Friday, April 13, 2007

Viral Saga

On Wednesday, I was really proud of myself. I paid the bills. Early, even. And checked my bank account to see how much money was left. I was so responsible. I even ran Spybot S&D to clean everything up.

Then I noticed the new icon on my taskbar--that had no name and wouldn't let me click on it or anything. Then I started getting Explorer windows opening randomly to Happy888 and Happy1000 webpages that were blank but always "logging in" or loading. Not so good.

So I opened my Windows Explorer and immediately noticed new files and folders that were mysterious. I googled the names (Scvhost.exe, svchost.exe, sydinar software, dup2.exe, etc) and discovered VIRUSES on my computer. Various websites cited them as annoyances, spyware, hijackers, viruses, trojans, or worms, and the security risk from negligible to "close all your bank accounts if you accessed them with this stuff on your computer". So I read and printed lots of stuff from Geek Forums telling other people how to get the same stuff off their computers, and I started to work.

First, I turned the computer on in safe mode and deleted all the files I found that were bad bad ones. But the popups (Happy888) kept coming. So then I started downloading free spyware and virus removers. Some even promised to get rid of the Happy888 virus/spyware that apparently is very difficult to remove because it keeps changing its name. I downloaded and installed and uninstalled TONS of stuff, and every program identified different problems. The ones that identified the most problems were the ones that you have to pay to access the solutions.

But they all agreed that I had a bad program: c:\Windows\scvhost.exe. There is a legit program needed by Windows called svchost.exe, so this was hard to identify, and I had to be careful to only delete the right ones. The problem was, every time I deleted it, I rebooted the computer and it was back. I finally got wise and rebooted with the internet disconnected--and it STILL came back. That let me know I hadn't deleted the source of the problem. Plus, now my computer kept asking me to install drivers for "new hardware," called SBHR, which I had never installed. So I refused to put it on.

Thursday, Jon was in Denver so we went to get him. We'd intended to just visit, but he spent the whole time he was here working on my computer while we visited. That was really nice of him. He also got my kids convinced that Linux is the way to go with computers. They like the Linux penguins. He also introduced me to Google Home Pages, and Mozilla, both of which are very cool. Anyway, we discovered that the guy who sold me my computer (from Nephi, UT!), put a pirated copy of Windows on it, so we couldn't really update Windows, which was part of the problem. Downloaded more and more stuff, and cleaned off old stuff, and the popups were still there.

Finally, we thought we had it licked and Jon went back to Denver to his hotel. And I went down to the secure computer and changed all our online passwords, just in case. (Then today, I went to the bank and reported the problem there just in case it really was hijackers or a trojan or a hacktool (all variously cited) or a keylogger or any of those other tools to steal your identity.)

When I got home from Denver, I checked the virus scan we left running, and it found nothing. And the popups were there, and the Sydinar Software virus that attracted my attention in the first place was back. And the "control panel" on Windows had a new icon: Administrator settings. No more searching for new hardware, though. We did have to recover from a couple of fatal errors, unfortunately.

So I ran all my scans again, deleted the stuff I knew was bad, and let the computer work on finding stuff all night. Nothing.

After working on it most of today, too, I realized I would have to give up and pay someone to fix it, wipe the hard drive and go with Linux and hope it could do what I wanted, or get some help from someone who knows everything.

So I prayed about it. The computer and internet are important to me because they are my connection to other adults and the way I get to use my talents (writing). I figured Heavenly Father taught me how to fix the dishwasher, and the cooler, and the car. Surely He could teach me how to fix the computer. So I prayed, and then I got back on the web and googled all the stuff I now knew about the viruses (names, company names, etc).

This time, I noticed that there were a couple of companies that had the viruses catalogued in their "encyclopedias" and "research engines." Both companies had virus scanners. So, with a great deal of trouble because the viruses kept trying to stop me, I downloaded the programs and ran the scans.

One program was a great research tool, telling me my viruses occurred in 111 patterns (no wonder it's hard to find!). But it scanned my computer and only identified as "possibly dangerous" www.moosebutter.com and mozilla. No good. The other program was one that would scan for free but costs $30 to buy the software to clean any problems. I did the scan and got a screenshot of the results: 10 problems none of the other programs had identified. It cleaned the ones that were not dangerous, but insisted I buy the program to get rid of the bad ones.

