  1. Lounge VIP bobprimak's Avatar
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    1,906
    Thanks
    96
    Thanked 82 Times in 72 Posts
    Quote Originally Posted by FreeBSD View Post
    This is just another example of the failure of Microsoft to produce a truly secure system. If Microsoft simply used the same techniques that are routinely employed on *.nix systems, along with its handling of files, none of this would have occurred. I assume you have heard about the Epsilon data breach. Just another example of Microsoft's failed attempt to provide security for its users. Honestly, why anyone with any common sense would use Microsoft for Web browsing or reading e-mail is beyond my comprehension. There are better Web browsers and far superior MUAs available for the non-Windows user. With the possible exception of MS Office, there is not a single program that Microsoft produces that is worth the hassle of using Windows and its required AV/Firewall, etcetera paraphernalia just to attempt a mediocre sense of security. Microsoft != Security is a well understood concept.
    Quote Originally Posted by FreeBSD View Post
    Dump Microsoft and get a secure system plus you will save a fortune in time and money.
    Quote Originally Posted by cavehomme View Post
    For most other people Linux with OpenOffice and Evolution is more than adequate, and so they could easily use Linux instead on their existing PC. For people with deeper pockets and an absolute need for MS Office then the only alternative is to go for a Mac with Office 2011 or 2004 and get the safety of Unix.
    'NIX invulnerability is a myth. Mac OS is a 'NIX, and it has viruses. Same with BSD.

    Quote Originally Posted by slam5 View Post
    You know, my advice to my friends who encounter this problem: save any documents you have open in the background and then hit the reset button. I'm sure it will be gone that way. Yes, it is not a "clean" way to shut down your PC but then again, you most likely will not be infected (and I say very very likely). As for using UPS, why don't you sign onto their website to see if they sent you an email. I always discard msgs from UPS.
    Doing the Hardware Reset can cause the malware to install on the next boot-up.

    Quote Originally Posted by cavehomme View Post
    As for staying on Windows, Fred is very naive and trusting of MS, sorry to say. On my Win 7 machine I do use MSE but it is supplemented with the excellent Prevx and Comodo firewall with HIPS enabled. Prevx is easy enough for all users but Comodo needs some expertise and is not for the casual user unless an expert sets it up for them on "default deny" config.

    On the XP I use Comodo Internet Security and Prevx plus Malwarebytes for daily scans. So good so far.
    Prevx has for me been nothing but trouble. It flags EVERYTHING as malware, and blocks everything which has changed since Prevx was last uninstalled and reinstalled. Needs to be reinstalled for this reason every month, when MS Updates are installed. Nothing but hassles and false alarms in my experience.

    Comodo and Malwarebytes are fine programs, but you still need a real-time antivirus app. For this I would use MSE on Windows 7, and Avast on Windows XP, unless Avast does weird things on your computer, as it did in Version 6 on my WinXPPro SP3 laptop. There, I reverted to MSE.
    Last edited by bobprimak; 2011-04-10 at 04:03.
    -- Bob Primak --

  2. Lounge VIP bobprimak's Avatar
    Quote Originally Posted by genej313 View Post
    I have a "safe" email address that was hacked at Epsilon, got the nice little "we're so sorry" notes from Target and Best Buy, but immediately noticed I was now getting spam from various delivery services - UPS, FedEx, a couple others as well, whereas prior to the hack I got NO spam at my "safe" address. All of those notices were poorly phrased English, first clue, and had attached zip files - NEVER, EVER, open a zip file from someone you don't know has always been my rule. It helped that I hadn't ordered anything from anyone too, of course. I did reply to one of them saying, gee I wonder what you could have for me since I haven't ordered anything, I am SO excited. It bounced back undeliverable in a little bit. I am quite annoyed with Epsilon and believe Best Buy violated their own privacy policy which was supposed to NOT share my address with anyone else, not even Epsilon. That Reward Zone card is now gone too along with the business I have given Best Buy over the years. And the business I would have given them in the future. When will someone get serious about prosecuting these fools? Many years ago, I'd send headers to the FCC but I don't believe they ever do anything about them. The Internet will always be a modern day "Wild West" until companies and governments get serious about prosecuting internet criminals whether they live in Moscow or Beijing.

    First, Best Buy does not do what you accuse them of. Second, please avoid ethnic slurs such as your last sentence. If you can't prove allegations, don't post them here.
    -- Bob Primak --

  3. Lounge VIP bobprimak's Avatar
    Quote Originally Posted by NTLS View Post
    Greetings from LeonSprings,

    I have not had the time to read all of these posts, but very sure they are having something to do with that report by Fred Langa in Windows Secrets' latest newsletter. Thank you to Fred for this report, as I have been doing just what he has suggested for many years: do not accept any bogus recommendations from unknown sources.

