Join 3,512 readers in helping fund MetaFilter (Hide)


NoScript failed me and left: what do I do now?
November 26, 2010 10:06 AM   Subscribe

How paranoid should I be about my Windows XP Pro machine after hitting a dodgy site with Firefox 3.6, scanning with Microsoft Security Essentials, updating NoScript, scanning with MSE again, and finally using Windows to restore to yesterday's restore point, about 18 hours before hitting that site? Firefox is now missing NoScript completely, but it's been installed for weeks and surely should have been here yesterday morning. Has there been a known issue with NoScript, or am I just a special (and dim) snowflake?

I usually have my copy of Firefox running for a day or 2 before I close and restart (one or more windows, many tabs). I update NoScript when prompted, but as I do keep FF running for days sometimes, I may not always update as promptly as I should.

I followed a link on a Google search very early this morning and wound up at a site that claimed I was at risk for malware, and even popped up a JavaScript alert with a confusing OK/Cancel choice. I don't know how the alert managed to work in the first place as NoScript was running. I know I was changing some permissions for other sites earlier, but I am just about 100% certain I didn't disable the add-on or allow all sites globally because NoScript generally makes a big fuss about that.

I wasn't sure what the alert would really do, and finally used the control panel to force a close of FF. (Dumb.) When I restarted, I got what looked like the usual prompt to update NoScript, which I accepted immediately. (Dumber) This could have just been a scheduled update that I missed, but the timing seems odd. Firefox then appeared as a tiny window in the middle of the screen, and when I enlarged it, I had all my original tabs and that damn page was running again. I finally hit the Cancel button on the alert, then closed Firefox completely.

The first MSE quick scan showed nothing. I tried going to istockphoto, but misstyped it as isockphoo dot com and wound up at a site that looked like the photo site but had a long, complex and completely untrustworthy-looking URL. I backed out immediately. Again, it could have just been a coincidence. but after that fake malware warning, I was totally paranoid.

I ran MSE again as a quick scan (nothing), I backed up my data, and I restored to Thursday morning with Windows Restore. But when I started FF this morning, a trusted site was full of ads, and I saw that NoScript had been completely uninstalled.

So:

1) Should restoring to yesterday morning's restore point have completely wiped out any malware that may have gotten to my machine any time between Thursday morning and now?

2) Has anyone else seen NoScript just disappear like that after a restore following an attack, or under any circumstances, really? (It may be possible it was removed after the attack and I just didn't notice right away. I can't positively say I saw NoScript in place before the restore.)

3) In addition to running MSE as a full scan now, are there any other trusted malware scanners I should try?

4) Or should I just nuke from orbit?

5) Should I ever trust NoScript again?

(Looking at my history, I can see the Google searches leading up to the attack, and the isockphoo visit shortly afterwards (URL starting with trellian.com), but I can't see an URL that seems to match the time I hit the bad site. I see the Google search at 4:22, then the NoScript site visit after the update at 4:28, but nothing in between. I guess that was an immediate attempt to cover its tracks.)
posted by The True Wheel to Computers & Internet (14 answers total)
 
For what it's worth as a tiny bit of reassurance.. I'm not on windows, but I had a noscript update on two of my machines this morning. So maybe that bit was real, and something about the update just borked the existing install?

You should be able to check when they pushed their updates for windows somewhere. But I've no idea where exactly.
posted by Ahab at 10:19 AM on November 26, 2010


I've been using AVG (the free version) for a long time and have been very happy with it. On the rare occasions when I feel like I might have been compromised, I'll use Malwarebytes (at the computer place I used to work for, we caught and cleaned up a lot of stuff with this), and Spybot Search & Destroy. There's also HijackThis, BUT that doesn't tell you what's good or bad, it just tells you what's running and you need to either be able to recognize bad registry entries, etc., or know someone who can interpret the results for you.

I have also been using NoScript for a long time and have never heard of anything that was able to uninstall it. I know you said you're just about 100% certain, but is it really completely uninstalled and not just disabled?
posted by Gator at 10:21 AM on November 26, 2010


I can see on NoScript's changelog that the last update was 2.0.7, but I don't see a date and time.

It's completely uninstalled: I checked the Add-Ons panel right away and it wasn't listed there.
posted by The True Wheel at 10:26 AM on November 26, 2010


Huh. Are you using a different FF profile than the one you were using before, an older one (or a brand new one) in which NoScript was never installed? Info on managing profiles here.
posted by Gator at 10:41 AM on November 26, 2010


Thanks for the links. I can confirm that I have only a single default profile.

I've never heard of an update completely uninstalling NoScript, either, so even though I can't remember disabling, uninstalling or allowing global permissions in NoScript before I hit the site, that seems to be the only way that JavaScript could have run on the site and, possibly, killed NoScript. Or perhaps accepting a NoScript update while JS was running on the attack site was enough to kill it.

I guess my main question is: how much can I trust my machine now? I will try to scan with the advised software, but as much of a pain as reinstalling is, the nuke from orbit plan is looking better. I don't think I can buy from Amazon or do online banking while I feel this insecure about my computer in its current state.
posted by The True Wheel at 10:50 AM on November 26, 2010


You can boot to Linux and run ClamAV (clamscan).

There's a LiveCD just for this:

http://www.volatileminds.net/opendiagnostics/index.php/OpenDiagnostics_Live_CD
posted by stovenator at 12:14 PM on November 26, 2010


Looking around, I did notice that last year, the guy who created NoScript posted on his blog about an issue some people had with NoScript seemingly disappearing. Apparently the solution (at that time) was to uninstall the .NET Framework Assistant and fix the possibly corrupted FF extension files. Maybe that's all that happened here, the extension was corrupted?

