Plz help me determine if my puter is infected.
March 23, 2011 6:31 PM

Malware. WIN7. Walked back into my house after UPS delivery gave me a package, checked email, "Oh, look -- UPS is tracking the delivery. Cool." And I not only opened the email but clicked on the executable.

I cannot believe I clicked on it. I literally had just come in the door, package in hand, set down the package, checked my email, it was in my spam folder -- IN MY SPAM FOLDER AND I CLICKED ON AN EXECUTABLE after opening it in a .rar file. wtf. wtf. wtf. I can scarce believe I did this.

I had MS Security Essentials running w/updated definitions file. Immediately after clicking on attachment, I snapped, turned off my wifi connection, but pretty much too late by then. After shutting off my wifi I went to scan with MS Sec Ess -- it was turned off, I turned it on, started the scan, scan stopped midway, I rebooted, scanned again and it ran to completion, found nothing. I then downloaded all the other scanners I know of and found nothing other than about fourteen tracking cookies, the usual suspects.

I have scanned with MS Security Essentials -- found nothing. I've run AdAlert, MalwareBytes, Spybot Search and Destroy -- found nothing. All were run with their latest definitions. How do I 1) make double-dog sure there is nothing lurking on this puter and 2) get rid of it if there is anything on this puter?

I have not run anything in "safe" mode but will if you tell me to do so, I'm not even sure how to do that though I guess google is my friend.

Last -- plz keep any/all comments about my lame-o dumbo mistake -- believe me, I'm castigating myself enough for all of us.

about the only good thing in this story is that the bicycle seat delivered by UPS is as sweet as I'd hoped it'd be.
posted by dancestoblue to Computers & Internet (16 answers total) 8 users marked this as a favorite
Response by poster: Oh, and I will re-format, don't want to of course but I will do so, I'd go back to fresh install, using the restore partition put onto the puter when it was new.
posted by dancestoblue at 6:34 PM on March 23, 2011

If you're reformatting using the restore partition, you don't have anything to worry about.
posted by lizzicide at 6:37 PM on March 23, 2011

You can't prove there's nothing there.

What symptoms are you seeing?

If none: do nothing.
posted by toomuchpete at 6:45 PM on March 23, 2011

Response by poster: No symptoms at all. Blue skies, to all outward appearances.
posted by dancestoblue at 6:46 PM on March 23, 2011

Read deezil's profile.
posted by Obscure Reference at 6:48 PM on March 23, 2011 [5 favorites]

Best answer: Damn, y'all are quick :) Things sound kosher. But run MalwareBytes in safe mode. Also, go get RUBotted, run and see if it finds anything.
posted by deezil at 6:51 PM on March 23, 2011 [2 favorites]

It's *going* to be blue skies to all outward appearances, cuz some of these things chill on your hard drive until you're doing something with, oh, your online banking, say. Then they steal your credentials and send them off to people who spread these viruses, and then you get mysterious wires sent to Malaysia from your bank account.

If nothing else, uninstall your a/v software then re-install it. Update your a/v definitions. Open a secure webpage, like your internet banking's log-on site, but don't enter your credentials. Run a full/deep virus scan. If you find nothing at all, you should be ok. Please change your passwords, though, once you're sure there's no virus.
posted by Verdandi at 7:10 PM on March 23, 2011

Response by poster: Great info on your profile, deezil -- thank you so much for putting that up here for us. Supercool.

deezil, in your response here in this thread you suggested only MalwareBytes in safe mode and then RUBotted. That sounds like a lot less work than everything listed on your profile but, as Verdandi suggests, due to banking, paypal, pretty much my entire Western lifestyle on a puter, I'd rather be safe than sorry, and I will absolutely run the whole show you recommend in your profile if you believe I ought.

So given that, and if you do recommend running through the entire series of steps in your profile: You suggest using a cd rather than a usb drive for these anti-malware programs -- do I just download all of them to a safe puter, burn them on a disk, then one at a time install them on the suspect puter's desktop and unpack from there? Or do I need to (somehow) install them onto a cd and run off that cd or ?? This is new to me but it's actually a good experience -- the burnt hand and all that... Oh, and I absolutely will buy the full version of MalwareBytes; I don't mind paying for software, I'm one of the fourteen people who actually paid for Netscape when they were trying to go against microsoft....
posted by dancestoblue at 7:33 PM on March 23, 2011

Best answer: Only reason I cut down what was on my profile to that was because you've already done the scans yourself. Just cutting it down to what I would do if I was in the same situation.

If you like, go through the whole profile too. It can't hurt.

Download all the executables to the safe computer, burn the executables to a CD, and then run the installers from the CD.

And I really like the paid version of MalwareBytes for the on access scanning and frequent updates without intervention.
posted by deezil at 8:27 PM on March 23, 2011

I got the same message this morning, purporting to be from UPS. Real UPS notifications are in open text. When I saw that the attachment had an .RAR extension, I scanned it with Norton Utilities, which said it was an attack site.

I'm awaiting a package that's being shipped via UPS. It seems probable that UPS's server has been hacked.
posted by KRS at 6:07 AM on March 24, 2011

It seems probable that UPS's server has been hacked.

Just to ease worries on that front, I don't think UPS has been hacked. I think this particular email/virus is just really wildly distributed so it's inevitably getting to people that are expecting packages. We're getting this email coming in to a lot of our email aliases at work (you know, generic emails we create for our website like that no one would use for a UPS order).
posted by misskaz at 6:30 AM on March 24, 2011

Do you still have the executable? If so you can upload it here and see what it was. From my own testing I've found that a lot of malware is recompiled several times a day and as such you may need to wait a few days before any virus scanner picks up the signature. I find the major vendors are at least 48 hours behind.
posted by damn dirty ape at 7:07 AM on March 24, 2011

We see tons of that fake UPS email at work. Our mailserver strips the attachments and leaves an explanation, and we get a lot of calls asking for the attachment. Perhaps viewing the SNL Landshark clip will cheer you up.
posted by theora55 at 7:57 AM on March 24, 2011
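The gateway-side handling theora55 describes (strip the archive/executable attachment, leave an explanation in the body) and the hash lookup damn dirty ape suggests for VirusTotal can be shown together. The Python below is an added example, not code from this thread, from theora55's mailserver or from any product named here. The message and attachment bytes are constructed inline (a RAR signature plus filler, and a ZIP holding a fake .exe), not real malware; the RAR/ZIP/MZ signatures, extension lists and VirusTotal URL form are standard, and the gateway note wording is my own.

```python
"""Triage an e-mail for the fake "UPS tracking" lure: an archive wrapping an executable.
Added example; message and attachments are constructed here and are not real malware."""
import email
import hashlib
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

ARCHIVE_EXTS = {".rar", ".zip", ".7z"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# File signatures, checked independently of whatever extension the sender chose.
MAGIC = {
    b"Rar!\x1a\x07": "rar",   # RAR4 continues with \x00, RAR5 with \x01\x00
    b"PK\x03\x04": "zip",
    b"MZ": "pe-executable",
}
# Constructed payload: RAR signature plus zero filler (not a real archive).
FAKE_RAR = b"Rar!\x1a\x07\x00" + b"\x00" * 64


def build_fake_zip() -> bytes:
    """Constructed ZIP whose only member is a fake .exe (an MZ header plus filler)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("UPS_label.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message resembling the lure, with two suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "UPS Notification <notify@example.invalid>"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "UPS Delivery Notification, tracking 1Z-EXAMPLE"
    msg.set_content("Your parcel could not be delivered. Open the attached label.")
    msg.add_attachment(FAKE_RAR, maintype="application", subtype="octet-stream",
                       filename="UPS_label_1Z-EXAMPLE.rar")
    msg.add_attachment(build_fake_zip(), maintype="application", subtype="zip",
                       filename="UPS_invoice.zip")
    return bytes(msg)


def classify_attachment(filename, data: bytes) -> dict:
    """Verdict for one attachment; an empty 'reasons' list means nothing was flagged."""
    name = filename or "(unnamed)"
    ext = os.path.splitext(name.lower())[1]
    sniffed = next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), "unknown")
    reasons = []
    if ext in EXECUTABLE_EXTS or sniffed == "pe-executable":
        reasons.append("executable attachment")
    if ext in ARCHIVE_EXTS or sniffed in ("rar", "zip"):
        reasons.append("archive attachment")
    if sniffed == "zip":  # look inside: the lure wraps the .exe in an archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if os.path.splitext(member.lower())[1] in EXECUTABLE_EXTS:
                        reasons.append(f"archive contains executable: {member}")
        except zipfile.BadZipFile:
            reasons.append("zip signature but unreadable archive")
    if sniffed != "unknown" and ext and ext not in (ARCHIVE_EXTS | EXECUTABLE_EXTS):
        reasons.append(f"content ({sniffed}) does not match extension {ext}")
    digest = hashlib.sha256(data).hexdigest()
    return {"filename": name, "size": len(data), "sniffed": sniffed, "sha256": digest,
            "reasons": reasons,
            # Check the hash on VirusTotal first; upload only if it is unknown there.
            "vt_url": f"https://www.virustotal.com/gui/file/{digest}"}


def triage_message(raw: bytes) -> list:
    """Classify every attachment of a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [classify_attachment(p.get_filename(), p.get_content()) for p in msg.iter_attachments()]


def strip_attachments(raw: bytes) -> EmailMessage:
    """Rebuild the message without flagged attachments, leaving a note in the body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    notes, kept = [], []
    for part in msg.iter_attachments():
        verdict = classify_attachment(part.get_filename(), part.get_content())
        if verdict["reasons"]:
            notes.append(f"  - {verdict['filename']} ({', '.join(verdict['reasons'])})")
            notes.append(f"    sha256: {verdict['sha256']}")
        else:
            kept.append(part)
    clean = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header] is not None:
            clean[header] = str(msg[header])
    if notes:
        body += "\n[Mail gateway notice] Attachments removed as suspected malware:\n" + "\n".join(notes)
    clean.set_content(body)
    for part in kept:  # re-attach anything that was not flagged (non-text parts only here)
        maintype, subtype = part.get_content_type().split("/")
        if maintype != "text":
            clean.add_attachment(part.get_content(), maintype=maintype, subtype=subtype,
                                 filename=part.get_filename())
    return clean


if __name__ == "__main__":
    for verdict in triage_message(build_sample_message()):
        print(verdict["filename"], verdict["reasons"], verdict["vt_url"])
    print(strip_attachments(build_sample_message()).get_body().get_content())
```

Run stand-alone it prints both verdicts and the rewritten body; the SHA-256 in the notice is what you would paste into VirusTotal, which also answers the "wait a few days for signatures" point, since the hash lookup shows whether anyone has already submitted that exact build.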

Best answer: How do I 1) make double-dog sure there is nothing lurking on this puter

I'm afraid you can't be double-dog sure without either going back to the recovery partition or doing a flat out re-install. Sorry.

Deezil's profile is a great list and it's great if you absolutely cannot do one of the two options above - but it's a lot of work and if you can re-install then it'll probably take just as much time as following his steps.

If you do re-install, check out ninite which will re-install your favourite applications without any interaction from you. It has saved me about 3 hours worth of sitting there going through each installer and I wish I'd found it sooner.
posted by mr_silver at 9:58 AM on March 24, 2011 [1 favorite]

You may have accidentally installed a recent variant of w32.pilleuz which currently has a low detection rate, so will not be picked up on by a lot of virus scanners at the moment. Here are some more details on the trojan yours is likely based on, which may not be exactly as described. You will want to ensure your USB drives are clean, however, if they were in the PC at the time of the infection, and before inserting them into any other PCs.

You should submit the file to VirusTotal as dirty ape recommended, which will run it through the gamut of 30+ other virus scanners to help you narrow down the type and variant of the trojan.

You should look for rootkits using GMER or rootkit detectors others have mentioned. The most damaging ones are the kind that steal your bank or personal information as you enter it, such as mebroot/torpig/sinowal, tdss/alureon, zeus, spyeye, etc. Kaspersky has an excellent set of free tools to help with these types of infections.

To help protect you in the future, I would make sure your normal login account is set to normal user privileges (non-admin). Then create another account you can use for "runas" that is an administrator. What typically happens on Windows 7 is, if it needs elevated rights, it'll ask for the password of the last administrator account used. (This helps prevent a plethora of malware from even getting started). You may have lucked out with your UAC kicking in and stopping this particular infection, but UAC is not 100% effective and some malware is written to explicitly circumvent it.

Along with that, I'd recommend the following free packages to help keep things running smoothly:

Avira Anti-Virus (There's also Microsoft Security Essentials, AVG, Avast!, Immunet, and Panda Cloud. However Avira has had some of the best detection rates for a while now)

Secunia PSI (Windows Updates for everything else. This will help close the vulnerability gap that 3rd party products, like Adobe Reader etc, usually present.) Ninite is also effective for patching as others have mentioned; it won't look out for those updates on your behalf, however. But Ninite is great for its simplicity if you know the updates are needed.

Web of Trust (A community driven site advisor. Excellent for warning you of malicious search results before you click on them)
posted by samsara at 11:31 AM on March 24, 2011

Response by poster: Still using the old puter now for anything of import (email banking insurance etc), only using the (possibly) compromised machine for browsing here, couple other sites.

Wanted to wait to see what answers I got here before totally determining course of action; I'm leaning toward grabbing off my needed files and wiping it down, starting fresh, and then as soon as I get everything how I want it, burn an image of *that* so I can just go from there.

Whatever it is I do, it's not going to happen tonight, tomorrow soon enough ...

Great answers, I want to mark all as best answers; yet again, MetaFilter comes through in the pinch -- thanx gang.
posted by dancestoblue at 10:25 PM on March 24, 2011 [1 favorite]
