JS/blacoleRef.Q Trojan
December 31, 2011 9:40 AM

My computer was just infected with the JS/blacoleRef.Q trojan. Microsoft Security Essentials was able to flag and quarantine the infection and allow me to download and install the latest malware definitions (mpam-fe.exe), disconnect from the web and do a full system scan. Another computer was used to go online and research JS/blacoleRef.Q. This trojan was described as not being removable by (most?) anti-virus programs. The registry changes that were expected from this infection were not present. A change in a quarantined Firefox file located in my Application Data folder had been removed. This system was infected when I clicked on a photograph while doing a Google Image search for plumbing fittings. How can I find out if this trojan is still present and active in my system? How, if it is still active in the system, can it be removed? I am very uncomfortable about making changes in my registry. I am also uncomfortable with making random selections of malware removal tools on the web. Help!
posted by Raybun to Computers & Internet (8 answers total) 6 users marked this as a favorite
 
Check out deezil's profile for a detailed explanation of what you need to do.
posted by dfriedman at 9:55 AM on December 31, 2011


I am very uncomfortable about making changes in my registry. I am also uncomfortable with making random selections of malware removal tools on the web.

Unless you have a backup or wipe the hard drive, there's no good way to be sure that some remnant of the malware isn't in your OS or system registry (even) after running removal tools. If you have a full backup, recovering from that backup will help get you back to where you were before the infection.
posted by Blazecock Pileon at 10:18 AM on December 31, 2011


I have always had great success in dealing with friends' and families' machines with Hitman Pro (http://www.surfright.nl/en).

Just a data point for you.
posted by Morsey at 10:26 AM on December 31, 2011


You may want to try a combination of GMER and OTL to help detect any rootkit-like anomalies within your system.

One thing to keep in mind is that blacole is not the payload, but rather the exploit kit from which rootkits, trojans, and other types of malware are delivered. Since Alureon/TDSS is a common payload, try TDSSKiller (go under options and check the boxes for file system detection and unsigned drivers, which will pick up on and remove other similar rootkits; most unsigned drivers should be safe to remove, but create a restore point, or quarantine first if unsure).

At worst, you would have a banking trojan (Zeus, SpyEye, etc.). It's likely the above tools will assist in detection. Another tool that looks for most common banking trojans is debank. It is also possible your antivirus stopped blacole before it was able to deliver a payload (the exploit kit relies on you having unpatched software for it to be successful).

If you're unsure whether your system is kept up to date, try a program called Secunia PSI which is a free security tool. Also consider reducing your rights if you're on Windows 7 (instructions in my profile if interested).
posted by samsara at 10:46 AM on December 31, 2011 [1 favorite]
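The "unsigned drivers" check that samsara mentions can be approximated by hand so you can see what such a tool is looking at before letting it delete anything. The script below is an added example, not part of this thread or of TDSSKiller: it lists the kernel-mode drivers Windows knows about, resolves each one's on-disk image, and reports those whose Authenticode signature does not verify. It assumes an elevated Windows PowerShell prompt (Get-WmiObject is used so it also works on the PowerShell 2.0 that shipped with Windows 7), and the function name is my own.

```powershell
# Added example (not from the thread): report kernel drivers whose
# Authenticode signature does not verify. Review-only; nothing is removed.
function Get-UnsignedDriverReport {
    $drivers = Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.PathName }          # skip entries with no image path

    foreach ($d in $drivers) {
        # PathName may be quoted or carry \??\ or \SystemRoot\ prefixes; normalise.
        $path = $d.PathName.Trim('"') `
            -replace '^\\\?\?\\', '' `
            -replace '^\\SystemRoot\\', "$env:SystemRoot\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose file is gone is itself worth noting.
            New-Object PSObject -Property @{
                Name = $d.Name; State = $d.State; Path = $path
                Status = 'FileMissing'; Signer = ''
            }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        New-Object PSObject -Property @{
            Name   = $d.Name
            State  = $d.State                  # Running vs Stopped
            Path   = $path
            Status = $sig.Status               # Valid, NotSigned, HashMismatch, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Running drivers that are not validly signed are the ones to look at first.
Get-UnsignedDriverReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object State, Name |
    Format-Table Name, State, Status, Path -AutoSize
```

One caveat before acting on the output: many in-box Microsoft drivers are signed through catalog (.cat) files rather than an embedded signature, and older versions of Get-AuthenticodeSignature report those as NotSigned. A NotSigned result for a file under \Windows\system32\drivers is therefore a prompt to check the file's hash against a known-good copy or Windows Update, not proof of tampering; a HashMismatch on a driver that claims a Microsoft signer, or a running driver with no file on disk, is the more interesting finding.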


Microsoft Security Essentials was able to flag and quarantine the infection ... The registry changes that were expected from this infection were not present. A change in a quarantined Firefox file located in my Application Data file had been removed. This system was infected when I clicked on a photograph while doing a Google Image search for plumbing fittings.

Chances are you're fine. I expect the "quarantined Firefox file located in my Application Data" was the cached copy of the Trojan's installer. If you saw MSSE tell you about this thing when you clicked on the photograph, rather than at some later time, then you should probably be reading this as "my security software recognized and blocked a potential infection" rather than "my computer was infected".
posted by flabdablet at 4:45 AM on January 1, 2012


By the way: for the greatest peace of mind available to those who insist on using Windows to host their web browsers, it pays to browse with Firefox augmented with Adblock Plus and NoScript extensions.

On first run of Adblock Plus, tell it to "use a different subscription" and then pick "EasyPrivacy+EasyList" from the great big list.

Leave NoScript in its default "block everything by default" mode, and allow only those web sites you have reason to trust to run scripts in your browser. This is kind of a nuisance at first, and you will need to get good at recognizing auxiliary sites you also need to allow. For instance, lots of streaming video sites need you to allow an associated domain with "cdn" (for Content Distribution Network) as part of the name. But it's definitely worthwhile working through the nuisance, simply because most of the drive-by crap that will try to infect your Windows box will use JavaScript or Flash to get its initial toehold.

Also, if you're not already using a limited Windows user account for all your day-to-day computing, you're doing it wrong.
posted by flabdablet at 5:01 AM on January 1, 2012 [1 favorite]


It's also worth checking out this recently posted list of offline Windows scanners. Rootkits need to be running to remain hidden, and if you've booted up into some live-CD-based scanning tool rather than from your hard drive, they won't get the chance.

I'd be quite surprised to find that any of these tools finds anything, though, because it really does seem likely to me that MSSE has already killed the thing for you.
posted by flabdablet at 5:04 AM on January 1, 2012


One final thing:

This trojan was described as not being removable by (most?) anti virus programs.

might well be true if it has been allowed to install itself. If MSSE recognized and blocked it before its installation code could even run then your system was merely exposed, not infected, which would mean there's nothing further to remove.
posted by flabdablet at 5:10 AM on January 1, 2012

