atomic_fungus (atomic_fungus) wrote,

#2493: Not a trojan; not a succession of trojans. ROOTKIT.

FUCK SPACE.COM FOREVER!!!

The machine has continued to act up, and I've been killing a trojan or two every day since Tuesday, when the system got infected by a page at space.com.

I've had one or two trojans on this system before; every other time they only got on the system in the first place because I'd done something really stupid, and they were fairly easily removed after a bit of tedium. It happened seldom enough that I had to re-learn how one removes a trojan each time it happened.

See, as most of you know, I was a PC technician for most of a decade. What a person like me has in his brain is not so much a huge encyclopedia of computer stuff as it is a pamphlet titled THIS IS HOW COMPUTER SHIT WORKS. We understand the underlying logic of the machinery and its programming, so that if someone asks us, "How do I make this program do X?" we might not necessarily have ever even seen that program before but can make an educated guess that if you want "X" to happen, it's probably in a menu somewhere, and all you need to do is find it.

That's why--if you ask a PC technician a question like that--he'll take over the mouse for a few moments and click through the menus, perhaps while muttering, "Let's see, where was it...." (Particularly when you're an on-site tech costing the customer $90 an hour, they want to believe you know everything.)

The non-computer-literate will struggle desperately to figure out how to do X. They might look at one menu and they might look at two; they might even try the help menu. But the PC tech has seen all kinds of software in operation, and knows the most likely place to find X; and, more, knows the logic of how the system and software were designed.

(...though plenty of software is meant to be used by the average person, the software is written by a computer guy. So it might make sense to him to put X under "file"; but the average person thinks X would be under "tools" or "options" or something else. Gad, if I had a dollar for every time someone asked me why X was there instead of this other place, I could be retired right f-ing now.)

The point is, I have this bag of mental tools for solving computer problems. It didn't make sense to store, long-term, the procedure for eliminating trojans from my computer, because I got perhaps one infection per year.

Until this week.

This week, I've been (as I said above) stamping out at least one trojan per day, sometimes two. I couldn't imagine what the hell was causing it. I removed the space.com feed from my email home page. I ran antivirus and malware scanners back-to-back. I scanned the registry. I booted to the command prompt and manually deleted the offending files. I did everything I normally do in this situation; and each time the computer came back clean. And each time, within twelve hours the computer was infected again.

Firefox wouldn't run unless Windows Task Manager was running. I'd double-click the icon two or three times, then run Task Manager, and see two or three instances of Firefox running, invisibly. End those processes and then try again, and Firefox would then run--but only if I kept Task Manager open. WTF.

And Windows Update wouldn't work.

That last was, by the way, the clue; but I didn't understand it until I found the registry key referring to "Whitesmoketranslator".

See, when the computer got infected, this install screen for "White Smoke Translator" popped up. I hadn't downloaded or invoked any such damn thing, of course, and I could not get the damn program to close. Turns out that was the source of my troubles. Why?

Because it installed Rootkit.Win32.TDSS.

That is the infamous rootkit which made Windows XP dump to a blue screen on boot after an update.

So, while we're at it, FUCK MICROSOFT FOREVER TOO!!! Because the OS knew enough not to try to update itself (lest it lead to BSODs) but the error code was typical Microsoft bullshit: a ten-character error code which not even Microsoft itself could decipher. I had to put in a tech support ticket (which is still pending; and the tech who contacts me is going to get an earful).

The damn updater couldn't just say, "Looks like you've been rootkitted! Better fix that!" Oh no.

ANYway--

White Smoke Translator was installed, and I de-installed it at my first opportunity, yet I found a registry key in its name. I tried to delete it; Windows couldn't do it...and when I refreshed the screen, it was back. That is how you know you've got malware: if it refuses to die, it's malicious.
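
As an added example (not from the post, and not the tool the author used), here is a PowerShell check that applies the "if it refuses to die" heuristic to the common autorun registry values: it removes entries matching a name fragment, waits, and reports any that come back. The name fragment, the wait time and the key list are assumptions; a kernel-mode rootkit such as TDSS can also hide keys from these APIs entirely, so a clean result is not proof the machine is clean.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
param(
    [string]$Pattern = 'whitesmoke',   # assumed name fragment; substitute what you found
    [int]$WaitSeconds = 30             # assumed wait before re-checking
)

# Common autorun locations (assumed, not exhaustive). A kernel-mode rootkit
# can hide values from these APIs, so "not found" proves little.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds that are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-MatchingAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            # Match on either the value name or its data (the command line).
            if ($p.Name -match $Pattern -or "$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

$before = @(Get-MatchingAutoruns)
if ($before.Count -eq 0) { Write-Host "No autorun entries match '$Pattern'."; return }

foreach ($e in $before) {
    Write-Host "Removing $($e.Key)\$($e.Name) = $($e.Value)"
    try { Remove-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction Stop }
    catch { Write-Warning "Could not remove $($e.Name): $($_.Exception.Message)" }
}

Start-Sleep -Seconds $WaitSeconds
$after = @(Get-MatchingAutoruns)
foreach ($e in $after) {
    # A value that is back after removal is being re-planted by a running
    # process or is protected: treat the host as compromised, don't just delete again.
    Write-Warning "REAPPEARED: $($e.Key)\$($e.Name) = $($e.Value)"
}
if ($after.Count -eq 0) { Write-Host "Entries stayed removed (not proof the system is clean)." }
```

A reappearing entry is the signal to move to an offline scan or a dedicated rootkit remover rather than to keep deleting by hand.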

Googling "whitesmoketranslator" led me to the link, there; the program removed the rootkit and I'm now finally downloading updates from Microsoft.

It feels like maybe--just maybe--I've reached the end of my little malware saga. I'm going to make sure; and then I'm changing my WoW password, because right now the only thing keeping my account secure is the authenticator.

Thank God I got that after my guild got hacked.