And now for the scheduled failure.

Jan 02, 2009 12:20

I seem to have picked up a particularly invasive and tenacious virus on my laptop. It's just over a year old, so something like this was bound to happen.

I was just browsing away at work Tuesday night when, after going to the DA page for a mosaic, everything just started going haywire. Weird system tray pop-ups, a sudden burst of porno ads, a bunch of obviously fake 'anti-virus scanners' and, most interestingly, a not at all obviously fake one called 'Rapid Antivirus' that popped up in the system tray and used dead-on accurate Windows-style icons and everything... Until it popped up a 'purchase full version to remove problems' window, using the European style of having a comma represent the decimal. That, and the fact that it ran itself after I told it to go the fuck away a few times, kinda ruined the illusion.

The most insidious part of it all is that it's put in a lot of passive cock-blocks on just about all the real anti-viral programs I've got access to. AVG's losing track of its components, erroring out at the start of scans, and then locking up so that you have to restart the computer to even close the windows. I tried installing CyberDefender as a replacement, but these weird DOS prompts popped up during its install, and when it runs a virus scan, it'll only get about a third of the way through when a really weird tone sounds, something flashes on the screen for a picosecond, and it skips off to the end of the scan. Even the Windows Security section was screwed up, with the 'Essentials' controls outright missing, and the link to their security webpage getting force-redirected to a giant ad splash page. Which was at least more interesting than trying to go to the AVG main page, which was outright blocked. As in, it won't even admit there's a server there.

Fortunately IRC was still working fine, and when I mentioned what was going on, AWA suggested that it might be a Vundo infection, and Monz sent me a few applications to try. The Symantec Vundo-killer didn't come up with anything, but a quick scan with Malwarebytes pulled up Vundo and a whole slew of other things, including our friend Rapid Antivirus, and killed a bunch of them. That seemed to get rid of the active annoyances, all the pop-ups and porn ads and so forth. However, there was still something left blocking me from AVG's site, Malwarebytes' update server, just about every Vundo-fix server I got linked to, and, while I could get to Microsoft's security page again, the download server for their anti-malware app was blocked too. AVG still wouldn't run, CyberDefender still skipped out. And most oddly, I was being denied access to MWB's log files. But my shift was nearly over, so I had to leave a full scan for later.

I had a completely dead shift last night, which gave me plenty of time for screwing around with the problem. I had grabbed a more recent version of MWB and the Microsoft app on the home PC and tossed them on the otherwise useless card for my (now quite dead) digital camera to see if I could get some more results. A quick scan with the updated version of MWB brought up a few new things, which I killed, but I was still having the same blockages. Started up a full scan and let it run, but while I was off reading and eating my lunch, I heard the computer restarting on me. I had missed what caused the restart, so I ran another quick scan. That brought up three things, which I killed, then ran the full scan again, watching the whole thing this time. At about 28 minutes in, a crash box came up declaring that the 'Generic Host Process for Win32 Services' had a problem and needed to close. Five minutes later, while I was copying down the info from the explanatory links, a new warning box of a type I've never seen before popped up, saying that a restart was being initiated by 'NT AUTHORITY\SYSTEM' because the 'DCOM Server Process Launcher' service terminated unexpectedly, with a sixty-second countdown before it force-restarted on me.

Did a quick scan with MWB again after that, and came up with the same three infections as before. To wit:

Malware.Trace - RegKey - HKEY_LOCAL_MACHINE\Software\Microsoft\MS Juan
Trojan.Vundo - RegKey - HKEY_LOCAL_MACHINE\Software\Microsoft\MS Track System
Trojan.Agent - File - C:\Windows\System32\senkalog.dat

Decided to give the Microsoft app a try. Its initial quick scan produced no results. Ran the full scan, and got 17 minutes into it when the Win32 crash box came up again, with slightly different extended information, and, five minutes later, the DCOM-forced restart. Ran the MWB quick scan again, got the same 3 infections. Removed them, did a proper restart, ran it again... Same 3 infections. Did this another half-dozen times, trying assorted variations and attempts to use the other anti-virals at hand, all with the same results. The anti-virals remained borked, and these three infected files continued to reinstate themselves. Gave it up as a futile exercise. There would seem to be something hidden outside of the realm of MWB's quick scan that keeps propagating these effects, and manages to keep me from digging it out with anything stronger. So it's time for Plan B: Nuke Everything.

