
The awful, bad, no-good today



pendell
2010-08-02, 11:25 AM
So I come in this morning to find some helpful "anti-virus" malware has taken over my computer. While three customers all come in insisting that they need help NOW NOW NOW.

Get those fires out, clean off the malware with safe mode + anti-malware cleaner. Now ready to do some CODING!

-- except Eclipse (my IDE) can't talk to our remote Subversion server anymore.

It can still talk to local subversion, but not to the remote system. OTHER subversion clients can talk to the remote system, but not eclipse.

Okay, let's rebuild Eclipse's connection to the server. No good.

Okay, let's re-install eclipse.

Subversion isn't installed with the basic package. Okay, let's go to the update sites.

EVERY LAST UPDATE SITE IS DOWN.

Go to the forums to ask for help.

Get this helpful message:

http://www.eclipse.org/forums/

"Eclipse Forums are offline for maintenance, and are expected to be back online Sunday, August 1. We apologize for the inconvenience."


AGGGHHH.

Time to try out Netbeans. My patience is at an end.


Respectfully,

Brian P.

pendell
2010-08-02, 01:38 PM
Well, I have to officially exonerate Eclipse. It was not the problem.

The problem was these three lines added to my registry which anti-malware did NOT clean up.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyOverride" = "<local>"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:5643"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"

This messed up all my SSH sessions. Once I deleted those three little lines and re-booted, I was able to interact with Eclipse software normally. I was also finally able to talk to subversion again.

So Eclipse is not guilty.

But the makers of AntiVirScan pro are absolutely guilty of costing me a day's productivity.

Alas, my personal ethics allow me only to wish for their repentance. What I *want* is a perverted chthonic ceremony wherein powers are invoked to eat the intestines of the developers responsible ... ah, one can dream.

Respectfully,

Brian P.

ETA: Please don't if you happen to be of a belief that such things are possible. I'm sure things will sort themselves out in their own time without intervention -- BDP.

Cristo Meyers
2010-08-02, 02:00 PM
ETA: Please don't if you happen to be of a belief that such things are possible. I'm sure things will sort themselves out in their own time without intervention -- BDP.

*puts away cultist cloak and sacrificial dagger*

...nuts :smallannoyed:

Good to hear everything's fixed, or at least not completely borked anymore though.

factotum
2010-08-02, 03:22 PM
But the makers of AntiVirScan pro are absolutely guilty of costing me a day's productivity.


I'm not clear on what this software is. It isn't one of those things that pops up when you're browsing a webpage and says, "INSTALL ME NOW TO FIX A VIRUS ISSUE", is it? And if so, did you actually go ahead and click yes?

pendell
2010-08-02, 03:40 PM
I'm not clear on what this software is. It isn't one of those things that pops up when you're browsing a webpage and says, "INSTALL ME NOW TO FIX A VIRUS ISSUE", is it? And if so, did you actually go ahead and click yes?

It is one of those yes. I did not click "yes". In a fit of madness, I clicked "no".

The problem is, the label doesn't mean anything. The underlying logic will install the software if you interact with the pop-up AT ALL. The only safe thing to do is nuke it from the task manager.

What can I say? I was tired and thinking about something else.

Respectfully,

Brian P.

Brewdude
2010-08-02, 07:25 PM
Sir, that antivirus illusion is actually a virus, and a nasty one at that. It installs a proxy DNS server on your system and then adds those lines to your registry to point DNS traffic to it. I'll bet the proxy DNS server is still up on your system. If you let it work for a while, it will redirect random URLs to its own database of infected sites that then download less and less sophisticated but nastier viruses on to your system. When you think you've conquered it, if you haven't properly killed it, it will suddenly show up again, a few days later...usually after a Windows update.

Some info, but I hear this just pauses the problem.
http://forums.malwarebytes.org/index.php?showtopic=38629
Dr Web's Cure It was what finally did the job for me.
http://www.freedrweb.com/cureit/?lng=en
Though I had to use Rkill to get control of my system (Task Manager and safe mode weren't cutting it)

Glad_Vampyre
2010-08-02, 09:36 PM
Well, think of it this way. By what you have just gone through, if you see a friend that sees this pop-up and begins to click it, you can take their computer and run with it as far as possible to the middle of nowhere and leave it there, so that this virus is never able to do this to another person again.

Although from watching movies you know this might not work because some idiot is gonna come along and say, " Hey look free computer!!". :smallannoyed:

I will say that after what I have just read, I thank you for this information you have shared with us because I never knew not to click on one of those pop-ups.

pendell
2010-08-03, 07:41 AM
Sir,

NOTE: MASSIVE EDIT.


Sir, that antivirus illusion is actually a virus, and a nasty one at that.


I am well aware.



It installs a proxy dns server on your system and then adds those lines to your registry to point dns traffic to it. I'll bet the proxy dns server is still up on your system.


I am certain it is NOT, because such a dns would still be in the windows registry. You can't set up such a thing like that and NOT have it visible in the windows registry. Plus, a proxy server on my system breaks many of my processes and I noticed immediately.


Since the original post of this message, I went through the registry in safe mode TWICE and I am ABSOLUTELY CERTAIN that there is no proxy server on my machine. However, a scan with anti-malware after a windows update last night revealed that a similar program had inserted a "run" command into my registry, although it evidently had not gone active, because I had no proxy server or other symptoms. Anti-malware killed it, and now I'm clean again. Good catch!



Some info, but I hear this just pauses the problem.
http://forums.malwarebytes.org/index.php?showtopic=38629
Dr Web's Cure It was what finally did the job for me.
http://www.freedrweb.com/cureit/?lng=en
Though I had to use Rkill to get control of my system (Task Manager and safe mode weren't cutting it)


Many thanks for the info, brewdude! Hopefully our mutual discussion will be of benefit to any readers who are bitten by the same bug.

Respectfully,

Brian P.

factotum
2010-08-03, 12:22 PM
If you want to be 100% sure about the proxy thing, use the netstat -ab command--that'll tell you all the processes on your system that are listening out, and which ports they're listening on.
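One way to make the registry check from Brian's earlier post and factotum's netstat suggestion repeatable, as an added example that is not from anyone in the thread: a PowerShell script that reads the three Internet Settings values, flags a proxy pointed at loopback, and asks Get-NetTCPConnection (assumed available, i.e. Windows 8 / Server 2012 or later) which process, if any, is listening on that port.

```powershell
# Added example, not from the thread. Audit the per-user WinINET proxy values the
# malware changed and check whether anything is still listening on the proxy port.
# Run from an elevated PowerShell so the owning process can be resolved.
$regPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue

$proxyEnable   = $settings.ProxyEnable
$proxyServer   = $settings.ProxyServer
$proxyOverride = $settings.ProxyOverride

Write-Host "ProxyEnable   = $proxyEnable"
Write-Host "ProxyServer   = $proxyServer"
Write-Host "ProxyOverride = $proxyOverride"

if ($proxyEnable -eq 1 -and $proxyServer) {
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    foreach ($entry in ($proxyServer -split ';')) {
        $hostPort  = ($entry -split '=')[-1].Trim()
        $parts     = $hostPort -split ':'
        $proxyHost = $parts[0]
        # No explicit port means the WinINET default of 80
        $proxyPort = if ($parts.Count -ge 2) { [int]$parts[1] } else { 80 }

        if ($proxyHost -in @('127.0.0.1', 'localhost', '::1')) {
            Write-Warning "Proxy points at loopback ($hostPort): same pattern as the thread."

            # Per-port equivalent of 'netstat -ab': who owns the listening socket?
            $listeners = Get-NetTCPConnection -LocalPort $proxyPort -State Listen `
                                              -ErrorAction SilentlyContinue
            if ($listeners) {
                foreach ($l in $listeners) {
                    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
                    Write-Warning ("Port {0} is held by PID {1} ({2}) at {3}" -f `
                        $proxyPort, $l.OwningProcess, $proc.ProcessName, $proc.Path)
                }
            } else {
                Write-Host "Nothing listens on port $proxyPort; the registry entries are stale."
            }
        } else {
            Write-Host "Proxy $hostPort is not loopback; confirm it is one you configured."
        }
    }
} else {
    Write-Host 'No user-level proxy is enabled.'
}

# Cleanup once you have confirmed the values are not yours (mirrors the manual fix
# in the thread). Uncomment to apply:
# Remove-ItemProperty -Path $regPath -Name ProxyServer, ProxyOverride -ErrorAction SilentlyContinue
# Set-ItemProperty    -Path $regPath -Name ProxyEnable -Value 0
```

A listener on the port after the registry entries are gone is the case Brewdude describes, and the owning process path tells you what to hand to the malware scanner.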

pendell
2010-08-03, 01:08 PM
Thanks!

Respectfully,

Brian P.

Cealocanth
2010-08-03, 09:33 PM
Sounds like you had a terrible, horrible, no good, very bad day.

Sorry man, happens to the best of us.