Categories

A sample text widget

Etiam pulvinar consectetur dolor sed malesuada. Ut convallis euismod dolor nec pretium. Nunc ut tristique massa.

Nam sodales mi vitae dolor ullamcorper et vulputate enim accumsan. Morbi orci magna, tincidunt vitae molestie nec, molestie at mi. Nulla nulla lorem, suscipit in posuere in, interdum non magna.

Malware Woes

A few weeks ago, my PC was some­how infect­ed with some nasty thing that tried to turn it in to a spam­bot via dri­ve­by down­load. I had the cur­rent ver­sion of Syman­tec AntiVirus run­ning, set to the absolute high­est para­noia lev­els and updat­ed dai­ly. I also had Spy­bot Search & Destroy run­ning, again, updat­ed dai­ly and care­ful­ly con­fig­ured. I had both do full sys­tem scans every day, as well as keep­ing them mem­o­ry-res­i­dent at all times.

Nei­ther pro­gram ever gave so much as a peep. In fact, when I found the orig­i­nal file that was to blame and checked it man­u­al­ly with Syman­tec AV, it passed as though it were as inno­cent as a babe. If I had­n’t had the antivirus soft­ware con­fig­ured to show me an icon in the systray when it was check­ing out­go­ing mail, who knows when I would have real­ized that the sys­tem was com­pro­mised? As it was, I knew with­in sec­onds. (Hey, I notice “out­go­ing mail” when my email pro­gram isn’t even open.) I end­ed up pulling out the eth­er­net cable to stop com­mu­ni­ca­tions ’til the sys­tem was clean.

Of course, after that hap­pened, I knew that the two main secu­ri­ty pro­grams sucked. I tried a few oth­ers that I keep installed to do scans just to check how well the main ones are doing, and they thought my sys­tem was clean, too. Well, clean but for every cook­ie I’ve ever allowed into a brows­er. Those, they scream about. <snark>That’s reas­sur­ing, because you know it’s far more wor­ri­some that some­body using a free site counter might know if I’ve vis­it­ed her site before than that my machine has become a zom­bie, spew­ing out spam and let­ting who knows who use it for nefar­i­ous purposes.</snark>

I was able to find the progress name and ser­vices that the tro­jan was using and removed those man­u­al­ly, so I could go back online to get more help. I tried four times, and was final­ly able to com­plete the online scan pro­vid­ed by Trend­Mi­cro. It claimed to have found 171 prob­lems, but crashed yet again when it was sup­posed to start try­ing to remove them. I went back to the site after a reboot and went through the whole dan­ged process again, only to be told that the sys­tem had only four pos­si­ble prob­lems (and none of them the guilty file!)

I final­ly cleaned out the infec­tion man­u­al­ly, search­ing for and exam­in­ing every file cre­at­ed or changed on the date in ques­tion. I found the ser­vices that were installed and removed them, too. I went through my reg­istry and every­thing else with a fine-toothed comb in a process that made my obses­sive-com­pul­sive traits a gift. The nasty is gone, and I ver­i­fied that it did­n’t get a chance to spread to any oth­er PCs on our LAN.

So, back to secu­ri­ty soft­ware research! I chose Bull AV this time, on the basis of inde­pen­dent test results. They rat­ed Bull, Nod32, and McAfees VirusS­can Enter­prise as best. I already hate McAfee, which left just the first two.

I found the Bull suite very sexy—it includes back­up capa­bil­i­ties with some free online stor­age space. It also had a two-month tri­al, which was nice. And Bull iden­ti­fied a fright­en­ing num­ber of prob­lems in old email archives. Syman­tec and sev­er­al oth­er pro­grams nev­er spot­ted them. These days, our mail serv­er has its own antivirus soft­ware and does a very good job of keep­ing such things away.

Bull was­n’t been so good about actu­al­ly clean­ing email infec­tions. It sup­pos­ed­ly works with Thun­der­bird, but it does­n’t do it very well. If there’s one sus­pi­cious email mes­sage in a fold­er or “mail­box,” Bull puts the entire fold­er into quar­an­tine, or just deletes it! That is not ide­al, to say the least.

It was also slow­ing down my sys­tem ter­ri­bly, so I moved on to Nod32. It does­n’t have the back­up, and only has a one-month tri­al. It does have attrac­tive pric­ing that is com­pa­ra­ble to Bul­l’s, and which takes the fact that most of us have mul­ti­ple com­put­ers in our homes into account. I like that.

It has­n’t slowed down my sys­tem appre­cia­bly, even with the fire­wall (and that’s rare). It has caught every test bit of nas­ti­ness I’ve tossed its way. It also deletes only the ques­tion­able mes­sage from mail fold­ers, rather than the whole fold­er that con­tains the mes­sage.

We’ve still got Bull run­ning on anoth­er PC, and it works just fine there with no appre­cia­ble slow­down. That machine is com­pa­ra­ble to this one, so I don’t know why there’s such a big dif­fer­ence. Right now, I’d hap­pi­ly rec­om­mend either Bull or Nod32.

A few days ago, a friend got hit with some­thing that sounds like a vari­ant of the mal­ware that hit my machine. He and his wife had a lot of trou­ble get­ting rid of it, and the tech sup­port peo­ple they spoke with claimed that none of the anti-mal­ware ven­dors have put out any updates that are real­ly reli­able against this par­tic­u­lar tro­jan.

I use Fire­fox, not MSIE. I’m very care­ful with its secu­ri­ty set­tings. Out­look does­n’t live on my machine at all. I don’t vis­it warez or porn sites. I do install and try a fair amount of soft­ware, but I’m fair­ly care­ful about mak­ing sure it comes from rep­utable sources. I kept the pro­grams I men­tioned mem­o­ry res­i­dent, ran full scans dai­ly, and used oth­er pro­grams to scan on a week­ly basis. I still got hit by a tro­jan. My friends are tech-savvy and very secu­ri­ty con­scious, too.

Please take a lit­tle time now to check your sys­tem and be sure your secu­ri­ty soft­ware is good (not just pop­u­lar), con­fig­ured prop­er­ly, and up to date. And that you use it!

2 comments to Malware Woes

  • GarlG

    I just got done clear­ing a very sim­i­lar prob­lem. The only A/V app I tried that would even see part of the prob­lem was Kasper­sky. Nor­ton, Trend, Macafee, spy­bot, and ad-aware were all obliv­i­ous. I end­ed rip­ping out most of it by hand using Hijack­This, autoruns, and got a lit­tle bit of help from super­spy­ware remover, and a cou­ple of scripts from MajorGeeks.com. Very nasty, very time con­sum­ing.

  • cyn

    I’m sor­ry that you had to deal with it, too. I hope we’ve seen the last of it here!