Saturday, February 23, 2008

How I Conquered a Virus

Today, I've outwitted one of the most formidable computer viruses that I've ever encountered.
I turned on my PC this morning when all of a sudden, my NOD32 Antivirus software detected a potentially dangerous malware called Adware.SecToolbar just a few minutes after the desktop loaded. It actually appeared twice, but the prompts noted that the file had been moved to quarantine, so I went on with my business as usual, confident with Mr. NOD32. However, I noticed that my PC was running unusually slow (unusual even for Windows Vista). Alas, I opened a My Computer window and out came a suspicious pop-up window which said something like:
NOTICE: If your computer has errors in the registry database or file system, it could cause unpredictable or erratic behavior, freezes and crashes. Fixing these errors can increase your computer's performance and prevent data loss.
Would you like to install SysProtect for free? (Recommended)
I knew right then and there that my PC had caught a bug, the nasty adware/spyware sort. I clicked on 'Cancel' on the pop-up. Regardless, my browser automatically opened a site for an apparently bogus PC-fixer software. To those who can't tell between legitimate and illegitimate software: you can always look up the name of the suspicious software on Google. Nevertheless it's always inadvisable to follow a strange pop-up's advice.
Later on, I noticed that whenever I opened My Computer, the window closes after a few seconds, and when I opened My Documents the Windows Explorer crashes and refreshes.
I resorted to scan my PC with NOD32, but it found no threats. I then tried System Restore and reset the system to an older time. But it did not disable the virus, and the pop-up thing started again.
I searched the net for some tips by typing in keywords related to the symptoms of the virus infection and found a forum dedicated to removing spyware called Spyware Warrior. There, I learned about an application that could log all running process on your computer and output it as a text file, for diagnostic purposes. It's called HijackThis, and it allows one to detect and stop running processes on your PC. However, it doesn't distinguish between good and bad processes, and so there's the risk that my PC could go into a worse situation if I mistakenly disabled the good ones.
I checked my startup files through MZ StartUp Manager, and saw a lot of entries with weird names. I disabled them immediately. I also checked the log output of HijackThis and saw some dll files with similarly weird names, so I disabled them also.
I then thought of seeking the help of AntiVir (a.k.a Avira), one of the more reputably effective anti-malware programs available. I downloaded the free version called AntiVir Personal Edition Classic from its developers' website, and installed it, despite my knowledge of a theory that one should not have more than 2 anti-viruses in one PC. To be safe though, I disabled my NOD32 while I started scanning with my new Avira.
However after installation the AntiVir On-Access Guard started to prompt about infections ceaselessly, and although I chose "Delete" in every prompt, another prompt would follow. The prompts got so many, I had no other choice but to disable the Guard. However, I was able to find out my foe's identity. It was labeled a Trojan variant called "Vundo", and it seemed to run on a system file called nnnno.dll. I checked the net and found out that the Vundo virus creates several bogus dll's in C:/Windows/system32. I tried to delete them, but they all produced an Access Denied error.
I stopped some more suspicious processes via ProcessExplorer, and disabled some more entries from the HijackThis log. I searched the net for Vundo-removal tips, and found a program specialized in removing this sort of virus called VundoFix. I downloaded and ran the application, and it searched for the fake dlls and other rootkits, and seemed like it crashed my system. But my PC just rebooted and afterwards, the pop-ups were all gone! My PC was back to normal and rid of the dreaded Vundo, save for some left-over system files (but were easily detected and deleted by Avira).
Whew, what a workout! It took me all afternoon to get rid of the damn thing.

So after all that, it seems necessary that I impart some of my updated knowledge about destroying malware and viruses in PCs:
  1. Some of the symptoms of virus infections include reduced PC performance, unwanted pop-ups, unusual behavior, and frequent crashes. If you notice any of these symptoms, search on the net for possible solutions using keyword related to the symptom, e.g. "my documents folder closes unexpectedly"
  2. Try first some of the local applications like System Restore and Disk Cleanup. If they won't work, download useful tools such as HijackThis, ProcessExplorer, and MZ StartUp Manager to detect suspicious or unwanted processes and stop them before they wreak more havoc.
  3. Although having two antiviruses running at the same time on your PC can cause instability and crashes, it's ok if one of them is disabled while the other one scans. Each antivirus software has its strengths and weaknesses, so it might be useful to test more than one software on a possible virus infection. In my case, it seems that NOD32 was powerless compared to Avira, but the latter was also limited by file permission restrictions created by the virus. However, once the virus was disabled by the specialized VundoFix, Avira was efficient in cleaning up the leftovers.
  4. Always backup your files in case of a virus infection such as this.
  5. Do NOT download software before researching its reputation in other websites.
  6. Do NOT mess with system registry files if you don't know what you're doing, else your PC could crash. If unsure, you can post your HijackThis log file on a forum dedicated to removing malware, such as SpywareWarriors, and let the experts help you.
  7. Be very careful when surfing sites you don't know. Although I'm not sure exactly where I got the Vundo, I kind of suspected it to come from a site that provided keygens and cracks. Talk about bad karma.

1 comments :

  1. Anonymous said...

    good for you