On Saturday I came to the aid of a damsel in distress.
Today, it was doing battle with a computer virus.
It appears one of the computers at our small business had problems with bogus virus warnings popping up. Something called XP Anti-virus 2011 kept warning us about all kinds of trojans, keyloggers, and other sundry malware on the computer in question, advising us the only way to rid ourselves of them was to subscribe (and pay for) a copy of this XP Anti-virus 2011. It looked as if it was from Microsoft, even displaying a replica of the Windows Security Center app. But what this supposed anti-virus program was doing was trying to extort cash from gullible computer owners in order to shut it up...until the next time they wanted money.
One of the side effects of this virus was disabling some of our regularly used programs, including one that allows us to track our customers' patronage and generate business statistics for use in making projections for the coming months and quarters.
This virus was so persistent and well ingrained that our standard anti-virus app, which shall remain nameless, didn't even touch it. And from what I understand many of the other anti-virus suites were just as vulnerable.
It took quite a bit of research to figure out how to get rid of it, including how to shut it down so the programs capable of purging it from our system would run. A number of third-party programs used to shut down malware processes, including one of my favorites, called Rkill, had no effect on it at all.
In the end I had to kill the process by creating a file that would prevent the virus from starting when the computer rebooted. I found that file here (I used Method 2).
Once the virus was disabled, I downloaded and installed one of the freeware applications capable of purging it from the system and repairing the registry. (I used the Malwarebytes Anti-Malware application.)
All in all it took almost 2 hours to get rid of the virus, with the longest part trying to disable the virus long enough to allow installation of the program used to purge it.
From reading some of the forums, it appears this nasty little beast installs itself by a number of means, including links in fake e-mails. Probably one of the more common fake e-mails is one supposedly from UPS, FedEx or some other parcel delivery service informing you of a package en route to you. The e-mail includes a link to 'track' your package, but when you click on it, it downloads and installs the virus while your web browser shows you some kind of message saying the server is busy or has timed out.
And so it went for me today.



Yep, that's one of the nastier ones. Nasty in that it's just that much more difficult to nail down- the place where booting to the installation media and using the recovery console can be your friend.
I had problems even booting into safe mode. From what our corporate IT guy said there's more than one variant of this virus floating around out there.
Fortunately for us we do not leave System Restore running unless we're installing new software.
I also ran CCleaner to scavenge the registry (something I do on a regular basis in any case).
Should have called me. I spend half my billable hours scraping that little monster and its brethren off computers all over the state. The only AV I am aware of that has any success in preventing this one is Microsoft Forefront (Microsoft Security Essentials for home users).
Generally you can boot into safe mode and find the virus file hiding in the Local Settings>Apps folder under the infected user and/or the All Users or Public profiles (depending on the OS you are running). It will be in a folder with a long random character name, containing an identically named exe file. You can delete it, but that's just the beginning.
You also really need to shut off System Restore, as it likes to hide in the restore files and will lie dormant a day or two before striking again. After that, a full Malwarebytes scan, followed by a CCleaner Registry scan should do the trick.
There is also a registry fix file I like to use to correct entries some variants make to the registry that force all executables to load the virus as a shell.
All-in-all it's great fun, isn't it?
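A defender-side audit for the two indicators the comment above describes, the .exe shell association being redirected and the randomly named folder holding a same-named exe, added here as an example; it is not code from the post or from any commenter. It assumes a Windows host with PowerShell 3.0 or later, uses the standard Windows registry paths and default values for the .exe association, and the folder-name pattern is my assumption about what "long random character name" looks like.

```powershell
# Added example: audits the two indicators described in the comment above.
# Assumes Windows with PowerShell 3.0+ (Get-ChildItem -Directory). The expected
# registry values are the Windows defaults; the folder-name pattern is an assumption.
$ExpectedProgId  = 'exefile'
$ExpectedCommand = '"%1" %*'

function Get-DefaultValue {
    param([string]$Path)
    # (Default) value of a registry key, or $null when the key does not exist
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue).'(default)'
}

function Test-ExeShellHijack {
    # Per-user classes (HKCU) override HKLM, so a hijack often lives only in HKCU.
    $findings = @()
    foreach ($hive in 'HKCU:\Software\Classes', 'HKLM:\SOFTWARE\Classes') {
        $progId = Get-DefaultValue "$hive\.exe"
        if ($progId -and $progId -ne $ExpectedProgId) {
            $findings += "$hive\.exe maps .exe to '$progId' instead of '$ExpectedProgId'"
        }
        # Check the standard class and whatever class .exe currently points at.
        foreach ($cls in @($ExpectedProgId, $progId) | Where-Object { $_ } | Select-Object -Unique) {
            $cmd = Get-DefaultValue "$hive\$cls\shell\open\command"
            if ($cmd -and $cmd -ne $ExpectedCommand) {
                $findings += "$hive\$cls\shell\open\command runs '$cmd' instead of '$ExpectedCommand'"
            }
        }
    }
    return $findings
}

function Find-RandomNamedExeFolders {
    param([string[]]$Roots = @($env:LOCALAPPDATA, $env:ProgramData))
    # A subfolder whose name is a long run of letters/digits holding an .exe of the same
    # name matches the layout the comment describes. Review hits manually; a legitimate
    # installer can produce the same shape.
    foreach ($root in $Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^[a-z0-9]{8,}$' } |
            ForEach-Object {
                $exe = Join-Path $_.FullName ($_.Name + '.exe')
                if (Test-Path -LiteralPath $exe) { $exe }
            }
    }
}

$hits = @(Test-ExeShellHijack) + @(Find-RandomNamedExeFolders)
if ($hits) { $hits | ForEach-Object { "SUSPECT: $_" } } else { 'No indicators found.' }
```

Run it from an elevated prompt so HKLM and the All Users/ProgramData folder are readable; a non-default shell\open\command is the registry condition the commenter's fix file corrects, and the script only reports it, leaving any repair to the tools named above.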