Impossible Malware - My Story



Tenspace
2008-11-01, 16:58
It happened again. Sitting on my computer this morning, I was browsing the news and such from various sites I visit each day. All my Internet Explorer windows were closed, when I decided to open IE again and visit another site. I was greeted with a dialog box that read, "Your computer might be infected." It went on to explain how I should download "Anti-Virus 2009", and how it was "recommended".

Sounds like typical malware. But I thought my system was clean. Here's why:
About ten days ago, I got hit by virtumonde. Bad. I don't remember the initial cause, though I'm guessing one of my son's friends was using my machine and either visited somewhere he shouldn't have, or attempted to download/install cracked software (as an aside, I'm not here to discuss the evils of downloading cracked stuff... my machine was clean and all MS and other software is properly activated and verified).

A few days before this happened, I couldn't get my sound card to work. Tried everything, including the plug-and-play software enumerator trick. It would work from within Media Player, but showed as "no device installed" in Device Manager. It had been over two years since my last reformat/reinstall, and I wanted to reverse my 80GB primary/250GB secondary configuration anyway, so what the heck, let's reformat. I backed everything important off to another machine via my network, physically swapped the IDE jumpers on the two drives, reinstalled Windows and a host of other software. Everything was fine, until the malware windows started popping up in IE (at this point, I did find an entry in my history to something like freecracks.ws, and a copy of some mapmaking utility for Ultima Online installed).

Regardless of the root cause, I immediately went into lockdown mode. I read the latest info I could find on virtumonde, and went through the steps to clean it off. I think I would have been successful, but my attempts were foiled by a corrupted lsass.exe, which wouldn't even let me log on in safe or recovery modes. Oh well, let's reformat/reinstall again. One thing I noted during this removal procedure, using a program called Unlocker, was that there were file locks associated with many non-executables, including .mp3 files. I'm a big fan of garageband.com, and have many files from upcoming artists I discovered on that site, as well as about fifty originals from my band.

After reformatting, reinstalling Windows and all my applications, everything was running great; it was almost like having a new machine. Until I started having sound problems again. Keep in mind, all Windows hotfixes were applied, all the executables like Media Player, JetAudio, iTunes, etc. were re-downloaded. I didn't install anything from the old backup. My sound problems "sounded" like encoding errors, like it was playing a 48kHz song at 44kHz. I fooled with codecs and sound card settings for about an hour in iTunes, then I decided to try Media Player and noted that the song played with no problems. This led me to believe the ID3 tags on my songs became corrupted when copying them back and forth. Weird, I thought, but I've seen weirder things happen in my thirty years of computing.

Up until this time, I had been playing the first couple seconds of the song to determine if the problem was fixed or still occurring. I decided to let a song play all the way through in Media Player, and Bam! Ten seconds in, I get about a dozen dialog boxes extolling the virtues of downloading anti-virus software. The damn malware was hiding in my mp3s, which is why they wouldn't play normally from iTunes or JetAudio (but they would with MP11). Luckily, I had a backup from several weeks ago of most of my music, so it wasn't a big deal to just delete the mp3s. Just to be sure things were clean, I again reformatted my system and reinstalled my software from original discs, redownloaded all the hotfixes and patches, etc.

I killed the offensive mp3s - note, the only infected files were those in My Documents > My Music. Game music files and files located in other folders weren't affected. Then, I ran several programs - CCleaner, Spybot, Malwarebytes, MGtools, etc. - as per the specific instructions on cleaning a Windows XP machine found at majorgeeks.com. Everything looked clean, and I had no more system problems.

Until about fifteen minutes ago. I opened that window, and up came another dialog box for Anti-Virus 2009 (recommended), so I immediately went to Spybot S&D, grabbed the latest updates, and started a fresh scan, which came back, as expected, clean. I did notice last night that Process Explorer showed an instance of iexplore.exe running when I had no open windows. Then, it hit me. I ran CPU-Z, from the old backups, yesterday morning. Grr. It must've been hiding a copy of whatever malware is causing this.

Now, I haven't checked my mp3's, and I haven't attempted to clean everything again. I really don't want to go through a wasted day of reformatting and reinstalling, so I thought I would spill my guts to you (sorry for the length of the article, writing is keeping me from getting really angry and taking it out on the pet goldfish).

What I'm asking is, any advice on how to proceed from here? I'm about to do the majorgeeks.com thing again - you can find the link here and here.

Is there anyone out there willing to work with me on this, peruse my hijackthis file or whatever, and see if we can solve it so I don't have to do a complete reinstall?

Thanks for taking the time to read this, and I hope some of you learned a few things from my experience. Like mp3 files can store malware, which is something I didn't know.
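One practical check a defender can run over a music folder before restoring it, offered here as an added example that is not part of the original thread or of any tool the poster used: confirm that every file named `.mp3` actually begins with an ID3v2 tag and/or a valid MPEG audio frame, and flag files that are really another container (the 16-byte ASF header GUID of WMA/WMV files is checked explicitly) or that carry URL strings inside the audio stream rather than in the tag. The assumption behind the script is that a poisoned "mp3" is most likely a renamed file of a different type or an audio file with foreign data appended; the sample byte strings at the bottom are constructed for the demonstration, not taken from the thread.

```python
"""Audit *.mp3 files to confirm they really contain MPEG audio.

Added example, not from the forum thread. Assumption: a malicious "mp3"
is usually a different container renamed to .mp3, or an MPEG file with
a URL-bearing payload in the audio stream. Both cases are flagged for
human review; nothing is deleted.
"""
import re
from pathlib import Path

# GUID that opens every ASF (WMA/WMV) file, in on-disk byte order.
ASF_HEADER_GUID = bytes.fromhex("3026B2758E66CF11A6D900AA0062CE6C")
# Loose URL matcher; used only to locate candidate strings for review.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}", re.IGNORECASE)
SCAN_LIMIT = 1 << 20  # only the first 1 MiB of each file is examined


def id3v2_size(data: bytes) -> int:
    """Return total ID3v2 tag length (header + body [+ footer]), or 0 if absent."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    # Tag size is a 28-bit "syncsafe" integer: four bytes, 7 bits each.
    body = 0
    for b in data[6:10]:
        if b & 0x80:
            return 0  # high bit set -> not a valid syncsafe byte
        body = (body << 7) | b
    total = 10 + body
    if data[5] & 0x10:  # footer-present flag adds a 10-byte footer
        total += 10
    return total


def is_mpeg_frame(data: bytes, offset: int) -> bool:
    """True if a plausible MPEG audio frame header starts at offset."""
    if offset + 4 > len(data):
        return False
    b0, b1 = data[offset], data[offset + 1]
    sync_ok = b0 == 0xFF and (b1 & 0xE0) == 0xE0  # 11-bit frame sync
    version_ok = (b1 & 0x18) != 0x08              # '01' is reserved
    layer_ok = (b1 & 0x06) != 0x00                # '00' is reserved
    return sync_ok and version_ok and layer_ok


def classify(data: bytes) -> str:
    """Label the container by its leading bytes, ignoring the file name."""
    if data.startswith(ASF_HEADER_GUID):
        return "asf"
    if data.startswith(b"RIFF") and data[8:12] == b"WAVE":
        return "wav"
    if data.startswith(b"fLaC"):
        return "flac"
    start = id3v2_size(data)
    if is_mpeg_frame(data, start):
        return "mp3"
    if start:
        return "id3-tag-without-mpeg-audio"
    return "unknown"


def audit_bytes(name: str, data: bytes) -> dict:
    """Audit one file's leading bytes and report what a reviewer should look at."""
    container = classify(data)
    tag_end = id3v2_size(data)
    hits = list(URL_RE.finditer(data[:SCAN_LIMIT]))
    urls = [m.group().decode("ascii", "replace") for m in hits]
    # URLs inside the ID3 tag are ordinary (artist/web frames); URLs sitting
    # in the audio stream itself are not, so only those raise the flag.
    url_in_stream = any(m.start() >= tag_end for m in hits)
    mismatch = name.lower().endswith(".mp3") and container != "mp3"
    return {
        "name": name,
        "container": container,
        "urls": urls,
        "suspicious": mismatch or url_in_stream,
    }


def audit_folder(folder: str) -> list:
    """Walk a folder and return audit records for every *.mp3 found."""
    records = []
    for path in Path(folder).rglob("*.mp3"):
        with open(path, "rb") as fh:
            records.append(audit_bytes(str(path), fh.read(SCAN_LIMIT)))
    return records


# Constructed samples (not real files): an ordinary MP3 whose ID3 tag
# holds a web link, and a WMA/ASF container renamed to .mp3 that carries
# a URL in its body.
SAMPLE_GOOD = (
    b"ID3\x03\x00\x00\x00\x00\x00\x0b"   # ID3v2.3 header, body size 11
    + b"http://a.b/"                      # 11-byte tag body containing a URL
    + b"\xff\xfb\x90\x00" + b"\x00" * 32  # MPEG-1 Layer III frame header + padding
)
SAMPLE_FAKE = ASF_HEADER_GUID + b"\x00" * 8 + b"http://example.invalid/license"

if __name__ == "__main__":
    for rec in (audit_bytes("song.mp3", SAMPLE_GOOD), audit_bytes("track.mp3", SAMPLE_FAKE)):
        print(rec)
```

Run it against a real folder with `audit_folder(r"C:\Users\you\Music")`; anything reported as `suspicious` deserves a look (or quarantine) before it goes back onto a freshly rebuilt machine, while the `urls` list on an unflagged file is there only so a reviewer can see what the tag links to.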

Terminator
2008-11-01, 17:15
Follow the information listed HERE (http://forums.spybot.info/showthread.php?t=1266) and post the requested information in the Malware Removal Forum.

md usa spybot fan
2008-11-01, 17:21
Tenspace:

As an alternative to posting at MajorGeeks, consider posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum on this site and having someone take a look at your system. Follow the instructions here:
"BEFORE you POST"(READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
After completing those steps, start a new thread (topic) in the following forum (making sure to include the HijackThis log and online scan logs produced from the instructions above):
Malware Removal
http://forums.spybot.info/forumdisplay.php?f=22

Tenspace
2008-11-01, 18:38
Thanks for the responses. I'll follow the links and follow your instructions.