Monday, March 21, 2011

The Battle Continues (Defeating Viruses)

Well, apparently I spoke too soon. :) I was joking with a co-worker about whether I'd be targeted by a hacker as a result of my previous post. I can't prove it, however it's some coincidence that over the weekend I was attacked by a more virulent Trojan that seemed to trump all of the steps I outlined in the previous post. This is the ysh.exe hack virus. I may upgrade my firewall to something that monitors my ports. I used to have Zone Alarm but it was a pain in the ass. Now I may need that pain in the ass. :) I almost feel like this is like fighting "the Borg", which learns a little more with each battle and makes it harder to defeat. The ysh.exe plant is designed to do these things in addition to what I described previously:

1. It plants itself at the top of the process list, so it is already running when Windows boots. You can't beat it to the punch with an early Ctrl+Alt+Del.
2. It can run in safe mode, so you still can't run your anti-virus software.
3. It watches for any kind of antivirus launch or install and runs its malicious fake antivirus programs instead.
4. It effectively trumps Malwarebytes, because Malwarebytes cannot be run.
5. Renaming the Malwarebytes exe or install file DOESN'T work, even though that is an often-recommended procedure.
6. The malicious programs are NOT located in the convenient places, such as C:\Windows or C:\Temp, that I mentioned in the previous post.
7. Some malicious asshole.dll files referenced in the start-up process (run: asshole.dll) cannot be deleted without a special tool.

The only way to find it is to know all the registry keys and delete them. If you don't know what you're looking for, it's pretty hard. There is only one reasonable solution that I found. It's a DOS kill process written by a programmer that kills the virus exe load. I'm not even going to list it here for fear that the hackers might design a workaround. After that kill process, Malwarebytes was able to get the rest of it.
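A read-only audit of the autostart registry locations this kind of trojan lives in (the Run/RunOnce keys, the Winlogon Shell and Userinit values, and the Image File Execution Options "Debugger" values that make Windows start a different program than the one you launched) is an added PowerShell example that is not part of the original post. It assumes a standard Windows layout with Windows and Program Files as the only trusted roots, and it deletes nothing; it just lists each entry with the reasons it looks worth a second look.

```powershell
# Added example, not from the post: read-only audit of common autostart locations.
# Run in an elevated PowerShell. Nothing here modifies the registry.
$locations = @{
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = $null   # $null = every value
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     = $null
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'         = $null
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     = $null
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' = @('Shell', 'Userinit')
}
# Directories a legitimate autostart command normally lives under (assumption: default install).
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-SuspicionFlags([string]$cmd) {
  $flags = @()
  if ($cmd -match '(?i)rundll32(\.exe)?\s') { $flags += 'DLL loaded via rundll32' }
  if ($cmd -match '(?i)\\(Temp|AppData|Application Data)\\') { $flags += 'runs from temp/profile dir' }
  # Reduce the command to its executable path (quoted or unquoted), then compare to trusted roots.
  $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
  $inTrusted = $trusted | Where-Object { $exe.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }
  if ($exe -match '^[A-Za-z]:\\' -and -not $inTrusted) { $flags += 'outside Windows/Program Files' }
  return $flags
}

$findings = @(foreach ($path in $locations.Keys) {
  if (-not (Test-Path $path)) { continue }
  $key   = Get-Item $path
  $names = if ($locations[$path]) { $locations[$path] } else { $key.GetValueNames() }
  foreach ($name in $names) {
    $cmd = [string]$key.GetValue($name)
    if ($cmd) {
      [pscustomobject]@{ Location = $path; Name = $name; Command = $cmd
                         Flags = (Get-SuspicionFlags $cmd) -join '; ' }
    }
  }
})
# Image File Execution Options: a Debugger value makes Windows start that program
# instead of the one named by the subkey, so every Debugger value deserves a look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings += Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
  $dbg = (Get-ItemProperty $_.PSPath).Debugger
  if ($dbg) { [pscustomobject]@{ Location = $_.PSChildName; Name = 'Debugger'; Command = $dbg
                                 Flags = 'launch redirected to another program' } }
}
# Flagged entries first, then everything else so the full picture is still visible.
$findings | Sort-Object { $_.Flags -eq '' } | Format-Table -AutoSize -Wrap
```

Compare any flagged entry against what you know you installed before deleting it, since some legitimate software also starts from the profile directory.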

In terms of not paying for a monitoring program, I've changed my tune. It's too difficult to prevent the virus from working once it gets in. You need a real-time virus monitoring program (or real firewall) that prevents the drop of the trojan. Avira free version is not up to that task. I'm now using Malwarebytes real-time monitoring. At $25 it was well worth it. Apparently either I had a hacker on my tail or was not fully rid of the virus. I was treading out on the Internet and all of a sudden noticed my search page was redirected from Google to MonsterBargains, which is the sign of the hack, then the java6 launch started happening. Malwarebytes caught the trojan drop attempt and killed it. Whew. This was after I had killed all the trojans with Malwarebytes previously. After this I researched my registry thoroughly and deleted every rogue key I could find. This is not a process for the faint of heart. I think I am effectively virus free.

Round 3 I guess.

2 comments:

  1. Hi Raney,

    I tried to message you earlier but am not sure you have received my previous message.
    Can you kindly send me an email: flakes010@hotmail.com
    I would like to ask you something regarding the book of Ron Daulton. Kind greetings,
    Sander

  2. see this post
    http://otherraneyday.blogspot.com/2011/05/herniated-disc-follow-up.html