WacoJohn

Major Computer Damage


I am not really sure what happened. I downloaded some freeware ... sponsored by CNET. Pretty reliable .. supposedly. In fact, I got it from this website:

 

http://www.geekydadsoftware.com/software/winfx-video-converter.html?gclid=CJWQjcDOrKsCFYiW7Qodek4BpQ

 

So I saved it to my desktop and executed it ..... WinFXVideoConverterInstaller.exe

 

I am not sure what all happened .. so many things and so fast, I am not sure. One thing that happened is some crapware known as WEATHER BUG installed with no control by me. Then various security s/w I have started going off like crazy. I sat there with my mouth open and then the machine was completely locked up. Hit the button to shut down. Started back up in safe mode. Scheduled a boot chkdsk /f and rebooted. Hung at the Windows screen ( XP SP3 ). Hit the button again .. etc etc. Would only boot in safe mode .. hung in 'regular mode'.

 

Grabbed a bootable rescue CD (UBCD4Win) and looked at C: drive. System32 folder was missing along with a bunch of other OS files/folders. Ran UNERASE from the Boot CD and TRIED to recover .. but there was just too much damage.

 

Luckily, I had a DISK IMAGE backup that was not too old. Wrote that back onto the drive and all is back to normal.

 

Here is the problem ... I am not sure it was the file I downloaded .. I don't know what it was .. but I have uploaded that file to VIRUSTOTAL and it passed except for TWO exceptions that it has adware in it. I have scanned the file with Immunet FREE (NO , Panda Cloud, MS Security Essentials, Webroot, IOBIT Malware Fighter .. and all of them scan it as safe. I am wondering if I had a virus from ELSEWHERE (undetected) that simply triggered when I clicked on that .exe file. I know this, .. I ain't clickin' on it again.

 

Any comments as to what you think, or would do is appreciated in advance. I would really like to use the product.


Hey John, I grabbed a copy of WinFXVideoConverter from geekydad and threw it on to an XPsp3 image. I wasn't able to reproduce your crash, but it did install weather bug. I then reverted the image, grabbed a copy of WinFXVideoConverter directly from cnet and installed it - I got a newer version and it didn't install weather bug. ==> Don't download things that say they're from cnet unless you're downloading them directly from cnet's website.


Thank you for all the cooperation. I submitted the file I downloaded to Symantec, Sophos, and McAfee. Just got this back from Sophos:

 

Thank you for submitting the sample to our Sophos labs, they have concluded that WinFX Free video converter is not malware and ran the file and it checks out perfectly fine, this includes the ffmpeg H.264 encoder etc.

 

However, it does include two toolbars (Weatherbug and ask.com toolbar), so those are flagging up as PUAs by other tools, and we believe those two are under application control.

 

Regards,

 

Nilesh Chauhan

Sophos Technical Support

 

So far .. nothing DESTRUCTIVE for that file I downloaded. I don't know what the heck hit my machine but it was brutal. I really (now) have no idea.

 

I will get the converter from CNET, Rob. Thank you for your trouble.


Wow WacoJohn, It sounds like you ran into a big hassle there! I think your assumption is correct, that you were already infected with something prior to running the installer. I'm glad you had a backup image to fall back on or I'm sure you would have had to reinstall your operating system! I've never run into any problems with stuff I've downloaded directly from CNET. That installer didn't give you the chance to "opt out" of the weather bug app? If that's the case that's just not right in my book! If a software developer doesn't give you the option to choose whether you want the extra stuff included in the installer, that is just plain wrong.


Wow WacoJohn, It sounds like you ran into a big hassle there! I think your assumption is correct, that you were already infected with something prior to running the installer. I'm glad you had a backup image to fall back on or I'm sure you would have had to reinstall your operating system! I've never run into any problems with stuff I've downloaded directly from CNET. That installer didn't give you the chance to "opt out" of the weather bug app? If that's the case that's just not right in my book! If a software developer doesn't give you the option to choose whether you want the extra stuff included in the installer, that is just plain wrong.

 

Thanks to the backup, it really wasn't too much of a hassle. I was 'fully' recovered in about 45 minutes. Otherwise, it would have taken me .. oh 10+ hours to start from Dell Recovery CDs. I am more slammed by whatever caused this ... it was so sudden and the last thing I did was click on that installer I downloaded .. boom .. I sat there watching 'things happen' and then .. she came to a complete halt.

 

I do NOT (now) think it had anything to do with the download. For all I know, that installer might give the option to not install the extra stuff and the triggered agent prevented it. I don't know. I got it from the author's website .. but it had a CNET logo on it. Then, like I said, I did all kinds of things with it except execute it again (after I recovered) and nothing showed it as malware. Either something was waiting for a type of executable or SOMETHING. I have no idea. This is why I posted this thread here .. to illustrate the importance of protection.

 

By the way ..I got a DIFFERENT copy from CNET directly .. a different version (thanks to Rob). It is sitting on my desktop .. gun shy to run it ... HAH!!

 

The End of the story is .. I am rebuilt .. no scanning detection .. of anything ... and am simply left to wonder.


sounds like a rootkit has slowly mated and spawned.

