Wednesday, February 25, 2009

Trojan.Refpron, soxpeca, svchost.exe errors and other nasty stuff

On Friday, Feb 20th, my computer blew up. And as late as today, I am, figuratively speaking, still pulling shards of motherboard from my face, and digging out bits of memory chips from the walls. At first I blamed entrecard & the blogs associated with it, because that was what I was doing when all this began. Turns out I was probably wrong. The further away you get from an event, the more you know about what happened (this is the history major in me). So, now that stability hopefully reigns again in my computer world, I'll attempt to relate, at a more or less high level, what happened. A detail-by-detail blow would be much too long, and draining to go through.

Just for reference, I have an old HP Pavilion desktop, running Windows XP & I use Internet Explorer 7. We have a wireless network set up, used by two desktops and occasionally a laptop.

My wife and I run a little eBay business. We use a site called "Auctiva" to host our pictures, create & schedule the listings and such. This has saved hundreds of dollars over time, because eBay used to charge for extra pictures, and still charges for scheduling listings. So, the morning of the 20th was a normal morning. I was editing and uploading pictures for the items (postcards and photographs) we were listing, Patti Anne was writing the initial descriptions, then I'd give them a once-over for errors etc, and schedule them to be listed. On my end everything was working fine, but Miss Patti was noticing strange things on Auctiva. Response was slow, she was getting strange messages asking her to open Real Player (there should be no reason to open Real Player in this process), download stuff and other unusual messages. She mentioned that she thought Auctiva was having problems, and suggested we might want to stop using it for the time being. So we did - and we did not list anything on Friday.

Later that afternoon I got out on entrecard and was dropping & had plans to update my blogs when the computer froze up. No response to anything. So I punched the button and rebooted. I didn't think it was going to come back up. When it finally did, there was no response when I clicked my desktop icons. So I booted again. When it came up this time, things responded, but I started getting some ugly messages. The first was "Generic Host Process for Win32 Services has encountered an error and needs to close. We are sorry for the inconvenience." I thought, WTF? Another message on the heels of this, which I think may be related, was, "svchost.exe - the exception breakpoint. A breakpoint has been reached. The instruction 0x66fd6dc8 referenced memory at 0x00000000. The memory could not be written". Another WTF moment. Both of these messages knocked me out of the water; the computer would stop responding. I had never, in my years of using this computer, received either of these messages before.

I run Norton 360, which is a resource hog, but it's what I have, and at this point it had not alerted me to any problems. I looked at my processes, and noted a process called "soxpeca.exe", that I had not seen before. I googled it, and found that it was a nasty thing to have on your computer, and needed to be removed asap. I had no idea how it got there. I ran a "smart" scan, then a "full scan". Norton scanned soxpeca - I saw it. It did not see it as a threat, all it found was a couple of tracking cookies.

Meanwhile, whenever I went online, I was guaranteed to get a svchost breakpoint error or a Win32 error. So I thought I'd reboot in safe mode, and try to get rid of soxpeca once and for all, though I wasn't quite sure yet how. (I thought they might be related problems - I still don't know if they are or not). Well somehow I screwed that up, but I did have an option to reboot in "the last known good configuration", which I did. That may have been a mistake, I don't know, but things did seem stable for a while. Later I found that the computer had lost all its system restore points. I don't know if what I did wiped them out or if the malware wiped them out.

Fast forward to Saturday. Saturday I logged on to Auctiva and scheduled all our listings to post to eBay. Shouldn't have. I went out to entrecard again, and that's when Norton started yelling at me. It found in quick succession while running in the background, the following malware, and told me to reboot: Downloader, Trojan.zlob, Bloodhound.Sonar.1 (twice). So I rebooted 3 times in the space of 30 minutes or so. I looked and soxpeca.exe was running again. I ended it, but I knew it would come back. I ran a full Norton scan, Spybot Search & Destroy, Windows Defender (full scan), none found anything worth mentioning. This took hours, by the way. And if I tried to go online, I had to deal with the svchost errors. Sigh.

At some point we received an announcement from Auctiva that their servers were experiencing problems, and they were running on fewer servers than normal. Later, we received another announcement saying that they were experiencing malware attacks, and had taken the affected servers offline. Later we received another announcement saying that they had taken the whole site offline until they could solve the problem. I think I know where my trojans and viruses came from. And forgive me entrecard community, for my evil thoughts.

Fast forward to Sunday: Patti Anne and I both have computer backgrounds, and she's especially good at digging out & fixing problems. She did her research and found that soxpeca.exe is associated with Trojan.Refpron, and it is bad, bad, bad. She also found that some free software called Malwarebytes Anti-Malware (MBAM) was successful at removing it. So she downloaded it and ran the "quick scan", and it caught Trojan.Refpron. We checked the running processes and soxpeca.exe is no longer there. Then we ran the full scan, and it came back clean.

Believe me, I've skipped over a lot here - Patti & I were at this for hours, and getting very close to giving up and taking the computer to a geek.

Well, the viruses and trojans seem to be gone at this point, but I'm still getting svchost or Win32 errors, every 5 to 8 minutes when I'm online.

Monday: We continued to research the svchost problem. Found a site called www.pchell.com, which addressed a very similar problem. It had clear concise directions for updating service settings, re-registering Windows Update DLLs, removing corrupted update files and so on. While Patti Anne went to a doctor's appointment, I whiled away the minutes following their steps. I was amazed that their instructions seemed to be perfect - usually the author manages to leave out a step or you don't get an expected response, or they make an assumption about your level of knowledge and you end up getting lost. But this worked fine - and it had me at the "C" prompt entering DOS commands, just like the old days. Felt good. Only problem was, it didn't work. After I was done, I went online, 8 minutes later, svchost.exe breakpoint error.

Patti Anne returns, and we have a good laugh about the pchell instructions. So she researched some more, and she found this - there is a setting in the bowels of the control panel which might stop this problem. So off to the control panel we go.

Go to: Control Panel, Performance & Maintenance, System, Advanced Tab, Performance Settings button, Data Execution Prevention Tab, Select the button for "Turn on DEP for all programs and services except those I select", check the box next to "Generic Host Process for Win32 Services". This seemed to solve the svchost.exe breakpoint, and the Win32 error problems. I don't know what the side effects are though, maybe none, but I don't know. I don't advise changing the default settings for this unless you have to.
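Added here as an audit script, not part of the original post: it reports the system-wide DEP policy and lists any programs excluded from it, so a change like the svchost exclusion above stays visible and can be reviewed later. It assumes a Windows host with PowerShell 3 or newer, and that the DEP tab records its exceptions under the AppCompatFlags\Layers registry key.

```powershell
# Added audit script (not from the original post). Reports the DEP policy and
# any per-program DEP exceptions so an exclusion like svchost.exe can be reviewed.
# Assumes PowerShell 3+; exceptions added via the DEP tab are stored under the
# AppCompatFlags\Layers key, one value per executable with data "DisableNXShowUI".

function Get-DepPolicy {
    # Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $names = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $code = [int]$os.DataExecutionPrevention_SupportPolicy
    [pscustomobject]@{
        PolicyCode = $code
        Policy     = $names[$code]
        # "Turn on DEP for all programs and services except those I select" is OptOut
        IsOptOut   = ($code -eq 3)
    }
}

function Get-DepExceptions {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match 'DisableNXShowUI') {
            [pscustomobject]@{ Program = $p.Name; Layers = $p.Value }
        }
    }
}

$policy = Get-DepPolicy
"DEP policy: $($policy.Policy) ($($policy.PolicyCode))"
$exceptions = @(Get-DepExceptions)
if ($exceptions.Count -eq 0) { 'No per-program DEP exceptions recorded.' }
foreach ($e in $exceptions) {
    # Flag the case from the post: the shared service host running without DEP
    $note = if ($e.Program -match '\\svchost\.exe$') { '  <-- service host excluded from DEP; review' } else { '' }
    "Excluded: $($e.Program)$note"
}
```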

Now, it's not lost on me that Patti Anne's computer is running just fine. We're on a wireless network, and I'm wondering why hers is running fine and mine is in a death struggle. It was very convenient to have her computer running, because a lot of the research we did was done there, since mine didn't function too well.

Tuesday: From Monday around 3 PM till Tuesday around 3 PM the old computer seemed to run fine. Very good response time, no problems. Then for some reason, Patti Anne could not print from her computer. The printer is physically attached to my computer, so I'm thinking, cripes. I booted again. After I came back up, guess what? Patti could print. But I took a Win32 error again, and had to reboot. I checked the setting in the control panel, and it was still checked, so I don't quite understand, and it scares me a little. Then Norton informed me that it had found something called "infostealer.gamepass" and I needed to reboot in order to complete the fix. Sigh. So I did. When it came back up I checked the control panel setting again - still set. I checked for soxpeca - not there. We ran a couple of programs to clean up registries, ran MBAM again, found nothing, ran Windows Defender, nothing again.

Wednesday - today: This morning, Norton found something it simply called "Trojan Horse". I had to reboot to remove it. Ran various quick & smart scans, came back clean. And Patti Anne decided it might be a good move to download & install Mozilla Firefox, and use that instead of IE7, at least for now. So that's what I'm using. It takes a little getting used to. But everything has been stable since this morning.

No svchost.exe or Win32 errors since yesterday. Hopefully tomorrow will be a virus/trojan/malware free day.

So, this is what we've been up to. I've learned stuff. One thing I learned is what a heuristic algorithm is, but I'll leave my thoughts on that for another day.

I hate computers. Almost as much as cars.

6 comments:

Ms. O. D. said...

All those scans and scans and reboots and reboots and scans and reboots and scans... reminded me of some of my own horrible experiences with windows. I'm so glad I left the windows world.

But welcome to firefox at least! Although for my entrecarding I specifically use Opera (seems much faster) and firefox for everything else.

Anonymous said...

What a saga, and the time factor must have been frustrating to say the least.

Anonymous said...

It has been one heck-of-a week, alright. I'm glad you married that smart little Patti Anne, though!
Well, hopefully, it's done and over with. Good write up and maybe it will help someone else!

Ivanhoe said...

Oh my! I would probably have given in already on Saturday and called the Geeks :o)
Hope it's the end of the trojan trouble for you!

A Valdese Blogger said...

Ms. O.D.: I wrote Opera down, maybe I'll try it. Right now I'm adjusting to Firefox - it's different enough that things aren't quite the same, if you know what I mean.

Martin: Frustrating is an apt description. Irritation is another one.

Patti Anne: Smart little Patti Anne. It was a lot of work, thanks!

Ivanhoe: If it hadn't been such an inconvenience to call a geek, we may have just done that.

Well, nothing bad has happened computer wise, since yesterday morning. Fingers are crossed. Thanks for all your comments!

Anonymous said...

A co-worker dropped off her computer and I started to work on it... that was last Thursday night. I have been running scan after scan including in safe mode and still every time I turn around there is another infected file. This time I have it down to the stinking Refpron trojan but like you have found, it is hard to do anything with. One thing I was able to do to get rid of the .dll error messages that popped up every time I rebooted or even the empty command line shell boxes that would replicate forever was run CCleaner. I ran the cleaner to empty all the temp files, etc but then I also ran the registry cleaner multiple times. Now I can reboot without the pop up error messages. But I still need to get rid of the trojan.

As to your comment about turning on DEP and the side effects. I used to run with DEP on all the time. The only real side effect will be when you try to launch a program and nothing happens, no error message no nothing. If that happens, then add that application as an exception and try launching it again. This will usually fix the problem.