palsgraf_polka ([personal profile] palsgraf_polka) wrote2010-03-24 08:40 am
Fucking internet

I got hit with a massive computer virus this morning on reboot of my computer, and my computer is fuxored.

And you know, I'm so safe and I'm so good about not going to any websites that are questionable and I don't do anything weird on my computer at all. I am so pissed that this happened, and apparently, after doing research, this is a nasty trojan that slips in under ALL the antivirus/antispyware programs and hits you. You can pay a $70 ransom to get it to go away, or you can do battle like a true IT Warlord.

Well, I'm not fucking paying. And the worst part is that I was going to back up my hard drive tonight and burn my Windows XP disc tonight in preparation for my reformat on Friday, but now I have 45 pages of instructions on how to get rid of this thing and everything on my computer could be infected with this shit. I don't even know if I want to use the Windows XP file I got that I needed to burn to disc.

For you out there that are more tech savvy than I am, if I go through all the manual removal rigmarole to get rid of this piece of shit trojan, can I go back to using my files as I did? Would you trust the Windows XP ISO I have on my hard drive or should I go out and buy one to have a fresh disc for the reformat on Friday? Also, I have pretty much everything backed up from a month or so ago on my external drive, which has not been connected to the computer. Should I just say FUCK IT to everything and just reformat my drives without removing this thing, or should I remove it first, then reformat my drives? I don't think I'll lose anything major - any pictures I've posted since I did my big backup a month ago can be recovered from Photobucket.

Advice please? I've not really dealt with something like this on my own computer. Travis had a similar virus on his computer but I just reformatted it and it was gone. But I'd kind of like to do one final backup of my documents folder before I reformat. Also, without that Windows XP ISO that's on my hard drive burned to a disc, I can't reformat without going and buying Windows XP again because my disc disappeared.

So, please let me know. Hopefully some of you tech peeps are reading this.

[identity profile] skywhisperer.livejournal.com 2010-03-24 04:38 pm (UTC)(link)
Telling us what it is would help. :)

But, in general: your ISO is likely fine. Your documents are likely fine, unless you have programs in there. I'd unplug the network cable (so it can't do bad things online), burn your documents folder to CD, burn the ISO to CD (you might be able to do this in safe mode), then reboot and reinstall Windows.

The "paying $70" makes me think it's one of the fake AV programs that looks sort of like the windows ones. They're not generally horribly vicious.

Are you running a real AV program? And by "real", I don't mean AVG. You need Norton/Symantec, McAfee, the CA one, or ThreatGuard - all the others are junk. If you need a copy of Norton, I get them very, very cheap with employee pricing, and I'll send you one.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 04:59 pm (UTC)(link)
It is one of those fake antivirus programs - it's called "Antivirus Soft". I googled it and got instructions on how to remove it manually because it has disabled all downloading and running of files. (You can't do anything because of the popups anyway) I'll have to go through the registry and everything to get rid of it, but I have the instructions how.

I am using Anti-Vir free antivirus, but the comments on the sites with removal instructions said it got around Norton and McAfee too, so it's not just the free antivirus software that failed.

If you want to send me a Norton, that'd be sweet. How much would I owe you?

And I'm glad that I'll be able to use the computer normally once I get that stupid trojan out of there. I'll unplug it from the internet when I get home. The machine is off right now. I'm actually going to use that internet connection in my laptop until I get my desktop fixed.

You're so awesome!

[identity profile] skywhisperer.livejournal.com 2010-03-24 05:21 pm (UTC)(link)
It looks like you can't burn CDs in safe mode, but you could probably back them up to one of those little USB key drives - I got a 2 gig one the other day for $5.

I put in the order - it usually takes a few days to ship. I gave them your email address, so you'll get the tracking number - but that means I won't get any error messages, so let me know if there's a problem.

If you want me to throw the ISO up again, I can - maybe you could burn it from another machine?

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:41 pm (UTC)(link)
Fucking LJ ate my comment.

Why don't you throw that ISO back up? I'll see if I can go over to [livejournal.com profile] kittylitter1's house and burn it.

You're so good to me. You're like the perfect wife. :)

[identity profile] skywhisperer.livejournal.com 2010-03-24 06:51 pm (UTC)(link)
*grin* It's back up, in the same place.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 07:14 pm (UTC)(link)
Thanks. [livejournal.com profile] kittylitter1 is going to snag it tonight, so I'll e-mail you tomorrow when you can take it down.

