VGMaps
November 19, 2017, 05:31:51 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
 
   Home   Help Search Login Register  
Pages: [1]   Go Down
  Print  
Author Topic: Laptop is infected(?) [solved]  (Read 6512 times)
0 Members and 1 Guest are viewing this topic.
Peardian
Hero Member
*****
Offline Offline

Posts: 627


Busy busy


« on: September 15, 2009, 11:44:14 AM »

For the past three weeks, my laptop has been infected with a nasty virus. The school stuck me with a Mac because of my major, so I run a Virtual Machine of Windows XP on it so that it itsn't completely useless to me. The virus only affects the Windows VM, and I've been using Mac's Safari to access the internet. The Saturday night before the school semester started, we checked into a hotel offcampus so I could spend time with my family. I used Windows only a little bit, just to check email and Fraxy and chat, but it was still enough to catch the virus. The symptoms are as follows:

  • Prevents almost all internet access, with the notable exceptions of Windows Live Messenger and Steam (only chat)
  • Causes computer to slow to a crawl when trying to open big programs (Fireworks, Flash, etc.); Task Manager shows that taskmgr.exe is using up 100% of the CPU, and IceSword shows no hidden processes at work
  • has caused it to bluescreen once due to using up all the memory
  • slow shutdown/startup times
  • No malware was found by AVG, Avast, Spybot S&D, or Panda Rootkit Scanner

As I mentioned in my other thread, this makes SNES emulation very slow and tedious, so I can't work on Yoshi's Island until this is solved. I'm thinking I got it from a malicious ad, as I found I also had a Trojan (AVG took care of it). Amusingly, it was one of those phony "you have a virus, download our program!" viruses, but it never had a chance to show it's face because the bigger virus was completely blocking it.


The guy at the campus computer store said that his friend recently had the same problem, that it's some kind of new virus that doesn't have a cure yet, and that a fresh reinstall might be the only solution right now. I'm hoping it doesn't have to come to that, but I will do it if completely necessary. I don't know if many people here are very savvy with this kind of thing, but I'm posting this here in hopes that someone can help me.


Edit: And don't worry, it doesn't infect files I have or people I talk to, so don't worry about catching it through my map submissions.

Edit: In case you stumble on this topic and are worried, this issue has already been resolved.
« Last Edit: October 27, 2009, 01:22:43 PM by Peardian » Logged

MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!
DarkWolf
Hero Member
*****
Offline Offline

Posts: 621



« Reply #1 on: September 15, 2009, 12:43:33 PM »

Unless it has replaced or latched on to a core system file you can usually use the Advanced Mode of Spybot S&D to prevent nasty things from running at start up.  Of course you have to know what you are looking for and sometimes booting into safe mode is required.
Logged
Revned
Hero Member
*****
Offline Offline

Posts: 1091



« Reply #2 on: September 15, 2009, 12:50:14 PM »

Virtual Machine snapshots are very useful for this reason. You might consider doing them weekly in the future if you have enough disk space.
Logged

Maxim
Hero Member
*****
Offline Offline

Posts: 972



« Reply #3 on: September 15, 2009, 02:09:14 PM »

The guy at the campus computer store said that his friend recently had the same problem, that it's some kind of new virus that doesn't have a cure yet, and that a fresh reinstall might be the only solution right now.
Given that, I suggest you offer him this diagram. A fresh re-install is the easiest solution; if you can access the VM's files without running it then all the better. Most files are not infectable, in particular images and emulator savestates, just leave behind the DLLs and EXEs.
« Last Edit: September 15, 2009, 02:10:11 PM by Maxim » Logged
Peardian
Hero Member
*****
Offline Offline

Posts: 627


Busy busy


« Reply #4 on: September 15, 2009, 04:54:20 PM »

I'm afraid I don't get the chart.


Either way, I'm afraid I never use snapshots, but I should have. I really have very little clue about computer processes and how they work, so I wouldn't know what to go in and delete/change/whatever. I could try checking the start-up processes, but again I wouldn't know what to look for. Oh, I forgot to mention that I tried running HijackThis as well, but nothing out of the ordinary came up.

One search I did suggested that the Taskmgr acting up could be related to a corrupted up winsock(?) or something, but I don't know if this case is the same.


Thank you guys for helping me. I'm glad I asked. Cheesy
Logged

MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!
Maxim
Hero Member
*****
Offline Offline

Posts: 972



« Reply #5 on: September 16, 2009, 01:12:23 AM »

The computer store guy's comment suggests he doesn't know his ass from his elbow, i.e. he is not very knowledgeable in this area. It is possible to undo whatever malware does, but it's hard work; the symptoms are in no way indicative of any one piece of malware, so his friend is unlikely to have the same thing; and two people are not sufficient evidence to state that there's a new virus going around that's undetectable. But a guy in a computer store can assume a position of authority whenever he is dealing with someone less knowledgeable than himself.

