Since getting home from Arapaho, I’ve been fighting a trojan that has affected my primary data server. My Microsoft-hating friend Tony said that he didn’t even have to worry about it when he had Windows because he didn’t use Microsoft products like IE and Office, which have been known to invite virii.

Actually, it looks like in this case, Firefox itself was to blame. Or rather, the Trojan that nailed me (and has attempted to nail me twice since) was aimed specifically at the non-MS browser.

So if you use Firefox, be aware of this: Firefox crashes. When Firefox comes back up, it asks you if you want to restore the windows, as it has since FF 3.5. However, if you look carefully, you’ll notice that the yes/no button is itself a single link, meaning that even if you don’t have the cursor over a button, it shows the hand as though you’re hovering over a link. That’s because the entire thing is an image, and clicking anywhere on it will install the malicious software. The other giveaway is that the pop-up shows up as a separate Firefox window. So if you see two Firefox windows on your taskbar, the second could be inviting bad things into your computer.

The nature of the infection is that it will act as though Windows has discovered one security breach after another and will ask you if you want to run a scan. Notably, the screen it shows you copies the Windows Vista Security screen to the letter. This is a bit more conspicuous if you’re running XP, which I am, and fortunately that’s one of the ways I was able to prevent the situation from getting worse. I’ve read up on the pusher of this software, called “Malware Defense”, and apparently what it will do is pretend to scan your hard drive, find a bazillion breaches, and then ask you for money to “fix” them.

Removing it was a hassle-and-a-half. Malware Defense apparently knows what most of the tools for rooting it out are and will prevent them from running. Or it will make it seem like something has gone horribly wrong. One tool that I used, rkill.com, would result in Windows locking up, the computer rebooting, or the taskbar disappearing. The latter is the ineffective one because you can bring it back by going into Task Manager. Run it enough times (it took me six) and eventually rkill.com will temporarily kill the file.

The next step is to run an application to kill the trojan while it’s down. My friend recommended Malwarebytes’ Anti-Malware program, downloadable for free. However, Malware Defense fights back against this, too. It blocks you from running any application with the name this one downloads as (mbam-setup.exe). I discovered this inadvertently when I downloaded the program twice and it worked on the second one (which Firefox had renamed mbam-setup(2).exe). However, even once the application is installed, it does the same thing again. So you have to rename mbam.exe to some other filename (anything without the four letters “mbam” should work) and you have to take it out of Program Files and run it from somewhere else.

Once I did that, it took care of most of the problem. I still get IE popping up every couple hours with some site on it. I’m not sure what I can do about that. It’s probably past time I formatted and restored the computer in question.

I should add that I am not the only one that has been experiencing problems lately. The friend who recommended rkill.com said that he’d been nailed once or twice recently, as well. I’ve also been hit three times with the Firefox “crashes”. I’m guessing that some site I’m visiting has a bad advertiser. I’m going to monitor the situation closely. In every instance, it’s been a Firefox crash. In all instances but one it was a window asking me if I wanted to restore my tabs. In the last instance, it was a window asking me if I wanted to make Firefox my default browser.

Until recently, I’ve not had to worry too much about infections. I mostly do this by not downloading and running software that I am unfamiliar with or that I haven’t checked out. I also avoid a lot of the scams that other people fall for. Clancy is unadventurous with the computer and that helps, too. This time I simply overlooked the slight symptoms that something was wrong. It was late, I was tired, and Firefox has been cracking up on me so its crash did not cock my eyebrow. I almost got burned by the question of whether or not I wanted to make Firefox my default browser because the intermittent IE pop-ups hijack the file association and so I’m asked that question legitimately every time I open Firefox.

So with some due diligence, this can be avoided. Tony would point out that this can also be avoided by running Linux.


Category: Theater

3 Responses to Don’t Catch The Bug

  1. web says:

    I had a similar instance happen a while back (culprit actually disguised itself as a similar button, only copying those annoying Netflix ads… doubly annoying since I was on a site that also legitimately pops up Netflix ads, namely CNN).

    Solution was to use my laptop. Went into the hard drive via a USB cage, deleted the offending files I had identified, then reloaded the machine and ran Malwarebytes to clean out the leftovers.

    Short of that, well, you’re heading for a rebuild anyways.

  2. Brandon Berg says:

    I got that, too, on Sunday. Which is weird, because I haven’t had a virus for almost ten years. Still not sure where it came from, as I hadn’t downloaded any executables or visited any iffy sites.

  3. web says:

    Brandon,

    A number of non-iffy sites have been getting hijacked recently, and they’ve changed their tactics. The faked popups are coming up in the form of either screenshotted messages (like Will saw) or even copies of “legitimate” ads like Netflix lately.

    It’s sort of the computer equivalent of what happened in Memphis when they tore down the “projects” and the gangs and troublemakers got exported into the “good” neighborhoods instead…
