
Malware Wars

I got hit by a 'driveby download' on Sunday. Yes, it was an unlucky 13th. I naively was reading a message board (not SlowTalk) and clicked on a link. It took me out to a site to provide song lyrics. Those sites are notorious for downloading malware/spyware to your PC. If I had only known....

Suddenly, a Windows Installer box popped up along with lots of different popups. Crap. The dirty little popups also wouldn't let me close them safely by clicking on the upper right corner or right clicking and choosing close. Grrr... Next thing I knew, Norton was popping up left and right telling me a trojan was trying to run. Double grrr.. I checked Add/Remove programs and several pieces of junk software had been installed. My toolbar was changed to MySearch and there was a lot of junk on the toolbar.

I unplugged my connection from the network and started to do some scans. I already had Ad-Aware and SpyBot. They caught quite a few. Next I ran Norton and it found some items but couldn't delete them. Sigh... It was taking at least an hour to scan my machine with Norton. I did some manual deletes. Okay. I thought I was clean. I plugged back into the network. Damn. There went Norton again. They were still on my machine. 4 hours later and several scans, I was back where I started. So I decided to load on XP SP2 that I fortunately had on disk.

Monday, I mentioned it to a couple of co-workers and did some searches on the virus, etc. One of the coworkers mentioned safe mode. Right... now I remember, I need to boot into safe mode so those little buggers don't load and then I can get them. I also remembered reading a great newsletter by Brian Livingston at Windows Secrets. His January 27th newsletter went into detail on how many anti-spyware programs would miss most malware. It mentioned the new Microsoft Anti-Spyware Beta being one of the best.

I went home early. I downloaded the MS Anti-spyware beta and installed it. It found even more. I spent about 4 hours scanning and cleaning. Everything was looking good. Okay... I booted out of safe mode and plugged back into the network. EEEeeiiiii. There goes Norton again. They haven't left. Time to load on ZoneAlarm so even if the bugger is on my machine, I'll keep it in a small cage. I also had a program name to search on.

Now it was time to pull out the big guns. The Windows Secrets newsletter mentioned a great study by Eric Howes. He gives some right-on tips on his page comparing the different anti-spyware programs. It also has a great part on what to do when you have been infected. I did a bit of googling on the offending program. The next step was to run HijackThis and have someone knowledgeable analyse the log. He lists several different forums to get help on the HijackThis log. I used and highly recommend Techsupportforum.com. I posted a log in their Hijackthis forum and within a few hours I had a reply. They were right on the mark at getting rid of most of what was lurking. They give clear instructions on what to do and I've seen them stick through some tough cases. I am in support and I work on a message board. I know what the job is like. My hats are off to them. They do a remarkable service. I am also going to send them a donation.

I followed their instructions and thought I was fine. But something was still lurking. I configured my machine to start up with Norton, ZoneAlarm and the MS Anti-spyware software loading automatically on startup. Yes, it takes almost 3 minutes to boot up but it is keeping it at bay.

Shortly after booting up, the MS Anti-spy told me that My Search Bar was trying to change my browser toolbar. It would catch it and I'd delete it. But it was happening every time I logged in. Hmmm.. They recommended running anti-spyware and anti-virus again. I downloaded a new version of Ad-Aware. It got several items but it was still there when I logged in. I also tried Trend Micro's Housecall anti-virus scan. No luck.

I had spent almost 15 evening hours trying to kill this. I decided to give it one more try tonight. Whenever I got the message about MySearch bar trying to make a change, I would also get a pop-up about Norton making changes to my browser. Hmmm.. This seemed strange. I was also getting pop-ups for Norton's automatic update. I decided to check the IP address. It went to a strangish location. So I decided to do the Live Update via the software instead. Lo and behold, it had a virus definition update. So scanning began again.

I booted into safe mode. Ran updated Ad-Aware. I was clean. I also went through my Windows\System32 folder and noticed an unusually named exe from the 13th. I noted it. Then ran Norton. It found two threats and sure enough one of them was the suspicious file, winbhgk32. It couldn't delete it but I knew where it was... I deleted it from the folder, rebooted and logged on. Nothing. Loaded the browser. Nothing. Woohoo! I think I might have it.

It took 5 days and almost 20 hours!

Lessons learned? A lot!

Keep Up with Windows Update: I hadn't kept up with the Windows updates and I suspect that some of the malware took advantage of the vulnerabilities.

Apply Windows XP SP2: Service Pack 2 would have probably helped. I would have at least had a firewall to prevent any attacks on other ports.

Run a commercial Firewall: The Windows XP SP2 firewall is okay at preventing things from coming in but does absolutely nothing once you have something on your PC. A real firewall such as ZoneAlarm will alert you to both programs trying to get in and get out.

Get help: I work in support and I couldn't have done it alone. Find a good support board online or someone who regularly deals with this to help you if you are infected.



This page contains a single entry from the blog posted on February 18, 2005 7:03 PM.

© 2004 - 2014 Slow Travel