Malware Woes

A few weeks ago, my PC was somehow infected with some nasty thing that tried to turn it into a spambot via drive-by download. I had the current version of Symantec AntiVirus running, set to the absolute highest paranoia levels and updated daily. I also had Spybot Search & Destroy running, again, updated daily and carefully configured. I had both do full system scans every day, as well as keeping them memory-resident at all times.

Neither program ever gave so much as a peep. In fact, when I found the original file that was to blame and checked it manually with Symantec AV, it passed as though it were as innocent as a babe. If I hadn’t had the antivirus software configured to show me an icon in the systray when it was checking outgoing mail, who knows when I would have realized that the system was compromised? As it was, I knew within seconds. (Hey, I notice “outgoing mail” when my email program isn’t even open.) I ended up pulling out the ethernet cable to stop communications ’til the system was clean.

Of course, after that happened, I knew that the two main security programs sucked. I tried a few others that I keep installed to do scans just to check how well the main ones are doing, and they thought my system was clean, too. Well, clean but for every cookie I’ve ever allowed into a browser. Those, they scream about. <snark>That’s reassuring, because you know it’s far more worrisome that somebody using a free site counter might know if I’ve visited her site before than that my machine has become a zombie, spewing out spam and letting who knows who use it for nefarious purposes.</snark>

I was able to find the process name and services that the trojan was using and removed those manually, so I could go back online to get more help. I tried four times, and was finally able to complete the online scan provided by TrendMicro. It claimed to have found 171 problems, but crashed yet again when it was supposed to start trying to remove them. I went back to the site after a reboot and went through the whole danged process again, only to be told that the system had only four possible problems (and none of them the guilty file!).

I finally cleaned out the infection manually, searching for and examining every file created or changed on the date in question. I found the services that were installed and removed them, too. I went through my registry and everything else with a fine-toothed comb in a process that made my obsessive-compulsive traits a gift. The nasty is gone, and I verified that it didn’t get a chance to spread to any other PCs on our LAN.
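The manual cleanup described above (files touched on a given date, services that were added, autorun registry entries) can be made a lot less tedious with a short triage script. The one below is an added example, not something from the original post; it only reports and removes nothing, so you can review the output by hand before deciding what to delete. The date in `$Day` and the directories in `$Roots` are assumed placeholder values.

```powershell
# Added triage script (not from the original post). Lists files created or
# modified on a given day, every service with the binary it launches, and the
# common autorun registry keys. It only reports; nothing is removed.
# Run from an elevated PowerShell prompt (PowerShell 3.0 or later).

# $Day is a placeholder; replace it with the date the infection occurred.
$Day   = Get-Date '2007-01-15'
$Start = $Day.Date
$End   = $Start.AddDays(1)

# Directories to sweep; an assumed starting set, extend as needed.
$Roots = @("$env:SystemRoot", "$env:ProgramFiles", "$env:USERPROFILE")

"=== Files created or changed on $($Start.ToShortDateString()) ==="
foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.CreationTime  -ge $Start -and $_.CreationTime  -lt $End) -or
            ($_.LastWriteTime -ge $Start -and $_.LastWriteTime -lt $End)
        } |
        Select-Object FullName, CreationTime, LastWriteTime, Length |
        Format-Table -AutoSize
}

"=== Services and the binaries they launch ==="
# Sorting by PathName groups services by location, which makes a service
# whose binary lives in a temp or profile directory stand out from the rest.
Get-CimInstance Win32_Service |
    Select-Object Name, State, StartMode, PathName |
    Sort-Object PathName |
    Format-Table -AutoSize

"=== Autorun registry entries ==="
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $RunKeys) {
    if (Test-Path $key) {
        "--- $key"
        # Drop the PS* provider properties so only the real value names show.
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}
```

Read the three sections together: a file that appeared on the infection date, a service whose PathName points at that file, and a Run key that launches it are the pieces that usually belong to the same infection. Compare anything unfamiliar against a known-clean machine before removing it, and check the other PCs on the LAN with the same script.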

So, back to security software research! I chose Bull AV this time, on the basis of independent test results. They rated Bull, Nod32, and McAfee’s VirusScan Enterprise as best. I already hate McAfee, which left just the first two.

I found the Bull suite very sexy—it includes backup capabilities with some free online storage space. It also had a two-month trial, which was nice. And Bull identified a frightening number of problems in old email archives. Symantec and several other programs never spotted them. These days, our mail server has its own antivirus software and does a very good job of keeping such things away.

Bull wasn’t so good about actually cleaning email infections. It supposedly works with Thunderbird, but it doesn’t do it very well. If there’s one suspicious email message in a folder or “mailbox,” Bull puts the entire folder into quarantine, or just deletes it! That is not ideal, to say the least.

It was also slowing down my system terribly, so I moved on to Nod32. It doesn’t have the backup, and only has a one-month trial. It does have attractive pricing that is comparable to Bull’s, and which takes into account the fact that most of us have multiple computers in our homes. I like that.

It hasn’t slowed down my system appreciably, even with the firewall (and that’s rare). It has caught every test bit of nastiness I’ve tossed its way. It also deletes only the questionable message from mail folders, rather than the whole folder that contains the message.

We’ve still got Bull running on another PC, and it works just fine there with no appreciable slowdown. That machine is comparable to this one, so I don’t know why there’s such a big difference. Right now, I’d happily recommend either Bull or Nod32.

A few days ago, a friend got hit with something that sounds like a variant of the malware that hit my machine. He and his wife had a lot of trouble getting rid of it, and the tech support people they spoke with claimed that none of the anti-malware vendors have put out any updates that are really reliable against this particular trojan.

I use Firefox, not MSIE. I’m very careful with its security settings. Outlook doesn’t live on my machine at all. I don’t visit warez or porn sites. I do install and try a fair amount of software, but I’m fairly careful about making sure it comes from reputable sources. I kept the programs I mentioned memory resident, ran full scans daily, and used other programs to scan on a weekly basis. I still got hit by a trojan. My friends are tech-savvy and very security conscious, too.

Please take a little time now to check your system and be sure your security software is good (not just popular), configured properly, and up to date. And that you use it!

2 Replies to “Malware Woes”

  1. I just got done clearing a very similar problem. The only A/V app I tried that would even see part of the problem was Kaspersky. Norton, Trend, McAfee, Spybot, and Ad-Aware were all oblivious. I ended up ripping out most of it by hand using HijackThis, Autoruns, and got a little bit of help from superspyware remover, and a couple of scripts from Very nasty, very time consuming.

  2. I’m sorry that you had to deal with it, too. I hope we’ve seen the last of it here!
