How did my computer get this malware?
January 28, 2015 5:50 PM

My computer apparently picked up an infection while it was turned off. I know that's not right. What really happened?

I am usually the person other people go to with their computer problems. But this one has me completely flummoxed:
Today I went to work and turned on my computer as usual. As soon as I did my first Google search the cavalcade of crap began. Pop-ups, browser redirects, fake antivirus notification, the usual. This happened across Chrome, Firefox and IE.
I was able to remove the infection, but I am curious about where it came from.
I last used my computer Monday night. No one has used the computer since then. I checked the system log. Program manager showed that the offending programs were installed today, at the time I first logged on. They don't show up in my downloads folder. I didn't see any installation screens.
The last thing I downloaded was a bunch of Creative Commons photos from Flickr. That was Monday. The last software I installed was on the 21st and I didn't notice anything amiss then. In fact I installed the same software on my home computer and it has no malware.
The building was closed all day yesterday and until 3pm today. As far as I can tell, my computer was off for that whole time. The only thing that makes any sense is that I downloaded these a while ago and something just triggered them to install today. Is this a thing? What gives?
posted by Biblio to Computers & Internet (8 answers total) 2 users marked this as a favorite
 
Browser plug-ins generally install on restart, so in all likelihood you caught it on Monday and the payload installed when you started your browser today.

Do you happen to remember anything googlable about the hijacks? There are whole forums dedicated to ferreting out where these things are coming from, though it is almost certainly from an infected website.
posted by Lyn Never at 6:06 PM on January 28, 2015 [3 favorites]


Best answer: The building was closed all day yesterday and until 3pm today. As far as I can tell, my computer was off for that whole time.

I know you said you checked the system logs but when I worked in a library and our computers "suddenly" came down with bizarre malware on start-up, the culprit was the maintenance guy who was surfing for porn (or something) after hours. Are you sure no one else has logged in to the machine?

And also corroborating that if there was some browser exploit that got installed it might only get going on restart of the browser. Sometimes Googling the name of the thing can let you know what the likely vectors for it are.
posted by jessamyn at 6:44 PM on January 28, 2015 [2 favorites]


Best answer: I last used my computer Monday night. No one has used the computer since then. I checked the system log. Program manager showed that the offending programs were installed today, at the time I first logged on. They don't show up my downloads folder. I didn't see any installation screens.
The last thing I downloaded was a bunch of Creative Commons photos from Flickr. That was Monday.


Then I'm guessing that you've been a little slack about applying Windows Updates and that one of those tempting photos included an exploit.

It didn't pick up the infection while it was turned off. It picked it up on the Monday, and the exploit created an auto-run Registry key to make Bad Things happen on next logon (super-easy to do).
posted by flabdablet at 7:04 PM on January 28, 2015
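One way a defender can check for the logon-time persistence flabdablet describes (a Run key, plus the startup folders and logon-triggered scheduled tasks that behave the same way), as an added PowerShell example that is not from the thread; it assumes a Windows machine with the ScheduledTasks module available (Windows 8 / Server 2012 or later) and an elevated console:

```powershell
# Added example (not from the thread): enumerate the common "run at next logon"
# locations so an infection that first appeared at logon can be traced back to
# the entry that launched it. Read-only; it changes nothing on the machine.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Collect every value under the Run/RunOnce keys (the classic auto-run registry locations).
$findings = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath members
        [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
    }
})

# Winlogon Shell/Userinit are honoured at every logon; anything beyond the defaults
# (explorer.exe and userinit.exe) deserves a close look.
$winlogon = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$findings += [pscustomobject]@{ Location = 'Winlogon'; Name = 'Shell';    Command = $winlogon.Shell }
$findings += [pscustomobject]@{ Location = 'Winlogon'; Name = 'Userinit'; Command = $winlogon.Userinit }

# Startup folders: the file's creation time shows when the dropper wrote it,
# which can be days before the payload first ran (the poster's "installed today" symptom).
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = "created $($_.CreationTime)" }
    }
}

# Scheduled tasks with a logon trigger are functionally the same as a Run key.
Get-ScheduledTask | Where-Object { $_.Triggers.CimClass.CimClassName -contains 'MSFT_TaskLogonTrigger' } |
    ForEach-Object {
        $action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Location = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $action }
    }

$findings | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
```

Compare the output against a known-clean machine of the same build; entries that point into user-writable paths such as AppData or Temp are the usual place a dropped payload hides.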


Check your Windows Update logs and make sure you have update KB2929961.
posted by flabdablet at 7:08 PM on January 28, 2015 [1 favorite]


The only thing that makes any sense is that I downloaded these a while ago and something just triggered them to install today. Is this a thing? What gives?

Yes, this is totally a thing. It is entirely possible to download some malicious software that, after installation, just checks in with a command and control network periodically - sitting silently until ordered to do something.

So, it is entirely possible your computer has been compromised for weeks or months, even.

You should absolutely be going around and changing all passwords to everything everywhere. I'd recommend using a different computer to do this - a format/reinstall is the only way to be sure.
posted by Pogo_Fuzzybutt at 7:18 PM on January 28, 2015 [1 favorite]


There are plenty of freeware apps that in their TOS allow them to install partners... they may wait a while to trigger that. You should look through your existing apps carefully.
posted by nickggully at 7:48 PM on January 28, 2015


Response by poster: These are very helpful ideas. I will poke around some more when I get back to work this a.m. and see what I can find. I know I also downloaded a font last week (from a reputable source, but shit happens) that could be the culprit. At any rate, I saved the logs from Malwarebytes, so maybe that will give me some clues.
I'll let you know what I find!

(My first thought was that someone else had used the computer. If someone was using my machine for porn when we were closed then they have bigger problems than I do, considering they would have had to brave a big freaking blizzard to do so!)
posted by Biblio at 3:25 AM on January 29, 2015 [1 favorite]


Response by poster: I went through the logs from my anti-malware software and googled everything. Most of the names I found in my logs were misspelled variants of known malware. No real clue where they came from.

The biggest problem was probably that my employer had not renewed Symantec, but had not told me, so my anti-virus was out of date. I have installed Panda instead and so far so good.

I redownloaded the Flickr images in question and none of them triggered anything.

I install Windows updates regularly, so I wasn't missing any.

The most likely culprit is a Chrome extension I installed. I might have gotten careless and let something through.

After running ComboFix, AdwCleaner and Malwarebytes it is hunky-dory.
posted by Biblio at 12:21 PM on February 12, 2015