<3 <3 <3
Edited 2010-03-24 19:15 (UTC)

[identity profile] wobblerlorri.livejournal.com 2010-03-24 04:58 pm (UTC)(link)
Yeah, knowing what it is would help. I got fucked hard by the Vundo/Virtumonde trojan about a year ago, and I was on the verge of wiping my machine. But then I went to Bleeping Computer and got excellent information on removing it. Took about a day, but it cleaned it beautifully.

What is your virus?

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:02 pm (UTC)(link)
The trojan is called "Antivirus Soft". It's a nasty bugger that gets around apparently every antivirus software out there.

[identity profile] wobblerlorri.livejournal.com 2010-03-24 05:13 pm (UTC)(link)
Here's a link on Bleeping Computer on removing Antivirus Soft, current as of January 2010... Looks pretty uncomplicated.

I really like BC, lots of helpful people there and the directions are always clear and actually WORK.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:16 pm (UTC)(link)
Haahaha that link crashed my Internet Explorer here at work. I can't get the page to load.

[identity profile] wobblerlorri.livejournal.com 2010-03-24 05:42 pm (UTC)(link)
Can you receive documents via email? I can send it to you... drop me an email with the addy you want it sent to.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:45 pm (UTC)(link)
You can send it to aemilia_parker AT YAHOO DOT COM. That's good, I can print it here at work.

[identity profile] wobblerlorri.livejournal.com 2010-03-24 06:28 pm (UTC)(link)
Sent. Hope it works for you...

[identity profile] jdack.livejournal.com 2010-03-24 04:59 pm (UTC)(link)
A format is the nuclear option.

The ISO image probably isn't messed with, and your photographs are very unlikely to be infected. Most malware goes after e-mail programs, address books, firewall software, and your AV stuff. It wants to spread itself.

Is there any chance you could post a screen-capture of your desktop when you're seeing all the evidence of the infection? It sounds familiar, if it's the one I removed for a friend recently, it's an easy fix.

I also have to disagree with the first commenter, AVG isn't great, but Norton and McAfee are absolute bloated crap that will fuck your system up worse than it is.

Fact is most AV programs are inadequate, but I use both AVG and/or Avast on all my company PCs and they work well enough if you keep them up to date.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:01 pm (UTC)(link)
I was going to install Avast after I reformatted. I was already planning on reformatting and reinstalling Windows on Friday because I have new RAM and my Windows install is 4 years old and getting clunky. Thankfully I've already backed up most everything a month ago onto my external. I was going to reformat then but I couldn't find my XP disc.

[identity profile] jdack.livejournal.com 2010-03-24 05:03 pm (UTC)(link)
Gotcha.

Out of curiosity, do you use anything that specifically requires Windows?

Linux these days can do most everything Windows can, aside some games and certain office apps. Ubuntu is very easy to use and far less virus-prone.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:11 pm (UTC)(link)
Well, I really like all of my PopCap games and everything, and they all require Windows, so I have to stick with Windows, I think.

Also, I need to use my VPN for work with my RSA key.

I don't use Internet Explorer at home, I only use Firefox.

[identity profile] jdack.livejournal.com 2010-03-24 05:19 pm (UTC)(link)
PopCap games are usually just flash aren't they?

VPN should be no problem.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:37 pm (UTC)(link)
Yeah but my VPN installer disk for Citrix is only for Windows XP and I'm pretty sure that if I asked my IT department for a disk that works with Linux they'd laugh at me.

I've been intrigued by Linux for years but after my experiments with Macs I gave up trying OSs that aren't Windows.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:03 pm (UTC)(link)
And it's called "Antivirus Soft". It's a well known new trojan.

[identity profile] jdack.livejournal.com 2010-03-24 05:06 pm (UTC)(link)
Hm, that sounds a lot like (or just like) the one I removed from my friend's machine recently.

His wife got it by visiting a rigged classic rock radio web site using Internet Explorer.

In his case the startup was slow enough that before the malware loaded I was able to install and run process explorer (a task manager replacement) and noticed a weird looking .exe with a random file name running, using up all the cpu/ram.

Deleted that and everything went back to normal.

These programs are usually dug in deeper than that though.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:13 pm (UTC)(link)
It puts about 50 exe files on the HD and about 10 registry entries. I have to boot in safe mode and get them all out that way.

