I has a virus :_(

No, no…not the pig flu kind. I was browsing Google Images earlier, and I apparently clicked on sumpin’ I shouldn’t’ve. Next thing I know, my screen explodes in a cascade of adorable Japanamations and ladies with ginormous breasteses.

It’s a bad mamajama, this one. It made SuperAntiSpyware run home bawling to its mama. It stole Trend Micro’s lunchmoney. Malwarebytes’ Anti-Malware wouldn’t even come out of its own setup icon when I double clicked it.

Using a combination of Safe Mode and Autoruns by Sysinternals, I’ve managed to wipe two of the bastards (b.exe and msa.exe), but there’s something bad still in there. Every five minutes or so, some damn thing disables Task Manager and Regedit. Every ten, an Explorer window pops up and reaches for the internet. There’s nothing obviously virusy in the process list, so it’s something masquerading as a legit component.
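The two symptoms above (Task Manager and Regedit being switched off, and a process hiding behind a legitimate name) can be triaged from a PowerShell console. This is an added example, not part of the original post or of Autoruns; it assumes Windows PowerShell 5.1 or later run from an elevated prompt, ideally in Safe Mode, and the process-name list is a constructed sample.

```powershell
# Added triage script (not from the original post). Checks the user- and machine-level
# policy values that disable Task Manager and Regedit, and flags processes that carry
# a core Windows binary name but run from outside the Windows directory.

$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

# Report whether either tool is disabled through policy. Re-run this after a few
# minutes: a value that comes back by itself points at a resident process re-setting it.
function Get-ToolLockoutState {
    foreach ($key in $policyKeys) {
        foreach ($name in $policyValues) {
            $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{ Key = $key; Setting = $name; Value = $value; Disabled = ($value -eq 1) }
        }
    }
}

# Remove the policy values so the tools work again (only useful once the process
# that keeps re-setting them has been found and stopped).
function Reset-ToolLockout {
    foreach ($key in $policyKeys) {
        foreach ($name in $policyValues) {
            if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
                Remove-ItemProperty -Path $key -Name $name
            }
        }
    }
}

# Flag processes named like core Windows components whose image path is outside
# %SystemRoot%, or whose path cannot be read at all (constructed name list; extend as needed).
function Find-MasqueradingProcesses {
    $systemNames = 'svchost.exe', 'explorer.exe', 'lsass.exe', 'winlogon.exe', 'csrss.exe', 'services.exe', 'spoolsv.exe'
    $winDir = $env:SystemRoot
    Get-CimInstance Win32_Process |
        Where-Object { $systemNames -contains $_.Name.ToLower() } |
        ForEach-Object {
            $path = $_.ExecutablePath
            $outside = [string]::IsNullOrEmpty($path) -or
                       -not $path.StartsWith($winDir, [StringComparison]::OrdinalIgnoreCase)
            [pscustomobject]@{ ProcessId = $_.ProcessId; Name = $_.Name; Path = $path; Suspicious = $outside }
        } | Where-Object { $_.Suspicious }
}

Get-ToolLockoutState | Format-Table -AutoSize
Find-MasqueradingProcesses | Format-Table -AutoSize
```

A process listed by the second function is a candidate to inspect in Autoruns before deciding on Reset-ToolLockout; an empty path on a system-named process is itself worth a closer look.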

Oh, well. Screw it. It’s Friday night and I have this here Linux rig. It runs hotter’n a firecracker, but it’s clean as a whistle. I have Firefox and Freecell; I am golden.

Have a better weekend than mine, everyone. Let’s hope I get it sorted by Monday…

Comments


Comment from Scott Jacobs
Time: August 7, 2009, 7:32 pm

Out of idle curiosity, had Uncle B been hanging around your computer lately?


Comment from Can’t hark my cry
Time: August 7, 2009, 7:34 pm

In addition to two aspirin, I strongly recommend the hottest bath you can bear (just off boiling) for as long as you can stand it, and then you go to bed under LOTS of covers–with flannel pajamas and wool socks and. . .

Oh. Oops. Wrong kind of virus. Oh, well. Hope you manage to root it out and emerge victorious. 🙂


Comment from jwpaine
Time: August 7, 2009, 7:41 pm

Man, I hate viruses. Virii. Virim. Virusses. Whatever.


Comment from Richard
Time: August 7, 2009, 8:12 pm

Mmmmm I always reckoned ‘pooters could get piggy flu. Send it to bed with a lemsip.


Comment from francis
Time: August 7, 2009, 10:34 pm

When my Windows boxen get a bad cold, I backup and reload, I hate dealing with trying to fix that stuff and usually wind up burning down half the registry in the process anyway 🙂 Or just stick to the Linux box, that works too


Comment from armybrat
Time: August 7, 2009, 11:56 pm

As a non-tech person, here’s my take on the situation….blah,blah,blah…say “oh,SHIT!!!!!!!”…realize it’s Friday pm. Turn off the damn machine…ok. for morbid curiosity boot the damn thing back up (with beer in hand) just to see if it’s really shit the bed. If it still really looks bad……Well, it’s Friday afternoon! finish first beer and then pull the hard drive and beat the shit out of it there by removing all of one’s aggressions for the week


Comment from JuliaM
Time: August 8, 2009, 1:33 am

You’ll beat it.

Nothing, but nothing, gets the better of the mustelidae:

http://news.bbc.co.uk/1/hi/england/lincolnshire/8190343.stm


Comment from Dawn
Time: August 8, 2009, 2:06 am

Someone gave me a baby today. A human one. My hubber and I have been trying to adopt for months and we got the call this morning as we were traveling back from Hawaii. We sign the papers on Tuesday. Pretty sweet huh?


Comment from Gibby Haynes
Time: August 8, 2009, 5:00 am

Congratulations Dawn. You must be delighted.

I’ve never managed to properly get rid of a virus my computer has caught. When it happens, it’s usually a format-HDD-and-reinstall-the-OS affair. Which is fine by me; I like to do that every once in a while anyway.


Comment from S. Weasel
Time: August 8, 2009, 5:34 am

Dawn! Congratulations!

We’ll see if we can find you some good recipes…


Comment from jwpaine
Time: August 8, 2009, 11:33 am

The only recipe I can remember is the one about two scoops of–on second thought, maybe that’s not a good one.

Anyway, congratulations, Dawn!


Comment from Войска ПВО
Time: August 8, 2009, 12:47 pm

..has ye been to any ‘Murriken Town Halls lately? You probably got reported by some union goons to flag@whitehouse.gov as being highly suspicious and The Boy King (the guy with the purple lips and dumbo ears) unleashed his goons on your IP address.

“Help, the paranoids are after me!”

“..just because you’re paranoid, it doesn’t mean they aren’t out to get you!”


Comment from Войска ПВО
Time: August 8, 2009, 12:48 pm

..and congrats to Dawn! If this is your first (‘spects ’tis) then you are in for one of the most rewarding 20-year adventures of your life. It’s what this is all about.


Comment from jdub
Time: August 8, 2009, 12:54 pm

sounds like a rootkit, weez.
burn it from orbit and rebuild. srsly.
your machine is now a contaminated instrument.


Comment from S. Weasel
Time: August 8, 2009, 1:18 pm

I have a problem with that, jdub. I’ve got several thousand bucks worth of software on it that I can’t replace.

See, it’s kinda, sorta legal, because they were my legal licenses from my ex-employer. And I know they haven’t replaced me, so nobody else is using them. Hence, they aren’t illegal at the moment. But they aren’t really mine, I no longer have the disks, and I’ve never ghosted this machine or anything.

Photoshop, Illustrator, InDesign. Oh, it would hurt to lose that machine…


Comment from thales
Time: August 8, 2009, 2:17 pm

And no system backup?

Seriously?

Ouch!


Comment from Alice H
Time: August 8, 2009, 4:42 pm

Stoaty, are you able to boot into safe mode? Try running MalwareBytes from there if you can.

Also, try installing HijackThis (change the executable name after you install, some programs hide from it but don’t seem to be able to do it if it’s running under another name) to see the real list of processes that’s running.


Comment from S. Weasel
Time: August 8, 2009, 7:28 pm

Thanks Alice — neither MalwareBytes nor HijackThis will install. I’ve downloaded them both multiple times. I’ve tried it in Safe Mode and not. I click the respective install icon, I get the hourglass for a couple of seconds, the program appears in the Task Manager and…nothing.

I’ve looked up all the running processes and none of them are suspect, which means it’s probably something that’s hijacked the name of a legit process.

It really did kill SuperAntiSpyware — “encountered a problem and must close”. It did that every boot until I uninstalled it.

Oh, it’s an asshole, this one.


Comment from Sockless Joe
Time: August 8, 2009, 8:06 pm

I ran into something like that once and I had to nuke it and recover from the crap-ass Dell recovery partition. (and then spend hours patching and re-installing…)

You could yank the hard drive, mount it under linux and ClamAV it. Or try one of those live cds with anti-nasty stuff on it, though I didn’t have much luck with those. Bottom line is you are probably not going to be able to recover from within Windows.

Weasel has OEM Windows disc? A windows install over the nastiness might allow you to keep your other programs.


Comment from Alice H
Time: August 8, 2009, 8:22 pm

Any luck with Spybot Search and Destroy?

I’m in agreement with Joe about pulling the hard drive and scanning it on another computer (hopefully a throwaway one, ha!)


Comment from S. Weasel
Time: August 8, 2009, 8:38 pm

I made a USB dongle into a Linux boot device, but my ThinkPad doesn’t boot off it and I don’t see an obvious way to get it to.

After jdub mentioned a rootkit, I did a Google search and tried the Sophos anti-rootkit product. It found some hidden things in the registry but said they couldn’t be deleted. I’ve used Spybot Search and Destroy on another machine, but not this one. I’ll try that. I’ll keep trying stuff. I’m not ready to give up yet.

The only thing that worries me is that many of these scanner thingies require me to be online and not in safe mode. It gives me the jim-jams to think what that thing might be doing during hour-long disk scans.

Reading my old love letters and trying on my lingerie, I bet.


Comment from Alice H
Time: August 8, 2009, 9:15 pm

maybe this will help, but at this point probably not 😉

http://www.geekstogo.com/forum/Malwarebytes-will-not-run-well-spybot-t246529.html


Comment from jdub
Time: August 9, 2009, 12:57 am

yeesh. that sucks, weasel, re: the [ahem] legacy [ahem] software. you may evade many of the problems posed here by doing as others have suggested: imaging and rebuilding under another OS.


Comment from David Gillies
Time: August 9, 2009, 3:37 am

Jeez, does it ever strike you as odd how much specialist knowledge it seems to take to operate some of these so-called consumer-level gadgets? Boot into Linux from a dongle? Ghost it in SafeMode? That’s about as abstruse as having a lever on your dashboard to futz with the retard of the carburettor in your fancy horseless carriage.

My CRT monitor is in its death throes. Percussive maintenance (smacking it) keeps it up for a few seconds but then zilch. So I have to replace it. Can you buy a CRT capable of 1600×1200 these days? Can you bollocks (at least in Costa Rica). You can get an LCD that can do 1600×900 for peanuts. Or you can get some freakish monstrosity for $500. And then you have to do a voodoo dance and intuit the frickin’ XFree ModeLine. Jeez I hate computers.

a) I am a software engineer b) I am typing this on my Mac


Comment from jwpaine
Time: August 9, 2009, 5:07 pm

CRT? Those run on kerosene, right?

…or was it tallow?


Comment from jwpaine
Time: August 9, 2009, 5:22 pm

BTW: Anybody looking for a CRT could probably use a 1200-baud modem. State of the art*; I’ll even toss in hand-written directions on setting the DIP switches and jumpers.

* if you were not rendered comatose back in ’84 and only recently woke up, this may not apply


Comment from Sockless Joe
Time: August 9, 2009, 5:29 pm

the (previously mentioned) only time I saw virus nastiness of this magnitude the person was running as a privileged user all the time. That’s partly my fault since I sort of allowed that situation to persist, but it’s such a pain in the ass to run certain stuff as a non-privileged user. I find the situation wholly unacceptable that so much windows software written relatively recently (not just legacy Win98 stuff) expects privileged user status.


Comment from S. Weasel
Time: August 9, 2009, 6:55 pm

Wellll…I think I got it all. It was a real booger, though. Whatever this thing was, it recognized most of the antivirus software I tried to pit against it and biffed it before it could load. Very evil.


Comment from David Gillies
Time: August 9, 2009, 11:56 pm

jwpaine: if I get an LCD monitor that my old graphics card is guaranteed to support, it will almost certainly not support the vertical resolution of my old CRT (i.e. I can get 1600×1200 or 1920×1080 but not 1920×1200). If I get a card that will support a bigger screen, it might not be supported by my OS or by my PC. If I upgrade the OS, it probably won’t support my old machine. I don’t see why I have to either buy a new computer or accept a smaller monitor or pay $500-600 for a monitor with decent vertical resolution. I’ll probably end up getting a refurbished 21″ CRT or suck it up and get an inferior LCD. My machine is very old, but it works and has years of configuration spent on it. I hate being locked into upgrade cycles.


Comment from porknbean
Time: August 10, 2009, 10:13 am

Big congratulations Dawn!!

And the rule is, if you adopt any critters, you must post pictures. I, for one, will be looking forward to them.


Comment from porknbean
Time: August 10, 2009, 10:14 am

When it comes to computer problems, if I get one, I just holler for Mr. Beans or Beans jr.

I’m hopelessly computer illiterate.


Comment from Blast Hardcheese
Time: August 10, 2009, 10:29 am

For future backup purposes, I recommend Acronis. I was a little, shall we say, casual about backup (as in, “I saved some of the files to an external HD last year. Should be good enough”). Then my hard drive decided to start dying. Starting with the section w/ the OS on it. After much tears, I was able to get it up and running (or up and limping), enough to do a proper backup. Acronis is nice, and pretty intuitive to use.


Comment from Schlippy
Time: August 10, 2009, 1:51 pm

I use Kaspersky Labs. Haven’t had an issue yet despite going to places that are known to carry some very bad ‘uns. It’s saved me more than once! ’tisn’t free though.


Comment from Allen
Time: August 10, 2009, 5:48 pm

Whatever it was I didn’t do it Weasel. Even though the temporal proximity of the virus and the picture I sent of the NewPup.

My moochine is clean.


Comment from apotheosis
Time: August 10, 2009, 9:24 pm

We put our faith in Blast Hardcheese.


Comment from jdub
Time: August 11, 2009, 12:05 pm

Wellll…I think I got it all. It was a real booger, though. Whatever this thing was, it recognized most of the antivirus software I tried to pit against it and biffed it before it could load. Very evil.

mmmm. I wouldn’t use it for online banking, etc., until you back up what you need, format the drive, and hire an exorcist.

some of your rootkits are absolutely anthrax-like in their ability to persist.

assuming you had one, of course.

still, i’d think reeeeeeeeeal hard about how many russians i want to have my bank information before using that machine.

/chicken little


Comment from Cloupeexece
Time: November 25, 2009, 5:32 pm

Credit you representing details. It helped me in my responsibility
