Thursday, December 06, 2007

Virus #2 (recommend reading Virus #1 posted earlier today first)

This one is all Peter's fault. (I will explain later.)

My computer got a nasty virus several days ago. It was found and deleted by Spybot 8 times in the last 5 days. Yesterday I discovered that every time I reboot the computer all of my protection software and firewalls are being disabled and have to be manually re-started every time, EVEN IF THEY ARE SET TO START AUTOMATICALLY ON START-UP!

Apparently with my firewall down the virus rewrites itself whenever it wants to. Today I decided to take the time to figure this one out. Here is the story of 6 hours of my life.

It all seemed so simple; if I can get my security to stop shutting off I will be fine. How naïve I was.

I started by researching the name of the recurring virus, FakeMSN8beta. I found several references but all of them were from late 2006 and the only solutions were to remove it with Spybot and all would be fine. Obviously what I have is a new nasty incarnation of this virus. By searching several other terms related to my problem I found a malware archive that included help for problems similar to but not exactly the same as mine.

The one constant thread was the suggestion that those requiring help use a program called HijackThis. I decided to get a copy and try it. In doing so, I learned how insidious this virus really was.

I typed “hijackthis” into yahoo search and explorer shut down. Weird.
I typed “hijackthis” into yahoo search and explorer shut down. Weirder.
I typed “hijackthis” into yahoo search and explorer shut down. Now I am mad.
I ponder this for a moment.
I typed “hijackthis” into the Google search and explorer shut down. Uhhhh?
I typed “hijackthis” into several other search engines and in each case Explorer shut down within seconds. Now I am worried.

I returned to the site that suggested HijackThis and kept reading. In one post I found the name of a site that offered it. I typed the URL into the top bar and within 3 seconds Explorer shut down. At this point I figure that this virus is REALLY nasty and wants to live.

More research finds a direct link to a download of the program. This means that I can link directly to and download the program without actually opening the parent site or typing the name. Finally I have the program. I run the program. I start reading the options I have and it shuts down. I try again with the same result. ARRRGGGHHHH.

I try to open it and start a scan as fast as I can. Sometimes it is able to reach 80% complete but it always shuts down. I am stuck. (and MAD)

I go back to the archive site I have been playing with and after several minutes I manage to figure out how to get back to the actual ongoing and up-to-date forum. This took a while as there was no direct link. It turns out that the site I had been directed to was a PDA-only archive site. I had to first find the link to transfer to the normal archive site and then from there I could go to the present-day forum.

It took 15 minutes, but I eventually found a person who was having nearly identical symptoms to mine, including the shut-down security and the trouble getting HijackThis to work. I read all 3 pages of the help file and then got to work.

I started by checking the version of HijackThis and discovered that I did not have the newest one. Some further searching turned up a direct link to the newest copy and I tried running it. Same problem. To fix this problem for the other person the tech suggested a program called HostsXpert. I download and run this program, follow the instructions and nothing changes. Unfortunately, it did change things for the person in the forum.

In an attempt to bypass whatever program is searching for references to HijackThis I open my task manager and reopen HijackThis several times until I discover that the only process that shows activity every time is one called lsass.exe. I try closing this process but get told that it is a required system process that cannot be shut off. I decided to switch to safe mode and try again.

In safe mode I am able to run HijackThis and finally get a log file of what processes and commands are present when I start my computer. I return to normal mode to compare my log file with the one from the help session. I discover that even the log file won't stay open. I notice that the log file's name starts with 'hijackthis', so I rename the file so that it does not contain the phrase 'hijackthis' and now it stays open.

I compare this list to the one in the help session and discover that most of the problem areas are the same but I am missing all the ones that relate to the blocking process. The virus was not active in safe mode so it doesn’t get logged. I delete all the problem command lines that I do have and try to find a new solution.

I search for the file that was to be removed in the forum help file and can’t find it. I am not really surprised, as I have also now learned that the virus has been changed to copy itself to a random file name which it then deletes from its memory. This is why Spybot can no longer delete it completely. It is able to delete the working file and all the components that it has written into the system, but the virus core is in an unknown location with a random name.

HijackThis still doesn’t work, but having seen my safe mode log I know what command line to look for. I start running HijackThis over and over and gradually read what it displays on the log screen before shutting down. I discover the missing lines about halfway down the page and, after several more attempts, I get the folder name and location on my computer.

I am able to find the basic folder in the windows system but it is empty. I re-read the forum help file and discover that it is a hidden file. I follow the instructions to reveal hidden files and IT APPEARS!!!!!! Then it disappears.

Apparently it is also programmed to return to hidden status if it is ever revealed. (rat fink….mutter….beat you….dirty…@$#$%....get you!) On my fourth try it stays revealed long enough for me to right-click and choose cut. I then paste it to a new folder in a different location, where it appears…and then disappears. I verify that it has just changed the properties of its new location to be hidden again, and after several tries I am able to open the folder. Inside I discover the suspected lsass.exe process.

Another restart brings a chain of errors warning me that several processes could not be started as the requested folder no longer exists where it is supposed to. I try running HijackThis and IT WORKS. I am able to remove all the virus-created command prompts and then go and delete the new folder I created along with the virus it contains.

A fresh restart and HijackThis check reveals that all the virus commands are gone. And what do you know…lsass.exe is also no longer listed as a running process. I guess it wasn’t really a required system process.

The final step is to run SDFix to correct the changed registry values that are causing my security to be disabled on startup. I load the program, switch to safe mode and then run it. It spends 10 minutes examining my registry and then tells me to reset my computer and that it will run again on boot up. This time the program seems to interrupt my normal log-in and compares what my log-in is trying to do with what my safe mode did.

After another 15 minutes it tells me that it has removed 2 lines from my registry and everything is back to proper Windows registry mode. My favorite of the two was "C:\WINDOWS\system32\taskkill.com". The name seemed appropriate. I reset again and discover that all my security now turns on properly. I re-run all my spyware programs and nothing is found. 6 hours have passed.
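The two signals that finally cracked this case, a process calling itself lsass.exe that was not the real one (a hidden folder that re-hid itself, a process that vanished once the folder was moved) and an autorun entry pointing at a .com file in system32, are both things you can check without fighting a window-killer by hand. The script below is an added example, not part of the original post and not one of the tools it mentions. It assumes an elevated PowerShell 3.0 or later on a Windows box; the "known good" lsass.exe is taken to be %SystemRoot%\System32\lsass.exe, started by wininit.exe (Vista and later) or winlogon.exe (XP). The registry keys it inspects are the standard Run/RunOnce and Winlogon locations; the filter for ".com" and "taskkill" is modelled on the entry the post saw SDFix remove.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell.
# Assumptions: the genuine lsass.exe is %SystemRoot%\System32\lsass.exe and its
# parent is wininit.exe (Vista+) or winlogon.exe (XP).

# 1. Every running process that calls itself lsass.exe, with its real image path
#    and parent. Anything outside System32, or with an unexpected parent, is suspect.
#    ExecutablePath of the real lsass.exe is only readable when elevated.
function Get-LsassImpostor {
    $expected = Join-Path $env:SystemRoot 'System32\lsass.exe'
    Get-CimInstance -ClassName Win32_Process -Filter "Name='lsass.exe'" | ForEach-Object {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($_.ParentProcessId)"
        $path   = $_.ExecutablePath
        [pscustomobject]@{
            Pid        = $_.ProcessId
            Path       = $path
            Parent     = $parent.Name
            Suspicious = ($null -eq $path) -or ($path -ine $expected) -or
                         ($parent.Name -notin 'wininit.exe', 'winlogon.exe')
        }
    }
}

# 2. Every file named lsass.exe under the Windows directory, hidden folders included
#    (-Force), with whether its folder is hidden and what Authenticode says about it.
#    Copies under WinSxS are normal component-store copies; a copy in a hidden folder
#    that is not System32 is the pattern described in the post. On older Windows the
#    real binary is catalog-signed and may report NotSigned here, so treat path and
#    hidden attribute as the primary signal, not the signature alone.
function Find-LsassCopies {
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $env:SystemRoot -Recurse -Force -File -Filter 'lsass.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path         = $_.FullName
                HiddenFolder = [bool]($_.Directory.Attributes -band [IO.FileAttributes]::Hidden)
                InSystem32   = ($_.DirectoryName -ieq $system32)
                Signature    = $sig.Status
                Signer       = $sig.SignerCertificate.Subject
            }
        }
}

# 3. Autorun entries in the usual Run/RunOnce keys and Winlogon that launch a .com
#    file or anything named taskkill. A legitimate taskkill is taskkill.exe and has
#    no business in an autorun; "taskkill.com" in system32 is what SDFix removed above.
function Get-SuspiciousAutoruns {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            $value = [string]$p.Value
            if ($value -match '\.com(\s|"|$)' -or $value -match 'taskkill') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $value }
            }
        }
    }
}

Get-LsassImpostor | Format-Table -AutoSize
Find-LsassCopies | Where-Object { $_.HiddenFolder -or -not $_.InSystem32 } | Format-Table -AutoSize
Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Two practical notes. First, the post's trick of renaming the HijackThis log so it no longer contains "hijackthis" worked because the killer matched on the name; the same applies to the tool itself, and the script above does not carry any such name in its own file name or window title, so a killer of that kind has nothing to match on. Second, on a machine where the only lsass.exe reported is in System32 with parent wininit.exe or winlogon.exe, the "impostor" check is clean; the real lsass.exe is a required system process and the post's closing remark refers only to the copy that was living in the hidden folder.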

The forum help file I used as a reference is HERE if any of you want to see it directly.

Now…this is why I blame Peter. Last week Peter tried to send me some pictures on MSN Messenger. I had to leave, so I asked him to send them later. As I was getting ready to shut the computer down on Friday night, Messenger opened and I got a message that said “The pictures you wanted can be downloaded here,” followed by a link. The message said it had been sent from Peter's account. I opened the link, which started downloading a program. When it finished it asked if I wanted to run it. I clicked yes and then nothing happened.

I then went to Messenger to ask Peter a question and discovered that he was not listed as being connected. The next morning, when I turned the computer on, all my problems started. So even though he was not logged on, the virus said it came from Peter.

Thanks Pete, I owe you one.

Hee, hee.

1 Comment:

At 9:34 PM, Anonymous Anonymous said...

my friend and colleague chris (the tech guy) is cursing with you
but i downloaded the same thing 2 times

and i got it from katie moore
