Some unanswered questions I have; post experience
3 replies to this topic

#1 vanillagod (Members, 2 posts)

Posted 18 December 2011 - 07:07 PM

Recently my work laptop fell victim to the rogue scareware SystemFix, completely out of the blue while working at home. Having sorted it out via a tutorial here and looking further into prevention methods and possible reasons (props and thanks to contributing members/authors), I have some unanswered questions about how I fell victim to it.
Looking at the Malwarebytes log (supplied below) of the scan that cleaned it off my system and connecting possible related dots together from knowledge gained here, I suspect that I could've fallen victim to a Java exploit through my browser (current at time of posting, Firefox 8). This being said, in the clean-up of the aftermath, I realized my Java was outdated at version 6, update 27 (current being update 30); partially my fault, as Java update did not work properly and I let it go by the wayside considering this was not my own computer.

Would this theory of mine be plausible? Any comments and insight would be appreciated.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8390

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

12/17/2011 6:13:36 PM
mbam-log-2011-12-17 (18-13-36).txt

Scan type: Quick scan
Objects scanned: 176771
Time elapsed: 2 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rLNROuKwEHaS.exe (Rogue.SystemFix) -> Value: rLNROuKwEHaS.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\rlnroukwehas.exe (Rogue.SystemFix) -> Quarantined and deleted successfully.
c:\programdata\mekofjivwzrwpo.exe (Rogue.SystemFix) -> Quarantined and deleted successfully.


#2 quietman7 (Bleepin' Janitor, Global Moderator, 51,602 posts, Virginia, USA)

Posted 18 December 2011 - 11:17 PM

System Fix is a fake computer analysis and optimization program from the FakeHDD family of rogues.

Rogue security programs are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy an application which claims to remove malware. They typically use bogus warning messages and alerts to indicate that your computer is infected with spyware or has critical errors as a scare tactic to goad you into downloading a malicious security application to fix it. The alerts can mimic system messages so they appear as if they are generated by the Windows Operating System.

Rogue antispyware programs are responsible for launching unwanted pop ups, browser redirects and downloading other malicious files so the extent of the infection can vary to include backdoor Trojans, Botnets, IRCBots and rootkits which compromise the computer and make the infection more difficult to remove. For more specific information on how these types of rogue programs and infections install themselves, read:
IMPORTANT NOTE: Your Malwarebytes Anti-Malware log indicates you performed your scan in safe mode. Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. Why? Malwarebytes is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, Malwarebytes loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of Malwarebytes. Doing a safe mode scan should only be done when a regular mode scan fails or you cannot boot up normally. If that is the case, after completing a safe mode scan, reboot normally, update the database definitions through the program's interface (preferable method) and try rescanning again.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 vanillagod (Topic Starter, Members, 2 posts)

Posted 19 December 2011 - 02:20 AM

Thanks for the reply. I have already done all of those and the details are within my knowledge (you might want to update your links, though, as the majority of them have since changed since you originally created that response), including rescanning with Malwarebytes in normal mode; I was forced to scan in safe mode as System Fix encumbered my system to an unstable crawl. For the record, my system is now up to date and thoroughly inspected.

What puzzled me primarily about this experience was that I did not get any ads or pop-ups regarding this fake system "fixer", and I have no recollection of clicking anything or of anybody else using my work-issued computer; as I mentioned, this infection came completely out of the blue, and I have Adblock Plus installed on my computer, which would prevent these ads from showing up in the first place. I did manage to get a preemptive notice of its presence on my system and was able to prevent the following onslaught of further infection by having NOD32 warn me of this malware, under the cover of a suspicious executable that tried to access the internet before it launched entirely on my system.

#4 quietman7 (Bleepin' Janitor, Global Moderator, 51,602 posts, Virginia, USA)

Posted 19 December 2011 - 11:26 AM

I fixed those links. Thanks for letting me know.