Action stations
The problem with this sort of infection is that, even if you're reasonably careful about what you run and where you go online, there's still a strong likelihood that sooner or later you're going to get hit by something really unpleasant and that, when it happens, you're going to be completely unprepared for it.
You can have all the antivirus you want; the AV people are still fighting a running battle against endlessly inventive dickheads who'll regularly get the upper hand in their ongoing quest to steal control of your PC.
One day you'll get unlucky and a shiny new piece of malware will sail through your antivirus without so much as a second thought – and I can guarantee that you absolutely won't have the tools you need to deal with it at hand.
So, I restarted in Safe Mode and ran a full AVG scan. It took over an hour and pulled up a few files for removal – files that it hadn't prevented from landing on my system in the first place, I might add. Once that was done I ran Microsoft's Malicious Software Removal tool, which had some good news and some bad news for me.
The good news was that it identified the culprit in reasonably short order. The bad news was that it couldn't actually do anything about it. Malicious Software Removal Tool? Malicious Software Identification and Removal If You're Lucky Tool, more like.
Then I had a brilliant idea – why not just run System Restore and roll the PC back to its blissful, uninfected state of a few days ago? A truly awesome idea, I'm sure you'll agree – or it was until I discovered that where there should have been a smorgasbord of restore points to choose from, there was nothing. This evil little bit of code had trashed them all.
Bigger guns
By now it was about two hours down the line and I was getting a bit cross. Everything in my limited antiviral arsenal had failed me and I still had a PC that was quarantined off from the rest of the world.
So, to my number one tip for dealing with viral armageddon: always make sure that you have a spare PC handy, because you're going to need it. And, with at least a name to pin on my special new malware chum, I got out the laptop and started researching.
I quickly discovered that the generally recommended course of action in this situation is to format your hard disk and then burn your PC just to be on the safe side. This seemed a little extreme, but thankfully there were other options on offer, the most promising of which was Malwarebytes Anti-Malware.
I downloaded it, copied it onto a flash drive and over to the PC, where I ran it – only to discover that it insisted on downloading an update. To hell with it; I was getting tired and seriously annoyed by now, so I plugged the network cable back in and let it get on with updating itself.
Only it couldn't connect. It turns out that whoever coded my infestation had anticipated this particular move and was blocking access to the Malwarebytes site. You have to respect that kind of sheer malevolent ingenuity, don't you? I mean, I'd still happily waterboard the culprits, but I'd respect them at the same time.
However, what they didn't anticipate was me finding Google's cached version of the page, where the latest update lived, nabbing it from there and then applying it manually, so perhaps a little less respect is due. Patch applied, I pulled the network cable out again, set Malwarebytes to work and had some dinner.
By the time I returned to my desk, Malwarebytes had done a lot of cleaning and appeared to have caught and cleaned everything. Everything, that is, except for our old friend, the indestructible JimMcCauley.exe.
Deleting locked files
But Malwarebytes had another trick up its sleeve; alongside its standard Sweep and Clear mode, tucked away in its More Tools section was the impressive-sounding FileASSASSIN. FileASSASSIN, I was told, can delete locked files on your system, so I gave it a shot. I pointed it at my evil digital namesake and with a couple of clicks it was assassinated.
Job done? Nearly. Just to be on the safe side, I ran HijackThis and had a quick comb through the registry to check for anything untoward, before restarting and then, to be on the extra safe side, I downloaded Sophos's Anti-Rootkit app and let it give my PC a good once-over.
Clean as a whistle, as demonstrated when I opened a new command line window, ran Netstat again and found that all those Russian mailserver connections were gone forever. After five hours I finally relaxed and poured myself a very large glass of wine.
Live and don't learn
So then, what have we learned? Most importantly, don't ever believe that you're fully protected. The only truly secure system is one that's not connected to anything; beyond that you're taking your chances. And to be honest I'd rather not submit to layer upon layer of unnecessary security, so despite what happened, my settings remain unchanged.
I do, however, have Malwarebytes ready and waiting on my desktop, so I can sleep soundly in the knowledge that should I get hit again sometime in the future… Well, I'll probably have a new PC by then and I'll have forgotten to reinstall the software, so I expect I'll be just as boned. So it goes.