Were you running Internet Explorer? It's unadvisable to use it anywhere where dodgy ads are possible, which is almost everywhere.
Logged
Peardian
Hero Member
*****
Offline Offline

Posts: 627


Busy busy


« Reply #6 on: September 17, 2009, 06:22:41 AM »

Oh... I see. Haven't heard that expression before. Listening to these kinds of people is how I got stuck with this overpriced laptop in the first place. Sad


Yes, I was using Internet Explorer, but I only use it to visit sites I trust (Jul, Fraxy site, here, etc). I wish I had checked the history to see exactly where I had been that day, but that probably wouldn't tell me anything. It's possible someone linked me to a DeviantArt page to show me something and I got it from there. (It's happened before.)


But if it's not malware, what else could it be? The first conclusion I came to when it started was that the hotel internet had changed my VM's internet connection settings or something. But, like I said, I know very little about this kind of thing. Would it have anything to do with ports? Obviously, the internet connection there still exists, because chat programs can connect, but all signals sent from other programs never leave the Virtual Machine.
Logged

MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!
Maxim
Hero Member
*****
Offline Offline

Posts: 972



« Reply #7 on: September 17, 2009, 09:57:18 AM »

Malware can get into ad networks. Reputable ad brokers sell space to less reputable ad brokers, who sell space to dodgy ad brokers, who sell ad space to malware pushers, who use browser bugs to infect you. Blocking ads and using Firefox gets you double protection - although I'm sure they'll target Firefox vulnerabilities sooner or later.

If the only internet access you do is web browsing then it's all going over port 80, or via a proxy server. Check in Internet Options; if I had IE8 to compare with I'd tell you where, but look for any proxy settings. Chat programs and Steam get past because they're not HTTP requests on port 80.

Being slow to start up and slow down, and to open programs, suggests there's some software on there doing bad things. If it doesn't show up anywhere then it's likely malware, and it's hard to remove something you can't see. In that case, copy off all the files you care about and install to a new VM. It depends to what extent you have configured the system and would find it a hassle to reinstall from scratch; if it's less work than cleaning the malware then it's the way to go.

For maximum safety, consider getting your VM all set up and configured, and then making a snapshot. Next time something goes wrong, restore to this snapshot.
Logged
Peardian
Hero Member
*****
Offline Offline

Posts: 627


Busy busy


« Reply #8 on: September 19, 2009, 08:23:51 AM »

Just checked the proxy settings, and the address for it is blank. I'm not sure how VMWare Fusion works its connection, so I don't know what to put there. When I checked the Advanced settings, all the fields were blank, and it notified me this might prevent me from accessing the internet. However, even if this solves the connection issue, it doesn't solve the issue of the system chugging while running programs like Word and Fireworks.


Setting up my VM would actually be pretty easy. The first time I set it up, I just used a file created from my desktop PC's migration program. Seeing as how I strive to keep my laptop in sync with my PC, there wouldn't be much change. Sure, there'd be a few things like XSI Mod Tool that I'd have to back up (I can easily just store it on the Mac desktop until then) but it wouldn't take too terribly long. And yes, I'll try to use Snapshots in the future to prevent this kind of thing.


Still, I'm afraid that if I reinstalled it, I'd forget something important. It's looking like I'll have to do it anyway, since none of the malware removers can find anything (not even IceSword found any hidden processes). If I can get my connection up again, I'll try one last scan with all the programs after updating their virus databases and whatnot. If those fail, then I'll reinstall.


So, what do I put for the Proxy address and port? I assume the Port is 80?
Logged

MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!
Maxim
Hero Member
*****
Offline Offline

Posts: 972



« Reply #9 on: September 19, 2009, 09:39:52 AM »

Leave the proxy blank and turned off. It's just a way for a program to get between you and the internet, for webpages but not IM.

There's no reason not to keep the old VM around in case you missed a file. It can be worthwhile to get into the habit of saving all your files in one place - maybe under My Documents, or whatever - so if you need to grab just the important stuff, it's all right there. The problem is apps that refuse to play nicely with that, and put their config in three different places.
Logged
Peardian
Hero Member
*****
Offline Offline

Posts: 627


Busy busy


« Reply #10 on: September 20, 2009, 12:20:50 PM »

Oh, well, then it looks like I'll just have to reinstall it.

I do generally keep everything in one place, but there are some exceptions (emulators and their savestates, programs, etc.) that I keep elsewhere. I'm sure I'll be able to save everything if I take long enough to prepare. Worst case scenario is I'll just have to completely reinstall some programs (XSI Mod Tool, for one). I'll probably do it in two weeks.

Thanks for all your help. I'll be sure to let you all know how it turns out.
Logged

MM (10%) - SMA3 (33%) - DNS (0%)

Come check out the Nintendo 64 Mapping Workshop!
Pages: [1]   Go Up
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.20 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!