The antivirus software, Microsoft Security Essentials (MSE), showed green (OK) in the system tray, but it would not update itself and reported an error. After rebooting into Safe Mode, MSE showed red or didn’t appear at all, and the browser still misbehaved. Various system services would also shut down, and the more I investigated, the more the virus seemed to react by shutting things down.
I was able to download Malwarebytes anti-malware, update it, and perform a scan, which came up with three results:
- rogue.installer registry key
- spyware.passwords.xgen in the recycle bin, and
- rogue.hddscan in a temp directory
I used System Restore to revert the system to a restore point from before the symptoms had appeared, but that didn’t help. I eventually reverted to the earliest available restore point, weeks earlier, and that didn’t help either. So:
- Either the bug had installed itself in the Master Boot Record, or
- It had attached itself to a program that always gets started at boot, and had done so without the change being noticed by the system restore software.
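The second possibility, a program that is started at every boot, can be checked from a clean boot by listing the common autostart locations and flagging entries whose target file is missing or carries no valid Authenticode signature. The script below is an added example, not something the author ran or part of the original post; it is read-only, assumes an elevated PowerShell prompt (2.0 or later) and covers only the Run/RunOnce keys and auto-start services, not the MBR itself.

```powershell
# Added example (not from the original post): enumerate common Windows autostart
# locations and flag targets that are missing or not Authenticode-signed.
# Read-only; run from an elevated PowerShell prompt.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Extract the executable from a command line such as "C:\dir\app.exe" /arg
# or C:\Program Files\dir\app.exe -k (unquoted path containing spaces).
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"')     { return $matches[1] }
    if ($CommandLine -match '^\s*(.+?\.exe)\b')  { return $matches[1] }
    return $CommandLine.Trim()
}

$entries = @()

# Registry Run/RunOnce entries for the machine and the current user
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $p.Name; Path = (Get-ExePath $p.Value)
        }
    }
}

# Services configured to start automatically at boot
Get-WmiObject Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    $entries += New-Object PSObject -Property @{
        Source = 'Service'; Name = $_.Name; Path = (Get-ExePath $_.PathName)
    }
}

# Resolve each target and record whether it exists and is validly signed
foreach ($e in $entries) {
    $path = [Environment]::ExpandEnvironmentVariables($e.Path)
    if ([string]::IsNullOrEmpty($path) -or -not (Test-Path -LiteralPath $path)) {
        $status = 'FILE MISSING'
    } else {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
    }
    $e | Add-Member -MemberType NoteProperty -Name Signature -Value $status
}

# Unsigned or missing targets, especially under Temp or AppData, are the
# entries to review first; compare against a known-good machine if available.
$entries | Sort-Object Signature | Format-Table Source, Name, Signature, Path -AutoSize
```

A clean result here does not rule out the first possibility (a modified Master Boot Record) or other autostart points such as scheduled tasks and browser add-ons; it only narrows down where the persistence is not.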
Fortunately, I had made a complete disk image of that laptop on an Iomega 2 TB external drive just six weeks earlier, using Macrium Reflect (free). Macrium restored the drive in about an hour, including the Master Boot Record, and the problem was gone. Files in the lost six weeks were then restored from more-recent partial backups. Apparently nothing of value was lost, except a lot of my time.
The virus may also have posed other risks, of which we are not aware:
- It might have been a keylogger, sending keystrokes back to someone;
- It may also have tried to find personal data and send that;
- It could have tried to send virus-laden emails to our mailing list; and
- it may have tried to infect other computers on the network.
How did the virus get in? Windows and Internet Explorer (IE) were entirely up to date. I checked recent emails, and that doesn’t seem to be the path. It may have come through Java, which was not quite up to date - I know for certain that the same computer was infected through Java a couple of years ago. Perhaps it did come in through Internet Explorer itself, or one of the many browser extensions - this computer was still running IE7 rather than the newer IE8. I’ll never know for sure, but Java is now up to date and Internet Explorer is now IE8. Was it a virus, or a worm, or a trojan? Who cares, it was destructive.
What a pain. Wouldn’t you just love to get hold of the cowardly creeps who write viruses like that and cause other people so much grief? What kind of "man" (woman?) is that intelligent, and yet so incompetent that they have to make a living by deliberately hurting other people?