Monday, March 21, 2011

The Battle Continues (Defeating Viruses)

Well, apparently I spoke too soon. :) I was joking with a co-worker whether I'd be targeted by a hacker as a result of my previous post. I can't prove it however it's some coincidence that over the weekend I was attacked by a more virulent Trojan that seemed to trump all of the steps I outlined in the previous post. This is the ysh.exe hack virus. I may upgrade my firewall to something that monitors my ports. I used to have Zone Alarm but it was pain in the ass. Now I may need that pain in the ass:) I almost feel like this is like fighting "the Borg" which learns a little more with each battle and makes it harder to defeat. The ysh.exe plant is designed to do these things in addition to what I described previously:

1. To transplant itself at the top of the list in terms of processes. So it's running when your computer boots up windows. You can't beat it to the punch with ctl alt del early.
2. It can run in safe mode. So you still can't run your anti-virus software
3. Looks for any type of antivirus launch or install and runs its malicious fake antivirus programs instead.
4. Effectively trumps Malwarebytes because it cannot be run
5. Renaming Malwarebytes exe or install file DOESN"T work. That is often a recommended procedure
6. The malicious programs are NOT located in convenient places with C:Windows or C:Temp as I mentioned in previous post.
7. Some malicious asshole.dll files referenced in start-up process (run: asshole.dll)cannot be deleted without a special tool.

The only way to find it is to be able to know all the registry keys and delete them. If you don't know what you're looking for it's pretty hard. There is only one reasonable solution that I found. It's a dos kill process designed by a programmer that kills the virus exe load. I'm not even going to list it here for fear that the hackers might design a workaround. After that kill process Malwarebytes was able to get the rest of it.

In terms of not paying for a monitoring program. I've changed my tune. It's too difficult to prevent the virus from working once it gets in. You need a realtime virus monitoring program (or real firewall) that prevents the drop of the trojan. Avira free version is not up to that task. I'm now using Malwarebytes real-time monitoring. At $25 it was well worth it. Apparently either I had a hacker on my tail or was not fully rid of the virus. I was treading out on the Internet and all of the sudden noticed my search page was redirected from Google to MonsterBargains which is the sign of the hack, then the java6 launch started happening. Malwarebytes caught the trojan drop attempt and killed it. whew. This was after I killed all the trojans with Malwarebytes previously. After this I researched my registry thoroughly and deleted every rogue key I could find. This is not a process for the faint of heart. I think I am effectively virus free.

Round 3 I guess.

Tuesday, March 15, 2011

Fighting Computer Viruses and Getting the Last Laugh

Over the years I've gained some experince in how to defeat some nasty computer viruses. Some virtually prevent you from using your run command and your antivirus software. The most recent ones I've seen transplant themselves on your system tray as antivirus programs. And they often can't be shut off with the task manager. They keep running and telling you your computer has a virus.

Here are some of the most useful programs I have found. I don't use the paid for antivirus programs (they're overpriced and often ineffective):

1. Hijack This - This basically is for detecting browswer hijack but it can also tell you about registry entries designed to run at startup (autoload programs), browser helpers, toolbars, and other things. Using the "fix this" process should be done with care. Look for (unknown) entries. Don't delete programs you are unsure of. I have been somewhat fearless with my hunches about suspicious programs and have not been burned. But I don't recommend this. There are also some free log analyzers out there that can make recommendations. Be aware though that in the case of browser hijack, they can often prevent you from navigating to the known hijackthis pages. You'll need to save the log to your thumb drive and try it on an uninfected computer at hijackthis log analyzer page.

2. Killbox - This has a very specific purpose. It deletes files that seem to keep growing back because the rogue program manages to exploit Windows to regenerate it. You have to know exactly what the file is and the path. It gives you some options for killing- delete on reboot, rename, standard kill etc.

3. Avira - IMO, the best free antivirus program available. Better than AVG and Avast! it generally detects viruses the others cannot. I've run tests with several programs present. Sometimes Avira cannot get rid of the virus and keeps redetecting it. But it at least gives you a clue about what and where it is.

4. Malwarebytes - This can find and delete many viruses that others cannot including (sometimes) Avira. Generally it can get rid of anything it finds. Full scan takes a long time so be patient, because it sometimes finds viruses way towards the end. But sometimes it can't find viruses and trojans. No program is perfect.

There are some 1 time applications and programs I have used called CC Cleaner and Spybot but generally the programs above in concert are generally enough to defeat the problem.

Some horse sense methods:

Sometimes you can beat the virus before it starts up. If you invoke the task manager early (ctl alt del) you sometimes can catch the program loading and stop it by looking at the PC activity. This can buy you time and ability to defeat the program before it defeats you. However be aware that it may not be listed there. This step can be helpful if the rogue program is designed to defeat the run: program: msconfig.

Make sure to disable your Internet connection. You don't want your computer connecting to the Internet if you have a real hijack happening that is communicating with your computer. Check your Tools/Internet Options Homepage. In particularly nasty cases it can be redirected to a specific IP. In extreme cases (after you have defeated the rogue processes), you may have to use "reset" on your browser to get it to navigate properly again.

Presuming the rogue program hasn't disabled it. The run commands, msconfig and regedit. msconfig can show you what programs are designed to run at startup. You can uncheck any suspicious entries in the startup panel. Look for wierd names that are unsigned. Regedit is direct registry edit. Most people would advise extreme caution with monkeying around with this. If possible back up the registry before changing anything there. You can find and delete an entry that was found by Antivirus programs or from your hijack this log.

Explorer/Search. As Windows O/S systems upgrade it seems like they let you see and find files less and less (don't get me started on Vista). If you're trying to find files in Temp or Windows (often places were rogue programs are hidden) but somehow the path doesn't show them after you navigate to my documents/all users etc then make sure your that your view/folders options is set to show hidden folders and files. Look for files that were created within the last week or few days. Or look for *.exe. If you know your activity you can often find programs that you didn't have a hand in downloading and delete them.

Be careful with deep searches on lesser known webpages. I often have found I get a quick virus attack just by navigating to a search result or someone's blog page that turns out to be fake(sometimes in a foreign language page that is translated). These places can be hornet's nests. A recent problem seems to be a Java 6 pop up exploit that transplants itsef in the registry processes immediately. This is often a prelude to the phony Antivirus transplant on your system tray. Deletion of this entry via Hijack this/fix this (look for the java6 entry) is usually enough to start the process of getting control of your computer back. It's not everything. you have to find the program it's referencing as well (usually somewhere in your .tmp internet or mydocuments/`/temp directory).

Make sure to get a good thumb drive. Sometimes you need to find programs on the Internet on another computer and load them on the infected computer with the Internet connection disabled. In worse case you have to use all of your available options and work quickly before the trojans take hold of your processes. I've literally restarted dozens of times and used each time as a learning process to figure out which programs to invoke. I ran into a trojan that disables some popular antivirus programs and hijack this. If you run in safe mode sometimes this can prevent the rogue program from running which may require full blown Windows to do it's dirty work.

Good luck! (you're gonna need it)