December 26, 2008

Social Disease
Posted by Jim Macdonald at 12:06 PM * 72 comments

The Locus Magazine site recently was infected with malware of some kind that may have infected folks who visited.

Right now, on their front page, we see this notice:

Note, 25 December: After several e-mails reporting malware attacks from this site, Locusmag’s hosting service has done a security sweep and found no abnormal processes or files. Please contact us if such problems recur — they may be connected to the servers of one of the ad banners.

If you suspect you may have malware on your computer, may I suggest Anti-Malware from Malwarebytes?


[UPDATE: promoted from the comment thread]

#6 ::: Eileen Gunn ::: (view all by) ::: December 26, 2008, 04:05 PM:

I am one of the people who encountered a virus on the Locus site. It was probably a spyware called “XP Antivirus 2008/2009.” (This is new and particularly nasty trickware that tries to get you to download itself by popping up a message that looks like a Windows system message, telling you your computer is infected with a virus, and you need to download a fix. More here: http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008 .)

DO NOT CLICK ANYWHERE ON THE “SYSTEM MESSAGE” TO CLOSE IT.

Specifically: DO NOT CLICK ON THE “CANCEL” BUTTON IN THE MESSAGE and DO NOT CLICK ON THE X-BOX IN THE UPPER RIGHT-HAND CORNER. (It’s a trick: why would they let you cancel it? The cancel button installs it.)

Here’s what to do:

1. Hit Ctrl-Alt-Del to bring up the Windows task manager.
2. Find your browser in the task list (such as firefox.exe or iexplore.exe).
3. Select the browser and click the “End Process” button.
4. Make sure there is not another instance of your browser running. If there is, close that too. Do this until the message disappears. DO NOT CLICK THE MESSAGE.
5. Download and run Anti-Malware from www.malwarebytes.com, as Jim McD. suggests.

Thanks to Jim Bailey, Jeffry Dwight, and Chuck Rothman’s excellent advice about this virus in the SFWA Forum on SFF.net, I avoided downloading it, but it took me five hours of running A/V and anti-malware programs to be sure of that.

Good luck! If an advertising server is spreading this virus, you could encounter it anywhere.

Comments on Social Disease:
#1 ::: Mark ::: (view all by) ::: December 26, 2008, 12:48 PM:

I've been using the combination of Spybot Search & Destroy and AVG Free with good results on balance. And when the kid picked up an exceptionally stubborn Virtumonde Trojan horse, I was able to get all the help I needed from the Spybot forum admins.

#2 ::: P J Evans ::: (view all by) ::: December 26, 2008, 01:01 PM:

There are several ads on various sites that may trigger virus warnings. (Trend Micro, which is on my work computer, seems to be very sensitive to these.)

#3 ::: Russell Letson ::: (view all by) ::: December 26, 2008, 02:02 PM:

Back on 12/18, my wife got an e-mail warning from Mad Hatter's Review that their site might have been hacked and everyone should stay away. (Don't know why they didn't just close the site--maybe there's something about running an infected website I don't understand.) Unfortunately, she didn't open the message until after she had visited the site, and sure enough, the Norton AV on her office computer (which sits on a university network with, one would think, pretty good security) notified her that it had picked up some unspecified virus. The university tech couldn't get rid of it, so he had to reformat her drive. Fortunately, I keep redundant backups of her data files anyway, so it was an inconvenience rather than a disaster.

#4 ::: Spherical Time ::: (view all by) ::: December 26, 2008, 02:45 PM:

Another site that I belong to had similar problems, Fark, which serves hundreds of thousands of page views per day, and it was indeed being issued through their ads.

But, speaking of science fiction sites that are having issues, I haven't been able to reach Tor.com in the last two weeks, since traveling home to NM.

Normally I'd chalk that up to weird connection issues, but all my other sites work fine, and a few lines of each new post are appearing in my web based reader, but the links never work.

Good luck to Locus though . . . Fark is still having problems.

#5 ::: James D. Macdonald ::: (view all by) ::: December 26, 2008, 03:09 PM:

I also recommend Grr! (Greyware Registry Rearguard) which keeps your registry from being altered without your explicit permission.

If you go to a website (or open an email) and the Grr! popup pops up ... something's wrong.

#6 ::: Eileen Gunn ::: (view all by) ::: December 26, 2008, 04:05 PM:

I am one of the people who encountered a virus on the Locus site. It was probably a spyware called "XP Antivirus 2008/2009." (This is new and particularly nasty trickware that tries to get you to download itself by popping up a message that looks like a Windows system message, telling you your computer is infected with a virus, and you need to download a fix. More here: http://www.bleepingcomputer.com/malware-removal/remove-antivirus-xp-2008 .)

DO NOT CLICK ANYWHERE ON THE "SYSTEM MESSAGE" TO CLOSE IT.

Specifically: DO NOT CLICK ON THE "CANCEL" BUTTON IN THE MESSAGE and DO NOT CLICK ON THE X-BOX IN THE UPPER RIGHT-HAND CORNER. (It's a trick: why would they let you cancel it? The cancel button installs it.)

Here's what to do:

1. Hit Ctrl-Alt-Del to bring up the Windows task manager.
2. Find your browser in the task list (such as firefox.exe or iexplore.exe).
3. Select the browser and click the "End Process" button.
4. Make sure there is not another instance of your browser running. If there is, close that too. Do this until the message disappears. DO NOT CLICK THE MESSAGE.
5. Download and run Anti-Malware from www.malwarebytes.com, as Jim McD. suggests.

Thanks to Jim Bailey, Jeffry Dwight, and Chuck Rothman's excellent advice about this virus in the SFWA Forum on SFF.net, I avoided downloading it, but it took me five hours of running A/V and anti-malware programs to be sure of that.

Good luck! If an advertising server is spreading this virus, you could encounter it anywhere.

#7 ::: Eileen Gunn ::: (view all by) ::: December 26, 2008, 04:08 PM:

That's Windows-specific advice, of course. Reportedly, this malware will download to Macs, but will not run, so you can just delete it.

#8 ::: Eileen Gunn ::: (view all by) ::: December 26, 2008, 04:12 PM:

And of course most Mac users would just laugh if a Windows system message appeared on their screens.

#9 ::: Scott Taylor ::: (view all by) ::: December 26, 2008, 04:23 PM:

Eileen Gunn @ 6 -
... "XP Antivirus 2008/2009." ...

Oh god, I hate this malicious piece of sh*t. I hate it with the passion of a thousand burning suns, having had to clean it - by hand - off of several dozen machines now.

#10 ::: Jon H ::: (view all by) ::: December 26, 2008, 04:27 PM:

The XP antivirus thing popped up on my Mac the other day when I visited TNR.com.

Naturally, the ads rotate so it doesn't appear on the next visit.

#11 ::: Madeline ::: (view all by) ::: December 26, 2008, 05:42 PM:

Please tell me I'm not the only one now infected with the "Officer Krupke" species of earworm.

#12 ::: Lee ::: (view all by) ::: December 26, 2008, 06:26 PM:

Madeline, #11: Not any more, you aren't. :-\

#13 ::: Mark ::: (view all by) ::: December 26, 2008, 08:01 PM:

It's more insidious than you think. The Virtumonde Trojan I mentioned manages to reinstall a randomly-named browser helper object that at some odd interval redirects you to...you guessed it, XP Antivirus 2009. Isn't that lovely? The Trojan itself gets embedded in ways I don't fully understand and that took a good five hours spread over three days with professional guidance to root out; every time I thought I'd killed it with my own anti-malware it reinstalled itself.

#14 ::: Lenny Bailes ::: (view all by) ::: December 26, 2008, 09:09 PM:

I second the recommendation for Malwarebytes' Anti-Malware. It got rid of a series of Virtumonde strains on my PC when I caught them from a site that allegedly posted song lyrics.

TDSS is another relatively new browser nuisance that Anti-Malware helps to kill.

If infected, one of the symptoms is that crappy fake search engine windows start appearing in new browser tabs whenever you use a search engine.


The important points are 1) run Anti-Malware or something equivalent that removes all references to the crap you've contracted from the Windows registry.

2) Inspect the \Windows\System32 directory for hidden, invisible files. ("DIR /ah \windows\system32\" )

Anti-malware removed references to these files in the registry for me, but it didn't always delete all of the physical malware files from the hard disk. (Without references in the registry to launch these files, you're pretty much free of immediate threats.)

But take note of all the hidden files in the \Windows\System32 directory: run the "DIR /ah \Windows\System32" command. Write down names of files with weird names and repeating letters "aaa" "zzz", etc. You'll probably find some hidden files with the extension ".manifest" that are OK, but you'll definitely want to delete or rename anything with "tdss" in the filename.

If necessary, you can boot the computer into safe mode with the Internet connection turned off. It may be necessary to run the command-line command: "ATTRIB -R -H -S \windows\system32\*.*" This makes all files in the System32 directory visible and deletable in Safe Mode. If you found some filenames with really weird names when you ran the dir /ah command, it can't hurt to do a global search of your hard disk to see if there are other instances of these files lurking in temporary directories. Don't go wild and delete everything from the System32 directory. Keep your list of files that were hidden when you ran the DIR /ah command. If you have a second, uninfected computer, you can run Google searches on "suspicious" filenames to see if you can get confirmation of their legitimacy.

Anti-Malware may do most of this work for you. In the past four weeks, I would guess that it's learned about more of this junk than it knew about when I got hit. If the \Windows\System32 directory seems to be clean of hidden files with weird names after you disinfect and reboot, you may be OK.

But sometimes iterations of malware files hide themselves in user temporary directories and in the repository used by the Windows XP System Restore utility. Whenever I know I've been infected by something, I generally turn off System Restore to wipe out the repository of old backups, then switch it on again to start over. This means you lose your time machine into the past, but it also means you won't have any malware system files hiding in the System Restore directories with names like AAAAAAA.DLL, AAAAAAA1.DLL, etc., which is how System Restore likes to rename things in its backups.

I retract any recommendations I've made for Webroot SpySweeper, which several years ago was a good cure-all for this sort of thing, but which I no longer find to be reliable. Avira Antivir is still a good and reliable free AV application, but it wasn't enough to deal with this crap when I got hit with it several weeks ago. (The commercial version of AntiVir is supposed to have more sophisticated Malware detection built in, but I don't have any information about its effectiveness.)

#15 ::: Jennifer ::: (view all by) ::: December 26, 2008, 11:33 PM:

My mom was visiting for the holidays, and I found, much to my dismay, that her laptop has been running on the internet *completely unprotected!* And she uses IE!

So, she got a lecture from me, and I sent her links to install a few programs. I also told her very firmly what she'd been doing wrong, and why, and how to avoid it in the future.

Now she'll be using Firefox, and running Avast, Spybot and Ccleaner (all available for free thanks to the wonders of the 'net.) I also had her switch her gmail account over to https instead of http (and thanks to whomever it was who wrote about that here!!!)

I rather shudder to think of what she may have on her computer...

#16 ::: James D. Macdonald ::: (view all by) ::: December 26, 2008, 11:36 PM:

You might have her bring her laptop along, and let you clean it out.

#17 ::: Arthur D. ::: (view all by) ::: December 27, 2008, 03:29 AM:

In addition to Malwarebytes Anti-Malware, I would also suggest using Super Anti-Spyware. Starting out, using both in combination can seemingly catch everything. I used both recently to wipe out a bunch of trojans on a friend's computer, following a recipe found on bleepingcomputer.com.

#18 ::: Charlie Stross ::: (view all by) ::: December 27, 2008, 04:42 AM:

Let me just add: one of the common vectors for malware is advertising servers. A solution to that problem is to run AdBlock Plus or a similar ad-blocking browser plugin: if your browser doesn't load the malware front end, you can't click on the "close" button and accidentally invite the infestation in.

AdBlock also reduces your bandwidth requirements, makes web pages load subjectively faster, frees you from eye-bleeding flash animations, etcetera.

Just sayin'.

#19 ::: Mark ::: (view all by) ::: December 27, 2008, 08:21 AM:

...and causes some video content to choke. Some of MSNBC's streams, but not all, will seize up if you block the ads, and Hulu will spend 30 seconds telling you to disable your ad blocker before running your video.

This, I must presume, is what the writers' strike was about last summer. :-P

#20 ::: Adam Lipkin ::: (view all by) ::: December 27, 2008, 08:48 AM:

Mark (#20): I've never had a problem with Adblock and Hulu. Are you on the latest Adblock/Firefox?

I'd consider killing MSNBC's video streams to be a feature, not a bug (in fact, I've used Adblock to kill ESPN's front-page videos, which has increased the latter site's usability). Then again, if you want to see the videos, I could see how that's a problem.

#21 ::: Charlie Stross ::: (view all by) ::: December 27, 2008, 08:52 AM:

Speaking of which, here's news to warm the cockles of your heart if you've been bitten by these bastards.

#22 ::: Charlie Stross ::: (view all by) ::: December 27, 2008, 08:54 AM:

Speaking of which, here's news to warm the cockles of your heart if you've been bitten by these bastards.

#23 ::: tykewriter ::: (view all by) ::: December 27, 2008, 10:09 AM:

I've been getting spam in my spam box which appears to come from me. Originally it showed as "Myname"at"Mymailprovider", then it changed. I was using XP, but after reading about the evil Genuine Validation Tool I switched to Linux, but retained the same email provider and address.
Have I got malware, and is my computer being used to spam other people? And what can I do about it?

#24 ::: Sam Kelly ::: (view all by) ::: December 27, 2008, 10:23 AM:

tykewriter: I've been getting some of those too, but Gmail dumps them straight into Spam. Looking at the full headers, it says:

Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning myaddress@gmail.com does not designate xxx.xx.xxx.xx as permitted sender) smtp.mail=myaddress@gmail.com

Which, being translated into Human, means "Ha. Your devious ruse does not fool ME, spammer."

The stuff inside that is specific to the authentication checks each server does, so it might well look different on yours, but checking it (with "view original", "view headers", "full headers", or some such) may give useful clues.
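The header check Sam Kelly describes in #24, as an added Python example that is not part of the original thread: it reads the SPF result from the `Authentication-Results` header, but only from the header written by your own receiving server, since a spammer can put a header of the same name into the message. The sample messages are constructed; `203.0.113.7` is a documentation address standing in for the masked IP, and `mail.example.net` and the function names are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header quoted in the comment.
SPOOFED = """\
Authentication-Results: mx.google.com; spf=softfail (google.com: domain of
 transitioning myaddress@gmail.com does not designate 203.0.113.7 as
 permitted sender) smtp.mail=myaddress@gmail.com
From: myaddress@gmail.com
To: myaddress@gmail.com
Subject: constructed sample

body
"""

# Constructed sample: the only Authentication-Results header was written by
# a server we do not run, so its "pass" proves nothing.
UNTRUSTED_ONLY = """\
Authentication-Results: mail.example.net; spf=pass smtp.mail=myaddress@gmail.com
From: myaddress@gmail.com
Subject: constructed sample

body
"""


def strip_comments(value):
    """Remove parenthesised comments, which may nest, from a header value."""
    out, depth = [], 0
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")" and depth:
            depth -= 1
        elif depth == 0:
            out.append(ch)
    return "".join(out)


def parse_authres(value):
    """Return (authserv_id, {method: {"result": ..., "props": {...}}}).

    Assumption: no quoted strings containing ';' or parentheses.
    """
    value = strip_comments(re.sub(r"\r?\n[ \t]+", " ", value))  # unfold first
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"([\w-]+)\s*=\s*(\w+)", part)
        if not m:
            continue  # e.g. a bare "none" when nothing was evaluated
        props = dict(re.findall(r"([\w-]+\.[\w-]+)\s*=\s*(\S+)", part[m.end():]))
        results[m.group(1).lower()] = {"result": m.group(2).lower(), "props": props}
    return authserv_id, results


def spf_verdict(raw_message, trusted_authserv="mx.google.com"):
    """Summarise the SPF result recorded by the trusted receiving server."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    # Receivers prepend their header, so the topmost matching one is theirs.
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authres(header)
        if authserv_id != trusted_authserv or "spf" not in results:
            continue
        spf = results["spf"]
        props = spf["props"]
        # SPF tests the envelope sender; older headers call it smtp.mail.
        envelope = (props.get("smtp.mailfrom") or props.get("smtp.mail") or "").lower()
        if spf["result"] in ("fail", "softfail"):
            verdict = "sender-not-authorised"
        elif spf["result"] == "pass":
            verdict = "sender-authorised"
        else:
            verdict = "inconclusive"
        return {"from": from_addr, "envelope": envelope,
                "spf": spf["result"], "verdict": verdict}
    return {"from": from_addr, "envelope": "", "spf": None,
            "verdict": "no-trusted-result"}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("untrusted", UNTRUSTED_ONLY)):
        print(name, spf_verdict(raw))
```

Set `trusted_authserv` to the identifier your own mail provider writes at the start of the header; the value differs between providers.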

#25 ::: Raphael ::: (view all by) ::: December 27, 2008, 11:44 AM:

Tykewriter @23: Have I got malware, and is my computer being used to spam other people? And what can I do about it?

I don't think you have to worry; as Sam Kelly says, spammers can try to trick you into thinking that their spam comes from somewhere else than where it really comes from.

Speaking of spam, recently, there was something titled "IT consultant of perfect love making art." in my spam. Has the reputation of geeks really improved that much by now? And, of course, "Work is available in 2009".

#26 ::: Rick Owens ::: (view all by) ::: December 27, 2008, 12:28 PM:

Since I haven't seen it mentioned yet: NoScript is another piece of armor for your browser (if you're using Firefox, that is), which blocks javascript and plugins on untrusted web sites. Recommended.

#27 ::: Terry Karney ::: (view all by) ::: December 27, 2008, 12:30 PM:

Eileen, I think I got nailed with that thing last night. Spybot seems to be keeping it from installing the registry keys, but I can't seem to load Anti-Malware, and bleeping computer won't open.

I got nailed by bad timing. It popped up as I was clicking.

Happily I don't have Outlook, or other sorts of address book apps on my machine.

Now to try rooting it out.

#28 ::: Terry Karney ::: (view all by) ::: December 27, 2008, 12:40 PM:

Doing some poking, it appears I may have my work cut out for me, as the implications are this thing is why Anti-malware won't install, and I can't seem to run the active sweep of spybot.

When I have a better connection (the one here is slow), I'll poke about, but it may be flashdrives and safe mode to fix it.

#29 ::: tykewriter ::: (view all by) ::: December 27, 2008, 01:02 PM:

I looked into my latest spam (although I have an aversion to clicking on anything in my spam folder), and found that it appears to come from MyName at Gmail dot com, whereas my email address is My dot Name etc. Gmail (which I keep typing as Gamil, and I may start to call it that in fun) thinks it's me. It even puts "Yes this is you" after it. It may be harmless, but it makes me feel uneasy, as though I'm being watched. That's why I said a big FO to Microsoft, after all.

#31 ::: Terry Karney ::: (view all by) ::: December 27, 2008, 01:23 PM:

tykewriter: It seems the "." in names for gmail accounts, aren't needful. If I send something to my.name, or myname, both arrive.

#32 ::: joann ::: (view all by) ::: December 27, 2008, 01:27 PM:

The vile thing popped up, I did not follow Eileen's instructions on what to do about it because they hadn't appeared yet, and I downloaded Anti-Malware. It found no problems, so I'm proceeding like I believe it.

#33 ::: Bruce Cohen (SpeakerToManagers) ::: (view all by) ::: December 27, 2008, 01:29 PM:

I'm only moderately paranoid with the wind from the northwest, but I keep both NoScript and Adblock turned on with scripts turned off by default for all but a few sites, and with popups blocked. I've done a fair bit of Javascript and Ajax coding, and I know what I could do with those things myself, so there's no way I'm going to leave myself open to the kind of black hat who's been doing nothing but coding malware.

Right now I feel reasonably safe, since I'm running Mac OS X (on an Intel processor to be sure, so there are at least theoretically things that could be done to my system by OS-agnostic nastyware), but as Macs become more popular with users, they'll become more popular with abusers, and I hate to find out about the latest infestation the hard way. I'm seriously thinking of doing most of my "frivolous" surfing in a Linux virtual machine, communicating between that and my main computer only by cut-and-paste and manual file transfers. That ought to make the job of cleaning up when I do get hit a little easier. I wonder if there's a market for a virtual appliance that does that, with a simple install and cleanup utility.

#34 ::: Terry Karney ::: (view all by) ::: December 27, 2008, 01:34 PM:

Jim. If I can get there. This is a clever piece of work. It's disabled regedit, and seems to be blocking various anti-mal/spyware sites.

Nope, it seems I can't download it. Barring a separate machine, or getting it as an email attachment that seems to not be an option.

I have read people saying it corrupted the system restores, so there are no dates, but I think that's the next thing I'm going to try.

#35 ::: Terry Karney ::: (view all by) ::: December 27, 2008, 01:37 PM:

Well, I'm heading home. Later I'll see if part of the problems are the connection here, but the regedit disabling has me worried.

#36 ::: Andrew Plotkin ::: (view all by) ::: December 27, 2008, 02:36 PM:

"as Macs become more popular with users, they'll become more popular with abusers"

On the one hand, that's true. On the other hand, that's been true since OSX came out in 2001. (And people have been reciting that line continually since then.) It's not like Macs started getting popular last month.

#37 ::: Lenny Bailes ::: (view all by) ::: December 27, 2008, 03:33 PM:

Terry

I don't know whether this will help, but TomsHardware.com, a well-known site has a link in its reader forum to something from a Microsoft engineer (Doug Knox). This is an emergency utility package that installs useable copies of Regedit, MSConfig and Taskmgr on systems infected so the regular versions won't open. The direct link to download this is here. (Knox apparently developed this in 2005, so I don't know if it will still work against contemporary malware.)

#38 ::: Epacris ::: (view all by) ::: December 27, 2008, 05:50 PM:

Terry @31, I read somewhere on Google/Gmail that tho' they allow two email accounts using the same letters with & w/o dot, they ignore the dot when delivering mail.

So my.mail@gmail.com and mymail@gmail.com get the same mail.

I discovered this when my Gmail account started getting someone else's mail as well as mine. Presumably they get mine as well as theirs.

Useful to know if any private information might be in your mail. Worrying that unscrupulous types might deliberately set up matching accounts to harvest private information.

They might have changed something to make it more secure since.

Good luck with fixing your malware problem.

#39 ::: Graydon ::: (view all by) ::: December 27, 2008, 06:56 PM:

Every time I see one of these notices, I do what I usually do, which is to go and tweak selinux's paranoia up a bit.

Lots more spam, of a sudden, though; 1.5 MB in about 12 hours.

Bruce @33 -- various of the linux netbooks work, or can be caused to work, like that. You can put the whole shipped image and your bookmarks on a 4GB USB stick.

#40 ::: Suzanne ::: (view all by) ::: December 28, 2008, 11:40 AM:

#3: which sits on a university network with, one would think, pretty good security

Bwahahaha, no. Quite the opposite in my experience, at least at public universities. There just isn't the funding and manpower for the size of the user base, and often decisions higher up are made by people who are there for political reasons, not practical ones.

#41 ::: Scott Taylor ::: (view all by) ::: December 28, 2008, 12:29 PM:

On the OS X front - while there have been security flaws found in OS X (the definition of an "absolutely safe computing environment" - that being a computer that is shut off, all cables unplugged, and then locked in a safe that is then buried in concrete - is as true today as fifteen years ago), there are some fundamental architectural differences between OS X and WinXP that make it more difficult for crap to get as pervasively bad as it does on a Windows system.

This is less true for OS X vs. Vista, at least in some configurations of Vista, and it is possible to bodger up the security settings in OS X to make yourself as vulnerable as WinXP is - although even then, you have the advantage (currently) that the system is not as targeted as WinXP is.

OS X vs. (*NIX - Linux variations, FreeBSD, etc.) is an open question - a poorly configured Linux system is highly vulnerable if exposed to the internet, simply because "poorly configured" means doing stupid things with what is allowed to access Root. But out of the box, the two are pretty comparable - and both can be locked down pretty durn tight.

There are high-security versions of Linux (and FreeBSD) that are going to be pretty much immune to anything but dedicated, sustained attacks - but they take a lot of tweaking and poking to get really secure (and keep there), and still are at the ground levels of "trusted security" as such things go. Then again, for most people, they are (way) more than enough secure for daily computer use.

#42 ::: Graydon ::: (view all by) ::: December 28, 2008, 12:59 PM:

Scott @41 --

The Ubuntu family of linux distros, and (though I do not recommend it for web-browser-and-email installations) Fedora ship in a tolerably tight state. Selinux is on in enforcing mode, the repositories use reasonable crypto to sign packages, and the standard kernel packet filtering firewall is deeply and appropriately sullen about who it wants to talk to. So for the standard user case, any of the Ubuntus aren't going to be any worse than OS X.

Absolutely no one, irrespective of operating system -- not even if they are running OpenVMS -- should be connecting to a service provider's network without a hardware router with firewall, that's doing NAT ("network address translation"), and the NAT set to something other than the shipped default settings. That way, the router has the address your ISP assigns to you; your computer gets its address from the router. Anything external has to suborn the router before it can even find your computer. (If you leave it on default settings, the attacker can safely guess that your computer's IP address is 192.168.0.2.)

Generally getting low-end SOHO gear is better than the consumer stuff; it will have options to turn off external configuration. (The stuff your ISP gives you will often have external configuration hardwired on; try to avoid that.) Nothing that uses WiFi is, or can be caused to be, secure. You ideally want a router that has no WiFi at all. (If you want to use WiFi, put that router inside the firewall.)

#43 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 07:04 PM:

Well... the saga of failure continues. I was able to get the programs from a remote server (on a linux box).

They won't install. The one gets a fatal error and has to shut down on install. The other (anti-malware) locks up and doesn't actually finish installing.

The reg-edit backdoor is blocked.

I thought I could use another computer, and take advantage of having media I know to be both clean, and cleanable (CF for my camera. 2 gigs, and I can reformat, and overwrite, then reformat again; that ought to clean it off... esp if I get a trifle paranoid and do it three or four times. Since the system doesn't treat it as a drive when in the camera (as opposed to in the reader) I'm pretty sure I can avoid it recontaminating), but it happens the secondary computer I was going to use doesn't have a PCMCIA slot, but rather something which looks like one.

I wonder if I can swap out the C drive from my dead computer, load in safe mode and install the apps, clean the D drive (which I think is probably safe), mount this machine's C drive in the D drive slot, launch in safe mode and clean it.

Otherwise I think I need to reformat, which is a different set of problems and hassles.

#44 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 07:41 PM:

For amusement's sake, one of the symptoms seems to be a google redirect. I can cut paste, but if I click the link I get sent to commercial sites (for things like tanning salons, and job ads).

#45 ::: Graydon ::: (view all by) ::: December 28, 2008, 08:11 PM:

Terry @43 --

Formatting vfat (pretty much all USB keys, CF cards, etc.) isn't guaranteed to get something; it can be clever, and hide pointers and a teeny amount of bootstrap code in the partition table.

I'd be considering taking the data drive, sticking it in an enclosure, and trying to do data recovery on a machine that doesn't run Windows at this point. Whatever you've got seems exceptionally determined.

#46 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 08:20 PM:

Graydon: Part of what I need to keep is the OS (the machine didn't come with disks), which is a problem.

What I want right now is a way to scrub the thing. If that fails, then I can try to isolate the individual app, clean them and autoclave the drive.

This would be a lot easier if my DVD/CD drive hadn't recently died.

#47 ::: xeger ::: (view all by) ::: December 28, 2008, 08:44 PM:

Scott Taylor @ 41 ...
This is less true for OS X vs. Vista, at least in some configurations of Vista, and it is possible to bodger up the security settings in OS X to make yourself as vulnerable as WinXP is - although even then, you have the advantage (currently) that the system is not as targeted as WinXP is.

I'd stress the some configurations of Vista. The security model for it is a bodged together horror with far too many work arounds for the sake of backwards compatibility.

OS X vs. (*NIX - Linux variations, FreeBSD, etc.) is an open question - a poorly configured Linux system is highly vulnerable if exposed to the internet, simply because "poorly configured" means doing stupid things with what is allowed to access Root. But out of the box, the two are pretty comparable - and both can be locked down pretty durn tight.

s/a poorly configured Linux system is highly vulnerable if exposed to the internet/a poorly configured system is highly vulnerable if exposed to the internet/

There's a sucker born every day, unfortunately -- and the only reason there seem to be more of them using windows is the number of folk that use windows, vs other operating systems *sigh*

At any rate -- in the hands of somebody who knows what they're doing, the least secure OS is almost certain to turn out better than a secure OS in the hands of the perilously naive.

#48 ::: Graydon ::: (view all by) ::: December 28, 2008, 08:56 PM:

Terry @46 --

Oh, that does suck rocks.

I consider that sort of situation a really good reason to install Kubuntu, myself. You may need specific software that makes that a bad idea, but the "pay us twice" thing makes me a trifle peeved.

#49 ::: James D. Macdonald ::: (view all by) ::: December 28, 2008, 08:58 PM:

Terry, have you tried Trend Micro's Housecall?

http://housecall.trendmicro.com/

#50 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 09:15 PM:

Graydon: If I have to I can install from the previous version of XPPro, but I'll have to get a drive to spin them in.

Jim: Page won't open. I have a couple of other ways to try working around the problem, before I have to try the hard drive switch.

One of the things I intend to do if I have to resort to that is make sure I have an installed version of several apps (and that will be added to the list) on the flash drive, and the flash drive seated when I fire the machine up.

I am not yet willing to concede defeat.

#51 ::: Lenny Bailes ::: (view all by) ::: December 28, 2008, 09:58 PM:

Terry:

A couple of other things:

1) You haven't mentioned whether the infected computer allows you to do a Ctrl+Alt+Del and open the Windows Task Manager. If it can do this, you might try the instructions here: kill the processes described on that page and see whether you have better luck installing Anti-Malware or the Regedit backdoor.

2) Any scenario that involves loading the disk as a D-drive in another computer that's booting Windows is going to involve some risk, as Graydon says. (There is a commercial version of Anti-Malware for $24.95 that says it provides real-time protection against Antivirus/2009.)

If you can access the infected partition that way as a D-drive (or through another OS that permits you to access it and manipulate files on an NTFS partition) there are a couple of other tricks.

Depending upon how comfortable you are with manipulating Windows, you may find the following to be more work than simply recovering the data partition, but I've done it and had it work. You need the Windows Product CD for the infected computer and there are a number of steps involved. You do have to take the risk of accessing the infected partition as a D-drive from some OS that has the ability to manipulate the files on the infected partition.

The basic idea is that if you have the Windows product CD for the infected computer, you can do an upgrade-in-place (keeps the existing settings, but reinstalls the operating system) after first taking this precaution:

With the infected partition accessed from another computer (or possibly from an Ubuntu LiveCD in its own case), its [d]:\Windows\System32\Config folder (the Windows registry) will contain an infected file called "System." You rename this to "SystemBAD" (or any other name).

On the infected drive in the [d:]\Windows\Repair folder there should be another much smaller copy of the "System" file that was created during the initial Windows installation. There's a good chance that this file hasn't been infected -- particularly if you notice that it has a much older creation date.

Copy "System" from \Windows\Repair to \Windows\System32\Config after renaming the infected version. (Don't delete the infected System file. Just rename it. You can actually clean it up later and re-import it. See below.)

Don't try to boot from the infected drive after doing this, but put it back in a machine as the primary drive, boot that machine from the Windows Product CD and perform the "Upgrade In Place" procedure. (It should tell you that there is already a Windows OS on the drive and ask if you wish to repair it.) Also, if you've got Windows SP2 installed on it, you can only reinstall it from a Windows Product CD that's SP2 aware. (There's a way to convert an older non-SP2 Windows product CD into an SP2-aware one, but that's an added operation that I'm skipping for now.)

I've done this and had the upgrade-in-place succeed, preserving existing user accounts and application information. This resultant partition will most likely still be infected, because you didn't replace the SOFTWARE file from the original registry (with all your application information). But the odds are significantly better that you can boot into Safe Mode, now, install and run Anti-Malware and remove the crap that's left in the registry and on the hard disk.

If Anti-Malware is successful, you've got a bootable copy of Windows that retains the bulk of the information necessary to run your already-installed applications. The now disinfected system should now boot, possibly with some error messages about Windows system devices or missing system files. The error messages can be remedied as follows:

Regedit has a feature that permits you to temporarily load and edit unused "registry hives." With all the virus files gone from the disk and booted in Safe Mode with no Internet connection, you can open Regedit, temporarily load the SystemBAD file into the registry (choose File->Load Hive in Regedit with the HKEY_LOCAL_MACHINE key highlighted) and assign the imported hive a temporary name such as "OLDSYSTEM."

Now try running Anti-Malware again, or else follow all the manual instructions on BleepingComputer.com to manually remove all the bad registry entries from the OLDSYSTEM key in the (temporarily) merged registry. If/when you're certain this has been done, the temporary OLDSYSTEM hive can be exported in Regedit to an .REG file.

Once this is done, unload the OLDSYSTEM hive from Regedit (File->Unload Hive). Load the OLDSYSTEM.REG file that you exported into WordPad.

What you'll see in WordPad is a text file that substitutes the string "OLDSYSTEM" everywhere it should say "SYSTEM".

For example:

[HKEY_LOCAL_MACHINE\OLDSYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System\Scopes]
"C:\\"=",,5"

In WordPad, you do a global replace operation: replace OLDSYSTEM with SYSTEM everywhere and resave as a text document, preserving the .REG extension.

You can then go back to Regedit and import the cleaned-up .REG file, leaving you 99% at the same place you were before the infection occurred.

(We're presuming that the partition is only accessed inside another computer when you're running a Windows OS that has real-time protection against Antivirus/2009 installed or which uses another operating system that's unaffected by Windows malware. I believe the current version of Ubuntu may have a LiveCD feature that lets you access and manipulate the files on a Windows NTFS partition. You could try booting such a CD in the infected computer to avoid the infection risk of having it be the D-drive in a Windows computer.)

After the initial operation of substituting the old SYSTEM file from the \Windows\Repair folder into the \Windows\System32\Config directory, you're playing with it in the infected computer, so you have nothing to lose but a few hours.
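The rename step from #51 (OLDSYSTEM back to SYSTEM in the exported .REG file), as an added example that is not part of the comment above: it rewrites only the key header lines, so a value that happens to contain "OLDSYSTEM" is left alone, and it writes the file back in the encoding it arrived in. The function names and the second sample key are constructed for illustration.

```python
import codecs
import re

# A key header line: "[HKEY_LOCAL_MACHINE\<hive>..." or the "[-HKEY_..." delete form.
KEY_HEADER = re.compile(r'^(\[-?HKEY_LOCAL_MACHINE\\)([^\\\]]+)(?=[\\\]])',
                        re.IGNORECASE)

def decode_reg(raw):
    """'Windows Registry Editor Version 5.00' exports are UTF-16LE with a BOM;
    REGEDIT4 exports are ANSI, decoded here as latin-1 so every byte round-trips."""
    if raw.startswith(codecs.BOM_UTF16_LE):
        return raw[2:].decode("utf-16-le"), "utf-16-le"
    return raw.decode("latin-1"), "latin-1"

def rename_hive(raw, old="OLDSYSTEM", new="SYSTEM"):
    """Rewrite the hive name in key headers only. Returns (bytes, headers_changed)."""
    text, enc = decode_reg(raw)
    lines = text.split("\n")          # any trailing "\r" stays attached to its line
    changed = 0
    for i, line in enumerate(lines):
        m = KEY_HEADER.match(line)
        # Compare the whole first path component, so "OLDSYSTEMX" is not touched.
        if m and m.group(2).upper() == old.upper():
            lines[i] = m.group(1) + new + line[m.end():]
            changed += 1
    bom = codecs.BOM_UTF16_LE if enc == "utf-16-le" else b""
    return bom + "\n".join(lines).encode(enc), changed

# Constructed sample export. The first key is the one quoted in the comment;
# the second key and its value are made up to show a value being preserved.
SAMPLE_LINES = [
    r'Windows Registry Editor Version 5.00',
    r'',
    r'[HKEY_LOCAL_MACHINE\OLDSYSTEM\ControlSet001\Control\ContentIndex\Catalogs\System\Scopes]',
    r'"C:\\"=",,5"',
    r'',
    r'[HKEY_LOCAL_MACHINE\OLDSYSTEM\ControlSet001\Services\ExampleSvc]',
    r'"Description"="restored from OLDSYSTEM hive"',
    r'',
]
SAMPLE = codecs.BOM_UTF16_LE + "\r\n".join(SAMPLE_LINES).encode("utf-16-le")

if __name__ == "__main__":
    fixed, count = rename_hive(SAMPLE)
    print(count, "key headers rewritten")
    print(fixed[2:].decode("utf-16-le"))
```

Compare the returned header count with the number of keys in the export before importing the result with Regedit.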

#52 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 10:14 PM:

Graydon: re the CF Card. Since the thing resides in a system this can't infect (nikon camera) and I can do dozens of overwrite/reformats (and those in the camera, not the computer) before I ever let it connect to the computer again (and it doesn't load as a drive unless I physically mount it as one), I think the risk is low.

What I really don't want to do is expose any of my secondary hard drives to this thing, which is pretty much the only other option.

Lenny: Yes I can run the task manager, but none of the processes in that list (or on any of the other viruses I was looking at there) are on the list of active processes.

As I said to Graydon, one of my problems is the CD/DVD drive went tits up about three weeks ago. Not a big deal; all in all, except for this problem rearing its ugly head.

#53 ::: Graydon ::: (view all by) ::: December 28, 2008, 10:18 PM:

Current Ubuntu live distros (and most other current live distros) can do anything to an NTFS partition and its files that a Windows machine can, and a few things Windows can't.

#54 ::: Graydon ::: (view all by) ::: December 28, 2008, 10:29 PM:

Terry --

In principle, if you have got a largish (4 GB or so) USB key, another computer with net connectivity, and a bios that will boot from USB, you can download and create a USB image and boot from that.

If that seems like a good idea, this distro is probably the place to start. It's got what appear to be complete instructions for getting the USB key set up using a Windows machine, and how to do things like run virus scanners from Linux.

#55 ::: Lenny Bailes ::: (view all by) ::: December 28, 2008, 10:30 PM:

Footnote: Terry, if you try that procedure, you might want to back up data files, (photos, documents, etc.) first, before starting. I haven't seen malware that enters through web browsers trashing the partition table and making other partitions unreadable when I've done the reinstall trick, but you probably don't want to risk that.

#56 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 10:42 PM:

Lenny: If I have to do that the plan is... pick one drive I can risk losing.

Back the D Drive off to that. Format the D Drive (I need to do that anyway, because of some oddities which have locked up about 4 gig I want back).

Move the program files/data on C to D.

Swap drives, proceed.

But spyhunter loaded (though SpybotSD told me it was malware). It told me there was a rootkit trying to block protective software, and I needed to reboot.

After the reboot Anti-malware is willing to run, and even now is scanning the drives, C, D, and E (the restore partition).

Here's hoping.

#57 ::: P J Evans ::: (view all by) ::: December 28, 2008, 10:51 PM:

Terry, I have my fingers crossed. (For one thing, I never want to have to do all that, although I have done 'format c:' and reinstalling the system to try clearing stuff out, on one or two occasions. With much smaller disks and systems .... Also, at least one big-box office-supply place has 8-gig thumbdrives on sale for about 20 dollars right now.)

#58 ::: Lenny Bailes ::: (view all by) ::: December 28, 2008, 10:58 PM:

No CD drive. Sorry, I missed that. In re killing processes with Task Manager, you might try DIR /AH \Windows\System32 and see if there are any DLL or EXE filenames listed there that do appear in the Task Manager task list -- and kill those. (Also, maybe dir /ah "c:\documents and settings\username\Local Settings\Temp" and also see if there are any weird foldernames in "\Documents and Settings\Username\Application Data".)

The malware is probably too smart for this, but if you can get to Control Panel->User Accounts, you can try creating a new user, rebooting (in Safe Mode, if it will let you) logging on as the new user and see whether you can open regedit or install Anti-Malware, then.

#59 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 11:02 PM:

Lenny: Where do I enter that string?

#60 ::: Lenny Bailes ::: (view all by) ::: December 28, 2008, 11:02 PM:

#56 slipped in. Good luck.

#61 ::: Lenny Bailes ::: (view all by) ::: December 28, 2008, 11:09 PM:

Lenny: Where do I enter that string?

The DIR command's run from a command line session.

Use Start->Run and enter cmd /k (if it will let you). If the command prompt opens, then enter the DIR command from the root directory of the infected partition.

DIR /AH \Windows\System32

DIR /AH "\documents and settings\username\Local Settings\Temp"

DIR /AH "\Documents and Settings\Username\Application Data"

#62 ::: Terry Karney ::: (view all by) ::: December 28, 2008, 11:16 PM:

That's what I thought, I must have made a typo.

#63 ::: Lenny Bailes ::: (view all by) ::: December 28, 2008, 11:19 PM:

Also this (which I just remembered): From a good computer, you can download the PSTools package. The PsKill and PsService programs in that package can sometimes detect and kill processes that the Windows Task Manager doesn't see.

#64 ::: Terry Karney ::: (view all by) ::: December 29, 2008, 12:21 AM:

Some progress is being made. Anti-malware is still running (with two identified problems). The google redirect seems to have been killed at the same time as the blocking of apps was defeated.

I can't seem to get housecall to download, which is a problem, because the web-based version says it will take another 14 hours to scan the machine.

I'll see about killing various processes with PSTools, and look into getting the other apps to load.

#65 ::: Lenny Bailes ::: (view all by) ::: December 29, 2008, 12:45 AM:

I haven't had much luck with the U.S. Housecall. It sometimes takes forever to run. The European version may be more robust than the U.S. one. (I haven't tried this in awhile, but it used to be.)

If you're able to download and install Antivir, I've found that it's a pretty good complement to the free Malware Bytes Anti-Malware. (It mostly removes more traditional viruses rather than web hijackers, but it does detect and remove some of them and includes free real-time protection.) (My German isn't good enough to figure out whether they guard against Antivirus/2009 yet. They weren't stopping it several months ago.)

#66 ::: Lee ::: (view all by) ::: December 31, 2008, 12:56 PM:

I want to say a huge THANK YOU to Making Light in general, and specifically to Eileen @6. I was doing a Google search, and one of the websites I clicked on popped up that "you have a virus and need to install this update" message. Thanks to this thread, and that comment in particular, I knew not to click on either the Cancel or the Close button, and what to do instead. Result: a couple of tabs lost that I can re-enter, instead of a massive hassle.

#67 ::: FungiFromYuggoth ::: (view all by) ::: January 01, 2009, 04:21 PM:

Thanks for the recommendation of the MalwareBytes program. I was cleaning off a relative's computer over the holidays and they had a particularly unpleasant remnant that I couldn't clear off without boot media. Anti-malware identified it as Rootkit.DNSChanger.H and cleared it off, though it needed a reboot to do it.

The symptom I was seeing was that the registry was set up to run an atypical program in C:\WINDOWS\SYSTEM32, but that program didn't exist as far as the filesystem was concerned. I didn't realize Windows programs could hide like that; definitely a learning experience.

#68 ::: Constance ::: (view all by) ::: January 01, 2009, 07:53 PM:

Vaquero just used that same program to try and kill an infestation of his laptop that took demonic possession early yesterday. But it didn't get it all.

This is a real bugger. Nor does he use the IE browser either.

Still working on it.

Love, c.

#69 ::: Constance ::: (view all by) ::: January 01, 2009, 08:08 PM:

Vaquero is now reading this whole discussion. He says, "Thank you."

Love, c.

#70 ::: Constance ::: (view all by) ::: January 02, 2009, 12:29 AM:

He's finally found what the virus is, and he's not alone -- sagipsul virus, it's not yet entirely killed. He's been fighting it since 12/29/08! None of the programs he runs has taken it out completely.

Love, C.

#71 ::: David Dyer-Bennet ::: (view all by) ::: January 05, 2009, 02:08 PM:

I'm looking again at switching to doing my mail reading and web browsing in a virtual machine (Linux or Solaris, I think; I'm already working with both), so as to perhaps avoid more attacks, and make it easier to clean up (if it's Linux, new kickstart install and I'm running). I'd export the simulated disk via SMB so I could pull files from there to other systems if I actually needed to (and for things like copying archived email into my long-term archive), but the virtual system would not have write access to any external disk.

(I already run xming X-server on my main desktop machine, so windows from the virtual box can live on my desktop along with everything else.)

(I need to keep Windows for Photoshop, Thumbs Plus, printer and scanner drivers, color calibration and management, various plugins, and so forth. Not willing to spend the time and money to convert to Mac, and in fact at least one of my core photo tools doesn't have a Mac version anyway.)

(I've had exactly one Windows system infected with a virus, and that one was an Office document virus that came from a fellow concom member more than a decade ago I think. I don't run IE or Outlook in any form, I've got noscript in Firefox, I'm behind NAT, I don't browse really bottom-feeding web sites, and I run AVG free antivirus and Spybot search and destroy; they've never blocked a virus, though, so far. I don't know why I have such good luck; but following pretty-good practices is no doubt a big part of it. My household has been on-line 24/7 via broadband since 1996 (if you'll accept ISDN as broadband).)

#72 ::: Syd sees spam at #72 ::: (view all by) ::: February 09, 2014, 05:02 PM:

Different spam, but still spam.


Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 by Patrick & Teresa Nielsen Hayden. All rights reserved.