
Possible Duplicate:
Computer is infected by a virus or a malware, what do I do now?

I've been infected with the "System Check" scareware not once, but twice -- after a reformat. It's now clear that I must absolutely find out how I got infected.

Some information:

  • I've been on the internet for 12 years now and this is the first time ever I get infected with any sort of virus.
  • After my reformat I didn't open any untrusted executables. In fact, I did very little such as installing firefox, Visual Studio, and a few other programs.
  • I downloaded and installed all windows updates.
  • I control which TCP ports I have open for inbound connections.
  • I did visit a lot of websites since the reformat.
  • My E:\ hard drive, which contains all of my data and was not reformatted, wasn't mounted.

In short: the infection couldn't have come (for the second time at least) from user error or cross-contamination.

This leaves exploits in software I use. And it leaves me completely lost as everything I personally installed I re-downloaded and is thus updated to the latest version.

3 anti-viruses out of 4 that I tried (including AVG) couldn't detect "System Check" even though it wasn't removed yet and was still running. The 4th finally detected it and it also detected an infected file in: C:\Users\MyName\AppData\LocalLow\Sun\Java\Development\cache\6.0\56\6a3c9ff8-68fce308.

Java is not updated to the latest version (Version 6 Update 21; latest is Update 30). I didn't personally install it, it must have come with something else I installed (probably NetBeans), and I'll be damn sure to install the latest version myself on the next reformat.

However I'm still worried. That file may have been a false positive. Version 30 could still be vulnerable. It may have nothing to do with java and just be some place the malware decided to install itself to be kept hidden. It may be 1000 other things.

What can I do?

Anonymous

1 Answer


The two most common vectors of infection for System Fix are fake online scanner pages and the exploitation of vulnerabilities in browser plugins, like Java, or possibly in a browser scripting language like JavaScript or VBScript (IE only). When you think about it, it makes sense, since plugins/scripts allow the attacker to run his code on your machine as soon as you visit an infected website; all he needs is a vulnerability that allows him to escape the sandbox.

Given that the malware was detected in the Java cache, it seems likely that the out-of-date Java plugin you have served as the means of infection. You would only need to have visited a malicious or compromised website to become infected. If it was done well, you would likely not have even noticed anything strange happening.

The best protection against plugin- and script-based attacks is, of course, not to allow them to run. This can be done selectively with a browser addon like NoScript, or globally by disabling plugins and/or scripting.
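Two checks a defender can script around the situation above: confirming whether the installed Java runtime is older than the release a policy requires, and sweeping the Java deployment cache for entries whose leading bytes look like a native Windows executable rather than the jar or class data Java normally caches. The script below is an added example, not code from the original post or from any vendor; the version strings, the `6.0/56` bucket layout and the file names are constructed to mirror the path pattern quoted in the question, and the "not a jar/class entry" category is a heuristic that will also catch legitimately cached images or text resources, so treat it as a review list rather than a verdict.

```python
import re
import tempfile
from pathlib import Path

# Java 6-era version strings look like "1.6.0_21": major.minor.micro_update.
_JAVA_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")


def parse_java_version(text):
    """Return (major, minor, micro, update) from a `java -version`-style string."""
    m = _JAVA_VERSION_RE.search(text.strip().strip('"'))
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def java_is_outdated(installed, minimum):
    """True when the installed runtime is older than the minimum the policy requires."""
    return parse_java_version(installed) < parse_java_version(minimum)


# A Windows PE executable (.exe/.dll) begins with "MZ". Content Java itself caches
# is a jar (zip, "PK\x03\x04") or a raw class file (0xCAFEBABE); anything else is
# worth a look but is not by itself proof of compromise (images, text, etc.).
_PE_MAGIC = b"MZ"
_EXPECTED_MAGIC = (b"PK\x03\x04", b"\xca\xfe\xba\xbe")


def scan_java_cache(cache_dir):
    """Walk a Java deployment cache and return (path, reason) for entries whose
    leading bytes look like a native executable or unlike anything Java caches."""
    suspicious = []
    for path in Path(cache_dir).rglob("*"):
        if not path.is_file() or path.suffix == ".idx":
            continue  # .idx files are Java's own metadata records, skip them
        with open(path, "rb") as fh:
            head = fh.read(4)
        if head.startswith(_PE_MAGIC):
            suspicious.append((str(path), "PE executable in Java cache"))
        elif not head.startswith(_EXPECTED_MAGIC):
            suspicious.append((str(path), "not a jar/class entry"))
    return suspicious


def build_constructed_cache():
    """Create a throwaway directory imitating <...>\\Java\\...\\cache\\6.0\\56 with one
    benign jar-like entry plus its .idx record and one PE-like entry.
    Constructed for this demo only; the hash-style names mimic the question's path."""
    root = Path(tempfile.mkdtemp(prefix="javacache_demo_"))
    bucket = root / "6.0" / "56"
    bucket.mkdir(parents=True)
    (bucket / "12345678-deadbeef").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    (bucket / "12345678-deadbeef.idx").write_bytes(b"\x00" * 16)
    (bucket / "6a3c9ff8-68fce308").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    # Assumed values: the question's installed build and the update it names as latest.
    print("Java outdated:", java_is_outdated("1.6.0_21", "1.6.0_30"))
    for entry, reason in scan_java_cache(build_constructed_cache()):
        print(f"{reason}: {entry}")
```

Point `scan_java_cache` at the real cache directory (the `cache` folder under the Java deployment profile, with Java and the browser closed) to get a list of entries to submit to a scanner; the version check takes whatever `java -version` prints on the first line.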