Life in the Land of the Rising Sun

Thursday, February 19, 2009

What...the...F...?

It all started when I noticed that Safari, the browser I use on my work laptop, was starting to act goofy. When I typed text for any length of time it would suddenly start running really slowly even when the Windows Task Manager said I was using hardly any of my available processor power and memory and the hard drive was quiet. The last straw was when it unexpectedly froze up on me twice in one day, both times when I was halfway through a new Wikipedia entry (i.e. all of it lost). Something was definitely up.

Mindful of Snabulus' recent infection troubles, I did a full virus scan, which came up clean, but that was also something of a dilemma. All computers connected to the LAN at work are obliged to use Trend Micro's Virus Buster, installed from and controlled by the server. (When I first connected to the network and registered, it automatically uninstalled AVG on my machine before inserting itself.) The problem was that Snabulus discovered that Virus Buster, for all its size, expense, and hype, proved the least effective when tested along with several other virus scanners on his impacted machine. Since it is a well-known product, it seems to be easily defeated by virus writers. That led me to take a cue from Snabulus' experience and try something different. I proceeded to download and install a free virus scanner available on the internet. (I won't say which one since it's a work rather than home computer, i.e. I'm not really supposed to use it.) I then ran an initial scan, and voilà!

Two Trojan horse viruses found on my C drive, both of a lesser-known type that has mainly been seen in Japan and Germany.

I'm totally puzzled as to how they got there. Since it's my work laptop, I don't really websurf with it, sticking mainly to certain, trusted sites. The only e-mail messages I've accessed with it have come from people and locations I know well, and the only attachments I'm aware of were all official documents (and it has been a long time since the last one arrived). The only other possibility I can think of was that it arrived via an infected flash drive, since I had to use a couple to check students' work. At any rate, something got on my machine and downloaded things into it that I didn't want.

The free virus scanner removed the files without any problem. There also don't seem to be any suspicious entries in my running processes list. I haven't yet looked at my registry, so I don't know what evils might be lurking there. I hope that the problem is solved, but I can't be sure. How can I deal with a problem when I don't know how it got there in the first place? Especially when this particular virus is a bit more obscure and thus doesn't have much information available? At any rate, Safari is working properly now, and I've noticed that Virus Buster has gone back to conducting lengthy scans on bootup, something I'm surprised I didn't notice wasn't happening. (Maybe I was just happy that bootup time had been magically reduced to under fifteen minutes and therefore didn't look a gift horse in the mouth. My bad, I guess.)

Curiouser and curiouser.

11 Comments:

  • Sorry about the trouble.


    To disable Autoplay in XP:

    http://www.howtogeek.com/howto/windows/disable-autoplay-of-audio-cds-and-usb-drives/

    To disable Autoplay in Vista:

    http://www.howtogeek.com/howto/windows-vista/disable-autoplay-in-windows-vista/

    Hopefully you got the junque cleared out.

    Word Verification: cativit - I'll be the juditudge of that.

    By Blogger Don Snabulus, at 6:23 AM  

  • Moody, I'm on a Mac and fortunately it doesn't seem to be as susceptible to the nasty viruses. BUT a while back Firefox started shutting down regularly. This simply had not happened before. Then somehow I made the connection that this had begun happening after an HTML-formatted email had arrived from a gallery client. A perfectly lovely gallery client who was advising us of her new online morning meditation offering. Guess what? I deleted that email and so far--knock on my hard drive--no shutting down of Firefox. I don't know if her email was infected, or if her particular HTML was wildly incompatible with my internet connection. Or what (the f). Really weird.

    I'm glad your own machine has bounced back, full of vim, vigor, and downloads.

    By Blogger San, at 8:36 AM  

  • It is possible for a virus to become resident on a web page, especially if someone hacks the unsuspecting host and puts it there. In addition, various computers ping network addresses looking for holes or PCs that aren't sufficiently protected. That is why you need a decent firewall as well as antivirus protection. Although I had been using McAfee for that, I found that it was inadequate, so I switched to Zone Alarm Security Suite and Zone Alarm Forcefield. I also use Prevex, which is fast and doesn't interfere with the Zone Alarm antivirus.

    By Anonymous Dave, at 11:48 AM  

  • Well, I found out today that other computers connected to the school LAN suffered a similar infection, and the culprit is most likely those cheap flash drives they distributed to all the 10th grade students for their science projects. Basically, the students put all their work on their flash drive (pen drive, whatever) and submit that to their teacher supervisors for checking. The problem is that the students use those things with their home computers...which may be infected as the result of careless surfing. The students then unwittingly bring the viruses back with them and wind up infecting their teachers' machines.

    Trend Micro and Windows Defender are back to working normally on my work laptop, so I think the problem is cured for now.

    By Blogger The Moody Minstrel, at 10:43 PM  

  • Glad things are better. If you use the instructions for disabling Autoplay above, one avenue of attack on flash drives will be eliminated. MS Word/Excel/Powerpoint viruses can still get through, but those programs typically default to warning you before executing macros. If you say no, then you should be in much better shape.

    By Blogger Don Snabulus, at 4:19 AM  

  • I always shut down things that try to run without my permission.

    My Avast! Antivirus has taken good care of me so far. I did use AVG, but I find Avast much smoother and less intrusive while still getting the job done in the background.

    By Blogger Olivia, at 4:36 AM  

  • And then there is Goon's method of antivirus control. Reach into the case and start yanking wires!

    By Anonymous Dave, at 9:19 AM  

  • Hwah?

    You said you wouldn't say anything about that!

    By Anonymous Goon, at 8:52 PM  

  • Just a small trick I found out..

    For those geeks like me who want a firewall-less computer yet free from virus / spyware / anything dirty..

    1) Disable AutoPlay on removable drives. Use Tweak UI (http://www.microsoft.com/windowsxp/Downloads/powertoys/Xppowertoys.mspx)

    2) Enable Show Hidden Files / Folders

    3) Enter the removable drive (CD / pendrive) by typing the drive letter in the address bar, and you WON'T get the virus.
    (Do NOT open the drive by double clicking it / right click open; those two TRIGGER the virus in the drive.)

    4) Once you enter the drive through your address bar, you MIGHT see autorun.inf and an unknown executable file (If the pendrive's infected).

    5) Do NOT open the unknown exe. Instead, Shift+Delete it.

    And that's how I disinfect pendrives without firewall / AV. I'm still clean till now.

    Hope I didn't sound too cocky or something, I'm just sharing my little tip, :þ

    By Blogger ❤ IceGlacial™ ❤, at 11:48 PM  
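The check in steps 3 to 5 above can be done without touching the drive's contents at all. This added example (not code from the post or any commenter) reads an autorun.inf and reports which program Windows would run if the drive were AutoPlayed or opened from Explorer, so an infected pen drive can be recognised before anything on it executes. The sample autorun.inf and the file name in it are constructed.

```python
# [autorun] keys whose value names a program that Windows runs when the
# drive is AutoPlayed or opened via Explorer's default/context-menu action.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")
EXEC_EXTS = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def parse_ini(text):
    """Minimal INI parser: {section: {key: value}} with names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launched_program(value):
    """Program path named by a launch directive, minus quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def assess_autorun(text):
    """Report what an autorun.inf would launch and whether it spoofs AutoPlay."""
    autorun = parse_ini(text).get("autorun", {})
    launches = []
    for key in LAUNCH_KEYS:
        if key in autorun:
            prog = launched_program(autorun[key])
            launches.append((key, prog, prog.lower().endswith(EXEC_EXTS)))
    # action= is the text shown in the AutoPlay dialog; worms set it to the
    # wording of Explorer's own "Open folder to view files" entry.
    action = autorun.get("action", "").lower()
    return {"launches": launches, "mimics_open_folder": "open folder" in action}

# Constructed sample of the pattern described above; not taken from a real drive.
SAMPLE = """[autorun]
open=RECYCLER\\update.exe
shell\\open\\Command="RECYCLER\\update.exe" /q
action=Open folder to view files
"""

print(assess_autorun(SAMPLE))
```

Run it against the autorun.inf copied off a suspect drive (read-only) and treat any `launches` entry pointing at an executable as the file to Shift+Delete in step 5.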

  • Thanks for all your helpful tips, everyone, and especially Snabulus and IceGlacial. I think this is worth passing on to other members of the faculty, since infected pen drives are apparently starting to become a problem. Thanks again to everyone.

    Everyone but Goon, that is. You suck.

    By Blogger The Moody Minstrel, at 9:56 AM  

  • Blimey! I totally forgot about Tweak UI. I used to have it on Windows 98.

    By Blogger Olivia, at 1:28 PM  