    I have just had somewhat of a similar experience this evening just before downloading Fred's report . . . my MSC (Microsoft's Security Client version 2 of MSE) and it could not restart, title bar was RED and the restart button was also RED and could not be restarted by that button. I went into MSC Settings tab and to Real-time protection and unchecked the box for Turn-on real-time protection (recommended) and saved that setting. Then rechecked that box, turning it back on, and it did restart after a few seconds, maybe 20-30 of them. Did an immediate quick scan and all came back clean. Am going to do another with various other AV and malware software I am using on my system.

    If I were to wear a hat I would take it off and SALUTE you, Fred Langa. I don't so I will just sing your praises here.
    Actually, what you are reporting is entirely different, and may not arise from malware at all. On my Windows XP laptop, MSE frequently fails to start up at Windows boot. The issue with me is that if the boot process takes too long (due to a slow-loading driver or too many Startup Items) MSE will simply time out. It can then take a long time to restart the MSE Service (called MSC in your Startups List). Completely different issue.
    -- Bob Primak --

  4. Lounge VIP bobprimak's Avatar
    Quote Originally Posted by Canyoufixthis? View Post
    I was helping a friend remove this from his computer, only it was called "Win XP Security" in that version. I was able to download MalwareBytes after rebooting in safe mode with networking support, but was not able to run it. I then found an article on my laptop from the MalwareBytes forums that recommended renaming the MalwareBytes download from *****.exe to ****.com. I was then able to install the program. (The **** indicate the latest version, which changes numbers with each new version.)

    I then went to the install location, and renamed the "mbam.exe" to "mbam.com" which was able to run normally. I let it run and deleted the results, and it killed the infection immediately. I ran it in "full scan" till no more infections came up. I then tried to update the computer but was unable to until I re-registered the dll files associated with Windows Security Center. You can find articles on Google to do this. I launched Windows Update and updated all. The process was brief, as the computer was set up for automatic updates already, but the infection had disabled that.

    Since this was the second time this had happened to him, I encouraged him to purchase a license for MalwareBytes. If you look around you can find coupons to reduce the price. He ended up paying about $21.45 for a license, and it started blocking him from attacks immediately. I was very impressed with this.

    I did not run Microsoft's Security Center, but after reading this article I might suggest he change from Avira anti-virus to MSC.

    Thanks for the great article, Mr. Langa.
    Malwarebytes is available in a free version. There is no need to pay for it, unless you want the frilly, fancy, unnecessary features of the paid version.
    -- Bob Primak --

  5. New Lounger
    Join Date
    Sep 2004
    Location
    Atkinson, New Hampshire, USA
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I have had similar malware attack systems with McAfee and Trend Micro successfully. If caught quickly enough I have been successful removing it with System Restore. In several instances the restore points were not available and I had to manually restore using a separate PC. One of the PCs infected took several different tools to remove all of the garbage and one needed to have a system reload.

  6. New Lounger
    Join Date
    Apr 2011
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Malwarebytes is available in a free version. There is no need to pay for it, unless you want the frilly, fancy, unnecessary features of the paid version.
    I think he was referring to the "real-time" protection aspect and perhaps the automated updates, thus blocking the problem rather than trying to fix it.

    COMODO is decent, however it's only a snapshot. Also, it does insert itself into the Master Boot Record, so if there's a problem with it, that can be a problem. (However I do use it with no problems.)

    Another FREE option is Paragon Backup & Recovery 2011 (Advanced) Free. It's a free mirroring program in the event you can't boot. (You need to make an ISO image media which the initial installation will prompt you to do.)

    I have made several archives, however I have yet to try and restore my system using this program, so I have no comments on that part. I did see it received decent ratings though. Also, if you can boot, you can still use the restore feature without the boot media, but remember it will bring your entire system back to the date of the archive, thus taking away anything you've saved as of that time period.

    Personally, I use COMODO / TrueImage / and Paragon to back things up.

    Paragon is defaulted to save the archive on the main drive, but I would suggest saving it to an external drive (or another internal drive if you have one) if possible, to reduce the chances of a corrupted archive file, not to mention the longer defrag lag time on the main drive as well.


    b1rd
    Last edited by b1rd; 2011-04-10 at 20:23. Reason: Iz can't Spel :(

  7. New Lounger
    Join Date
    Apr 2011
    Location
    Kaikoura New zealand
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Me too, I would like to know. I have a return of the malware so have pulled the plug to Wi-Fi and need to know how to get rid of it. Last time I had to have the drive reformatted. Can I just turn the clock back with a restore? Ctrl-Alt-Del doesn't work -- they just flash up and are killed. Should I use safe mode? I can't get in in any significant way. Should I boot from another disc or pen drive? Can I load a prog to a pen drive and scan from there? I have a lap link USB; can I scan from another computer? Any help would be great. Thanks

  8. New Lounger
    Join Date
    Apr 2011
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I was able to get rid of it through SafeMode. I installed MalwareBytes from a flash drive while in SafeMode, then ran it while still in SafeMode.

    Several people have had success with renaming the file from .exe to .com (renaming it, not changing the file extension), both during the download, as well as within the programs folder.