I don't have to worry about that stuff these days (linux)

but I had a similar experience last year, it was more devastating though and took a couple of days to get fully back up to where I was.


sounds like a rootkit has slowly mated and spawned.

I don't have to worry about that stuff these days (linux)

but I had a similar experience last year, it was more devastating though and took a couple of days to get fully back up to where I was.

 

Yeah, ... all this is typical of a rootkit invasion. I will agree with that .. smells like rootkit to me too. After the image restore, everything seems OK .. at this time.

 

You are right about Linux .. my two Linux boxes hum along problem free .. as long as I keep 'em updated with Update Manager. I have to keep some Windows machines running .. for things like my auto GPS updates (maps etc) and some other 'services' not available through Linux. Also, I bought two new computers recently .. and obviously paid for the W7s ... so I am going to use it (W7) .. not to mention, I need to 'know' W7 for my own satisfaction.


Could have been a root-kit. It's also possible it was a worm. Some worms, when triggered, are just too happy to start munching away on your OS and stored data files. I've seen one in action once. I was at a friend's house when he mentioned to me his PC might be infected with something. His music files were disappearing, he claimed. So we took a look at the folder containing the tunes and you could see the MP3 & WMA files disappearing one by one right before your eyes, but it was already too late! To make a long story short, he ended up having to re-install his OS after the worm started eating those files as well, with the inevitable subsequent blue screen of death. The stuxnet worm was running rampant right at that time (2010). You got some Win 7 machines now Waco? Cool!


Could have been a root-kit. It's also possible it was a worm. Some worms, when triggered, are just too happy to start munching away on your OS and stored data files. I've seen one in action once. I was at a friend's house when he mentioned to me his PC might be infected with something. His music files were disappearing, he claimed. So we took a look at the folder containing the tunes and you could see the MP3 & WMA files disappearing one by one right before your eyes, but it was already too late! To make a long story short, he ended up having to re-install his OS after the worm started eating those files as well, with the inevitable subsequent blue screen of death. You got some Win 7 machines now Waco? Cool!

 

Heh .. yeah .. rootkit, tootkit, worm, scorpion ... I dunno .. but whatever it was was pretty uh .. whut ... awesome. Of course I have been thinking about it ... and am wondering something ... I am running a LOT of 'stuff' in the background:

 

Immunet

Panda Cloud

MS Security Essentials

Zemana Antilogger

Webroot Secure Anywhere Beta (testing it for them)

IOBIT Malware Fighter

IOBIT Advanced System Care PRO

Folding@Home Windows CPU client.

 

plus all the other stuff that XP Home SP3 normally runs in the background (Windows Update etc). Also, this is a dual core AMD Athlon but running 32-bit XP with only 2GB of memory.

 

Of all those, the two that took the most resources were FahCore_a4.exe and iexplore.exe. After doing the image restore, I checked resources and one was using 90% of CPU and a TON of memory and the other was hogging also. I checked Fahmon config and its default setting was to use 100% of the CPU. I bumped that down to 60-70% and machine IS running better (DUH). Sooooo, I am wondering if executing that installer was the straw that broke Bin Laden's Cadillac's back and as it tried to install Weather Bug, a bunch of things tried to scan it, resources maxed out, and the hurricane blew in. Besides lowering Fah cpu allocation I also changed a few things that ran automatically to run on demand .. and this machine is now running quite well.

 

I suppose there WAS a log somewhere that would tell me some of what happened, but I would not know where/what it was or how to read it (probably) and besides, it is gone now .. with the image restore I did.

 

Yeah .. this one laptop XP, a new high end laptop W7 Pro on it, a new netbook W7 Basic on it, and an old ME desktop machine running Xubuntu Linux. You can also install Linux (Ubuntu distros) INSIDE Windows ... with what they call WUBI. It essentially doesn't create a LINUX partition but does a wrapper inside Windows ... and it all behaves like a DUAL BOOT, but without the partitioning. Soooo, with that on the XP and W7 Pro machine, in a sense I have two more LINUX machines (total of 3) .. if ya wanna look at it that way.

 

I know it seems like I am some kind of 'pooter' geek, .. and MAYBE I am .. but I got WAY too comfortable with XP ... I skipped Vista, and when 7 came out, I felt I was way behind in my knowledge of OS's ... so with XP going off support REAL SOON, I decided to buy a new laptop .. though I really did not need one. I just felt in the dark about anything beyond XP. So I bought it and have been trying out 7 PRO ... lots of nuances ... face recognition, voice recognition/dictation, XP virtual machine, ... a lot of stuff that was new to me.

 

I had MAGICJACK running on an OLD Dell running XP ... really old laptop. Worked great for MJ. Then, the CPU fan died and it was not worth fixing (more to the system than just a little fan .. some expensive/hard to get sensing h/w) ... so since MJ has to be running 24/7, I bought the netbook .. mostly just to host MJ .. but it is pretty cute. It will probably be my traveling machine.

 

Sooo, now you know more than you ever wanted to. I am sorry this is so long.
