Saturday, December 18, 2010

Virus Attack!

One of our computers, a 32-bit Vista laptop, recently became infested with a virus. Using either Google or Yahoo, and then clicking on a result, the browser would first go briefly to several other sites before going to the selected URL. It appeared that the virus may have been a money-earner, clicking on ads that brought someone a profit. I also got repeated popup messages that the computer was running out of disk, or out of memory, or out of "resources." None of that was true, but the computer did seem slow.

The antivirus software, Microsoft Security Essentials (MSE), looked green (OK) in the system tray, but it would not update itself, reporting an error. After reboots to "safe" mode, MSE looked red or didn’t appear at all, and the browser still misbehaved. Also, various system services would shut down, and the more I investigated, the more the virus seemed to react and shut things down.

I was able to download Malwarebytes anti-malware, update it, and perform a scan, which came up with three results:
  • rogue.installer registry key
  • spyware.passwords.xgen in the recycle bin, and
  • rogue.hddscan in a temp directory
Malwarebytes attempted to clean them and said that it had done so. But the bug was still there after a reboot to “safe” mode. Another downloaded spyware scanner ran much more slowly but came up empty.

I reverted the drive to a previous time, before the symptoms had appeared, but that didn’t help. I eventually reverted the drive to the earliest available restore point, weeks earlier, and that didn’t help either. So:
  • Either the bug had installed itself in the Master Boot Record, or
  • It had attached itself to a program that always gets started at boot, and had done so without the change being noticed by the system restore software.
I suspect that it had attached to Java Updater (jusched.exe), which is started at every reboot. I can’t prove it - just a suspicion, based on a couple of observed symptoms.

Fortunately, I had made a complete disk image of that laptop on an Iomega 2 TB external drive just six weeks earlier, using Macrium Reflect (free). Macrium restored the drive in about an hour, including the Master Boot Record, and the problem was gone. Files in the lost six weeks were then restored from more-recent partial backups. Apparently nothing of value was lost, except a lot of my time.

The virus may also have posed other risks, of which we are not aware:
  • It might have been a keylogger, sending keystrokes back to someone;
  • It may also have tried to find personal data and send that;
  • It could have tried to send virus-laden emails to our mailing list; and
  • It may have tried to infect other computers on the network.
I did have the computer disconnected from the network except when downloading the virus scanners, and so far, no other computer has shown symptoms of the infection. There is no indication that emails were sent - no backscatter from virus checkers or bad email addresses. This particular computer does not contain much personal data, and we have taken steps to deal with the keylogger possibility, including changes in passwords and a new IP address.

How did the virus get in? Windows and Internet Explorer (IE) were entirely up to date. I checked recent emails, and that doesn’t seem to be the path. It may have come through Java, which was not quite up to date - I know for certain that the same computer was infected through Java a couple of years ago. Perhaps it did come in through Internet Explorer itself, or one of the many browser extensions - this computer was still running IE7 rather than the newer IE8. I’ll never know for sure, but Java is now up to date and Internet Explorer is now IE8. Was it a virus, or a worm, or a trojan? Who cares, it was destructive.

What a pain. Wouldn’t you just love to get hold of the cowardly creeps who write viruses like that and cause other people so much grief? What kind of "man" (woman?) is that intelligent, and yet so incompetent that they have to make a living by deliberately hurting other people?