Instead, with the screenshot available, I turned the computer on in safe mode and found the files they identified as evil and deleted them myself. It was the same files I had deleted a million times, plus two others hidden in a "system" folder and with a slightly different name (svchost). My research had let me know that the necessary svchost was in the system32 folder, so these were NOT real. So I deleted them. Rebooted. Ran an hour long scan to identify if the problem was gone--and it was.

I rebooted the computer and checked again. Still gone. No popups yet. No running slowly. No annoyances. So far it looks like I licked it, with help from Someone Who Really Knows Everything. Now I just have to find out if I can delete the dangerous entries from the registry if I know exactly what they're called (apparently you can really screw up your computer if you delete the wrong things from the registry).

So, a review of the software I tried. I don't remember all of it, but here's what I found:

Spybot Search and Destroy: Catches some stuff, but didn't even notice this stuff.

Dr. Cureit: Caught other stuff than Spybot did, but not my virus. Also slow.

CounterSpy: Caught a few things, but not my virus AND it has no uninstall option, so you have to use Windows uninstall and then search out the individual folders and delete them, too. The "found new hardware" message appeared after I installed this, which is run by a company that includes the initials SBHR, and the "new hardware" messages stopped once I finally got rid of the program.

Ad-Aware Away: Their ads promised to get rid of the Happy888 popups. Found some stuff, but not my virus AND you have to pay to get rid of things.

Ad-Aware SE Personal: Found a lot more stuff than most programs, but not my virus. DID clean everything off for free, though. It cleaned off 455 things that no other program identified as evil, but left my virus.

Spyware Doctor: Found some things. Not my virus. Installed itself to load on opening the computer and loaded REALLY SLOWLY. Could only remove the thing in Safe Mode because it wouldn't stop working even if I asked it to, and its uninstall program stalled multiple times.

XsoftSpyXE: Found a lot of stuff. Makes you pay to remove it, so I wrote down what it found and deleted it by hand. Found most of the sub-viruses (the ones that I deleted but that reloaded by themselves), but not the source virus that was letting them all reload when I rebooted.

ATF Cleaner: Does the same thing as "Disk Cleanup" on Windows.

AVG Suite (Anti-Spyware, Anti-Virus 7.5, and Anti-Rootkit): Highly recommended by EVERY forum I found. Didn't find a single thing. Not anything.

System Spyware Interrogator: Great research tool. Identified moosebutter.com as potentially dangerous. Didn't find my viruses even though they were in SSI's encyclopedia, with all 111 variants.

Microsoft Malicious Software Removal Tool: I had to download a nag screen reminding me that my copy of Windows is pirated (not my fault!) and let the computer update Windows, which took over an hour, to get this. It doesn't work with Mozilla turned on, even though it's supposed to run in the background all the time and do an additional scan once a month. (Typical of Microsoft, you can't even access the help page for their download programs without running them through Internet Explorer.) Didn't find ANYTHING, and you have to download a different version in addition in order to scan through their online page OR scan more than once a month--and downloading the programs froze the computer. Typical Microsoft quality and thinking.

SuperAntiSpyware Free Edition: The second one that identified my virus, calling it the "scvhost worm". It also found 32 MORE things that Ad-Aware Personal missed (I ran the scans one after another). Removed the "worm", but not the core program that was installing it. Very slow, but thorough.

eTrust PestPatrol: The only program that identified the REAL problem. I only did the quick scan, even! It scanned for me, but wouldn't clean everything for me (only innocuous things) unless I paid them. Couldn't block and copy the list of problems they found, but I could get a screen shot and open that in Word and use it to delete the source virus, as far as I know. So far so good. Now if I can just get rid of the registry keys it found...

There may have been a few more. I also read a few reviews of software that said the best one on the market is called Max-something (maximillian?). The free ones are not any of them very thorough (the best only catch 70% of the problems). Most people recommend running more than one anti-spyware program in order to catch everything if you insist on using free stuff.

So there you go. I'll let you know if I'm really done working on this problem or not.

3 comments:

morelightthanburden said...

RRRRRRRRRRRRR.

Linux really is the way to go :)

morelightthanburden said...

Of course, what I really want to know as I read everything you do is, how are you doing so much? You are amazing! I'm happy if I accomplish half what you do! Do you have superpowers or what? (And, no, I am not exercising hyperbole there . . .)

Becca Jones said...

If you saw my house, you'd know how I do it.

I don't do the house.

My mom used to say you can do 2 of three things: house, kids, and church. Take your pick.

I picked.