How I Got Hacked... And Why You MUST Have a Backup!

Category: Backup, Security

Last week I heard from a friend who thought she might have been infected by a virus. When she visited her own website, it was redirecting her to another web address. It sounded like a simple JavaScript redirect, so I assumed it would be safe to visit her site and see where the problem was. Turns out that was a BIG mistake! Find out what happened to my computer, and how I finally managed to recover from the damage...


Are You Vulnerable to Drive-By Malware?

Here's the executive summary: If your friend says "I think my website has a virus, and is redirecting to a Russian porn site" -- don't assume your anti-virus software and fully updated operating system will protect you when you go to have a look-see. I did, and it took me about 8 hours to clean up the damage. But there are some valuable lessons to be learned here, so I hope you'll read on.

I always knew there was a slight chance that I could get a virus, because of the "arms race" that exists between the Evil Hackers and the Good Guys who provide anti-virus software. A virus appears, the anti-virus folks add code to protect against it, and then the virus morphs -- sometimes automatically. It's a bit like weeds that become resistant to pesticides.

But I was convinced that all those "drive-by virus infection" scenarios only affected people who would click or download almost anything, those who failed to apply their Windows Update security patches, or those who ran expired anti-malware protection. It turns out I was wrong. There was a pretty nasty "drive-by" virus in one of the many popups that appeared after visiting the hacked website. My anti-virus program caught and quarantined one attack, but didn't fully protect me.

In the case of the hacked website I visited, there were some dormant WordPress installations on the same server that had unpatched vulnerabilities. Once the hackers got in there, they had access to everything on the server, and left their evil payload on the home page of my friend's website. I noticed the following after closing all the popups and restarting my browser:

- Google searches worked fine, but when I clicked on any of the hits presented by Google, it would redirect me to a Russian hacker site.
- It allowed me to download MBAM (Malwarebytes Anti-Malware), but after it ran for a few minutes, the task was killed.
- It allowed me to run Windows Defender, but it also was killed off quickly, and would not restart.
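A defender-side check the site owner could have run on a saved copy of the page, from a disposable VM as point 3 below advises, instead of opening it in a live browser. This is an added example, not code from the article: the sample HTML and host names are constructed, and it only flags static redirect patterns (obfuscated or dynamically loaded code still needs a sandboxed browser to observe).

```python
"""Static triage of a saved web page for injected redirect code (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class RedirectFinder(HTMLParser):
    """Collects meta-refresh tags, off-site iframes/scripts and inline JS redirects."""

    # Common ways page script sends the visitor elsewhere.
    JS_REDIRECT = re.compile(
        r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=|"
        r"location\.(?:replace|assign)\s*\(|"
        r"window\.open\s*\(",
        re.IGNORECASE,
    )

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()   # the site's legitimate hostname
        self.findings = []
        self._in_script = False

    def _offsite(self, url):
        host = urlparse(url).hostname
        return bool(host) and host.lower() != self.own_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", "")))
        elif tag in ("iframe", "script") and self._offsite(a.get("src", "")):
            self.findings.append(("offsite-" + tag, a["src"]))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data.
        if self._in_script and self.JS_REDIRECT.search(data):
            self.findings.append(("inline-js-redirect", data.strip()[:80]))


def find_redirects(html, own_host):
    """Return a list of (kind, detail) tuples for suspicious redirect code."""
    parser = RedirectFinder(own_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a normal page with a meta refresh and a script injected.
SAMPLE = """<html><head><title>My Blog</title>
<meta http-equiv="refresh" content="0;url=http://attacker.example/">
<script src="/wp-includes/js/jquery.js"></script></head>
<body><p>Welcome!</p>
<script>window.location.href="http://attacker.example/landing";</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in find_redirects(SAMPLE, "friends-site.example"):
        print(kind, detail)
```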

Let's Get This Mess Cleaned Up...

I decided to run a "full scan" with AVG, and that ran for about 45 minutes. But it ended with a Blue Screen of Death and an abrupt shutdown. Afterwards, I could not reboot my machine. I figured that either the Master Boot Record or my hard drive partition was hosed. Time to get out the power tools...

The XP install disc would not complete booting, so I couldn't load the recovery tools and run FIXBOOT or FIXMBR. My Bart PE recovery disk told me I didn't have a C: drive. My Acronis rescue disk couldn't find the C: drive, either, and gave me the impression that my backup image was corrupted. I considered taking out the hard drive and popping it into my external USB drive kit, so I could inspect the drive while connected to another computer. But my computer has two drives in a RAID configuration, so I didn't think that would work.

This was looking like a total loss. My last hope was the Gateway Recovery Disk that came with the machine, which formatted my hard drive and reloaded the factory image. It was like being in 2006 again. (Yes, I've had my primary "work" computer that long.) This at least allowed me to download and run my Acronis backup software (once I dug two license keys out of my old Gmail messages) and retry my attempt at loading the backup image, which was only a day old.

Fortunately, that worked, so it's back to the future, and all is well. But the ordeal cost me eight hours of white-knuckled anxiety. Here's what I learned and/or remembered as a result of this nightmarish ordeal, and how you can benefit:



  1. It really could happen to you. Even if you don't frequent the dark corners of the Internet, even if you're very careful where you click and what you download, you could get zapped by a virus that slips by your anti-malware defenses. And it could get ugly.

  2. No protection is 100 percent. If it happens to you, do you have a full-image backup? Preferably with incremental daily backups? It could save your bacon.

  3. Wear gloves. If you're going to visit a website that you suspect has been compromised, don't touch the wires without proper insulation. If I had fired up a virtual machine or a sandbox environment, the damage would have been contained and easily cleaned up with a few clicks.


Are you prepared for a total loss of your hard drive due to a virus, hardware failure or some other disaster? I encourage you to read my ebook Everything You Need to Know About BACKUPS, where you'll learn about backup strategies and how to get started on the road to protecting YOUR data.


Posted by on 17 Aug 2011


Most recent comments on "How I Got Hacked... And Why You MUST Have a Backup!"

(See all 33 comments for this article.)

Posted by:

steven
17 Aug 2011

I was wondering why you did not use ComboFix before you got locked out of Windows.

EDITOR'S NOTE: As I mentioned in the article, the virus was able to detect and shut down almost any anti-malware software. I even tried renaming the EXE files.


Posted by:

Pat
17 Aug 2011

You lost me on point No. 3. "Wear gloves" ... "don't touch the wires"... I don't understand that whole point.

EDITOR'S NOTE: The idea was to use a test environment, insulated from your everyday machine and files.


Posted by:

Lee McIntyre
18 Aug 2011

Holy Cow!

Thank you, Bob, for this eye-opening first-person true-life drama.

I've not done an image backup (I don't have an external drive with enough capacity), but I see it's time to spend the money for a 1 terabyte external drive and start taking care of myself.


Posted by:

billwald
18 Aug 2011

Hard drives are inexpensive. With an old-fashioned desktop job, put in a new hard drive and use it to wipe and format the old drive? Might be faster for a person with less system knowledge than you have.

It is not so easy with laptops. I think drive cases are available for laptop-sized drives. In either case, one should have backed up important addresses and whatever.


Posted by:

TheRube
18 Aug 2011


@foraminut . . . I have a 64-bit Windows 7 (Home Premium) computer and I use Sandboxie with ease. No Problem using this wonderful software!

TheRube


Posted by:

mommyto3babes
18 Aug 2011

I do not want to do a commercial here, but my husband found "Carbonite" and we use it, since we had a blue screen of death a few years ago. We got rid of the external hard drive and we pay an annual fee for Carbonite, peace of mind!


Posted by:

Bob Pegram
18 Aug 2011

Would using an antivirus/antispyware boot CD have helped? I use those a lot and clean up most machines enough to be able to boot and finish up. Rootkits are a pain, but after being able to boot up, ComboFix works. Have to uninstall anti-malware software first, then reinstall after running ComboFix. Kind of a nuisance, but gets things back to normal.

EDITOR'S NOTE: It would have, if my hard drive was recognized. Every boot CD I tried told me there was no C: drive present.


Posted by:

Ari
18 Aug 2011

Once again an eye-opening article. A few days ago I installed a free photo editing soft and later my Yahoo home page was changed to that photo software's website. I immediately uninstalled the soft, but when I checked the other browser, Firefox, its settings were changed too.

I ran antivirus soft, Norton tools, and I am back on track but do not know if something is left on the computer or not. This is a lesson for me. I should have a backup to avoid sudden problems.

I got a question and hope someone will clear it. What does image backup mean? If I do an image backup of my computer, will it consume a lot of disk space?
If the computer is not working, how come a recovery disk works?


Posted by:

deep
18 Aug 2011

Well, I am not sure about Windows Update. I am using Windows 7 Ultimate edition with updated AVG Internet Security. Win7 UAC selected on maximum level (I think MS made this for those dangerous applications which are not caught by antivirus) and also using an autorun blocker registry file. That's all protecting me for 2 years without formatting. I don't have an ext. HDD so I am saving the C drive's image to the D drive with Acronis for my laptop. Anyway, thank Bob for telling us about that kind of virus.


Posted by:

Danny
18 Aug 2011

I have the feeling that on my system that malware would have been easily blocked by either Ad Muncher, Comodo Firewall, or OpenDNS!!

Is there any way to test that?


Posted by:

Glenn P.
19 Aug 2011

Ouch!!! Wince!!! Shudder!!!

Praise be to God you had a recent backup!!!

(I don't do incrementals -- only a full image about every month or so; too little changes on our system to make that much difference. Works for us.) Interesting that you had to "go back to 2006" briefly -- any nostalgia there?     :)


Posted by:

john
19 Aug 2011

When I accidentally get on an iffy site with pop ups, I don't try to close the pop ups. I close my browser instead and if that doesn't work, I log off. Clicking anywhere on the pop ups, even to close them leads to trouble.


Posted by:

Clifford
28 Aug 2011

Interesting Bob and exactly what happened to me 8/21. I just lost my C: partition on a Seagate 1 TB 7200 32 MB. The D: partition was untouched. What I do remember was CHKDSK running after turning on PC and basically stating many clusters were bad. After that -poof-.

Ran the Emergency Repair Disk. Did the bootrec/fixmbr and other functions. Created a new partition and set up shop there. The C: drive never showed up.

A friend in a federal agency runs the data recovery shop and wants to see the disk. Will advise what he finds. FWIW, had paid AVG running.


Posted by:

Corey Church
02 Sep 2011

Question: Would Firefox using NoScript have prevented the drive-by downloads? I'm ultra paranoid: I use Malwarebytes Pro and NOD32 Antivirus real-time. That combo seems to work without any slowdowns.
NoScript is a pain as you need to allow certain sites to use JavaScript, but the protection outweighs the hassle.
GREAT article, as computer security is a hobby of mine.


Posted by:

Alyssa Bereznak
02 Sep 2011

Hey Bob, I'm sure you're not going to post this, but maybe if you're not smart enough to check it out in a virtual machine, 1) You shouldn't have a tech blog 2) You shouldn't be blogging about a dumb mistake in which you got what you deserved.

EDITOR'S NOTE: Alyssa, we all make mistakes. As for my smarts, I'll let my body of writing speak for itself, and others can decide. As for blogging about my mistake, I think there is great value in telling people what happened to me, so they can avoid the same problem. Please feel free to tell others how stupid I was! :-)


Posted by:

Terry
03 Sep 2011

Did you consider running "Microsoft Standalone System Sweeper Beta"? It has helped me with some hard-to-remove items.

A couple of things you might want to do are to make a backup of your Boot Sector and Partition Table. These need to be kept on read-only media, not on your HD.

You might want to really take a look at why you use RAID. It has caused me more trouble than it is worth. HDs are so cheap now, just double up on them.

When you hover over a link, it is displayed in the lower left line of most browsers or mail managers. You should get in the habit of looking there before clicking. You will soon get used to rethinking whether you should click. If in doubt, just sandbox your browser, and yes, NoScript is a pain, but worth it.

Last, you do not have a backup unless you have three copies, on two different media, and stored in two separate locations.


Posted by:

James
03 Sep 2011

On a typical machine, an antivirus/antispyware boot CD would usually do the trick to allow you to get rid of the main infection so that the system could be booted and run ComboFix (which, by the way, I always run in safe mode), but the author's system would not recognize drive C using one of these boot disks. That is because he has his system set in a RAID configuration, and these boot disks do not load the RAID drivers. BartPE might have worked for him had he loaded the RAID drivers when Bart asked. Also, some systems use AHCI for the SATA drives, and unless these drivers are loaded, boot CDs will not recognize their drive C either.

EDITOR'S NOTE: Good point about the RAID drivers. RAID adds a layer of complexity that's just not necessary for consumer-level computers like mine. Gateway gave me two 250GB drives and put them in a RAID config to make it look like a single 500GB drive. I've never used more than 80GB, so that wasn't the best option for me.


Posted by:

Terry
05 Sep 2011

Try downloading Hiren's (14.1 latest ver). Run the utility at power on from the DVD drive or a flash drive. Sort out the problem b/f loading Windows, if you can. Great HDD scanware and MBR repair utilities amongst many other progs. Remember: back up regularly!


Posted by:

Bob Greene
18 Sep 2011


Thank you for this lesson about a typical drive-by infection-- currently one of the most damaging attacks possible, and increasingly prevalent. By now, most people have had first-hand contact with this type of virus, or know somebody who has.

As a computer support staffer, I can attest that everyone from physicians to PhDs has been hit, and they remain vulnerable even afterward. No matter how careful or professional the user, and no matter what real-time ("shield") protection is installed, this is malware written by professional criminals with world-class expertise, and very hard to defeat-- let alone prevent.

So, contrary to reader Alyssa (who keeps her pantaloons entirely too tight for her own good), there is little that can be done beyond running high-quality anti-malware real-time protection and hoping to avoid accidentally starting a malware installation.

Since this kind of malware is often made by professional coders for organized crime, it is sometimes called "extortionware". Typically, after extortionware comes on board, it displays a series of bogus messages claiming detection of infection. Next, the malware solicits a "repair" operation, and sends an endless stream of obtrusive reminders every minute. Eventually, all the messages take a toll on the user's composure, who may relent and click on a message panel in an attempt to remove the plague. Of course, that desperate measure does not work.

And now, the trap has been sprung. As the infected machine progressively loses its functions-- no anti-virus scans, no internet, and sometimes not even email-- the user is told the computer can be cleaned for a certain amount of money. The user is given no guarantees, but on offering the criminals a credit card number, the system may visibly improve. Unfortunately, from all field experience, the malware itself is not removed. Worse, the criminals have their objective, and quickly put the victim's credit card number on the black market.

Extortionware is always under rapid development to defeat commercial anti-malware protection, so users must make sure they use the very latest version of protection, and keep it updated daily.

For those users lucky enough to detect the symptoms of an infection-in-process, escape is sometimes possible. Extortionware is like a "booby trap"-- it needs a triggering action like a mouse click, the ENTER key or another key to install itself and do damage. Left alone, this type of malware can do nothing except display messages.

So, the remedy for malware can be simple-- when a message displays, ignore it and shut down the computer immediately. Above all, DO NOT CLICK on the message-- not even to close the message box, and no matter how authentic the message might seem.

Again, no damage can occur unless the user starts installation by clicking on the screen area and/or pressing a keyboard key to start installation of the malware payload to the hard drive.

To shut down, go to START, click on TURN OFF COMPUTER, and wait for normal shutdown. If shutdown does not occur after about two minutes, press in and hold in the computer's POWER button until the computer turns off. After two minutes, simply restart the system normally, and the offending messages no longer should be visible.

Since extortionware is only a variant of this malware class, and new versions are constantly developed, behavior and results may vary.


Posted by:

RocketWolf
01 Oct 2011

Great article Bob, although I just removed two adspy viruses from a customer's computer that came from the Uniblue registry booster, so you may want to reconsider them as a sponsor here.

I was just curious if you had a Mac or a Linux/Unix machine running Ubuntu or Red Hat? That is how I would have visited your friend's website.

Whenever I get a complaint about a suspected virus attack or suspicious problem complaints, I just use one of my two computer Bulldogs, the Mac or the Linux PC, because you are 100% correct, there is no virus protection that is 100% accurate.

As for anyone confused about the mystery of my comment, 99.9999999% of all known viruses are written for a Windows machine and can't infect a Mac or Linux/Unix operating system.



Article information: AskBobRankin -- How I Got Hacked... And Why You MUST Have a Backup! (Posted: 17 Aug 2011)
Source: http://askbobrankin.com/how_i_got_hacked_and_why_you_must_have_a_backup.html