And yes, it disabled my task manager, and I can't install anything new.

[identity profile] jdack.livejournal.com 2010-03-24 05:20 pm (UTC)(link)
Does it say it put 50 or you found 50? Mileage varies.

Yeah the task mgr thing sucks. Process explorer is a self-contained exe, no install. I think I had to put it on in safe mode first. In my situation, the trojan thing didn't run in safe mode.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:25 pm (UTC)(link)
I only had this all happen this morning when I fired up my computer for my morning LJ and FB while eating breakfast. I immediately shut the thing down and all the research I did was here at work. The instruction pages give a list of the exe files you might find. I'll have to get the system in safe mode when I get home and see what it did. But I printed everything to take home with me.

[identity profile] jdack.livejournal.com 2010-03-24 05:26 pm (UTC)(link)
Ahh. OK.

[identity profile] wobblerlorri.livejournal.com 2010-03-24 05:20 pm (UTC)(link)
I also have to disagree with the first commenter, AVG isn't great, but Norton and McAfee are absolute bloated crap that will fuck your system up worse than it is.

I wholeheartedly agree. I've been using F-Secure for years, and I absolutely love it. It's cleaned everything I've ever asked it to clean (except that fucking Vundo/Virtumonde excrescence, but then nothing cleans it), and I have Spyhunter 3 for my backup spyware/malware scanner.

Shelby, you always want to have 2 spyware/malware programs, because none of them catch them all. But with two, you're pretty sure to get them all.

[identity profile] jdack.livejournal.com 2010-03-24 05:23 pm (UTC)(link)
I never heard of F-Secure. I'll look into it.

Agreed re: 2 spyware programs. I used to have to run both spybot s&d and ad-aware at the same time.

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 05:35 pm (UTC)(link)
That's what I always ran - both SpyBot & AdAware. But my computer has just been getting slower and slower this last year, and I think it's just bogged down with 4 years of crap in the registry, not enough RAM to handle Firefox and general sluggishness. And of course it is 2 DAYS before I'm scheduled to reformat that this happens. Fuckin' A.

[identity profile] wobblerlorri.livejournal.com 2010-03-24 05:39 pm (UTC)(link)
NO NO NO never Ad-Aware!!! It's just a spyware/malware of its very own!! Spybot S&D is a good one. The F-Secure suite I run has antispy/malware included, so the SpyHunter 3 is doing a good job side by side.

I let it run every morning when I boot up, and it cleans all the crap out of my browser history nice and neat. I have FS set up to run a full scan every Friday morning at 1 am, and it's generally finished by the time I get up the next morning.

[identity profile] skywhisperer.livejournal.com 2010-03-24 07:22 pm (UTC)(link)
I don't agree with using 2 AV programs - they all hook the file system, and you can get some really weird interactions. One of the worst computer messes I ever cleaned up without re-installing Windows involved _6_ AV programs - and a virus.

I know I'm coming across as a Norton fangirl, but it works. And the performance today is amazing compared to where it was 5 years ago. It really doesn't bog down a machine any more - especially not in comparison to running 2 free AV programs!

[identity profile] palsgraf-polka.livejournal.com 2010-03-24 07:36 pm (UTC)(link)
I'm having such a big nerd crush on all of you right now. :)

[identity profile] wobblerlorri.livejournal.com 2010-03-24 10:43 pm (UTC)(link)
Not antiVIRUS, antispyware/malware. Two completely different things. And not free -- you get exactly what you pay for with a free AV or AS/M program. As much as it killed me to do, I actually bought my F-Secure and renew it every year, and I bought SpyHunter as well. My two AS/M progs are the one that comes with the F-Secure Security Suite, and SpyHunter.

No, you don't want to run two different AV programs, because yeah, they don't play well together. This is mostly because they both like to TSR themselves, and they don't like someone else running in their space.

But two spyware scanners work fine, as long as you only have ONE of them TSR'ing. You let one of them sit around on the box and scan all the incoming traffic and email, run a formal scan with it whenever you like, as often as you like, then you nuke that one and fire up the other one, and run a formal scan with it.
Edited 2010-03-24 22:45 (UTC)

[identity profile] wobblerlorri.livejournal.com 2010-03-24 05:03 pm (UTC)(link)
Oh yeah, I like F-Secure for my anti-virus/anti-spyware all around program. It catches things Norton and McAfee don't even know about. But nothing catches/cleans everything...