kevin_standlee (Pensive Kevin) [personal profile]
My main computer is behaving normally again, and is no longer constantly stopping with "spyware" warnings from programs I know I never installed. (That was an immediate danger sign, which was why within a few minutes I had the machine completely off-net and was using a separate machine to search for answers.) It's lucky for me that I've used MSCONFIG before, although it had been a while, and was able to get it running on reboot before the bug got itself reloaded, which allowed me to intercept it.

First, following some of the advice I've seen on this "AXWIN Frame Error" issue, I disabled nearly everything and rebooted. No problem, although of course no services run in this state. I then examined the startup list and found a program whose name was essentially a random string of letters. (Foolishly, I forgot to write that down, so I can't list it here, although I expect the virus randomly renames itself on each installation.) I found the directory in question, noted that its last-change date was that evening, and -- knowing that I'd not installed any software -- deleted the directory. I also dumped all of the trashes, temporary files, internet search history, and saved passwords. With luck, this would mean the program could try to load itself but wouldn't be able to find the program files.

On reboot, I had no problems, but that program was still showing up in the list of attempting-to-start files. I haven't done this sort of thing before, but a few searches led me to running REGEDIT to look for instances of this randomly-named file. I was pretty confident that this wasn't "real" software in the sense of something I wanted, but I'm aware that mucking with the Registry can hose your machine badly. I decided that at worst we'd have to re-image it, and I don't think I would have lost much in the way of significant data, thanks to my backing things up so often. Paranoia is my friend here.

I found several registry references to this suspicious file, and deleted all of the keys that seemed to contain it. It took several tries. (Yes, I made a backup of the registry before starting.) Finally, some hours after the machine first began acting badly, I got a reboot that neither loaded a suspicious file nor showed that file in the list of startup files. With my mind more at ease, I shut the computer off and went to bed.
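The manual MSCONFIG-and-REGEDIT hunt described above (look at what starts at boot, find the entry with a random-looking name, check when its files were last changed, then find the registry keys that reference it) can be done in one read-only pass from PowerShell. The script below is an added example written for this page, not something from the original post; it enumerates the standard Run/RunOnce keys and the per-user and all-users Startup folders, resolves each entry to an executable, and flags entries whose name looks like a random string or whose file was modified within the last two days. The "random name" vowel-ratio heuristic and the two-day window are assumptions chosen for illustration; the script only reports and never deletes anything.

```powershell
# Added example (not from the original post): read-only triage of Windows autostart
# entries. Reports each entry with its executable, modification time, and two flags.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExePath([string]$command) {
    # Pull the executable out of a Run-key command line, which may be
    # "C:\path\prog.exe" /arg  or  C:\path\prog.exe /arg
    if ($command -match '^"([^"]+)"')   { return $Matches[1] }
    if ($command -match '^(\S+\.exe)')  { return $Matches[1] }
    return $command.Trim()
}

function Test-LooksRandom([string]$name) {
    # Assumed heuristic: product names almost always contain vowels, while
    # randomly generated names such as "xkqzwtvp" usually do not.
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    if ($base.Length -lt 6) { return $false }
    $vowels  = ([regex]::Matches($base, '[aeiouAEIOU]')).Count
    $letters = ([regex]::Matches($base, '[A-Za-z]')).Count
    return ($letters -gt 0 -and ($vowels / $letters) -lt 0.15)
}

function New-Entry([string]$source, [string]$name, [string]$command, [datetime]$since) {
    $exe    = [Environment]::ExpandEnvironmentVariables((Get-ExePath $command))
    $exists = Test-Path -LiteralPath $exe
    $mtime  = if ($exists) { (Get-Item -LiteralPath $exe).LastWriteTime } else { $null }
    [pscustomobject]@{
        Source     = $source
        Name       = $name
        Executable = $exe
        Exists     = $exists
        Modified   = $mtime
        Recent     = ($exists -and $mtime -gt $since)          # changed in the window
        RandomName = (Test-LooksRandom $name) -or (Test-LooksRandom $exe)
    }
}

$since = (Get-Date).AddDays(-2)   # assumed "recent" window; adjust to taste
$skip  = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

$results = @()

# 1. Registry Run/RunOnce values (the entries MSCONFIG's Startup tab shows).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -in $skip) { continue }
        $results += New-Entry $key $p.Name ([string]$p.Value) $since
    }
}

# 2. Startup folders (per-user and all-users); shortcuts are listed by file name.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if (-not $path -or -not (Test-Path $path)) { continue }
    foreach ($item in Get-ChildItem -LiteralPath $path -File) {
        $results += New-Entry $path $item.Name $item.FullName $since
    }
}

# Suspicious entries (recently modified or random-looking name) float to the top.
$results | Sort-Object Recent, RandomName -Descending |
    Format-Table Source, Name, Executable, Exists, Modified, Recent, RandomName -AutoSize
```

Run it from an elevated PowerShell so the HKLM keys are readable. An entry that shows `Recent = True` and `RandomName = True`, whose executable sits in a directory created the same evening the warnings began, is the kind of thing the post describes finding by hand. Before deleting any key, export it first (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run-backup.reg`), which is the same registry backup the author made before editing.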

Today, the machine is acting properly. There's no sign of the original problem. It was a half-decent try, though. It put an icon into my system tray that sort of looked like the Microsoft Security icon, and it had plausible-sounding warnings; however, it wasn't quite right, and besides, one of the error messages had grammar that suggested that whoever wrote it didn't actually know much English. (I wish I'd written it down, but at the time, I was in too much of a hurry to get the computer offline and shut down to take those kinds of notes.) And beyond that, most programs go away when you say No and Close and Exit, and none of the legitimate security software I have refuses to let you bring up the Task Manager (alt-shift-escape) to see what's running. Fortunately the program appears to have not been quite bullet-proof and I was able to power-down the computer without even having to do a "hard" power-off.

Fingers crossed that I stopped it in time. I've re-connected it to the internet and we'll see how it works. Thank goodness for all of my backups!

Date: 2010-05-03 03:37 am (UTC)
From: [identity profile] rwl.livejournal.com
What protection program do you run? I use Symantec's but just in case I also have SuperAntiSpyware, which on more than one occasion was able to trap a malware that Symantec missed.

Date: 2010-05-03 03:52 am (UTC)
From: [identity profile] kevin-standlee.livejournal.com
Symantec Corporate Edition -- required by my employer since the machine accesses their network. Today I added Spybot S&D.
