
Java Exploit virus

geminigod

Man, I have been having a hell of a time the past couple days. I picked up some bs virus from some website that exploits Java. It is apparently all over the place out there these days. The zero day for this thing was just a couple months ago. The virus inserts into a website's code, and infects any computer that hits it. Now I'm not suggesting I got it here. It could have been any number of sites, but if anyone is experiencing anything similar, please speak up. Also this is a potential vulnerability for Macs and PCs.

My main symptom that alerted me to something being wrong was that any executable app I would try to download would fail and give me some message about files being corrupt or authentication failing or some other such nonsense. I think the problem first began when I updated java to a newer version that supposedly fixes the exploit, but since I was already infected, that was when my computer started acting funny. Prior to that, I'm guessing a remote hacker had access to my computer. Microsoft Security Essentials found a virus and removed it when I ran a full scan, but that didn't resolve the symptom described above.

The craziest thing is that I caved trying to fix the problem and reformatted my computer. At first everything was fine with a fresh install but then at some point re-setting everything up, the same problem started happening again! I am now in a very painful process of troubleshooting exactly what causes this to happen. Antivirus finds nothing new.

At this point I would advise folk to make sure you have the latest java update and maybe consider doing what security experts have recommended. Have two browsers. 1 with java disabled for general browsing and 1 with it enabled for trusted websites that require it. Apparently java is a security nightmare. Flash is also supposed to be pretty bad.
 
I got a message from Norton several weeks ago telling me I was already protected from this. What antivirus are you using?
 
Microsoft Security Essentials. I have been told it is pretty good and hard to beat the price of free... It did find it and remove it, but failed to prevent the initial infection obviously. Maybe I should invest in some new security software... I am anti-Norton from the old days when it was notorious for being a memory hog and causing more problems than it fixed. Maybe it is good now.

interested in hearing any thoughts on antivirus/malware recommendations.
 
Malwarebytes kicks arse but isn't free but is well worth it in my opinion (professional hat on there). I also use MSE in conjunction with it and haven't had anything nasty for a good few years now.

I always set my browser to prompt me if anything Java related happens though and it's been turned off completely for the last couple of months since this exploit was discovered.
 
Kaspersky. AVG if you don't want to pay.
 
geminigod said:
I forget, what is your profession?

Run my own IT repair/support business. Air lines rule.
 
nOmArch said:
Run my own IT repair/support business. Air lines rule.

Sweet! I'll trust your advice. Should I roll with the advice above? Any other thoughts?
 
I think what's been said pretty much covers it. The most important thing about Antivirus is not paying for it.

I think the air lines comment I made was meant for a different thread. :-o
 
nOmArch said:
The most important thing about Antivirus is not paying for it.

As my nightmare continues, I can't say I agree. I think I have now spent like $100 on programs. I have MSE, your recommended Malwarebytes program, plus a handful of programs that I stumbled upon at this site. http://www.uninstallvirus.com/download. They seem pretty good and have definitely helped make some progress. The main one is called spyhunter 4. I hate to spend the money but this nightmare has to end. I have now wasted days trying to restore my computer.

I am now on my 3rd fresh install of windows 7. Fingers crossed this time will be the winner. This is not my area of expertise, so I would love to hear any feedback from you experts. Check out these fancy terms that I am learning: My working theory is that some rootkit made its way into my windows 7 kernel, wherein it had absolute control and was undetectable. A fresh re-install of windows 7 should have eliminated it, but since I hadn't changed any admin settings for my computer and network, the remote attacker could noodle its way right back in again.

Now I have changed all my id and password stuff on this new install, plus I have multiple anti-malware apps running.

As near as I can tell, if this doesn't work, there are only two other possibilities. 1) Somehow my other NAS HDD that just contains a bunch files is reinfecting my windows, or 2) I have a rootkit in my firmware, in which case I don't know what the hell to do.
 
I'm fairly certain that if your computer still gives you grief after a clean install on a formatted drive, then you either have troublesome files on your NAS or simply malfunctioning hardware. If your Malwarebytes is updated and fully scans all your files with no found problems, I would go with hardware problems. I do agree that you don't have to spend any money to get protection that 100% works.
 
Either your network drives are infected or you have a hardware problem.

One thing to try which is very simple to do and quick is move your boot HDD to a different SATA port (preferably different channel as well) on the motherboard and see if things return to normal. It's a good way to check whether the drive controller on the mobo is functioning correctly.

The best thing to do is have an online virus scanner scan every single drive you have connected on your LAN to be sure the malware has been removed.

If it's hardware then you need to download a diagnostics boot disc like Hirens and run a full RAM test and then check the SMART info for your HDD and if that checks out then run a full surface scan.
 
nOmArch said:
Either your network drives are infected or you have a hardware problem.

Definitely a malware problem and not hardware. The problem reveals itself by hijacking my web browsers, switching DNS servers, and installing all sorts of other fun spyware as well as preventing me from successfully downloading and running any new executable files that might potentially help to solve the problem. Hardware works fine right after a fresh Windows install. The problem creeps back in, often when I am not even at my computer.

nOmArch said:
The best thing to do is have an online virus scanner scan every single drive you have connected on your LAN to be sure the malware has been removed.

Did this initially. Online scanner and MSE found almost nothing. The tools mentioned from the website above got me back to being semi-functional by fixing some registry issues and removing a ton of spyware. Incidentally, Malwarebytes also failed to find anything.

nOmArch said:
If it's hardware then you need to download a diagnostics boot disc like Hirens and run a full RAM test and then check the SMART info for your HDD and if that checks out then run a full surface scan.

I have done a RAM test. Not sure a hardware test will be helpful unless it is something that can find some kind of embedded virus at the hardware level. I did think it was interesting that the Windows 7 setup disc doesn't provide an option for a deep reformatting of the hard drive. All it does is delete the partition.
 
Sounds like you're gonna have to start messing about with rootkit removers and other specialist tools.

Good luck.

e2a: I would also reformat your NAS and any other attached storage you have. oh and check all your USB pen drives they can get infected very easily.
 
Wearing my Windows sysadmin hat, these are the things I'd do:

burn a copy of the F-Secure Rescue CD, boot from it and run a full scan. Do this both on your machine and on your NAS if possible. It'll take a while, but let it run through. A hardwired network connection is recommended to ensure it can get the definition updates prior to scanning; I've had mixed results providing these on a USB drive.

on a session on the local machine, use Msconfig and Sysinternals Autoruns (free download, google for it) to find out what is running on startup that shouldn't be, and kill it. You may need to boot from a Windows PE disc to be able to delete the files.

at a command prompt, run sfc /scannow to have Windows verify the integrity of system files and replace corrupt files if necessary.

download and run the sysinternals rootkit revealer.

Hopefully this will be of help in solving the issue.
 
Anti virus should catch anything in the run and runonce registry threads that shouldn't be there.
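The Autoruns/Msconfig step in the sysadmin post above and the Run/RunOnce point just made can be approximated from a PowerShell prompt. The script below is an added example written for this thread, not code from any poster or from Sysinternals: it walks the standard Run and RunOnce keys for the machine and the current user, resolves each command to its executable, and flags entries whose binary is missing, unsigned, or located under a user-writable directory. The list of "suspicious" roots is an assumption to tune for your own machine; the script only reports and never deletes anything, so you still review each line by hand (or cross-check it in Autoruns) before removing it.

```powershell
# Added example: report Run/RunOnce autostart entries with review flags.
# Assumes a Windows 7-era or later machine with PowerShell 2.0+.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate autostart binaries rarely live in these user-writable
# locations, so anything found here gets a flag for manual review.
$suspiciousRoots = @(
    $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
    "$env:USERPROFILE\Downloads", "$env:SystemRoot\Temp"
)

function Get-ExePathFromCommand {
    param([string]$Command)
    # Handles the quoted form "C:\path\app.exe" /arg and the bare C:\path\app.exe /arg form.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; skip those bookkeeping properties.
        if ($p.Name -like 'PS*') { continue }

        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExePathFromCommand $p.Value))
        $flags = @()

        if (-not (Test-Path $exe)) {
            # A value pointing at a file that no longer exists is worth a look either way.
            $flags += 'missing-file'
        } else {
            # Unsigned or badly signed binaries in an autostart key deserve scrutiny.
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }

            foreach ($root in $suspiciousRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $flags += 'user-writable-path'
                }
            }
        }

        [PSCustomObject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Exe     = $exe
            Flags   = ($flags -join ',')
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv` to keep a record before and after cleanup; an entry with an empty Flags column is not automatically clean, it has just passed these three cheap checks.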
 
Thanks That One Guy and nOmArch.

So far nothing seems to be happening on my latest fresh install, and my 3 levels of anti-malware apps aren't sending off any red flags. (fingers crossed). Killing my NAS drive would mean losing all my data! Can't let that happen.

But I am definitely nervous that I am still infected at some level. Maybe I could move all that data over to my fresh windows hard drive and then figure out how to restore the GPT partition on the NAS drive back to factory or something?? At least if something is hiding there, it would be killed...
 
On a related security note, while re-installing mediainfo, I noticed that it now has bs ad supported crap that it auto installs for a delta search engine. It also installs a plug-in called "browser protect" that appears to be commercial malware. I uninstalled browser protect and disabled delta crap. Then that got me thinking about legit plug-ins.

On Firefox's browser add-ons, there are two that look promising. I added BrowserProtect 1.1.3 and DoNotTrackMe. So now I have 4 levels of protection! In theory.

Unfortunately I have abandoned Chrome, which I was a big fan of, but it seems harder to manually control and protect myself with. The settings menu is very confusing.
 