-
May 19th, 2009, 06:09 PM
#1
Nasty Virus
I had my main computer totally wiped out by a nasty virus yesterday afternoon. I got the virus from a site that I have visited for a year or so, ever since it was posted in a thread here (it's just jokes). I didn't click on an ad, or anything of that nature that I am aware of, and the three anti-virus/anti-spyware programs that I was running missed it almost entirely. One of them noticed it, blocked part of it, but let the rest through. The result of the virus was that the desktop was hijacked, and the TaskManager was shut down as quickly as it opened. The trojan then proceeded to attempt to connect to a series of malware/adware sites, though I had unplugged the cable by that time and just watched the URLs pop up one after the other.
Scanning in Safe Mode using all three programs found a couple things, including what I think was the main trojan, but the fixes all failed. The thing was highly polymorphic, as I could bring up the TaskManager when I logged in as a guest, and could see random processes (they were easy to identify), along with a couple other malignant processes, though destroying any of these didn't fix anything, so I would guess that the main problem wasn't being displayed.
Rather than mess around with it, I copied the few data files that I wanted to save, then restored the system with a disc image to its initial state. Now I'm in the process of restoring everything.
The issue, though, is that I was running three anti-virus/anti-spyware (Spybot, AVG, and the highly regarded PC Doctor), while only going to sites that I had frequented many times in the past (and only a couple of them), which were not in the gray area of the net, and none of that mattered. So what kind of protection will actually work? At this point, I'm contemplating building a computer (I was intending to anyways) for games and programming, but no internet access, then using my current main system as an internet portal with only guest access.
What else?
My usual boring signature: Nothing
 
-
May 19th, 2009, 10:59 PM
#2
Re: Nasty Virus
Sorry to hear that, Shaggy. Maybe switch to Vista and always make backups of your important data. Using one system for gaming is a good idea, and make sure you don't network the two systems together just in case one gets hit.
TrendMicro seems to be the best one for me so far. Although I haven't been running an AV in 8-10 years now. Just got hit with a jump drive virus and TM was the only one that detected and removed it. When TM scans it takes up some CPU, but other than that it downloads updates every 3 hours.
VB/Office Guru™ (AKA: Gangsta Yoda™ ®)
I don't answer coding questions via PM. Please post a thread in the appropriate forum.
Microsoft MVP 2006-2011
Office Development FAQ (C#, VB.NET, VB 6, VBA)
Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
If a post has helped you then Please Rate it! 
• Reps & Rating Posts • VS.NET on Vista • Multiple .NET Framework Versions • Office Primary Interop Assemblies • VB/Office Guru™ Word SpellChecker™.NET • VB/Office Guru™ Word SpellChecker™ VB6 • VB.NET Attributes Ex. • Outlook Global Address List • API Viewer utility • .NET API Viewer Utility •
System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6 
-
May 20th, 2009, 12:40 AM
#3
Fanatic Member
Re: Nasty Virus
 Originally Posted by Shaggy Hiker
I had my main computer totally wiped out by a nasty virus yesterday afternoon. I got the virus from a site that I have visited for a year or so, ever since it was posted in a thread here (it's just jokes).
I was just thinking maybe you should let people know what site it was if the site was posted here at VBForums so they can avoid having the same thing happen to them. You could post in the thread that you saw the site or here or wherever you think is appropriate.
 Make as many mistakes as you can as quickly as you can. We want to make sure that we make a great enough number of mistakes in a given amount of time so that we can be successful.
"Persistence is the magic of success." Paramahansa Yogananda
-
May 20th, 2009, 01:24 AM
#4
Re: Nasty Virus
AVG has failed me for some years; Avast seems to be a lot better, where it catches anything that AVG misses. I would recommend it together with ThreatFire.
-
May 20th, 2009, 09:40 AM
#5
Re: Nasty Virus
I had TrendMicro until this spring when, through a boneheaded mistake of my own, I got the Virtumonde trojan. TrendMicro couldn't even detect it, let alone clean it, and that was the first time the computer got re-built.
The reason I'm not posting the site is because there is some chance that I'd be slagging the wrong entity-X. After all, I had been reading stuff on that site for a year. The reason I suspect that was the culprit was that I turned on that computer, went to that site, then my one AV system alerted me that it had blocked an infection, after which the virus took over the computer. That makes a strong case that the infection came from that site, but there are other alternatives, such as it having come in at an earlier time, and was only activated at that time.
One question that I haven't really found an answer to (because I haven't really looked) is whether using a computer as a guest rather than an admin provides any real protection against kernel level malware (which this certainly looked like).
All important data (code) is stored on a non-Windows OS NAS. An infected file could be stored on the NAS, but I don't believe the NAS can be directly infected.
-
May 20th, 2009, 12:47 PM
#6
Re: Nasty Virus
The NAS is just a hugge drive r raid of drives. It would be accessible from your computer via a mapped drive or such, so it could get infected if the virus is one of those types that spreads to all your drives and systems that it can gain access to.
-
May 20th, 2009, 03:16 PM
#7
Re: Nasty Virus
 Originally Posted by RobDog888
The NAS is just a hugge drive r raid of drives.
You either need to take more of those pills, or less of them.
The NAS has its own OS, but basically it is just a RAID array of drives, so, if the malware was a virus that attached to exes, or other file types, then it could end up there, but in this case, I think the major activity was something more like a kernel-level injection or root kit-like behavior. It appeared to be creating its own polymorphic processes that were not always hidden from the active process list, which was why it was shutting down the Task Manager as soon as I opened it, as it didn't want to allow me to terminate the processes it was spawning.
-
May 21st, 2009, 04:11 PM
#8
Re: Nasty Virus
It could have busted in via one of those wonderful programs that like to update themselves on bootup like Quicktime, Realplayer, Acrobat, etc... or come in via some browser exploit. It might not have been the site.
I remember once getting a persistent virus alert just from turning my machine on. I found out that the worm was tunneling through Windows' cruddy firewall and writing itself to disk without me doing a thing.
-
May 22nd, 2009, 01:48 PM
#9
Re: Nasty Virus
Yeah, which is why I don't really want to blame any one site. Time will tell, I think.
-
May 25th, 2009, 09:42 AM
#10
Re: Nasty Virus
From the thread title, I thought you wanted to warn us about the swine flu.
It's a little surprising and frustrating, I'd imagine, to have that happen to you - we do consider ourselves smart users.
While your protection may have helped you, what I also like to do is have a list of sites I block in my hosts file - sites that you know contain malware or sites that you know you won't ever visit. Look at this example here - http://www.mvps.org/winhelp2002/hosts.txt
I have a similar list, but much smaller.
Having a PC just for gaming won't help you one bit - a lot of games will ask you for Internet access anyways, what's the point? Just ramp up your security a bit, ensure you have a firewall, you know the usual. You can also surf with JavaScript disabled.
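Added example (not part of the post above): a short Python sketch of how a hosts-file block list like the one described behaves, using a constructed sample rather than the linked file. It shows that matching is by exact hostname, so a subdomain of a listed site is not covered unless it has its own entry; the function names are made up for this example.

```python
import ipaddress

# Constructed sample in hosts-file format (not taken from the linked list).
SAMPLE_HOSTS = """\
# block list, constructed for this example
127.0.0.1   localhost
127.0.0.1   ads.example.com   tracker.example.net  # two names on one line
0.0.0.0     malware.example.org
10.1.2.3    intranet.example.com
not-an-ip   broken.example.com
"""

def parse_blocklist(text):
    """Return hostnames mapped to a sink address (loopback or 0.0.0.0)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                          # blank or incomplete line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: ignore the line
        if not (addr.is_loopback or addr.is_unspecified):
            continue                          # a real mapping, not a block entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked

def is_blocked(hostname, blocked):
    """Exact match only: the hosts file has no wildcard or subdomain matching."""
    return hostname.lower().rstrip(".") in blocked

def uncovered(hostnames, blocked):
    """Names from a list of interest that the block list does not cover."""
    return [h for h in hostnames if not is_blocked(h, blocked)]

if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_HOSTS)
    print(sorted(bl))
    print(uncovered(["ads.example.com", "cdn.ads.example.com"], bl))
```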
-
May 25th, 2009, 10:56 AM
#11
Re: Nasty Virus
You could use Firefox...
WARNING: this is not a fanboy comment 
No, seriously. It's just a simple fact that IE has a lot more security issues to address than Firefox...
But hey, you can have the best virus protection in the world and it still won't stop a virus like that. Because as best as they try to make the virus scanners, the protection is like a door. If you open the door, you're simply not protected. They can account for almost every automated action, but not the human factor, which is a problem also in other sorts of technology.
Now I must say that clicking a link could've been hooked easily... But if a scanner were to hook to every human interaction with a PC, the PC's performance would go down drastically.
And by the way, what I think Rob was simply trying to point out is that to a virus a NAS is just an array of drives, and that any one of us here could write an app that could locate the network drives and wipe all your contents.
Delete it. They just clutter threads anyway.
-
May 25th, 2009, 01:45 PM
#12
Addicted Member
Re: Nasty Virus
Honestly man, those are horrible virus scanners. I don't even know why people still use them.
-
May 25th, 2009, 03:11 PM
#13
Re: Nasty Virus
I disagree. They are pretty decent scanners.
First of all, AVG is free, and the 7.5 version (deprecated though...) is from what I've experienced the lightest scanner I've ever used.
So what would you suggest then?
-
May 25th, 2009, 03:37 PM
#14
Addicted Member
-
May 26th, 2009, 05:48 AM
#15
Fanatic Member
Re: Nasty Virus
A website that I've been going to for over 3 years sent out a worm not too long ago. The server became infected with the nimda worm or a version of it. Any time a page would load that was infected you would get a windows pop up asking to install a Chinese language pack. It also rewrote many of the links on the website pointing them to a Chinese webpage.
-
May 26th, 2009, 07:33 AM
#16
Addicted Member
Re: Nasty Virus
Yeah, you have to be careful. They hack into websites and upload links with viruses in them, or anything to cause damage, just like those hackers that hacked into that National Epilepsy Foundation forum and made all the links redirect to a web page that would flash and blink like a strobe light. It made like 13,000 people have headaches and small and mild seizures... Only hack in history to cause physical harm.
Not to mention pretty messed up too.
-
May 26th, 2009, 09:32 AM
#17
Re: Nasty Virus
I read an article the other day that stated that of all the viruses that Symantec has seen in the few decades it has been in the AV business, 60% of them have come out in the last two years. We're experiencing the Cambrian Explosion of malware.
-
May 26th, 2009, 10:19 AM
#18
Re: Nasty Virus
Financial crisis is hitting geeks and as a result they start trying out scams to make a little money...
I've had like three clients who had actually bought this Antivirus 2009 crap for licenses of almost $100 dollars (note I only live in a small town; imagine the numbers world-wide). It's a very simple scam. This one only needed ten idiots in a thousand infected PCs to make a thousand dollars...
-
May 28th, 2009, 02:47 PM
#19
Addicted Member
Re: Nasty Virus
Plus, don't forget about the "conflicker" virus or whatever it was called that crashed 1 million computers on April 1st because they hacked Microsoft and put a virus in the latest update. Microsoft has a $250,000 dollar bounty out for the author of it.