•Wednesday, December 24, 2008
So, I picked up this really nasty bastard Trojan called Rapid Antivirus. This has been one heck of a hard piece of work to beat and I've been doing work on it daily since last Tuesday.
First the thing pops up a few porn links on your desktop which upon deletion, instantaneously reappear. They're also setup such that they can't be rename or the destination link altered. After that, it brings up a popup on the task bar telling you that your computer has been infected either with itself or with other fake items. It dresses in Windows Defender getup to try and look legit. Paying attention to this sucker causes it to install the full blown program which then asks you to hand over money to remove itself. You can "uninstall" but it isn't really gone and if ignore continues to create error messages about viruses and other fake safety concerns. It even generates a false blue screen of death and pretends to shut your computer down.
But it gets better. Rapid antivirus then hijacks your browser. In the full blown hijack mode it basically prevents you from going to most websites, either redirecting you to something different somewhere within where you'd like to go or otherwise redirecting to a blog entitled "Why I hate Spyware". The makers of this little beast have done some research into the methods which are most commonly used to wipe out their little Trojan and extended its functionality such that it can prevent the two programs that will find and kill it from installing or running on the computer. Of course, the other eight programs I used didn't quite remove the whole thing.
I had managed to chop it down a fair bit. No registry entries (or so I thought), no porn links, no task bar annoyances, no error messages, no false blue screen of death and a semi functional browser. The semi functional bit was the last clue. I still couldn't access the Malwarebytes website along with anything that seemed to have a definitive answer to solving the problem and a few other randoms such as neopets (WHY?). That and when I did get my hands on a copy of Malwarebytes install program through other sources, it wouldn't open.
Fortunately, a clue from one site I did have access to and a little bit of the know how meant I could get it to work and sure enough, a stack load of DLLs and another two registry entries (one to kill my active desktop and the other to keep itself alive) were found and destroyed!
My goodness... the run around has been awesome. I've been installing all sorts of programs and looking at processes, active X, registry entries, combing dlls and jumping in and out of safe mode. Malwarebytes in safe mode was the absolute last line before a format and clean install of windows.
I may still do that anyway to clear out all the extraneous matter on the computer and speed her up but I didn't want to do that without first beating the virus. I'd done it once before but it was nowhere near this kind of drama! However, I can finally claim VICTORY!
In the meantime, I've got an infected callus on my hand (WTF?), I'm back at work and enjoying it, Christmas is tomorrow, my cousin found me on facebook, we got awesome cutlery from my sister's family for Christmas & a sandwich iron from mum & dad, I can now deadlift 80kg, got my interval timer & some interesting DVDs from ebay, got my favourite organiser diary for Christmas, finally used up the last of the Matrix Orange Cream and used our dryer for the first time!
First the thing pops up a few porn links on your desktop which upon deletion, instantaneously reappear. They're also setup such that they can't be rename or the destination link altered. After that, it brings up a popup on the task bar telling you that your computer has been infected either with itself or with other fake items. It dresses in Windows Defender getup to try and look legit. Paying attention to this sucker causes it to install the full blown program which then asks you to hand over money to remove itself. You can "uninstall" but it isn't really gone and if ignore continues to create error messages about viruses and other fake safety concerns. It even generates a false blue screen of death and pretends to shut your computer down.
But it gets better. Rapid antivirus then hijacks your browser. In the full blown hijack mode it basically prevents you from going to most websites, either redirecting you to something different somewhere within where you'd like to go or otherwise redirecting to a blog entitled "Why I hate Spyware". The makers of this little beast have done some research into the methods which are most commonly used to wipe out their little Trojan and extended its functionality such that it can prevent the two programs that will find and kill it from installing or running on the computer. Of course, the other eight programs I used didn't quite remove the whole thing.
I had managed to chop it down a fair bit. No registry entries (or so I thought), no porn links, no task bar annoyances, no error messages, no false blue screen of death and a semi functional browser. The semi functional bit was the last clue. I still couldn't access the Malwarebytes website along with anything that seemed to have a definitive answer to solving the problem and a few other randoms such as neopets (WHY?). That and when I did get my hands on a copy of Malwarebytes install program through other sources, it wouldn't open.
Fortunately, a clue from one site I did have access to and a little bit of the know how meant I could get it to work and sure enough, a stack load of DLLs and another two registry entries (one to kill my active desktop and the other to keep itself alive) were found and destroyed!
My goodness... the run around has been awesome. I've been installing all sorts of programs and looking at processes, active X, registry entries, combing dlls and jumping in and out of safe mode. Malwarebytes in safe mode was the absolute last line before a format and clean install of windows.
I may still do that anyway to clear out all the extraneous matter on the computer and speed her up but I didn't want to do that without first beating the virus. I'd done it once before but it was nowhere near this kind of drama! However, I can finally claim VICTORY!
In the meantime, I've got an infected callus on my hand (WTF?), I'm back at work and enjoying it, Christmas is tomorrow, my cousin found me on facebook, we got awesome cutlery from my sister's family for Christmas & a sandwich iron from mum & dad, I can now deadlift 80kg, got my interval timer & some interesting DVDs from ebay, got my favourite organiser diary for Christmas, finally used up the last of the Matrix Orange Cream and used our dryer for the first time!
|
0 comments: