My computer has caught a virus. Or a trojan. Or malware. Or all three.
It happened yesterday. At first I started experiencing problems with Windows Explorer crashing on me as I was doing some things. I rebooted the machine and it wouldn't let me log in properly. After some fiddling and a panicked call to a couple of friends more technically adept than I, I got back in. That's when I started getting invasive pop-up windows. Crap.
I did the usual steps to try and get rid of it, but it didn't help. I got ahold of another tech friend and he walked me through doing some more serious cleaning steps. Nope, didn't get it all. I even deleted things from the registry, which is scary. No luck.
This same friend came over today before our work party. He discovered that while he could clear out most of the pieces, there was a .dll that had attached itself to something that MUST be running while the machine is booted up, so it can't be deleted because it's in use. He's doing some research to see if he can find a way to remove that file. If we can remove that file, it should clear up the problem.
Until then, I get to deal with an infected machine. I'll clean it off every day, but that's still going to make simple tasks like surfing the web annoying. Hopefully it doesn't grab anything even more nefarious while we're working on what to do about it. I don't want to do a wipe of the computer because I've got files on it that aren't backed up. All my sims stuff is backed up, but I've got characters and artwork and other stuff on there I would be sad to lose.
As near as I can figure, the trojan either came from one of the Store Stuff downloads on MATY or from TSR (The Sims Resource). I was looking at TSR when I got a couple of warnings from my anti-virus program. That's when I started having problems, so I'm leaning towards blaming TSR. GRR. Another reason to hate the site.
The most irritating thing about this whole mess is that it killed the time I'd allotted to work on the next Pseudo update. I'd intended to shoot some scenes and some filler I know I need, but by the time I could get into the game and do anything, it was too late. Guh.
If I have to wipe the computer, it's what I'll have to do. I'm sure I can save what I need to, it'll just be a pain in the ass. Irritating, but not life ending.
So, tell me something good to make me smile. :)
(no subject)
Date: 2008-12-15 07:27 am (UTC)
However, if you do a full system scan with Malwarebytes (or Spybot, or better still, both, as they've got slightly different detection rules), it should catch any malware regardless of location. If you're worried about a specific site or sites, do a scan after any batch of downloads. The downloaded file itself, unless it's an executable, should not be capable of infecting the computer... at least in theory, although if there's any kind of scripting on the download site, that changes. Self-extracting archives should always be treated as suspect, however. And, due to some boneheaded decisions at Microsoft, JPGs should be treated as suspect as well.
Incidentally, for those who might be curious, Virtumonde is particularly hard to clean off because it attaches itself to winlogon, which is a vital part of startup even in safe mode and cannot be disabled. Malwarebytes has the capability to change and remove programs in memory (tricky proposition, but if someone knows what they're doing, very handy), which is why it can defeat it. A few registry entries might be left behind, but those can be safely deleted -- you can look for either narujanu or the random-8 DLL in all possible fields (both is safer). Even I'm a little wary of deleting registry entries normally but in this case there is no reason not to, because you WANT to screw up its ability to re-execute or recopy itself into memory. However until the actual executables are totally eradicated you will not be able to do that, which is part of why it's pernicious. Windows won't let you delete a registry entry that's "in use", as it were.
If you want to be sure you've got all the possible entries, a copy of HijackThis could also come in handy. It'll list all automatic startups. That's a trousers-and-suspenders sort of thing, but it's a really handy program to keep around anyhow.
Some malware specifically looks for and hides from or tries to disable both Malwarebytes and HijackThis (but to the best of my knowledge, not Spybot, oddly). You can circumvent this by renaming the executable.
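Worked example, added here and not code from the post or its commenters: the comment above says to take the HijackThis startup listing and hunt it for the "narujanu" name, the random 8-letter DLL, and anything hooked into winlogon. The script below applies exactly those rules to a constructed HijackThis-style listing (the paths, the GUID and the stand-in name "qwertyui.dll" are made up for the example). The two allowlists (Winlogon Notify packages that XP ships with, and legitimate 8-letter system32 DLLs) are assumptions and deliberately short; the `scan` and `suspect_files` functions are mine, not part of any tool named on the page.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log style (not a log from the page; the GUID,
# paths and names are made up). "narujanu" is the marker the comment says to
# search for; "qwertyui.dll" stands in for the random 8-letter DLL.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\qwertyui.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" -systray
O4 - HKLM\..\Run: [narujanu] rundll32.exe C:\WINDOWS\system32\qwertyui.dll,b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: qwertyui - C:\WINDOWS\system32\qwertyui.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - C:\Program Files\Java\jre6\bin\jqs.exe
"""

MARKERS = {"narujanu"}                       # names the comment says to look for
RANDOM8 = re.compile(r"^[a-z]{8}\.dll$")     # "random-8" style: 8 lowercase letters
# Assumed allowlists (incomplete; trim/extend for the build you are cleaning):
# Winlogon Notify packages XP ships with, and legitimate 8-letter system32 DLLs.
KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll",
                "sclgntfy.dll", "wlnotify.dll", "wgalogon.dll"}
KNOWN_SYSTEM8 = {"browseui.dll", "setupapi.dll", "sfcfiles.dll",
                 "netshell.dll", "powrprof.dll"}

PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\",]+\\)*[^\\",]+?\.(?:dll|exe)\b', re.I)
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: \S+ - (.+)$")


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def scan(log_text):
    """Return (filename, reason, line) triples for every startup entry that
    trips one of the rules from the thread; a file appears once per reason."""
    findings = []
    seen_in = defaultdict(set)               # filename -> section codes (O2, O4, ...)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        code = line.split(" ", 1)[0]
        paths = {p.lower() for p in PATH_RE.findall(line)}
        m = NOTIFY_RE.match(line)
        if m:                                # O20 lines may carry a bare DLL name
            paths.add(m.group(1).strip().lower())
        names = {_name(p) for p in paths}
        for n in names:
            seen_in[n].add(code)
        for marker in MARKERS:
            if marker in line.lower():
                for n in names or {"(no file)"}:
                    findings.append((n, f"mentions marker '{marker}'", line))
        for p in paths:
            n = _name(p)
            if "\\system32\\" in p and RANDOM8.match(n) and n not in KNOWN_SYSTEM8:
                findings.append((n, "random-8 style DLL in system32", line))
        if code == "O20":
            for n in names - KNOWN_NOTIFY:
                findings.append((n, "unknown Winlogon Notify package", line))
    # A file hooked into winlogon that also shows up as a BHO or Run entry is
    # one component re-registering itself in several startup locations.
    for n, codes in seen_in.items():
        if "O20" in codes and len(codes) > 1 and n not in KNOWN_NOTIFY:
            findings.append((n, f"registered in {len(codes)} startup locations: "
                                + ", ".join(sorted(codes)), "-"))
    return findings


def suspect_files(log_text):
    """Distinct filenames worth hunting for in the registry and on disk."""
    return {n for n, _, _ in scan(log_text) if n != "(no file)"}


if __name__ == "__main__":
    for name, reason, line in scan(SAMPLE_LOG):
        print(f"{name:16} {reason}\n    {line}")
```

Run it against a real listing by replacing `SAMPLE_LOG` with the file contents. The random-8 rule is a heuristic and will flag legitimate 8-letter DLLs that are not in the allowlist, so treat a single "random-8" hit as a lead, not a verdict; the strong signal is the last rule, a DLL that is both a Winlogon Notify package and a BHO or Run entry, which is the pattern the comment describes for Virtumonde.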
(no subject)
Date: 2008-12-15 03:46 pm (UTC)