Thursday, January 06, 2011

A Public Service Announcement

This is the second time that I've been nailed by a "drive-by" malware attack. The first time, I knew what caused it. I went to a website that hosted an infected advertisement, and bam, I had XP Security 2010 on my computer, which was apparently a variation of Total Security 2009. At the time, it was exploiting a hole that prevented Task Manager from opening. As such, I wasn't able to see what the name of the program was and go and delete it. That hole has apparently been fixed as no later "editions" have had this power.

This time, I was nailed while I wasn't even doing anything. I hadn't touched the mouse for at least a minute and was reading when, suddenly, Firefox disappeared. Not crashed, disappeared. Then audio started playing, and I had five or six invisible instances of Internet Explorer running, according to Task Manager. I tried to use Firefox and found my searches and link clicks being re-routed to a variety of ne'er-do-well websites like

I ran through all of my running programs and was able to shut down and delete most of what was running, but the virus was directly affecting both explorer.exe and wininit.exe. The modification dates indicated that neither file had been changed, so there was some addition to calls for these programs being made somewhere in the registry.

Norton's free scan worked, but since Norton sucks and only tells you about the virus, this didn't help much. I was able to learn that the virus was called the Bamital Trojan, and this variation was brand new. Very little info at Symantec, Microsoft, TrendMicro, or AVG. It prevented me from installing any antivirus except for the TrendMicro Housecall, which didn't detect it.

If your security definitions are up-to-date, Windows should detect the virus before it can do any damage. My virus definitions on my laptop were a month old. A month! That's all it took. My girlfriend's computer had fresh virus definitions when the virus attacked her computer two days before mine. It was actually pretty easy, if time consuming, to get rid of it. Windows blocked it from doing anything, and two not-so-quick virus scans with Housecall cleaned it out. I was unable to determine how the virus was affecting Wininit and Explorer, and was going to run Kaspersky off of a USB stick, but my computer crashed completely before that could happen. Possibly because I was killing registry entries like quirky-yet-somewhat-famous actors in a Tarantino movie.

I don't know the specific vector of infection, but it came through Firefox on both my computer and my girlfriend's computer. Kudos to Chrome, which the virus was unable to hijack. Instead, it just prevented Chrome from working at all. This is insane. Back in my day (2006), you had to actually be stupid to get a virus. You had to open the "I love you" e-mail or click "yes," or SOMETHING. Now, the fuckers can just come in and rape your poor computer.

Recommendations from my experience:

  • Update virus definitions constantly.

  • If you're a Windows user, download Microsoft Security Essentials. It's the lightest-weight antivirus program out there, easy to use, and completely free.

  • Use Firefox and install both the Adblock Plus and NoScript add-ons. It makes browsing a bit less seamless, but you're leagues safer. You'll also get used to the control it gives you.

  • If you're infected and you know things are wrong, open up Task Manager with ctrl+alt+delete and start Googling the processes that are running. Make sure you click the "show processes from all users" button/box. This will help you understand the nature of the beast. Once you've determined whether a program is a virus or not, try to shut it down. Usually, there will be multiple programs that reopen each other, just to make this even more difficult for you.

  • Determine where on disk the programs that were running live, shut them down in Task Manager, and then go and delete the files.

  • If you don't have antivirus, try to install some. Try MSE, AVG, TrendMicro Housecall, Malwarebytes, and Norton's free scans. As I mentioned, the Norton scan won't fix things, but it might at least tell you what the infection is.

  • If the programs successfully run, run ALL OF THEM. If one of them misses the infection, another might find it. Then run them multiple times. Just accept that you're looking at multiple hours. Start up Lord of the Rings Extended Editions! Those take forever to watch.

  • If you can't run the antivirus programs, even after deleting some of the running programs, you're left with either digging through the registry, which is dangerous, or running antivirus off of a bootable disc or USB stick. Kaspersky Rescue Disk is good for this.

  • If this fails, you're left with the nuclear options. ComboFix is a powerful tool that will leave your computer functional, but will likely kill some of your installed programs. The final option is a complete reinstall of Windows.

  • If your computer is functional, copy and save all of your files to a USB stick or external hard drive. Insert your Windows disc, restart your computer, and when prompted, hit a key to boot off of the disc. Then follow the instructions to format your hard drive and install Windows fresh.

  • If your computer is non-functional, you're going to need to boot up an operating system from a disc or USB that will recognize your external storage. I used Knoppix. Either download or have a friend download Knoppix, burn it to a DVD, then start up your crap computer with Knoppix in the disc drive. Boot off of that disc. This will take a while, but once it loads, you'll have a fully functional graphical operating system that will let you search through your hard drive, then drag-and-drop your files onto external storage.

  • If you don't have a Windows disc, which is common with shitty pre-built computers from the likes of Sony and Dell, you might have to request a disc from your manufacturer. Just make sure to tell them that the "rescue" disc that they provided didn't work, you tried it multiple times, and the virus remains.

  • You can also ask around to see if you have anyone who pirates software a lot and have them download your version of Windows again. Make sure it's the same version or your serial number won't work.

  • Once you reinstall, reactivate Windows, and begin the long quest to reinstall all of your software.
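As an added example (my own PowerShell, not anything from the original post), here is the "look at the running processes, find where they live, then check the registry" work from the list above done in one pass: it lists every process with its image path and signature status, then prints the autostart registry values that a resident infection typically modifies. It assumes PowerShell 3.0 or later in an elevated prompt and no third-party modules.

```powershell
# Added triage example, not from the original post. Assumes PowerShell 3.0+
# run as Administrator so that the paths of other users' processes are visible.

function Get-ProcessTriage {
    # One row per process: name, PID, image path and Authenticode status.
    # Signed Microsoft binaries report 'Valid'; 'NotSigned' or 'HashMismatch'
    # on something living in a temp or profile folder deserves a closer look.
    Get-Process | ForEach-Object {
        $path = $_.Path    # $null for protected/system processes we cannot open
        $sig  = if ($path) { [string](Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        [pscustomobject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            Path      = $path
            Signature = $sig
        }
    } | Sort-Object Signature, Name
}

function Get-AutostartTriage {
    # Well-known autostart locations. On a clean machine Winlogon\Shell reads
    # "explorer.exe" and Winlogon\Userinit reads "C:\Windows\system32\userinit.exe,";
    # anything appended after those defaults is how explorer.exe gets hijacked
    # without the file itself ever changing.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry data
            if ($key -like '*Winlogon' -and $prop.Name -notin 'Shell', 'Userinit') { continue }
            [pscustomobject]@{ Key = $key; Value = $prop.Name; Data = $prop.Value }
        }
    }
}

# Save both reports so they can be compared against a known-clean machine.
Get-ProcessTriage   | Format-Table -AutoSize | Out-File "$env:USERPROFILE\Desktop\processes.txt"
Get-AutostartTriage | Format-Table -AutoSize | Out-File "$env:USERPROFILE\Desktop\autostart.txt"
```

Run it before you start killing processes, so you have a record of what was there; the two text files on the Desktop are what to Google from, or hand to whoever is helping you.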
