It could happen to you! (A warning to the curious)
It’s almost embarrassing to admit but my shiny new laptop has got a cold.
It’s my own fault, really, as I wasn’t paying attention. I also was doing something fairly – but by no means hugely – risky. Let me start at the beginning. Last weekend I got the urge to revisit an old game called SWAT 3 which is a tactical police squad shooter that’s set in real-life LA locations and can be quite entertaining. It’s an old game – released in 2000 or something but I still have the CD so installed it. Next task was to get patches for it which is not as easy as it sounds because a lot of the links to patches and a lot of the fansites which gave comprehensive patch information no longer exist but anyway, I managed to get that done. One problem remained: the game wouldn’t recognise the CD in the drive (which, I reiterate, was a genuine, shop bought, original CD). I was faced with two options: 1) Try to fix it or 2) find a no-cd hack for it (which, for those of you unfamiliar with these things, is a hacked file which allows you to play the game without needing the original CD in the drive).
Perhaps unwisely, I went for option 2 reasoning that a) I’ve installed the game on a laptop and it would be far more convenient to not have to lug the CD around with me and b) I really couldn’t be arsed trying to research and resolve the issue myself.
One Google search later and I find a file that might be what I’m looking for. I navigate to the site and start to download it.
I should mention that the laptop is reasonably secured although I will admit that I hadn’t got around to replacing the anti-virus software that was installed by the manufacturer (which was Mcafee so not great but respectable at least). Having a machine without anti-virus or a firewall is like drink-driving without a seatbelt. You can do it but you’ve only got yourself to blame when things go horribly wrong. Sure enough, as the file was being downloaded, an alert popped up from my antivirus and I immediately killed the download.
Except this is where things started to go wrong. I can’t tell if you I actually began to run the file I downloaded because I don’t think I was paying attention. I also can’t tell you if the anti-virus message box I clicked on was actually from my anti-virus software because I definitely wasn’t paying attention. The next thing I know is that my screen is flashing and my wallpaper has been changed to a bio-hazard logo and I’ve been told that Antivirus XP 2008 has located an infection on my computer and that I should do a scan and dispose of it and, by the way, the virus definitions are out of date.
Antivirus XP 2008 is not a safe program. It is malware, a rogue program that masquerades as necessary software, hacks your registry file to place false positive alerts in order to encourage you to buy the full version of the software and Christ only knows what that would do to your system. It’s a bluff, a scam, a con, a trick, a corrupt police officer planting 6 grams of Columbian finest in your room just to extort protection money from you. It’s very clever in a I-want-to-kill-the-fuckers-who-did-this-to-me kind of way.
Through judicious use of HijackThis, AVG antivirus, AdAware and Malawarebytes’ Anti-Malware software, I seem to have rid my machine of most of the problem. I think. One of the side effects of this fucking viral trash was being able to search on Google. I can’t. If I load up Google and do a search, it brings up the correct results but clicking on any of those results actually launches a different (undoubtedly unsafe) site. Even in Firefox. It is annoying as fuck.
The real downer is that it’s several days later and I’m still getting problems. I thought I’d managed to clear everything from my system but last night I found that the Google hijack was back in place and this morning various things are being shown up (including a Trojan that, according to websites, was first seen a couple of days ago). I suspect that now the door has been opened, it’s never going to get fully closed again and worms will always worm their way. I don’t want to do a full system wipe and rebuild but I’m currently wondering if that’s the only solution to ensure I’m totally rid of everything. (Suggestions at this point are welcome but in addition to the above list, I’m also now using Spybot S&D, SpywareBlaster and Vundofix. The anti-malware software turned up a whole load of new infected files but also tags things like some of my webdesign software – Crimson Editor, TopStyle and PHP Designer all make it go into a tizzy so I don’t know how many false positives I’m actually getting and how much of my system that I may be cleansing that is benign and, indeed, necessary.)
The lesson to learn from this is that when presented with virus alerts, it’s absolutely necessary to verify that the alert is genuine and not a rogue alert that will get you into more trouble than simply ignoring it. There’s also a lesson about nostalgia and wanting to play very old games with a cracked .exe but let’s not go there right now.
I don’t know when it comes to the Malware registry, but I use Crimson and TopStyle all the time with no hassles at all, so I figure they’re safe to use, and thus throwing out false positives. (Unless of course the Malware is very clever, and hiding in known-good files)
Never used PHP Designer, so can’t vouch for that one at all.
If all else fails, uninstall Crimson et al as well, then see what gets thrown up as potential Malware. At least with Crimson etc. you know where you can get a clean copy. Hell, I can email you crimson.
Comment by Lyle — August 6, 2008 @ 1:59 pm
Oh I know that Crimson, TopStyle and PHP Designer are all perfectly kosher - it’s just that this particular software seemed to flag them. I uninstalled them for now anyway as it’s not a problem to re-install and far easier than trying to add them to this particular softwares (Malaware Anti-Malware fyi) “safe to ignore” list for now. I just meant that I recognised what those were but have no idea if some of the system dlls it flagged were also benign or actually infected.
Comment by Tom — August 6, 2008 @ 2:19 pm
Just out of interest, and to provide decent linkage, The Register has a big article about Antvirus XP 2008, and what it does (and how)
Also, AVG now apparently removes it completely (according to the same article)
Comment by Lyle — August 27, 2008 @ 2:31 pm