LizaMoon infection: a blow-by-blow account

[Tracey Capen]

TOP STORY LizaMoon infection: a blow-by-blow account By Fred Langa A nasty piece of malware known as LizaMoon has hijacked links on millions of websites in the past weeks, including some normally safe iTunes and Google links. Fortunately, LizaMoon is easy to avoid if you know what to look for. The full text of this column is posted at WindowsSecrets.com/2011/04/07/01 (opens in a new window/tab). Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

[gtd123]

When your computer was infected by the Liza Moon virus were you logged on as an administrative user or a limited user? If the latter, did you have to entire your admin password at some point? I guess the main thing I am trying to discover is could this thing take over a system as you describe without logging on via the admin acct?

[jredwards]

hey even paid antivirus software will ley such things run. i used nod32 for 5 years without a problem. then got hit by the same sort of malware. my daughter was at the computer when it happen. she tried to close it down with the red X. when i contacted nod32 they told me to download free software that would remove the malware. since then i have not paid for nod32, and use MSE. i also keep malwarebytes up to date manually. i have also seen this problem with other paid and free antivirus programs. so be disappointed if you want, but keep a image handy. that was my way of taking care of the problem in 5 minutes.
richard

[roundsdd]

I thought that by using the red X the malware would still do some of its bad work. I was taught to use the ALT + F4 to kill the page. Using windows Task Manager is sometimes hard to figure out which is the bad process. A buddy had this and I had him go into safe mode and restore a previous version to get healthy.

[Damer]

me too. Lisa got me some time back. I stopped short of sending money but every time I ran a virus checker it kikked it and it killed every other checker I had. I reformatted the drive to get rid of it.

[AndyDap]

I got something very similar via a different route; disguised as a packing note for a DHL shipment in an email (had nothing to do with DHL of course). I would normally never have opened it but I was expecting a package from overseas. McAfee told me the email was clean but I was extra careful. It was an attached zip file (that I detached and scanned separately with McAfee and it reported clean), then a 'pdf' file (that I scanned with McAfee and it reported clean) that I ran and saw no pdf file but all the same looking pop ups that Fred got. McAfee offered to help me get rid of it for a fee (after being a loyal customer for over 10 years) but running Malawarebytes from safe mode and rkill.com (a small tool to kill suspect processes) took care of it in about 30 mins. I no longer run McAfee and as a test used MSE to scan the same email file. It picked it first time, so I'm happy with MSE.

[ratchet]

Most surfers could/would avoid going to the site that contained the malware if they were using WOT or like service. It is hard not to notice the red circle!

[iansavell]

I agree with RoundsDD. The advice in the article to dismiss the web page dialog using the red X is bad advice. In many cases the dialog is not a true dialog but simply part of the infecting web page and clicking the X (or any other part of the page) starts the infection.

There was a Lounge discussion on this a while back, we concluded the safest route out was to use ctrl-alt-del to bring up Task Manager and kill the browser process. ctrl-alt-del is handled by Windows at a very low level and cannot be subverted by anything (as far as I'm aware - I'm sure some rootkit author is working on it)

I'm sensitive about this subject right now because I've just spent a day clearing a fake AV infection from my daughter's laptop. She claims it just appeared after visiting a previously good website, didn't click or agree to anything suspicious. She was sitting in the room with me and as soon as the first indication appeared she handed me her PC. Her system includes Windows Vista, McAfee AV, Firefox and she hadn't disabled UAC.

The culprit called itself "spyware protection" and part of it was an exe: "c:\users\****\appdata\roaming\defender.exe". It had already disabled launching task manager from the taskbar. It took four different AVs, two Malwarebytes passes and msconfig to clear about 30 items identified as "trojan.<something>". Before her McAfee sub runs out next month I've told her to switch to MSE. If your AV is going to miss something critical it's as well you're not paying through the nose for it as well. All the detections were by free tools like HouseCall and Malwarebytes.

Ian

[RandomChance]

Right after WS starter declaring how great MSE was, I used MSE for 2 weeks before I ran into an infected page on a very popular site. MSE did not catch until too late. (gocomics if I remember right).
I dumped it immediately going back to Avast, which has blocked several such attacks in embedded ad's on known good safe sites.

[mfa]

My wife's computer (Windows 7 Home Premium, WSE, Administrative user account) got infected with this on 4/5. I rebooted in Safe Mode, and ran a full WSE and McAfee scan. Neither found anything amiss. Eventually removed it manually by deleting suspicious folders in Program Data and similarly-named keys in several Run or RunOnce entries in the Registry. Demoted user to Standard to lessen chance of further problems.

[Johnlee]

I had a similar problem. I was expecting aUPS package and received an email purporting to contain details. When I clicked on the enclosed file I got similar warnings to LizaMoon called CleanThis but was fooled by the Microsoft appearance to thinking it was genuine. After clicking the clear all button my PC was infected. I also turned off my network connection and sought advice on the internet from another computer. Several solutions were offered including several needing payment but I found one that recommended starting up the infected PC and entering as another user. Fortunately my wife was already entered as a user with full authority. I entered under her name and immediately went to system restore and picked a restore point before the infection. Bingo the system was clear!! I then entered in my own right and ran all the usual AV checks to find only 2 items which MacAfee safely removed. All my PCs now have an extra user with full authority in case of further need.

[Deadeye81]

Hi roundsdd, and welcome to the Lounge!

There are many scareware variants circulating around the Internet these days, and some of them will inject malware when clicking the red close square in the upper right corner of the popup, or by clicking anywhere in the popup. To cover all possible avenues of infection when encountering one of these buggers, the safest action is to start Task Manager and just look for the name of your Internet browser process, such as iexplore.exe (Internet Explorer), Chrome.exe, Firefox.exe, etc. The browser process is the only one that needs to be killed, as anything running in the current browser session is killed when you shut down the browser process.

[Deadeye81]

Most surfers could/would avoid going to the site that contained the malware if they were using WOT or like service. It is hard not to notice the red circle!

Hi ratchet,

WOT and other systems like it are very useful, and do offer some protection. However, when a previously clean site becomes a host to malware, there is some time involved before it is discovered and updated as a risky site. It is good to remember that no security measures are 100% effective. This helps us to stay alert, and to exercise good judgment

[chipallen]

I have run into LizaMoon, installed by panicked users certain their systems were infected by some horrible virus. Clicking the X to kill the program has no effect, and in some cases it is not possible to start Task Manager, install Malware Bytes or scan with MSE. Running anti-virus programs in Safe Mode sometimes works, but this is the single hardest to get rid of virus I've run into in 30+ years of tech support. I reformat and start over, just to be sure everything is gone.

[pjustice57]

The missing piece in this "blow by blow" article is exactly the process used to disinfect the PC. Did it require running the scanners in Safe Mode? How did the latest versions of the scanners get on the PC if it was disconnected - USB stick, CD burned on another PC, etc.?