    Another option I found some place was a portable version of SUPERAntiSpyware. It assigns the file a random name, and can be both downloaded directly to a flash drive, then run from it as well. I would still suggest running either in Safe Mode, or if you can boot, then hit Run > type msconfig and select diagnostic start up, which is basically the same, just easier to get to on many systems.

    Edit:

    I did do some quick checking and there were a couple people saying not to start this in Safe Mode, but did not indicate why. They suggested to bring up the task manager, Run > msconfig, and get to the start up tab ASAP, and quickly uncheck it if you can find it. Personally, I've removed several of these, however different variations, and that has never worked for me. Also, I can't see why running the fix in Safe Mode would be any problem at all.
    Last edited by b1rd; 2011-04-13 at 18:16. Reason: Additional

  9. New Lounger
    Join Date
    Apr 2011
    Location
    Kaikoura New zealand
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks Bird, will try. It's so annoying. Don't know where it came from but it has got to go!!!

  10. New Lounger
    Join Date
    Apr 2011
    Location
    Kaikoura New zealand
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Got the little "Bug ger"

    Thanks again Bird. I downloaded SUPERAntiSpyware to my flash drive -- via another computer -- started my computer in safe mode and ran restore. I restored to the day before. All seemed well, so ran SUPERAntiSpyware and it unearthed 7 nasties. Have since been running other scanners but have not found anything else. I learnt from the last time not to exit by clicking X. I also pulled out the Wi-Fi and disconnected from the internet. So thanks again. Cheers, Damer Farrell

  11. Lounger
    Join Date
    Apr 2002
    Location
    Polk City, Florida, USA
    Posts
    26
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by HaraldG View Post
    I now have a cocktail CD of RKill, Malwarebytes, Spybot Search and Destroy and sometimes one or two other malware killers. I give that to the people, tell them how and in what order to run the cleanup and have seen it work 100% of the time.
    Are there any licensing issues doing that, or are all of those ingredients in the cocktail freeware?

  12. New Lounger
    Join Date
    Apr 2011
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Originally Posted by Dammer
    Have since been running other scanners but have not found anything else.
    If things seem fine, and if you don't already have it, this might be a good time to download MalwareBytes and do a direct install to the computer / update and do a full scan. I think these two programs that I mentioned are the only two free ones that I'm aware of that rid this thing.

    Also, you did a system restore it sounds like. I just wonder if any of these variations include a time bomb, which simply means set to trigger on a certain date. I doubt it at this time, as I've never read anything about that as of yet, however I did have a program that did that.

    Anyhow, glad to hear it appears you got things fixed. This one can be a bitch to work with.

    I would seriously look at Paragon Backup & Recovery 2011 Free. It's free and when things get really bad, it might be a good way to get things back to normal. Again, I've only made archives, never a restore, as I'm a big believer in Acronis TrueImage, which has saved me several times.

    b1rd
    Last edited by b1rd; 2011-04-14 at 11:48.

  13. New Lounger
    Join Date
    Feb 2010
    Location
    Northeast coast of MA
    Posts
    1
    Thanks
    0
    Thanked 1 Time in 1 Post

    LizaMoon tips...

    Great info on this nasty program. My wife had the same experience with one of the older fake anti-bad guy programs, in that she clicked the red X to close the warning only to find the bad guy got in anyway. Next time it happened she called me and I tried most of the tricks to prevent installation. She asked if we could just power down manually (5 second power button hold) and this solved the problem. Works if you do not have unsaved work that you care about.
    In order to become a Wise Old Man you must first survive being a Stupid Young Man.

  14. The Following User Says Thank You to Cirric For This Useful Post:

    wgmeisheid (2011-04-14)

  15. New Lounger
    Join Date
    Apr 2011
    Posts
    1
    Thanks
    1
    Thanked 0 Times in 0 Posts
    After clicking the Red X I was fortunate to have Task Manager open and I noticed an explosion of numerically titled .exe processes launching. I spent several minutes closing the processes, then did a search on the filename and found it in my browser temp files. I deleted it, but it also corrupted my registry and regedit would not allow me to delete the entries - telling me I did not have permission. I had to run everything using the right-click Run As option.

    I tried several antivirus tools in addition to my normal VIPRE without them finding anything.

    I finally found a free Registry repair tool that removed the corrupted entries (Free Window Registry Repair) from CNET. It did the job and now I am back to normal.

    Next time something like that appears, I will go directly to Task Manager and close the IE process, then delete all of my temporary files by hand. In addition, I create a restore point after every software installation.
    Last edited by wgmeisheid; 2011-04-14 at 16:13.

  16. New Lounger
    Join Date
    Apr 2011
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I have seen variants of this scumware that will proceed with its attempt to install even if you press Cancel OR click on the red X.

    One of the more amusing things I've seen is when the false "Virus Scan" pops up and begins scanning my "C:\Windows" drive... on my machine that is running Ubuntu 10.10.

    The non-amusing thing is the number of friends' and coworkers' infected home PCs I've had to clean this scumware from.
