TOPIC REVIEW
|
Nim
Member # 205
|
posted
Well, after seven uneventful years, and two weeks before I'll get the last components delivered to build a new computer, I've gotten a virus. It's called face*****.exe (I don't remember what it said after "face", and it renamed itself before I could copy-paste yesterday) and it seems to be impervious to any effort of removal by F-Secure, AVG, Lavasoft Ad-Aware and today also Eset Nod32 antivirus.
It masks itself as iexplore.exe and rundll32.exe in the activity manager list and spawns popups every second to third time I open up a web browser window. It also deletes every sixth of my keypresses, making typing erratic. I can type in web addresses and go there but I can't use any search engine; as soon as I press "Search" in Google or any other engine, it just stands there, loading indefinitely, never coming up with any hits.
Also, at random times, the computer starts beeping and doing a windows sound effect, though I don't have any windows sounds active, save for email notification (haven't had for years). It stops if I kill the fake "iexplore.exe" or "rundll32.exe" virus applications in the Activity Manager, though they bounce back up if I start a browser or other software.
I don't have the time to do a complete hard drive wipe and reinstall Windows; I'll be needing my comp intact this coming week for a few events and I'm running out of options.
Anyone have a tip for busting this crap except for a total wipe, or those antivirus programs I listed above?
|
The Ginger Beacon
Member # 1585
|
posted
If you aren't using the latest version of F-Secure, they have a program called "backlight" you can download that detects this sort of shit, so that the program can remove it. I'm sure that other anti-virus software programs have something similar.
Or you might be able to use a live disk or find a copy of the pristine environment software for your OS to detect and kill it.
In my experience it's far easier to just wipe and reinstall the OS, but it is possible to fix it without doing this.
I don't really know how though.
|
Daniel Butler
Member # 1689
|
posted
Unfortunately I agree with Ginger - in my experience an infection this bad has to be formatted. You can't really clean it out of any programs it's infected (like Internet Explorer for example, if it's detecting its launch it might have infected it) without having an inoculation database with a clean copy of the program. If you haven't ever inoculated, the best the antivirus could do would be to delete the program (which would probably be undesirable) and there still are probably files infected lying dormant somewhere random.
|
Nim
Member # 205
|
posted
Damn, I was afraid of that.
My only concern right now is if this virus can jump over into my next computer, since there are a few files I'll want to bring with me from my old one. I'll be taking some media files, documents and uniques with me. Anything I can reproduce I'll leave behind, including bookmarks.
Now, if I load these files into a USB RAM-stick and insert it into a neutral "middleman" computer, any eventual virus piggybacking on the files can't jump over into that computer just by being plugged in, right? It could only multiply if I open one of the files on the stick (which I won't)? So technically, I should be able to use F-Secure to scan the memory stick and kill any eventual virus before loading the files onward into my new comp?
|
Fabrux
Member # 71
|
posted
I actually once managed to transfer a virus using a USB stick. It was damned annoying, cause I then had to wipe both computers. Blah.
|
Daniel Butler
Member # 1689
|
posted
If it's the type of virus that infects files (as opposed to the boot sector of a bootable disk, which your USB stick probably doesn't have anyway) then yes, you have to open the file for the virus to activate. In fact you can mount the drive in read-only mode - I'm not sure how you do that in Windows, but there might be a write-protect switch on your USB stick (or not). That might help keep other files on the USB stick from being infected (although it wouldn't do anything to protect the PC you plug it into ;P). Anyway it's probably not necessary; just plug it in and scan it. The only files I'd be worried about would be documents which can contain macro viruses. Pictures and other data-only filetypes can't be infected in theory. Of course if your 'uniques' include programs or DLLs of any sort, you'd be better off not saving them, unless you happen to have the proper MD5 checksum of clean versions of those programs lying around.
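An added illustration of the sorting rule in the post above (this is not code from anyone in the thread): walk the files copied onto the stick, treat pictures and text as data, flag documents that can carry macros, and keep a program or DLL only when its hash matches a known-clean checksum (SHA-256 is used here instead of the MD5 mentioned). The sample stick contents, the clean-hash list and the extension tables are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Programs/DLLs: keep only with a known-clean checksum; Office documents can carry macros.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".vbs"}
MACRO_CAPABLE_EXT = {".doc", ".xls", ".ppt", ".dot", ".docm", ".xlsm", ".pptm"}
IMPERSONATED_NAMES = {"iexplore.exe", "rundll32.exe"}  # names the thread's virus hid behind

def sha256_of(path):
    """Hash file contents to compare against a known-clean checksum."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(path, known_good):
    """Return 'verified', 'suspect-executable', 'macro-capable' or 'data'."""
    name = path.name.lower()
    # Check every suffix so 'holiday.jpg.exe' counts as a program, not a picture.
    suffixes = {s.lower() for s in path.suffixes}
    if name in IMPERSONATED_NAMES:
        return "suspect-executable"
    if suffixes & EXECUTABLE_EXT:
        return "verified" if known_good.get(name) == sha256_of(path) else "suspect-executable"
    if suffixes & MACRO_CAPABLE_EXT:
        return "macro-capable"
    return "data"

def triage(root, known_good):
    """Walk the stick's contents and bucket each file by how safe it is to carry over."""
    report = {"verified": [], "suspect-executable": [], "macro-capable": [], "data": []}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            report[classify(path, known_good)].append(str(path.relative_to(root)))
    return report

def demo():
    """Constructed sample stick in a temp dir (left in place); the clean-hash list is constructed too."""
    root = Path(tempfile.mkdtemp())
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)
    (root / "notes.txt").write_text("packing list")
    (root / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0 constructed OLE stub")
    (root / "helper.dll").write_bytes(b"MZ constructed clean helper")
    (root / "iexplore.exe").write_bytes(b"MZ constructed impostor")
    (root / "holiday.jpg.exe").write_bytes(b"MZ constructed double extension")
    known_good = {"helper.dll": sha256_of(root / "helper.dll")}
    return triage(root, known_good)
```

Anything in the suspect bucket is what the post says to leave behind; a clean-hash entry would in practice come from the vendor or a trusted earlier install, not from the infected machine.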
|
Nim
Member # 205
|
posted
I see, good info there. Yes, I'll only be moving images and text files, no games or dlls.
In fact, I'm kicking it up a notch (bam!), putting in a clean HD and have now installed Windows on it (using a ready-made ghost image), I'll attach my old HD as slave and do a full F-Secure 7.12 scan of the shit, hopefully that'll reach deep enough.
The Windows on the old HD still works, so I can still switch back to it until I've cracked this thing.
|
B.J.
Member # 858
|
posted
quote: Originally posted by Daniel Butler: The only files I'd be worried about would be documents which can contain macro viruses.
Yeah, those can be nasty. Just look what they did to Voyager & her crew!
|
The Ginger Beacon
Member # 1585
|
posted
Don't forget to use your spice weasel.
|
Pensive's Wetness
Member # 1203
|
posted
Do you have any idea how you acquired it (the virus) in the 1st place?
|
Nim
Member # 205
|
posted
I do indeed. Against better judgement I downloaded and installed LimeWire on a recommendation; I was trying to find a particularly rare TV series from my early days ("Private Eye", 1987, Michael Woods, Josh Brolin). Upon downloading what I thought was a very cryptic but similarly-named file bundle (turned out to be some crazy Asian soap opera also named "Private Eye") I noticed the processor fan had been moving at 100% speed for the last five minutes, which is rare since it autoadjusts. After rebooting, I had all these colorful popups every time I opened a browser window.
Originally it called itself Facetick.exe or Face(something), after the first antivirus software quarantined the file it renamed itself into both iexplore.exe and rundll32.exe, it looks like.
Long story short, LimeWire is a supertransmitter of digital STDs, it seems. Maybe it's because of the way it samples the search hits, drinking a bit out of every bottle it finds, even from the trainyard hobos (no offense to trainyard hobos, a stout breed).
|
Daniel Butler
Member # 1689
|
posted
P2P in general is like that, Nim. Just don't trust anything and be really suspicious. For example, it seems that for 2/3 of the searches I try in LimeWire, the top result with several hundred peers is "*whatever I searched for* girl has orgasm on web cam." "Red Hot Chili Peppers girl has orgasm on web cam," "adobe girl has orgasm on web cam," etc. Always the same file size, too, usually well under what I'm searching for would be. I do not want to download this file and see what happens.
|
Mars Needs Women
Member # 1505
|
posted
Nothing happens, just some posing. Stick to torrents, that's what I sez. I had a similar problem (unrelated to what happened in the first sentence) and I think I solved it by a mixture of root-kit cleaners and spyware search-and-destroy thingys. But of course different programs seem to find different things, so it might be a matter of finding that one program that specifically targets face***.exe files.
This might be of some help. http://www.greatis.com/appdata/d/f/face.exe.htm
|
Nim
Member # 205
|
posted
Great link, I went and used the "RegRun Reanimator" freeware, against rootkits. It took about 10 reboots, since it operates just at the pre-desktop load moment and kills the hardest files during the next reboot. I think I got them all, since at the tenth-or-so reboot the software didn't engage any more. I've been crash-testing the browser to try and bring out pop-ups but so far nothing. Will take a while before I feel certain though.
Thanks tiddy bear, and all of you who added your 2 cents.