Luckily the majority of the stuff on my laptop is completely redundant, serving as it does mainly as a means of viewing all the stuff I've downloaded at home while at work. There were a few things that I wanted to save, mostly images and bookmark lists, but it all fit quite comfortably on a single DVD. While burning that off, however, I found that the DCOM restarts weren't limited to when I was running anti-malware programs. Apparently it's now doing it more or less at random, but especially when I'm running particularly active programs for more than a half hour. (Before it started doing this I was getting a lot of those 'work offline' boxes popping up. I had the wireless physically turned off, but something evidently wanted to use it. Those vanished after the restarts started. Could it be related? Did something eat itself?) It managed to last just long enough on the second try to burn and verify everything, though, and a specified scan of the disc with MWB turned up no hidden surprises, so hopefully that's good to go.

It was getting late in the shift by the time I managed to finish with that, so after that restart I did another MWB quick scan, found the same 3 infections, killed them, then started poking around in the System Restore options, in the hope that they could provide a quick fix for at least some of the issues. Only to find that any restore points that might've been there aren't anymore. They ought to be; I'm pretty sure I never turned that off, and in fact had the space allocation for them set to the max, but no. Nada there. I can't positively attribute that to the virus, but given how pernicious it's been in every other respect, it wouldn't at all surprise me. I didn't have the discs or time to do a full reformat, so I just dinked around a bit in the various Dell scans and settings that I'd never bothered with before, then on a whim ran another MWB quick scan before shutting down. Oddly, the Trace and Vundo results popped up again, without a restart. And then the DCOM error came up again. I just shut down completely while it was in the middle of its countdown. God knows what effect that'll have.

So that's where I'm at as of now. Short any miracle apps, I'm stuck with wiping everything and starting over. Which isn't too much of a burden as, like I said above, the laptop's pretty much just used as a mobile extension of the desktop anyway. Dell even has a special little hidden application that'll do just that, burning out the entire contents of the drive and resetting everything to what it was when it shipped. But this kinda assumes that there's a limit to this virus' tenaciousness. From what I've seen thus far, I'm not sure if that's an entirely safe bet. And I have to admit that I'm tempted to turn this debacle into an opportunity.

Y'see, I've never been entirely happy with the drive that came in this thing. 150 gigs is surprisingly measly these days, especially when you've got movies and TV shows and comics and music competing for the space, and I've got all this leftover credit with Dell, so what the hell? Might as well just get a new one if we're gonna start all over again anyway. Of course, then we run into other issues, such as Dell's craptastic site design for every part of their store that isn't a computer bundle. They've got a 320GB drive listed for $99, but no indications that it'll work in my laptop. Or any laptop, since the picture seems to be a generic picture of a desktop drive, despite it being listed in the laptop section. Or, for that matter, how it differs from the other drive listed with the same specs, also for $99. Or how they differ from the other drive listed with the same specs, but for $110. Or why the only drive that's listed as specifically for the Inspiron 1520 is $95 for a mere 200GB. And so forth.

And even if I do get a new drive that works without any particular issues, there's the fun of reinstalling all the Dell-specific stuff onto it. I don't think I got an OS disc with this thing, or if I did, I've no clue where it ended up. I can probably sub in the XP disc for my desktop, of course, and just hope that there's nothing on the drivers disc that has conflicts. I always kinda dread doing these sorts of things. You never know what kinds of little surprises you'll find. But assuming it'd work, and that I can get by on just books and DS games at work again for a couple of weeks, it seems like the best way to absolutely get rid of this virus. Unless, of course, it managed to hide itself on the salvage disc, but I'll have to risk that. Or maybe it managed to squirrel its way into the BIOS or something. Honestly, at this point, I wouldn't be surprised.

Hell, at this point, I'd be more surprised by a lack of absurd complications.