Tuesday, April 17, 2007

The Viral Saga Continues

So I was fairly satisfied that I had found the virus in my computer. But then Dad sent me a list of the top picks on anti-virus and anti-spyware software from Consumer Reports. I was thinking about whether or not to get one of the products when I noticed that Jon (or maybe me, I don't know) downloaded McAfee Freescan, but I had never seen the results of the scan.

So I ran it again.

It found something like 20 files infected with a new virus that was identified on April 12 for the first time. Of course, they wanted me to buy the software in order to remove the files, so I printed the list and removed them myself. The virus had embedded itself in Mozilla, which we downloaded AFTER the computer was infected, so that couldn't be the actual SOURCE it was reloading itself from. And, stupid me, in the process of finding the files (all images!), I clicked on one and accidentally unleashed all the viruses I'd already removed. Back to square one.

Aware that I had not solved the problem now, I went to the CR top pick for all-around security, the Zone Alarm Security Suite. Turns out they have a FULLY FUNCTIONAL 15-day trial version. So I downloaded it.

The computer panicked and made the download corrupt, and opened all kinds of screens, and more than once I had to pull the battery out and unplug the computer to force it to shut down. I had been intending to leave all the viruses that I knew how to remove as a test to see if Zone Alarm could find them, since most other software couldn't find all of them. But the viruses were virulent, and they wouldn't let me run the program or re-do the download, and they finally made it so my computer couldn't access the internet. I did a system restore to earlier that day. It said it couldn't restore: "There was nothing to restore", but it reset enough that I could access safe mode and delete the stuff I could find.

Then I fixed the download and ran the virus scan, leaving it going while we went to bed.

Zone Alarm found 376 infected files. 376. When McAfee found about 20. And the other programs found up to 455, but all spyware (400 tracking cookies, for example). It only found ONE spyware, but it was a vicious Trojan that was allowing someone else to see everything done on my computer (bills, filing taxes, etc.). So this is what we found: a new virus, VBS.Small, which had saved itself something like 350 times all over my computer. This was the one that, no matter how often I deleted it, it was somewhere else and reloaded. There were a dozen or so Trojans. A back door was open through NetMeeting, a legit windows program. A couple of "worms" or "trojans" I had identified before were identified again (including Scvhost.exe). So pretty much anyone could access my computer to get any information they wanted. Zone Alarm took care of everything.

But the little icon that started all this was still on the screen. And the c:\temp\svchost.exe by Sydinar Software that caught my attention in the first place was still running--putting up panic screens that showed every program I had opened in the last hour or so, and causing Windows to put up false error messages--so many that I had to unplug the thing again to get it to shut down. So, despite the 376 things removed, I knew the virus was still there. And angry.

I managed to get into safe mode and get the temp folder that held the viruses (at least 2 that I had previously identified) into the recycle bin and deleted. Then I used the Windows search tool and searched my computer for all occurrences of the letters "svc" and "scv". I found the virus had hidden itself in a couple of other places, with another thing that looked suspicious and had the same icon as the DUP2 virus. So I deleted all those nasties. In the process, I noticed that the first infection was recorded as being "created" around 9:22 pm on April 9. So I did a search for everything created on April 9. With what I learned from looking at the McAfee and Zone Alarm results, I had a pattern of how the virus hid itself, and I deleted probably a hundred more files created on April 9 and 10 that fit the pattern. Then I undid the changes in the config.sys (thru msconfig) that the virus had made.

Then I discovered that some more suspicious files were located in the Java folder. So, with some work, I found the right Java folder (there are tons of them scattered throughout the computer) and discovered that Java downloads and saves on your computer all the little images and sounds it finds in things like games kids might play. So I had multiple images of the train cars from Candy Train and the characters from Mummy Maze. Zipped folders from Sesame Street games and coloring pages the kids had done and deleted online. Audio files of Spanish words from Sesame Street (or possibly dragontales.com). Sound effects from Candy Train. There were close to a THOUSAND of these taking up memory on my computer, plus the viruses that had hidden in the folder with them. So I wholesale deleted them all. I don't need that kind of crap taking up space. All these things SHOULD be in the temp folders for the internet (and therefore cleaned off when I do my daily disk cleanup), but they were made with javascript, so Java saved them in its own temp folder, which it recommends you don't delete unless you are a computer expert. Bah humbug to them. Besides, I read online that if Java isn't completely updated, it is an open door for viruses.

So then, hoping to speed it all up, I removed all the extraneous anti-spyware and anti-virus software from the computer, leaving on only what CR recommended. And I redid the config.sys again so that Messenger doesn't automatically run on my computer, since I never use it and I read that it's also an open door for viruses--and, in fact, one of my viruses was masquerading as Messenger in the Task Manager's running processes, so I didn't know it was a virus running.

The computer is still running rather slowly, but a whole lot faster than it did (doesn't take half an hour to turn on anymore). I need to search for suspect sets of files from April 11-now just in case, and run defrag (we've had so much stuff on and off the computer in the last week--and it needed to be defragmented before!), and see if that helps. Also, now that I'm online again, I'll see if Zone Alarm really DOES catch the spyware.

I suspect that within a week Zone Alarm will be able to find all the occurrences of the virus that I've been digging up by hand. It's a brand new virus.

This has been a wacky week for computers. I went from "Oh, yeah--I've heard of safe mode!" to digging through files and modifying msconfig. And I'm STILL a beginner. Wow.

In the meantime, my recommendation: Always look at Consumer Reports. And everyone go download the fully functional trial of Zone Alarm (www.zonelabs.com) and run it on your computer, just in case.
