Our home computer got infected even though it was protected with K9 and a good firewall

Discussion in 'Windows - Virus and spyware problems' started by Mez, Oct 17, 2013.

  1. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I will be rounding up flash drives and scanning them to make sure that wasn't the infection route. I suspect a drive-by attack on the IP address instead of a web attack. Well, this was the longest the computer has remained clean in years.

    I will not fool with it for a while. I have a few low end computers sitting around collecting dust. Actually the replacement is a better computer than the infected one. I had been on part of that govt furlough except I will not get back pay. I cleaned up and/or fixed a few computers so I have a line up. I may scan the infected C: drive when I get a chance; maybe I will find something.
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hi Mez, sorry you got infected

    Run OTL when you can and I'll help you get it Clean!!


    --OTL--

    Please download OTL by OldTimer to your Desktop.

    If you already have a copy of OTL, delete it and use this version.

    Double click OTL.exe to launch the program.

    Check the following.
    Scan all users.
    Standard Output.
    Lop check.
    Purity check.
    Under Extra Registry section, select Use SafeList
    Click the Run Scan button and wait for the scan to finish (usually about 10-15 mins).

    When finished it will produce two logs.
    OTL.txt (open on your desktop).
    Extras.txt (minimized in your taskbar)

    Please post me both logs


    2oG
     
  3. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    It is good to know about OTL.

    I have resorted to having several computers for the family computer. There is nothing of value on the infected one but I will keep it in quarantine till I get around to doing a postmortem mostly to see what got it than fixing them. I fix them by re-imaging. I will delay the re-image just in case someone saved something that they want. My wife uses a flash drive for her stuff. The kid still at home does the same.

    When I get around to it I will follow your instructions but it might take a month or so. Even if the new one gets infected there are more spares but that will push the timetable up.

    The sh1t hit the fan when I did something as the admin and applied an update from the tool bar. I guess the update was from a hacker.

    Thanks for the reply.
     
    Last edited: Oct 17, 2013
  4. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Yeah, I suggested OTL because it doesn't fix anything on its own and we can find out what and how you got infected so you are able to block the next one that comes along. :)

    2oG
     
  5. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I concur. It will come again... I will be out of town for the next 2 weekends that will have me backed up for a while. Plus I am getting pretty lazy I like to relax on the weekends. As long as this computer doesn't get infected I am good.

    OTL used to be very effective I will be interested to see how the new sophisticated version works.
     
  6. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    I spent 6 months learning how to use it back in '09. I have been brushing up on it and there are not really many changes from the original. The best program for cleaning a computer around IMHO. There are some new ones that do a lot of pre cleaning before using it that makes it a lot easier though. like AdwCleaner, JRT and RogueKiller.
     
  7. nickeyboy

    nickeyboy Newbie

    Joined:
    Dec 23, 2013
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Oh I am sorry to hear that... It is really not common to meet a situation like this. I usually will skip the "scan" process and jump directly into the "re-install" part.. I thought it would be time saving for me. And usually I will keep a backup of my current data by using backup software like partition clone before I do the disk wipe-out.. And sometimes amazingly I found out that the system works with no problem after I restored the backups ... Don't know why.
     
  8. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I was only going to scan the flash drives to make sure they were not the problem, which they were not. This was only being thorough. The infection may have been a drive by. The AV disables the autorun so it is unlikely they were the problem in the first place. I do not know how you would "re-install" a flash drive. I do not use software on them.

    I have several 'clean' computers just waiting for use. They are alternatives for the family computer. I have given up on trying to prevent infections. All data on the family computer is considered disposable. Homework is saved to a flash drive. I keep the infected computer in quarantine for a month or so just in case someone left something on the computer. Then I re-image the C: drive.

    That computer is not considered secure so no web transactions can take place on it.
     
  9. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    Hey Mez,
    Long time no hear, hope you're having a Merry Christmas.

    You don't need to re-install flash drives.. Just run the following program to block Autoruns:

    Download Flash_Disinfector.exe by sUBs and save it to your desktop.
    • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
    • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
    • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
    • Wait until it has finished scanning and then exit the program.
    • Reboot your computer when done.

    Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

    2oG
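The "hidden folder named autorun.inf" trick described above works because a directory and a file cannot share a name in the same folder, so malware that tries to drop an autorun.inf file at the drive root fails. The following is an added illustration (my own code, not Flash_Disinfector by sUBs and not anything posted in this thread): it classifies what sits at a drive root, lists the directives in an existing autorun.inf that would launch a program on insertion, and installs the protective folder only when nothing is there yet. The sample autorun.inf body and the temporary "drive" are constructed for the demo; real use would pass a mounted removable drive's root, and this example does not set the hidden/system attributes the real tool applies.

```python
"""Inspect a drive root for autorun.inf and optionally install a protective folder.
Added example, not the tool discussed in the thread."""
import os
import tempfile

# Keys under [autorun] that cause something to execute when the drive is inserted.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample mimicking the shape of a worm-style autorun.inf (not a real sample).
SAMPLE_INF = r"""[autorun]
; constructed example body
icon=disk.ico
open=RECYCLER\setup.exe
shellexecute=RECYCLER\setup.exe
shell\open\command=RECYCLER\setup.exe
"""


def classify_autorun(drive_root):
    """Return 'absent', 'protective-folder' or 'file' for <drive_root>/autorun.inf."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.lexists(path):
        return "absent"
    if os.path.isdir(path):
        return "protective-folder"
    return "file"


def find_exec_directives(inf_text):
    """Return (key, value) pairs from an autorun.inf body that would launch a program.

    Handles the INI-like layout by hand because real samples often contain junk
    lines that a strict INI parser would reject.
    """
    hits = []
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        # shell\<verb>\command=... is the third way to launch something
        if k in EXEC_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            hits.append((k, value))
    return hits


def install_protective_folder(drive_root):
    """Create an empty autorun.inf directory so a file of that name cannot be written.

    Returns True when the folder is in place afterwards. Refuses to touch an
    existing autorun.inf *file*: that should be inspected, not silently replaced.
    """
    path = os.path.join(drive_root, "autorun.inf")
    if os.path.isdir(path):
        return True
    if os.path.lexists(path):
        return False
    os.mkdir(path)
    return True


def build_sample_drive(with_inf_file):
    """Constructed stand-in for a removable drive root (a temporary directory)."""
    root = tempfile.mkdtemp(prefix="fakeusb_")
    if with_inf_file:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_INF)
    return root


if __name__ == "__main__":
    clean = build_sample_drive(with_inf_file=False)
    print(clean, classify_autorun(clean))
    install_protective_folder(clean)
    print(clean, classify_autorun(clean))

    infected = build_sample_drive(with_inf_file=True)
    print(infected, classify_autorun(infected))
    with open(os.path.join(infected, "autorun.inf")) as fh:
        for key, value in find_exec_directives(fh.read()):
            print("  would run:", key, "=", value)
```

Note that Microsoft disabled AutoRun for non-optical removable media on supported Windows versions in 2011 (KB971029), so on a patched machine the folder is belt-and-braces; the directive listing is still useful as a quick check of what a stray autorun.inf was trying to do.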
     
  10. xboxdvl2

    xboxdvl2 Regular member

    Joined:
    Dec 21, 2005
    Messages:
    1,174
    Likes Received:
    7
    Trophy Points:
    48
    I have actually asked people with more computer knowledge than me about viruses and such. They say it doesn't matter how secure your computer is; you go online and you will get infected eventually and you will have to run scans and clear it.


    The ignorant ones with their heads stuck up their bums annoy me. Use a USB drive on their computer (a recently scanned USB drive) and the virus scanner pops up straight away (when you go to copy a file to the USB) detecting stuff, and they deny their computer is infected and blame you. They are in denial until they get fully hijacked & have to pay someone to fix the computer; even then they don't tell anyone and deny it ever happened.
     
  11. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    Thanks 2old!

    There wasn't anything wrong with the flash drives. I was just having fun. There isn't any software on my flash drives so there is nothing to install.

    I had a great and busy Xmas. All the kids were home. I do not know how many more of those we will continue to have.

    Yes xbox, that is a real problem! My experience with botnets is after you clean your computer they try to breach your firewall the second you plug the cable into your computer. I learned that before I learned to stealth my ports but after I learned to get a firewall that would block all incoming traffic. The setting would let you decide to let the connection in. It only took a few of those to realize nothing that comes from the outside is wanted.

    Anyway, all the security software needs to be installed after you connect to the internet. I feel fortunate that I have old versions of the software I can get up and running before I connect. Then I can install a newer copy. I suspect the 'hive' wants to either give you a to-do list or reacquire your computer if it 'strayed'. With modern security, that might be 100% effective.

    Our biggest problem is the white hats get dumber and dumber while the black hats get smarter and smarter.

    BTW, this computer doesn't get infected even once a year and I do not have K9 on this one. I browse sandboxed with Sandboxie and end the session by dumping the sandbox. I like it because it is simple and I can inspect the sandbox before I dump it. I am getting fat and lazy because this one hasn't been infected for maybe 14 months. Things died down after I did some research then reconfigured my firewall. I have these lulls, then the black hats will learn some new tricks. Then I have to adjust.
     
  12. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    With a software firewall, ports are stealth but the front door is open. The WAN connection, port 80 is always open to the real world of scanners. Use a Router with SPI firewall to close that door and nothing can initiate a connection with your LAN unless you request it..

    Router is my first line of defense then K-9, MBAM Pro., Avast and others....

    Glad you had a merry Christmas, we did also.
     
  13. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I believe my router has an SPI firewall.

    Thanks - I did not know that 80, the 'browsing port', stays open but that does make sense.
     
  14. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    80 is open as long as you are on an internet connection. The router SPI keeps intruders out unless they are on the invited list. lol
     
  15. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    That is why you need to block fragmented traffic for your personal firewall. Hackers know how to forge an invite as a delayed fragment. I have not needed to re-image c: since I stopped taking in strays. I am not naive enough to believe this will last for much longer.
     
  16. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    That is why I have a heavy layered protection regiment.

    Router w/ SPI firewall
    Open DNS
    Firefox w/ Adblock Edge and WOT extensions
    K-9
    MBAM Pro
    Avast 9

    If anything ever falls through that, I have a restore point and Reg backup set each day before I go on line. Also have an Acronis Image, scheduled daily. Have never had anything make it through the gauntlet unless I let it in so I could play with it. LOL
     
  17. Mez

    Mez Active member

    Joined:
    Aug 12, 2005
    Messages:
    2,895
    Likes Received:
    9
    Trophy Points:
    68
    I have a closed DNS where I can only use Comodo DNS. Similar but maybe not as good as OpenDNS. I say this because I was duped into going to a fake Adobe Reader site and maybe OpenDNS would have caught the error as a misspelling.

    What is the WOT extension? I could look it up but posting it here will be more educational for others.

    Our family computer is configured close to yours thanks to your preachings. This computer is less protected but I browse in a Sandboxie sandbox which is always emptied at the close of the browsing session. A bit of discipline goes a long way.
     
  18. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
    WOT = Web of Trust
    When you search it will place a Green, Yellow or Red light next to your findings to indicate Go, Caution or STOP, based on reputation. It will block the sites with a bad rep but you can override it if you choose. Sometimes I override but with extreme caution.

    I also use Startpage HTTPS for searches.. The most private and safe search engine available.

    p.s. I just wanted to add.. If I override a Red site and it's really bad, K-9, MBAM or OpenDNS will block it for good.. lol
     
    Last edited: Jan 1, 2014
