    Posts
    10
    Thanks
    2
    Thanked 0 Times in 0 Posts

    LizaMoon aka CleanThis

    I had a similar problem. I was expecting a UPS package and received an email purporting to contain details. When I clicked on the enclosed file I got similar warnings to LizaMoon, called CleanThis, but was fooled by the Microsoft appearance into thinking it was genuine. After clicking the "clear all" button my PC was infected. I also turned off my network connection and sought advice on the internet from another computer. Several solutions were offered, including several needing payment, but I found one that recommended starting up the infected PC and entering as another user. Fortunately my wife was already entered as a user with full authority. I entered under her name and immediately went to System Restore and picked a restore point before the infection. Bingo, the system was clear!! I then entered in my own right and ran all the usual AV checks, to find only 2 items, which McAfee safely removed. All my PCs now have an extra user with full authority in case of further need.

  15. #12
    Super Moderator Deadeye81
    Join Date
    Dec 2009
    Location
    North Carolina, USA
    Posts
    2,655
    Thanks
    7
    Thanked 112 Times in 97 Posts
    Hi roundsdd, and welcome to the Lounge!

    There are many scareware variants circulating around the Internet these days, and some of them will inject malware when clicking the red close square in the upper right corner of the popup, or by clicking anywhere in the popup. To cover all possible avenues of infection when encountering one of these buggers, the safest action is to start Task Manager and just look for the name of your Internet browser process, such as iexplore.exe (Internet Explorer), Chrome.exe, Firefox.exe, etc. The browser process is the only one that needs to be killed, as anything running in the current browser session is killed when you shut down the browser process.


  17. #13
    Super Moderator Deadeye81
    Join Date
    Dec 2009
    Location
    North Carolina, USA
    Posts
    2,655
    Thanks
    7
    Thanked 112 Times in 97 Posts
    Quote Originally Posted by ratchet:
    > Most surfers could/would avoid going to the site that contained the malware if they were using WOT or like service. It is hard not to notice the red circle!
    Hi ratchet,

    WOT and other systems like it are very useful, and do offer some protection. However, when a previously clean site becomes a host to malware, there is some time involved before it is discovered and updated as a risky site. It is good to remember that no security measures are 100% effective. This helps us to stay alert, and to exercise good judgment.

  18. #14
    New Lounger
    Join Date
    Jan 2011
    Location
    Glennville, GA
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I have run into LizaMoon, installed by panicked users certain their systems were infected by some horrible virus. Clicking the X to kill the program has no effect, and in some cases it is not possible to start Task Manager, install Malwarebytes or scan with MSE. Running anti-virus programs in Safe Mode sometimes works, but this is the single hardest-to-get-rid-of virus I've run into in 30+ years of tech support. I reformat and start over, just to be sure everything is gone.

  19. #15
    2 Star Lounger
    Join Date
    Mar 2010
    Location
    Tampa, FL, USA
    Posts
    111
    Thanks
    11
    Thanked 7 Times in 7 Posts
    The missing piece in this "blow by blow" article is exactly the process used to disinfect the PC. Did it require running the scanners in Safe Mode? How did the latest versions of the scanners get on the PC if it was disconnected - USB stick, CD burned on another PC, etc.?
    PJ in FL
