Sunday, November 30, 2008

Anguish

I went to install the new wireless mouse on our peecee tonight, and I noticed that the peecee had recently rebooted. That's odd.

Well, suddenly I start getting all kinds of warnings from Windows Firewall about spyware attacks. But wait, Windows Firewall is disabled! Oh shit. Spoof warnings - a virus or somesuch. I try to google it, but both IE and Firefox take me to a warning screen that says I am browsing unsafely, and do I want to continue on unsafely or try to remedy the situation?

I say to continue on unsafely. Then IE hangs and Firefox crashes. Shit. If I click that I'd like to remedy the situation, I get taken to Defender-Review.com, where they try to sell me some anti-spyware software.

So I start googling on my laptop and I quickly learn that defender-review.com is a hijacker that intercepts your internet and tries to sell you something to undo that. However, supposedly all the major anti-spy programs can remove it.

I run my Ad-Aware, top-rated freeware anti-spy program. It comes up empty.

The directions to remove it manually tell me all kinds of files and registry entries to delete - but none of those are there.

And I can't download a new anti-spy program cuz my internet has been hijacked. So I started downloading them on my laptop and burning them to CDs.

The first one that was suggested (Spyware Doctor) immediately tried to download the virus definition files, discovered that the internet was hosed, and then said, "No virus definition files have been loaded. It is not possible to scan."

Faaaaauuuuhhhhkkk

The second one installed (SpyHunter). It was really big and came with its own virus definitions already as part of the install. As soon as it ran, it said, "A Rootkit trojan has been detected. It can only be disabled with a reboot. Do you wish to proceed with the reboot?"

Hell yes.

But just then, my Avast! anti-virus popped up a window saying, "Avast! has detected a trojan infecting svchost.exe. As this is a system file, it is unsafe to use this computer until a reboot and a scan is run before starting windows. Do you wish to schedule a scan to run after the reboot?"

Yes. OK, hopefully those two guys will both do their thingee.

The reboot scan ran for a little over an hour and found 8 infected files with 3 or 4 different trojans.

When it finally restarted Windows, things were improved but not better. The internet worked, but the spoof firewall window was still popping up.

So I ran SpyHunter again, since it was the first one to report an error. It ran a bit, found a bunch of spyware, and then crashed.

GRRRRRR!!!!!

So Spyware Doctor gets another shot. It found 13 infections, most "low" risk, but three it deemed "medium". I clicked "Fix" and it said, "The free version of Spyware Doctor can only be used to locate infections. If you would like to remove them, you must purchase a license."

$29.99 for 6 months with an automatic renewal clause. Farq that.

Poked around a bit more, and found a guy with a very similar problem who was cured after using MalwareBytes' Anti-Malware. I got that installed, ran the "quick" scan, and it found 13 infections, 2 of which required a reboot. I rebooted, no more popup.

Now, I'm running the full system scan. We are 57 minutes into it, and it has found 3 more infections. Good god, will this ever end?

[update: it seems to have ended. The official name of the thing that infected me was TDSSserv.sys. You can google it. It appears to be just a little over a month old.]

5 comments:

CherkyB said...

Ah, the three were in System Restore files. Evil.

Anonymous said...

did you get your wireless mouse?

Anonymous said...

The Russian Mafia did it.

CherkyB said...

I did finally get it installed. It went very smoothly, as do all Logitech installs, once the compooter was cleaned of trojans. It's a nice mouse. Has a laser instead of LED, so it works on almost any surface. It also has browser forward and backward buttons, a scroll wheel that tilts left and right to scroll left and right, and if you click down the scroll wheel, it zooms in/out.

Anonymous said...

I blame intel.