Wow. Wiped out.

I was searching for a blog that my sister was on on Google, and on the third try I saw the Java symbol pop up. I didn't think too much of it...just that the website was running some sort of Java script.
NO! After a couple seconds, this window pops up like it's scanning my hard drive and showing errors...something like S.M.A.R.T. HDD in the title. I try to close it...no go. Ctrl/Alt/Del doesn't work. I fire up Malwarebytes and it locates 5 items; I delete them and it says to restart the computer after they're deleted.
Desktop comes up black with only "My Computer" and "Trash". Nothing else comes up at all and I'm not allowed into anything.
So, I had to reformat and lost everything on the desktop. Everything REALLY important was backed up on an external, but there is stuff I can't get back that I'd rather not have lost.
Avast didn't catch the "thing" until after I rebooted, so I guess it's fairly new.
Now that I'm thinking about it, I have a second internal HD for storage and it shows that 15 gigs is taken up, but when I try to open it up it says it's empty. What gives? I tried restoring it to a previous date and still nothing.

I'd also like to take a bat to the culprit's computer hardware...do an "Office Space" to his stuff!
 
Usually that's a backup.
I had a 47 GB Windows 7 backup on my old laptop.

The drive swore nothing was on it, but it was 93/140 GB free.


Also make sure you update Java. There are a lot of drive-by exploits that will molest your computer unless it's updated.
 
I had the same malware hit my computer. It's a trick where they are trying to get you to buy a fix.

It hasn't actually deleted anything, it's just hidden everything.

I found a couple of documented fixes for it which included a couple of specific tools outside the spyware scans to undo some of the things that it has done. It took me a few hours, several reboots and scans to get rid of it (some of the documented procedures online were not as good as others).

I wish you had posted earlier and I could have saved you from reformatting.
 
Download a copy of Puppy Linux and burn it on CD. Put it in your CD drive and boot it up. You can then search for any viruses or missing files since it isn't a Windows-based system. You could also try Mint Linux, Ubuntu Linux, or Knoppix. They all allow you to boot from the CD without installing the system on your hard drive. Puppy is the smallest.
 
Originally Posted By: Loobed


Download a copy of Puppy Linux and burn it on CD. Put it in your CD drive and boot it up. You can then search for any viruses or missing files since it isn't a Windows-based system. You could also try Mint Linux, Ubuntu Linux, or Knoppix. They all allow you to boot from the CD without installing the system on your hard drive. Puppy is the smallest.


Can you put that on a memory stick instead?
 
Nick,
When I did the restore thing, I saw the files zipping through as it was doing its thing. I could recognize song titles.

RedCorvette,
I couldn't get online. No IE. NOTHING worked. I wish I had my last computer I gave to my sister then I could have gone online.

Internet Explorer was used.
 
@Toy4x4:

Was your OS fully patched with ALL the latest WINDOWS security patches?? (not talking about your security suite)

Was your Java the latest version?

Always best to use a browser other than IE if you have any doubts about a site of any kind.

Also, if I may ask, which site was this, so we can avoid it?
 
Windows was fully updated.

I don't know when Java was last updated (maybe a few months ago?).

I've never really had too much of an issue with IE. I think this is the second time something like this has happened since having a computer ('99). Antivirus software has always caught the rest.

I don't know which site it was. I clicked through fairly quickly when I didn't see what I was looking for on the first two sites and the third got me. I believe I did a search on "blog lists" and it was on the first page of results. Anyone want to test them?
 
I'd suggest an Ubuntu CD. You'll be able to find and transfer everything to safety. Then you can re-install Windows and get it all patched up... (Or you could just install Ubuntu and never worry about this happening again.)
 
I've got some experience with this one. It literally just hides everything, you don't lose it. It can all be brought back. Or could have been unless you wiped the drive when you did the reinstall.
 
Where does it hide it? The "C" drive has been reformatted so that's done, but I'd like to know how to get the info back on "D".
 
That's a shame.

I'm seeing more and more Java exploits lately. NOD is catching them all, and keeping current on updates helps, but still . . . it only takes one to sneak through.
 
Originally Posted By: Toy4x4
Where does it hide it? The "C" drive has been reformatted so that's done, but I'd like to know how to get the info back on "D".


Yes, it hides the contents of your user profile. You have to take ownership of it and replace the permissions on it.
 
Originally Posted By: RedCorvette
I had the same malware hit my computer. It's a trick where they are trying to get you to buy a fix.

It hasn't actually deleted anything, it's just hidden everything.

Yep. It moves the start menu items around in this fashion:

http://www.bleepingcomputer.com/forums/topic401172.html
Quote:

This is a manual fix for XP users:

1. Copy the entire content of this folder:
C:\Documents and Settings\user_name\Local Settings\Temp\smtmp\1
and paste it to this folder:
C:\Documents and Settings\All Users\Start Menu

This is a manual fix for Vista/Windows 7 users:

1. Copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
and paste it to this folder:
C:\Program Data\Start Menu


Originally Posted By: Toy4x4
Windows was fully updated.

I don't know when Java was last updated (maybe a few months ago?).


And therein lies the problem.
Most of the malware getting on machines these days is in the form of Java exploits. The most "virulent" and recent threats target Java 6 update 28 or earlier. The current Java is 6.31. The Java exploits are dropping in bootkits. The bootkits hide in the MBR and load just after the BIOS queries the HDD when the machine powers on, hooking into one of the miniport drivers for the hard drive - this is all prior to the OS starting.

You didn't have to format and reinstall. I just fixed another one of these messes this afternoon for a friend.

Computer bluescreened at boot (XP). Booted the recovery console from CD and ran fixmbr and fixboot. (Vista/7 uses Bootrec.exe with fixboot and fixmbr switches).

Next step was booting Mint 12 and copying all the info from the user folders related to the desktop and start menu to a flash drive. Those files were then scanned on a separate machine to ensure a clean bill of health when copied back to the infected machine.

Then I booted in safe mode. Windows wanted to run a scandisk because of fixboot and fixmbr having been used. I then ran rkill and Malwarebytes. MWB stripped out 5 entries and wanted a reboot to clean up the rest. After MWB I ran Hitman Pro, which found 2 more entries and promptly deleted them.

The final step was to copy the files from the flash drive back into the appropriate directories to restore the start menu and desktop.

MSE has caught quite a few of these Java exploits hanging out in the Java cache on my machine within the last 2 months. However, I haven't been infected because I was running the latest Java, which was immune to the exploits.

I've fixed so many of these at this point that I've got a little "kit" in the form of a ziplock bag with an XP, Vista, and Win7 disc in it to run recovery console from. A Mint disc. 2 flash drives - one preloaded with MWB and the latest definitions, Avast and MSE (whichever the owner prefers I install if need be), rkill and HitmanPro. The other flash drive is for copying the desktop and start menu data from the hidden directories. It takes about 90 minutes to fix and most of that time is spent waiting for MWB and HitmanPro to finish their scans.

Moral of the story. Set Java for auto update and don't keep ignoring the little orange Java icon in the task bar that's screaming at you "HEY HEY! UPDATE ME PLEASE!!"
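As an added example that is not part of the thread, here is a PowerShell script that undoes the two effects the posts above describe: it copies the Start Menu items back out of %TEMP%\smtmp\1 (the manual fix quoted above) and clears the Hidden attribute on user files, which is how I read "it just hides everything" and the "empty" D: drive. The attribute reset, the default folders, the list of Windows system entries it skips and the -DryRun switch are this script's own assumptions, not steps from the thread.

```powershell
# Added example (not from the thread): undo the two effects the posts describe.
# 1) Start Menu shortcuts moved into %TEMP%\smtmp\1 (staging path from the thread).
# 2) User files flagged Hidden so folders "look empty" (assumption: that is the hiding).
# Assumes PowerShell 2+, run elevated after the malware itself has been removed.
param(
    [string]$Staging   = (Join-Path $env:TEMP 'smtmp\1'),
    # Real all-users Start Menu on Vista/7; the thread's "C:\Program Data\Start Menu" means this folder.
    [string]$StartMenu = (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'),
    # Roots to un-hide; pass 'D:\' for a data drive that reports space used but shows empty.
    [string[]]$Unhide  = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Documents"),
    [switch]$DryRun                      # report only, change nothing
)
# Items Windows itself keeps Hidden/System; never touch these.
$keep = @('desktop.ini', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini', 'thumbs.db',
          'AppData', 'Application Data', 'Local Settings', '$RECYCLE.BIN',
          'System Volume Information', 'pagefile.sys', 'hiberfil.sys')

function Restore-StartMenu {
    if (-not (Test-Path -LiteralPath $Staging)) { Write-Warning "No $Staging; nothing to restore"; return 0 }
    $n = 0
    foreach ($f in (Get-ChildItem -LiteralPath $Staging -Force -Recurse | Where-Object { -not $_.PSIsContainer })) {
        $rel  = $f.FullName.Substring($Staging.TrimEnd('\').Length + 1)   # path relative to smtmp\1
        $dest = Join-Path $StartMenu $rel
        Write-Host "restore  $rel"
        if (-not $DryRun) {
            New-Item -ItemType Directory -Force -Path (Split-Path -Parent $dest) | Out-Null
            Copy-Item -LiteralPath $f.FullName -Destination $dest -Force
        }
        $n++
    }
    return $n
}

function Clear-RogueHidden([string]$Root) {
    $n = 0
    $hidden = [IO.FileAttributes]::Hidden; $system = [IO.FileAttributes]::System
    foreach ($item in (Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue)) {
        if (($item.Attributes -band $hidden) -eq 0 -or $keep -contains $item.Name) { continue }
        Write-Host "unhide   $($item.FullName)"
        if (-not $DryRun) {
            # Clear only Hidden and System; ReadOnly, Archive etc. stay as they were.
            $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band -bnot [int]($hidden -bor $system))
        }
        $n++
    }
    return $n
}

"Start Menu items restored: $(Restore-StartMenu)"
foreach ($root in $Unhide) { "Un-hidden under ${root}: $(Clear-RogueHidden $root)" }
```

Run it once with -DryRun to review the list of items it would restore and un-hide before letting it change anything.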
 
Originally Posted By: Rand
Also make sure you update Java. There are a lot of drive-by exploits that will molest your computer unless it's updated.


How does one set Java to automatic updates? I do not have any Java icons in my control panel (XP) or start-up tray. Could it be that it is not installed???

Tom NJ
 