Drive-by infection!!

Discussion in 'Software' started by dlb, Aug 18, 2010.

  1. dlb

    dlb MajorGeek

    This has only happened to me once before (I think I posted a thread about it a year or two ago), but it happened again this morning. I was on a well known 'tech' web site, one of those sites that does hardware reviews, and was reading a review of a power supply. I run the full paid version of MalwareBytes Anti-Malware, and on page 4 or 5 of the review, MBAM barfed up a warning at the exact same time that Avira's Free AntiVirus popped up, calling one of the malicious items "Rootkit.Dropper". Then the Win7 UAC popped up asking if I wanted to allow "Microsoft Windows" to make a change to Windows. Since I know what I'm doing, I immediately shut down my browser (Firefox) and removed the ethernet cable from the back of my tower (just to be sure nothing would piggy-back in), launched the task manager and killed the offending processes, and told Avira and MBAM to remove/quarantine the offending items. I told the UAC "NO". While MBAM and Avira were doing their thing, Windows Defender popped up and I told it to also remove/quarantine the item. I then ran msconfig and sure enough, there were two new entries in the startup list, and I unchecked 'em. I used Explorer to find the files (their location was listed in the msconfig startup list) and I removed the folders (one of the folders was empty 'cuz MBAM or Avira had removed the file). I have the exact file names written down at home, they were of the 8-random-letters variety, and they were both .exe files. I then ran CCleaner, then rebooted. I went to regedit and ran searches for the file names I had written down and removed the 3 or 4 entries where they appeared. Then I ran full scans with both Avira and MBAM; the Avira scan was clean, and MBAM found two lingering "ghost" type files in C:\$RECYCLER$ or a similar location. So, essentially, I had manually removed the bulk of the malware before the scans. I plugged my ethernet cable back in, and promptly installed the newest version of Flash Player. 
    I believe a vulnerability in Adobe's Flash Player is what allowed the malware to attack. I went back online (definitely NOT back to the same site LOL ) and surfed around and everything appeared to be OK. I was short on time; all this happened before I had to go to work, and once I get back home I'll post the exact names of the files and the locations where they were 'dropped'. I remember one was in C:\Users\%username%\AppData\Local\Temp.

    Anyway, the point of all this is that it simply shows that anyone can get nailed by malware any time, on any site. The site where this occurred is one that I have visited dozens of times and have NEVER had a problem. It's a well known and somewhat respected tech site . . . I'm not going to post the name of the site, it really doesn't matter which one it is. Once I got to work, I visited the same site, the same review, and nothing happened, no drive by, no warnings, nothing. Again, it just shows that malware can be anywhere, anytime, and that nobody is exempt. It also shows the importance of running quality, up-to-date, anti-malware software with realtime active protection. Hopefully, my experiences will help someone in the future.
     
    Last edited: Aug 18, 2010
  2. rustyjack

    rustyjack MajorGeek

    Maybe, just maybe, you should name the site and then our mods can check this out and may even get in touch with the site's mods and tell them!
     
  3. Caliban

    Caliban I don't need no steenkin' title!

    Glad you got it...

    I (and I'm sure you guys, too) am constantly preaching to my friends/customers that malware/spyware doesn't have to come from the porn or hacker sites - they think if they never use anything except Google and Gmail, they don't have to worry about keeping anti-malware programs updated, or even running them on their machines...

    I'll use your situation, dlb, to show them the error of their ways - thanks!
     
  4. dlb

    dlb MajorGeek

    Nahhh . . . I checked the same site, the exact same part of the site less than 40 min later using a different (yet protected) PC and nothing happened. I even ran some scans after visiting and nothing was found. I think it may have been a temporary payload buried in an ad delivered by ActiveX and/or Flash Player... whatever it was, it was gone or moved on. I don't want to post the name of the site so as to avoid any type of conflict like "HEY! A dude over at MG said your site was full of viruses". You know what I mean?

    ;) That's the main reason I posted. If even one person reads this and takes something positive from it, if one person is helped or avoids an infection, or if this even helps someone remove some malware, it's all worth it.

    Oh yeah . . . I promised to post the exact file names . . . they won't mean anything since these types of infections are randomly generated on a 'per PC' basis, and it would be a freakin' miracle if another PC got infected with these exact file names, but for the sake of format recognition, here they are:
    urierphshdw.exe
    soawmcnrxe.exe
    These types of infections used to be primarily 8 random letters.... it looks like the malicious code writers have moved up to 10-12 random characters. I do quite a bit of malware removal, and it seems lately most of 'em are 10-12 characters....
     
    Last edited: Aug 18, 2010
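The manual triage dlb describes (new Run-key entries pointing at random-letter .exe files under the user's Temp folder) can be turned into a quick check. The script below is an added example written for this thread, not something posted by dlb or by MajorGeeks; it reads the standard Run/RunOnce keys, flags commands whose executable is an 8-12 lowercase-letter name under a Temp directory (the pattern in the thread), and for flagged files that still exist reports the SHA-256 hash and Authenticode status so they can be submitted or quarantined. The name pattern and Temp-path test are heuristics chosen here, not a definitive indicator.

```powershell
# Added example: audit Run/RunOnce autostart entries for the random-name-in-Temp
# pattern described in the thread. Run in an elevated PowerShell to read HKLM too.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunExecutable {
    param([string]$Command)
    # Quoted path: take what is inside the first pair of quotes; otherwise the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+', 2)[0]
}

function Test-SuspiciousAutorun {
    param([string]$ExePath)
    $name = [IO.Path]::GetFileNameWithoutExtension($ExePath)
    # Heuristic (assumption): 8-12 lowercase letters, as in urierphshdw.exe / soawmcnrxe.exe
    $randomName = $name -cmatch '^[a-z]{8,12}$'
    # Heuristic (assumption): lives under a Temp directory such as %LocalAppData%\Temp
    $inTemp = $ExePath -match '\\(AppData\\Local\\)?Temp\\'
    return ($randomName -and $inTemp)
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # registry-provider metadata, not a value
        $exe = Get-AutorunExecutable ([string]$p.Value)
        $suspect = Test-SuspiciousAutorun $exe
        $tag = if ($suspect) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}\{2} -> {3}' -f $tag, $key, $p.Name, $p.Value
        if ($suspect -and (Test-Path -LiteralPath $exe)) {
            # Hash and signature state help decide whether to quarantine or submit the file.
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
            '         sha256={0} signature={1}' -f $hash, $sig
        }
    }
}
```

Entries flagged SUSPECT deserve a look in the matching Startup folder and scheduled tasks as well, since the thread's infection also needed a registry cleanup after the files were removed.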
