UGH

Dec. 14th, 2008 10:56 pm
[personal profile] orikes
My computer has caught a virus. Or a trojan. Or malware. Or all three.

It happened yesterday. At first I started experiencing problems with Windows Explorer crashing on me as I was doing some things. I rebooted the machine and it wouldn't let me log in properly. After some fiddling and a panicked call to a couple of friends more technically adept than I, I got back in. That's when I started getting invasive pop-up windows. Crap.

I did the usual steps to try and get rid of it, but it didn't help. I got ahold of another tech friend and he walked me through doing some more serious cleaning steps. Nope, didn't get it all. I even deleted things from the registry, which is scary. No luck.

This same friend came over today before our work party. He discovered that while he could clear out most of the pieces, there was a .dll that had attached itself to something that MUST be running while the machine is booted up, so it can't be deleted because it's in use. He's doing some research to see if he can find a way to remove that file. If we can remove that file, it should clear up the problem.

Until then, I get to deal with an infected machine. I'll clean it off every day, but that's still going to make simple tasks like surfing the web annoying. Hopefully it doesn't grab anything even more nefarious while we're working on what to do about it. I don't want to do a wipe of the computer because I've got files on it that aren't backed up. All my sims stuff is backed up, but I've got characters and artwork and other stuff on there I would be sad to lose.

As near as I can figure, the trojan either came from one of the Store Stuff downloads on MATY or from TSR (The Sims Resource). I was looking at TSR when I got a couple of warnings from my anti-virus program. After that is when I started having problems, so I'm leaning towards blaming TSR. GRR. Another reason to hate the site.

The most irritating thing about this whole mess is that it killed the time I'd allotted to work on the next Pseudo update. I'd intended to shoot some scenes and some filler I know I need, but by the time I could get into the game and do anything, it was too late. Guh.

If I have to wipe the computer, it's what I'll have to do. I'm sure I can save what I need to, it'll just be a pain in the ass. Irritating, but not life ending.

So, tell me something good to make me smile. :)

(no subject)

Date: 2008-12-15 04:36 am (UTC)
From: [identity profile] writeraissa.livejournal.com
Aww, that really stinks. The prospect of getting virused freaks me out, big-time--hopefully your friend can help you without having to resort to wiping the hard drive.

As for good stuff? Well, my cousin (who is my age) had an itty bitty baby girl yesterday morning :). Her name is Eden (and whenever I see it I think of Heroes).

Also, Chris and I are pretty much all a-twitter because our friends/gaming group got together and bought us a PS3 for Christmas. For reals. Kinda still in shock/awe about that one.

(no subject)

Date: 2008-12-15 10:02 am (UTC)
From: [identity profile] orikes13.livejournal.com
That is such an awesome thing. Your friends rock. :)

(no subject)

Date: 2008-12-15 05:07 am (UTC)
From: [identity profile] leaths.livejournal.com
Geez. That sucks. I've gotten irritating infections before, but nothing that bad. I was usually able to clear the problem by doing a system restore to a point the day before or something.

Good news? I really don't have any. Things are just boringly normal around here. Um, I put up all my Christmas decorations yesterday. Oh, and my daughter (5) saw a red light in her window last night and when my husband explained it was probably just someone's car lights, she insisted that it was Rudolph out for a test run. That's not news, of course, but it was kind of cute.

(no subject)

Date: 2008-12-15 10:01 am (UTC)
From: [identity profile] orikes13.livejournal.com
That is absolutely cute. Five is a wonderful age for Santa. I took my friends' daughters (5 and 8) to see a movie over Thanksgiving weekend and the five year old was going on about how hard it must be for Santa to get to everyone and how important it is to leave him cookies because he's working so hard.

(no subject)

Date: 2008-12-15 05:10 am (UTC)
From: [identity profile] penguingirl03.livejournal.com
Oh man! You are not having much luck with computer problems right now. I hope that your friend is able to figure out how to remove it quickly!

Good news? I'm almost done with my last paper and I've been getting to sim a whole bunch. I've come up with some good ideas for some things to do in the next couple of Penguino chapters and I'm hoping to get an update out sometime between Christmas and New Years. And I finally figured out which hack was messing up the nanny, headmaster, and woohoo in bed options in my apartment. So that made me happy.

Also, Sarah I am very jealous of you and Chris's new PS3. That is a very awesome Christmas gift.

(no subject)

Date: 2008-12-15 10:02 am (UTC)
From: [identity profile] orikes13.livejournal.com
Yay for Penguino ideas! And congrats with being almost done with your last paper. :)

(no subject)

Date: 2008-12-15 05:34 am (UTC)
From: [identity profile] ndainye.livejournal.com
Ugh, sorry he hasn't been able to get it cleared up for you. I'd been keeping my fingers crossed.

Good news is that I'm about 1/2 way through my update. Bad news is that I'm running out of time to work on it.

(no subject)

Date: 2008-12-15 10:00 am (UTC)
From: [identity profile] orikes13.livejournal.com
YAY FOR FAMILIARS! BOO FOR NOT HAVING TIME TO WORK ON IT!

(no subject)

Date: 2008-12-15 05:43 am (UTC)
From: [identity profile] fireflower314.livejournal.com
I'm sorry, bb. :( I am always here to provide moral support!

As near as I can figure, the trojan either came from one of the Store Stuff downloads on MATY or from TSR (The Sims Resource).
And that is why I'm scared of downloading much of anything onto this computer. >.<

My good news? Um. I'm done with the semester!

Here, have a look at my Frank icon. I know that makes me happy. :P

(no subject)

Date: 2008-12-15 10:00 am (UTC)
From: [identity profile] orikes13.livejournal.com
Read down below to Tina's entry and her response to Snoot. It sounds like it wasn't the cc itself, but more an invasive pop-up ad on a cc site. Probably TSR, IMO.

Congrats on finishing the semester, by the way. :)

(no subject)

Date: 2008-12-15 06:22 am (UTC)
From: [identity profile] leilia.livejournal.com
Um, I got a virus/malware after looking at no-cd downloads on MATY and I never go to TSR.

It happened just last week. It was malware masquerading as a Windows Security Center alert that was trying to get me to download an even worse program. The fix I used was Malwarebytes' Anti-Malware program. It was accessing the internet through an svchost.exe and the main problem file was in Application Data/Google Toolbar.

I don't know if it is the same thing, but try Malwarebytes' Anti-Malware; it worked for me. After you get yourself set up, you can get Spybot S&D, which has TeaTimer, which watches for changes in programs.

I don't know if it will make you smile but it may help...

(no subject)

Date: 2008-12-15 06:27 am (UTC)
From: [identity profile] wtsims.livejournal.com
Did your friend say it was either Virtumonde or Vundo? (And is the DLL apparently some random 8 letters?) If so--actually, either way--I second the recommendation for Malwarebytes, which is what I needed to pull the damn thing off and eradicate the stupid registry entries. I'm going to find the person who wrote Virtumonde and shoot them in the head. And I hate guns.

(no subject)

Date: 2008-12-15 06:36 am (UTC)
From: [identity profile] orikes13.livejournal.com
THAT is exactly it. And yeah, the dll is some random eight letters. My friend wrote it down. I'll give that program a try.

Thanks Tina!

(no subject)

Date: 2008-12-15 06:28 am (UTC)
From: [identity profile] snootcb.livejournal.com
I had a pretty bad trojan not too long ago. I may still have it, but I've done everything I can think of to clean the computer save a full wipe. Time will tell whether or not that worked. I hope your computer is all fixed up. Since I am the only user on this computer and the only things I download (besides official software updates) are TS2 things, well, it had to have come from some CC. I talked to someone on MATY a couple of days ago who had a similar problem, and that person had also downloaded TS2 things from the booty (incl. TSR stuff) & MATY. This probably means that there is malware being passed around (perhaps by accident) in innocent-looking CC.

Good news... I made a B in Biochem! It doesn't sound like much of an accomplishment, I know, but considering the class average was a D I'm pretty damned proud. Also, the SO graduated on Saturday, and his parents are down for the week. I'm slightly terrified of his mother, but they are both really sweet people. We're going bowling tomorrow, yay!

(no subject)

Date: 2008-12-15 06:38 am (UTC)
From: [identity profile] orikes13.livejournal.com
Congrats on the B! Hey, I never scoff at B's. :)

I wish there was a way we could figure out what piece of cc was the culprit. It really irks me to think someone might have put it up purposefully like that. I've never had a problem with downloads and I've been playing for over a year and a half. I've been very careful about the sites I go to. It's going to suck not to download the snagged store stuff any longer.

(no subject)

Date: 2008-12-15 07:27 am (UTC)
From: [identity profile] wtsims.livejournal.com
For the record, my best guess is Virtumonde being spread via at least one ad site, so you could've gotten it from casual browsing anywhere that's got embedded ads. I'm not 100% sure on this, but I managed to get it twice and I haven't downloaded anything at all recently (except my savior Malwarebytes, and obviously that was after), but both times were after something defeated my popup blockers, so that's why I suspect an ad site. You could in theory turn off Java and JavaScript for an extra level of safety, but considering the sheer number of legitimate sites that use it, that might be more trouble than it's worth. (But make sure your Java is up to date!)

However, if you do a full system scan with Malwarebytes (or Spybot, or better still, both, as they've got slightly different detection rules), it should catch any malware regardless of location. If you're worried about a specific site or sites, do a scan after any batch of downloads. The downloaded file itself, unless it's an executable, should not be capable of infecting the computer... at least in theory, although if there's any kind of scripting on the download site, that changes. Self-extracting archives should always be treated as suspect, however. And, due to some boneheaded decisions at Microsoft, JPGs should be treated as suspect as well.

Incidentally, for those who might be curious, Virtumonde is particularly hard to clean off because it attaches itself to winlogon, which is a vital part of startup even in safe mode and cannot be disabled. Malwarebytes has the capability to change and remove programs in memory (tricky proposition, but if someone knows what they're doing, very handy), which is why it can defeat it. A few registry entries might be left behind, but those can be safely deleted -- you can look for either narujanu or the random-8 DLL in all possible fields (both is safer). Even I'm a little wary of deleting registry entries normally but in this case there is no reason not to, because you WANT to screw up its ability to re-execute or recopy itself into memory. However until the actual executables are totally eradicated you will not be able to do that, which is part of why it's pernicious. Windows won't let you delete a registry entry that's "in use", as it were.

If you want to be sure you've got all the possible entries, a copy of HijackThis could also come in handy. It'll list all automatic startups. That's a trousers-and-suspenders sort of thing, but it's a really handy program to keep around anyhow.

Some malware specifically looks for and hides from or tries to disable both Malwarebytes and HijackThis (but to the best of my knowledge, not Spybot, oddly). You can circumvent this by renaming the executable.

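A defender-side triage script, added here and not part of the thread or of any tool named in it, that lists the autostart keys a Virtumonde-style DLL hooks (the Winlogon Notify key described above, plus AppInit_DLLs and the Run keys, which are my assumption of where else to look), flags DLL values with an eight-letter base name or the "narujanu" name from the comment, and reports whether each one is loaded into a running process, which is exactly the "in use" condition that stops the file from being deleted:

```powershell
# Added example (not from the thread or from any tool named in it): list the
# autostart locations a Vundo/Virtumonde-style DLL hooks, flag DLL values whose
# base name is eight letters (or the 'narujanu' name mentioned above), and
# report whether each flagged DLL is currently loaded into a process.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify',  # winlogon hooks
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',          # AppInit_DLLs
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Eight letters followed by .dll, preceded by start of string, a path separator, space or quote.
$SuspectDll = '(?i)(?:^|[\\/\s,"])(narujanu|[a-z]{8})\.dll\b'

function Get-LoadedModuleTable {
    # Maps lower-cased module path -> owning PID. Protected processes refuse
    # module enumeration; those are skipped rather than aborting the scan.
    $table = @{}
    foreach ($proc in Get-Process) {
        try { foreach ($m in $proc.Modules) { $table[$m.FileName.ToLower()] = $proc.Id } } catch { }
    }
    return $table
}

$Loaded   = Get-LoadedModuleTable
$Findings = @()
foreach ($root in $AutostartKeys) {
    if (-not (Test-Path $root)) { continue }   # e.g. Notify is absent on newer Windows
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # PowerShell metadata, not registry data
            if (([string]$prop.Value) -match $SuspectDll) {
                $dll = "$($Matches[1]).dll".ToLower()
                # A hit here is the 'in use' condition that blocks deleting the file.
                $owner = $Loaded.Keys | Where-Object { $_ -like "*\$dll" } | Select-Object -First 1
                $ownerPid = if ($owner) { $Loaded[$owner] } else { $null }
                $Findings += [pscustomobject]@{
                    Key = $key.Name; ValueName = $prop.Name; Dll = $dll; LoadedInPid = $ownerPid
                }
            }
        }
    }
}
if ($Findings) { $Findings | Format-Table -AutoSize }
else { 'No eight-letter DLL names in the checked autostart keys.' }
```

Run it from an elevated prompt so module enumeration covers other users' processes; legitimate eight-letter DLLs (browseui.dll, for one) will show up too, so treat the output as a list to compare against the name your friend wrote down, not as a verdict.
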
(no subject)

Date: 2008-12-15 03:46 pm (UTC)
From: [identity profile] snootcb.livejournal.com
Thank you for the advice. My main problem was with Sinowal (and a couple of other minor malwares) rather than Virtumonde, so they were likely from different sources. It managed to evade Norton & Webroot, but I ended up using Trend Micro's HouseCall and it did a pretty good job of catching the stuff that made it past my apparently pathetic first-line defenses. I can't find any lingering traces of it in the registry, but I'm still suspicious. I really need to just get rid of Norton b/c it causes more problems than it solves.

(no subject)

Date: 2008-12-15 06:28 am (UTC)
From: [identity profile] cori-chronicles.livejournal.com
Sorry to hear about this. How frustrating!

You have my sympathies!

(no subject)

Date: 2008-12-15 06:28 am (UTC)
From: [identity profile] profbutters.livejournal.com
Agh, sucks. I'm terrified of downloading something freaky. I don't even have too much protection on the computer. Macs are usually pretty good about not having trouble, but I don't like being complacent.

The Store Stuff could have been the problem, too: Pescado doesn't put those up, they're just uploads from somebody else's computer on mediafire.

Anyway, I've been finishing up grading, and today I met up with a bunch of people from a book club I started years ago and retired from. We went to the Huntington Gardens, had a nice tea with little sandwiches, scones, and pastries, and then we went and sneered at a cow creamer.

http://cow-creamers.net/silver.htm

It's a PG Wodehouse joke. So that was a nice thing.

(no subject)

Date: 2008-12-15 09:58 am (UTC)
From: [identity profile] orikes13.livejournal.com
I have these really fond memories of a big plastic cartoon cow creamer that a chain of local restaurants used to have. I remember it being a really happy thing. :)

Glad to hear grading is done, though.

(no subject)

Date: 2008-12-15 06:49 am (UTC)
From: [identity profile] docnerd.livejournal.com
Ugh, that sucks. I've heard that the TSR downloads aren't the cleanest things ever.

Good news? Vetinari update within the next couple of days?

(no subject)

Date: 2008-12-15 09:59 am (UTC)
From: [identity profile] orikes13.livejournal.com
I am both looking forward to and dreading your next update. :}

(no subject)

Date: 2008-12-15 09:30 am (UTC)
From: [identity profile] lauriempress.livejournal.com
::hugs:: I hope you get it fixed. Sounds like you've gotten some advice and I hope it works.

Good news? I spent the day with good friends and got to see pictures and hear stories of their trip to England. That was really nice.

Lauri

(no subject)

Date: 2008-12-15 10:02 am (UTC)
From: [identity profile] orikes13.livejournal.com
Good friends and cool pictures are always made of win. :)