As far as nuking from orbit, I would consider that to be an extreme last resort to be used only after all other things have been exhausted, but I am not you and your threshold for broken trust may be lower.
posted by Gator at 12:49 PM on November 26, 2010


Thanks for digging, Gator. I have a pile of .NET cruft installed, but just the 1.1 to 3.5 Frameworks and Service packs, no Assistant. His problem seemed to arise immediately after a Windows update, but maybe a similar weakness in NS made it vulnerable in the situation I described (installing an update while under attack).

But I tried reinstalling NoScript and it came back fine, even remembering my previous settings, and I'll try some additional malware scans (MSE full scan came back absolutely clean). I still really don't like that a JS alert showed up at that site even with NS running, so I'm still not sure which way I'll jump after the next set of scans. Everything is running smoothly, no signs of browser hijacking, but still, I'm giving this look to my computer right now. Thanks!
posted by The True Wheel at 1:47 PM on November 26, 2010


I get those pop up alerts all the time on a couple sites I use for work. I thought they were a No Script feature? Applies you to toggle between clicks and has a very confusing OK button?
posted by fshgrl at 1:55 PM on November 26, 2010


What, exactly, does your pop-up say? I think I've gotten pop-ups from NoScript before, but they usually say something like "NoScript detected badness. GTFO".

In this case:

1) The site showed a big, scary animation "counting down" the seconds before some nasty malware got on my computer.
2) The alert said I'd have to click OK to be safe, and that clicking cancel would expose me to danger.
3) The URL isn't showing up in my history.

So this was a strange site I'd never been to before that tried to scare me into clicking OK on a JS pop-up that didn't say it was from NoScript. My mild mannered computer seems fine now, but even though I never clicked OK on the alert, it did get by NoScript, then something uninstalled NoScript and my browser history has a gap. Thus my concern.
posted by The True Wheel at 2:07 PM on November 26, 2010


And an Adobe pop-up just warned me that the HTML file I use on my desktop as a Firefox home page is trying to run some Flash at gigya.com. Cancelled out, but there's a big scan or a nuking imminent.
posted by The True Wheel at 2:37 PM on November 26, 2010


I don't have much faith in system restore. I'd try scanning with a few other free malware scanners: malwarebytes, superantispyware, eset online scanner, rootkit revealer
posted by DarkForest at 2:49 PM on November 26, 2010


The True Wheel, I am unclear. Why would you "nuke" your machine?

Unless you are:
-doing super-high security work;
-doing incredible amounts of banking and finance tasking;
-doing extra-legal things;
-or have no reason not to erase your machine,

...then I don't understand. Being so concerned about spyware oddens me out. Perhaps your work is of a nature where your concern is so heightened. But instead of wiping machines, I regularly repair machines using a combination of tools. Wiping machines could be an irretrievable loss of data and software for some.

Primarily, I use superantispyware with malwarebytes on stand-by. I used to use AVG for anti-virus, but most of the time I use Microsoft Security Essentials. Run Malwarebytes full-scan in Safe Mode. (That should take hours, even up to half a day or thereabouts.) I supplement these three with ccleaner.

When there are bigger problems, I use clamav (as stovenator recommends).

What more, I use HijackThis and post the log or review it automatically here. Beyond this, here's the hardcore thorough technique here.

There are some basic things to check and correct with internet connections. This video is strong with insight and instruction to that end.

And of course running chkdsk at boot-up using chckdsk /f from a command window is a winner. And running repair install from your Windows install disk is really good. (Make certain it is the correct version of Windows. Home for Home, Professional for Professional. Service Packs are sort of irrelevant; you can always update.)

Lastly, I have taken to running AVG PC Tune-up. It is somewhat pricey (annual fee) but first time use is free for 24-hours. I uncheck the defrag feature because I use Defraggler for defragging.

And a great place to get many of these is ninite.com, which is really a god-send. If you DO use Flash or Java, be sure and keep them updated.

I appreciate your seriousness and it's possible it is for good reason. However, if it is your reaction is tuned high, following these instructions is fun and pretty much always work and to my knowledge .
posted by Mike Mongo at 12:20 AM on November 27, 2010


Reporting back after a successful nuking. I really appreciate the detailed advice on using non-destructive tools to diagnose and fix malware (thus the best answers), but I went for a full formatting and clean install because:

1) I just reinstalled a couple of weeks ago after a hard drive failure, so the process was pretty fresh in my mind and didn't take very long at all. I had Windows running happily with all patches and drivers within a couple of hours, and adding applications took a little more time. I'm going to image my install now, too, so the next time I have to wipe and replace should be even faster and easier. (All my data is kept on separate drives and backed up redundantly).

2) This is both my work machine, with some important client info on it, and the personal machine I use for online banking and some purchasing. My "incredible" amounts of banking = "any amount" of banking.

Tracking down malware and similar varmints looks like a lot of fun as a puzzle and an intellectual challenge, but I have to balance that against my need to use my computer immediately with a high level of confidence in its security. I'm going to add some malware tools as added protection at runtime (as NoScript and MSE alone let this little bastard slip by), but when it comes to recovering my machine, it's sea of glass time, fast and easy.
posted by The True Wheel at 7:38 PM on November 28, 2010 [1 favorite]


« Older What are some organizations in...   |  I need book suggestions for an... Newer »
This thread is closed to new comments.