Tuesday, 19 August 2008

Fight, don't give up

I thought I had an impenetrable computer, that no viruses could go through my defences but I was wrong. About two weeks ago I realised my CPU consumption arrived to 100% even right after having started the computer and without having turned any programmes on. It was fixed by resetting the computer, but one day the famous Windows blue screen appeared before the OS was loaded. It gave the following errors:
  • Driver_IRQL_NOT_LESS_OR_EQUAL
  • Srosa.sys
I tried to restart the computer but it appeared again, so I used my beloved Linux (Ubuntu) OS and made a backup of all important files into an external USB drive, just in case I had to format the hard drive. Then I tried to access Windows using the safe mode, but I got the same error. Luckily, I could access Windows using the last configuration which worked mode. Once in my desktop again I realised that all my anti-virus/firewall software did not work. What is worse, I could not install any kind of security device in my computer, it said that it couldn't communicate with the kernel or that the anti-virus X was not a Win32 application (yea right). The solution I found was to run some on-line tests like Panda Activescan, Norton or Kaspersky, which found tons of viruses, which is to be expected since I had been without protection for quite a long time, but they could not delete the main source of contamination.

I had been infected by a virus called Begle or Beagle (hence the pictures), which is a trojan bastard son of his mother. It blocks all antivirus software and uses the computer as an e-mail server to spam as much as possible. Neither regular nor on-line antiviruses seem to be able to get rid of it. After fighting for a long time against it and not formatting the hard drive, though I was tempted to do so many times, I found a little piece of software which is marvellous. It's called ELIBAGLA and deletes the virus enough so you can install and run an anti-virus software which gets rid of all the remaining bits of the virus plus the ones which have entered after the AV software was shut down.

Even though, problems don't end here. When I tried to switch from LAN connection to Wi-Fi I found that my wireless didn't work. When I tried to select a network I read this message:
  • Windows cannot configure this wireless connection. If you have enabled another program to manage this wireless connection, use that software. If you want Windows to configure this connection, start the Wireless Zero Configuration (WZC) service. For information about starting the WZC service, see article 871122 in the Microsoft Knowledge Base on the microsoft.com Web site.
It turns out that the virus messes it up as well, so I had to fix it (be careful because it may be a symptom that your computer is infected). To fix it you have to (don't even read article 871122 in the Microsoft Knowledge Base on the microsoft.com Web site, is useless) :
  1. Type this in Start->Run... net start wzcsvc (this will activate your Windows wi-fi service)
  2. If now your Wi-fi works great, you don't have this awful virus. If you get the following message: 'Error 1068: The Dependency Service or Group Failed To Start' means that you are contaminated with Beagle, but don't worry, it can be fixed.
  3. Now to the tricky part. Go to Start->Run.. and type services.msc Then navigate your way to: HKEY_LOCAL_MACHINE/SYSTEM/CurrentControl/SetServices/Ndisuio Once you find it open 'Start' and type a 3 (you may have a 4, which is wrong) leave the radio button in hexadecimal. In the same folder open 'Tag' and change whatever you find (maybe e?) by the letter C, again leave the radio button in hexadecimal.
  4. Restart the computer and everything should work fine again
To finish the cleaning process just scan the whole computer with as many antivirus as you can, local and on-line ones, and install good up to date antivirus, firewall and antitrojan software. I recommend Nod32, Outpost and TrojanHunter. Also a registry cleaning using an appropriate program like Wise Registry Cleaner is advised.

This virus is amazing, I've just received a letter from my Internet provider, Virgin Media, saying that I have been sending huge amounts of e-mails and that I am either a massive spammer or that I have a virus, so they may shut down my Internet access. Well, not any more, my computer is clean as it was when I bought it, so don't worry mr. Branson, I won't be jamming your network any more.

I hope that if you have the same problem I had this posts helps you to fix it. If you have any suggestions please feel free to comment.