Category Archives: Virus Removal

The Devil Made Me Do It

Remember Flip Wilson and his skit where he said “The Devil Made Me Do It?” Well, I can’t help but think of that whenever I hear someone reacting to a pop-up on their screen.

First, I thought pop-ups were all but gone.  You used to go to a particular site and suddenly like 50 windows would pop open – mostly pictures or ads.  Once browsers became more intelligent, they caught all of that in the background and we really didn’t notice them anymore.  The new pop-ups are more insidious than those.  They are in the form of message boxes, chat-looking windows sitting just off the screen, or nasty skull-and-crossbones warning messages telling you that you are infected or that something awful has happened to your computer.  Personally, whenever I do see one of these messages I usually investigate it a little, trying to see where the message is coming from, or instead I just open up Task Manager and kill all of my Chrome or Internet Explorer tasks and start over.

What I am actually surprised about, however, is the number of people who follow up with whatever the message told them to do.   I was involved in two similar stories lately and heard about a third.  The first two were almost identical.  The user sees a popup telling them something is wrong or that their banking password is goofed up or that they have some similar issue, but instead of closing out the browser or just turning off their machines, both people actually called the number on the screen!  The first case ended with “someone moving my mouse all around and then my machine wouldn’t boot up anymore” and the second ended with “the guy was in my machine working and said I needed to pay him $300 to finish up”.  While I know you might be thinking this really can’t happen, let me assure you – both of these really happened.  I couldn’t believe what I was hearing.

Here are two 30,000-foot tips for most users:

#1 – NEVER call numbers that randomly pop up on your screen.  Who does that?  Microsoft isn’t going to ask you to call them for anything.  It’s probably not them.

#2 – DON’T let people into your computer if you don’t know who they are.  I really wasn’t even up on the idea that random strangers could get into your system in the first place.  Certainly, I’ve used remote access software before, but I didn’t really expect people to randomly connect.  If you ever get a notice like this and you don’t know the person – DON’T let them connect to your computer.   You can always hit the power switch in a pinch if you can’t otherwise disconnect them.

Vista BSOD ATAPORT.SYS hang on CRCDISK.SYS

What a nice cryptic name for a blog post!  If you found this via a search, then I’m sorry for you.  This was a really, REALLY frustrating problem.

Symptoms Prior: Browser would randomly bring up an ad filled website which is obviously a virus of some kind.

I treated the system with scans by Spybot, Microsoft Security Essentials (which was installed) and AdAware.  They said everything was fine.  I felt better.  Maybe it was just some script in Firefox?   I did find that my firewall was disabled, which was odd.  I turned it back on and shortly after, I had:

New Symptoms: a BSOD (Blue Screen of Death) relating to ATAPORT.SYS.  It cycled like this for a bit and I attempted to go into safe mode.  Safe mode hangs up every time at CRCDISK.SYS.

After a few articles – everyone is convinced the hard drive is bad.  I took the drive out and put it on a USB/SATA adapter on another machine and ran chkdsk.  The hard drive appears fine – survived all five levels of CHKDSK.

I found this article: http://forums.techarena.in/operating-systems/1127074.htm

and followed it.  Removing the files isn’t easy since Vista protects them, so you have to use advanced security to “TAKE OWNERSHIP” of each file, then give yourself permissions, and then you can delete them.  Took a while, but I had high hopes.  (Note: if you are doing this from XP, you have to turn on ADVANCED Security.  I’d never heard of this option until running through this procedure.)

[How to disable simple security in XP:

  1. Click Start, and then click My Computer.
  2. On the Tools menu, click Folder Options.
  3. Click the View tab.
  4. In the Advanced Settings section, click to clear the Use simple file sharing (Recommended) check box.
  5. Click OK.]
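The take-ownership / grant-permissions / delete sequence described above can be scripted so that every step is checked and a copy of the file is kept before it disappears. The script below is an added example, not code from the original post or from the linked forum thread. It assumes an elevated PowerShell 3-or-later session on a Vista-or-later host (takeown.exe and icacls.exe ship with those versions; XP only has cacls.exe), and that the suspect drive is attached, for instance through the USB/SATA adapter, under the drive letter used in the path.

```powershell
# Added example (not from the original post): script the "take ownership,
# give yourself permissions, delete" steps for a protected file on a drive
# attached to another machine, keeping a hashed backup copy first.
# Assumptions: elevated PowerShell 3+ on a Vista-or-later host, and the suspect
# drive is mounted under the drive letter used in $Path.
function Remove-ProtectedFile {
    param(
        [Parameter(Mandatory = $true)][string]$Path,          # file on the attached drive
        [Parameter(Mandatory = $true)][string]$QuarantineDir  # where the backup copy goes
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }

    # Step 1: take ownership (what the Advanced Security > Owner tab does by hand).
    & takeown.exe /F $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown failed for $Path (exit $LASTEXITCODE)" }

    # Step 2: grant the current account Full control on the file.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    & icacls.exe $Path /grant "${me}:F" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path (exit $LASTEXITCODE)" }

    # Step 3: keep a copy plus its SHA-256 before anything is deleted, so the
    # change can be undone and the sample can be handed to a scanner later.
    New-Item -ItemType Directory -Force -Path $QuarantineDir | Out-Null
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ([System.BitConverter]::ToString(
                $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path)))) -replace '-', ''
    $dest = Join-Path $QuarantineDir ("{0}.{1}.bak" -f (Split-Path -Leaf $Path), $hash.Substring(0, 12))
    Copy-Item -LiteralPath $Path -Destination $dest -Force

    # Step 4: now the delete that Explorer refused earlier goes through.
    Remove-Item -LiteralPath $Path -Force

    [pscustomobject]@{ Removed = $Path; Quarantined = $dest; SHA256 = $hash }
}

# Usage (the E: drive letter and the quarantine folder are assumptions for this example):
# Remove-ProtectedFile -Path 'E:\Windows\System32\drivers\tunnel.sys' -QuarantineDir 'C:\quarantine'
```

Because the file is on a drive from another install, the owner SID it carries is unknown to the helper machine, which is exactly why takeown is needed before icacls will accept the grant. The backup copy matters for the reason the rest of the post illustrates: a system driver removed by hand may turn out to be a legitimate file that SFC later restores anyway.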

Plugged the drive back into the laptop – no difference.  Exact same lock up at CRCDISK and in non-safe mode, gets almost booted up and I get a BSOD with ATAPORT.

After more articles, I found that it isn’t CRCDISK.SYS causing the problem, it’s whatever driver is loaded AFTER CRCDISK.SYS.  I tried a boot-logged bootup and found that TUNNEL.SYS comes after CRCDISK.SYS.  I actually don’t know if the log I found was the one I just created because it always locked up right there and the log I found was from a complete bootup.  In any case, I researched TUNNEL.SYS and found it is sometimes infected with a virus.  I used the USB adapter again to locate TUNNEL.SYS and replaced it with another one on the drive.  Yes, probably dangerous – but did it really matter at this point since I was facing a complete reinstall (and trying to avoid that)?  I booted in SAFE mode and TA DA – no difference.

I booted the Vista CD again and was able to get to the command prompt and ran the SFC /SCANNOW (I’ve never used this).  It took a while and said it repaired some files.  I checked the log and it turns out, it corrected TUNNEL.SYS.  Now, did it just put the same one back?  I don’t know, but I rebooted into safe mode and it made it.  Unbelievable.
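The boot-log step above leaves two questions open: was the log really from the boot that hung, and which driver comes right after CRCDISK.SYS in a boot that completed? Windows appends a new session to ntbtlog.txt on every logged boot, so both can be answered from one file. The script below is an added example, not code from the original post. It assumes boot logging was switched on with `bcdedit /set {default} bootlog yes`, that the log is read from the attached drive (the file lives at %SystemRoot%\ntbtlog.txt), and that each session begins with a "Microsoft (R) Windows ..." header line; the sample log at the end is constructed for the example, using the driver names from this post, and is not a real capture.

```powershell
# Added example (not from the original post): split a Vista boot log into
# per-boot sessions, check whether the newest session stopped at CRCDISK.SYS,
# and report the driver that loaded right after it in a boot that got further.
# Assumption about the file format: each logged boot appends a session that
# starts with a "Microsoft (R) Windows ..." header line.
function Split-BootLogSessions {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    $sessions = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^Microsoft .*Windows') {                  # header = new boot
            if ($null -ne $current) { $sessions += , $current.ToArray() }
            $current = New-Object 'System.Collections.Generic.List[string]'
        }
        if ($null -ne $current) { $current.Add($line) }
    }
    if ($null -ne $current) { $sessions += , $current.ToArray() }
    return , $sessions
}

function Get-LoadedDrivers {
    param([Parameter(Mandatory = $true)][string[]]$SessionLines)
    # Only the "Loaded driver" lines, in load order; "Did not load" lines are skipped.
    return @($SessionLines | Where-Object { $_ -match '^Loaded driver ' } |
             ForEach-Object { ($_ -replace '^Loaded driver ', '').Trim() })
}

function Find-HangingDriver {
    param(
        [Parameter(Mandatory = $true)][string[]]$LogLines,
        [string]$LastGoodDriver = 'crcdisk.sys'
    )
    $pattern  = [regex]::Escape($LastGoodDriver) + '$'
    $sessions = Split-BootLogSessions -Lines $LogLines

    # Did the most recent logged boot end on the "last good" driver?
    $lastLoaded  = Get-LoadedDrivers -SessionLines $sessions[-1]
    $stoppedHere = ($lastLoaded.Count -gt 0) -and ($lastLoaded[-1] -match $pattern)

    # Walk sessions newest-first for one that got PAST the last good driver; the
    # entry right after it is the driver that never got to write its own line.
    $next = $null
    for ($s = $sessions.Count - 1; $s -ge 0; $s--) {
        $loaded = Get-LoadedDrivers -SessionLines $sessions[$s]
        for ($i = 0; $i -lt $loaded.Count - 1; $i++) {
            if ($loaded[$i] -match $pattern) { $next = $loaded[$i + 1]; break }
        }
        if ($next) { break }
    }
    [pscustomobject]@{
        LastSessionStoppedAtLastGood = [bool]$stoppedHere
        DriverLoadedAfterLastGood    = $next
    }
}

# Constructed sample log (not a real ntbtlog.txt): an earlier boot that
# completed, then the boot that hung. Driver names are the ones in the post.
$sample = @(
    'Microsoft (R) Windows (R) Version 6.0 (Build 6002)',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\system32\DRIVERS\disk.sys',
    'Loaded driver \SystemRoot\system32\DRIVERS\crcdisk.sys',
    'Loaded driver \SystemRoot\system32\DRIVERS\tunnel.sys',
    'Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys',
    'Microsoft (R) Windows (R) Version 6.0 (Build 6002)',
    'Loaded driver \SystemRoot\system32\ntoskrnl.exe',
    'Loaded driver \SystemRoot\system32\DRIVERS\crcdisk.sys'
)
Find-HangingDriver -LogLines $sample
# Real use (E: is an assumed drive letter for the attached disk):
# Find-HangingDriver -LogLines (Get-Content 'E:\Windows\ntbtlog.txt')
```

On the sample, the result reports that the newest session stopped at crcdisk.sys and that tunnel.sys was the next driver in the completed boot, which is the inference the post makes by hand. When the SFC step is run from the install CD's command prompt against the installation on the disk rather than the booted one, it needs the offline switches, `sfc /scannow /offbootdir=E:\ /offwindir=E:\Windows` (drive letter assumed), otherwise it scans the recovery environment instead.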

I had downloaded another scanner that looks for TDSS called TDSSKILLER which I had also come across in the 50+ articles I read.  I followed the instructions and I had the TDSS virus.  UGH!  But it all made sense.  It cleared it and now the system booted up normally – not in safe mode.

I ran Spybot again and it found a few random files which it fixed. 

So TDSS is the culprit – it was not a bad drive (which I read so much about) and it wasn’t the SATA interface (which I read so much about).  Just another old virus. 

What I learned:

  1. Download all the latest virus scanners (including rootkit scanners) before you need them – put them on a USB drive.
  2. Make sure you have some method of reading your drives on another machine.  I usually have no problem with IDE, but I had to buy this SATA cable which was only $29 at Best Buy (you can get them online cheaper).  (Honestly – I’ve had machines that wouldn’t boot, and running a CHKDSK on my drives on another machine works 90% of the time.)
  3. Don’t stop reading after one article (including this one).  It’s certainly possible that your problem, while it looks JUST LIKE this one, might be different.
  4. Learn how to take ownership of files and change security.
  5. People who create viruses might be smart – but they actually suck.  The fact that SpyBot years ago used to search for about 45k issues and now it looks for 750k issues – I mean really – is this the future we were looking towards?