Saturday, May 24, 2008

Computer hell

Friday night was a damn crummy night for me and my computers.

The first pile of crap I had to deal with was the 64-bit server version of Ubuntu. I have a powerhouse AMD X2 machine with 8GB of memory and 900 gigabytes of disk (500, 200 and 200). This machine will be dedicated to running VMware Server and various groups of virtual machines for development purposes. I had the new 8.04 LTS edition. I installed using LVM, leaving extra space for expansion of logical volumes if necessary.

The first problem was that GRUB wouldn't do anything. Reboot, black screen, nothing. I redid the installation with LILO instead, and things worked this time. It was a minor annoyance but foreshadowed pain to come. I needed a desktop for VMware, so I decided to try KDE by installing the kubuntu-desktop package. There were four warnings issued during the installation. When I rebooted, LILO simply puked a bunch of 99's on the screen and then died. Great. I'll try again later.

I just purchased a 24" wide-screen LCD to replace the LCD one of our cats puked on and rendered non-operational. One of the problems with the large surface area of the desktop is that the styles that come with Windows XP are dull and look like crap. Some people at work have some really nice desktops, so I figured I would find a nice theme online, install it and bask in my coolness.

I went to a place called ThemeXP. I'm not going to provide a link; you'll find out why later. I downloaded two themes in the form of executables. I assumed they were installers. When I tried installing them I was greeted by a pop-up window that explained these files had been "wrapped" and that you had to agree to services, etc. In short, the terms were of the "f***-no" variety.

I did some more investigation and found a link buried at the bottom that indicated some files were "wrapped" to offset operating costs through advertisements. Nice. We can really trust those advertisers. They have a stellar history of not trying to f*** over computer users. I cancelled the install and looked elsewhere. Then I noticed my hard drive just chattering away. Then AVG popped up a virus warning. I quickly pulled up a process list and killed an msin.tmp process that had been spawned by this "wrapper" program. More and more AVG pop-ups followed, each reporting a file infected with the Win32/Gaelicum.A virus. My hell was just beginning.

I unplugged the network cable and booted a clean machine while scanning the infected one. The Win32/Gaelicum.A virus is a nasty little bastard that infects .exe files and is network aware. Grisoft had a cleaner utility to download and run in safe mode. The problem, however, was that Grisoft's AVG anti-virus had moved all infected executables to its virus vault, including the executable that manages the virus vault. So I couldn't get the executables out of the vault to run the cleaner utility on them. Well, that was just great.

I had to sleep on it. I was beyond furious.

So how did I fix it? In short: remove the infected drive from the computer and place it in a portable enclosure. Attach that drive via USB to a clean computer running the same software, and from the clean machine copy the AVG and Windows executables, plus vcleaner, onto the infected drive (the infected drive is only ever a data disk at this point; nothing on it gets executed). Detach the drive, install it back into the original machine and boot. Run the virus vault utility and take the infected executables out of the vault. Reboot in safe mode, run vcleaner, reboot again, scan again, and finally test the executables.
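The step that made the recovery possible was having a second machine with the same software installed, so that the overwritten executables could be compared with, and replaced from, known-good copies. The script below is an added example, not part of the original post or of any AVG tooling: it walks the executables on a drive pulled from an infected machine and mounted on a clean one, hashes each against the file at the same relative path on the clean machine, overwrites the ones that differ, and reports the ones it has no clean copy for. The paths, the SHA-256 comparison and the sample files are all my assumptions; the "infection" in the sample is just appended bytes standing in for a file infector.

```python
"""
Added example (not from the original post): restore executables on a drive
pulled from an infected machine using known-good copies from a clean machine
that runs the same software, the recovery the post describes.

Assumptions (mine, not the post's):
  - the infected drive is attached to the clean machine and mounted at
    `infected_root`; nothing on it is executed;
  - `clean_root` is the same directory tree on the trusted machine, and the
    same relative path holds the same program version on both sides;
  - a file infector changes the bytes of every .exe it touches, so a SHA-256
    mismatch against the clean copy is enough to decide to restore it.
The script does not try to recognise the virus; it only restores files it
can compare against a clean copy and flags the ones it cannot.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extend this set if the infector also targets .scr, .dll, etc.
EXECUTABLE_SUFFIXES = {".exe"}


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def restore_executables(clean_root, infected_root, dry_run=True):
    """Compare every executable under infected_root with the same relative
    path under clean_root. Returns {relative_posix_path: status}, where status is
      'ok'            identical to the clean copy,
      'restored'      differed and was overwritten from the clean copy
                      (or would be, when dry_run=True),
      'no_clean_copy' nothing to compare against; still suspect, handle it
                      some other way (vault, reinstall, delete)."""
    clean_root, infected_root = Path(clean_root), Path(infected_root)
    results = {}
    for path in sorted(infected_root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXECUTABLE_SUFFIXES:
            continue
        rel = path.relative_to(infected_root)
        clean = clean_root / rel
        if not clean.is_file():
            results[rel.as_posix()] = "no_clean_copy"
            continue
        if sha256_of(clean) == sha256_of(path):
            results[rel.as_posix()] = "ok"
            continue
        if not dry_run:
            # copy2 keeps the clean file's timestamps; overwrite in place so the
            # installed program keeps working once the drive goes back.
            shutil.copy2(clean, path)
        results[rel.as_posix()] = "restored"
    return results


def build_demo(base):
    """Constructed sample data for an offline run: a small clean tree and an
    infected tree where one executable has bytes appended (a stand-in for a
    file infector, not the real virus), one is untouched, and one exists only
    on the infected side. Returns (clean_root, infected_root)."""
    base = Path(base)
    clean = base / "clean" / "Program Files" / "Tool"
    bad = base / "infected" / "Program Files" / "Tool"
    clean.mkdir(parents=True)
    bad.mkdir(parents=True)
    (clean / "tool.exe").write_bytes(b"MZ clean tool")
    (bad / "tool.exe").write_bytes(b"MZ clean tool" + b"\x90" * 16)  # tampered
    (clean / "helper.exe").write_bytes(b"MZ helper")
    (bad / "helper.exe").write_bytes(b"MZ helper")                   # untouched
    (bad / "unknown.exe").write_bytes(b"MZ something")               # no clean copy
    (bad / "readme.txt").write_text("not an executable")             # ignored
    return base / "clean", base / "infected"


def run_demo():
    """Run the constructed sample end to end.
    Returns (dry-run report, report after the real restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, infected_root = build_demo(tmp)
        before = restore_executables(clean_root, infected_root, dry_run=True)
        restore_executables(clean_root, infected_root, dry_run=False)
        after = restore_executables(clean_root, infected_root, dry_run=True)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("dry run :", before)
    print("restored:", after)
```

Run it first with dry_run=True and read the report; anything marked no_clean_copy is exactly the set of executables the post's author could not repair and had to reinstall, and it should be treated as still infected until replaced from installation media.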


Damage was minimal. Some things won't uninstall because their binaries are corrupt, and I had to reinstall 7-Zip.

I am a computer professional and I almost had my entire computer f***ed because I wanted a nicer looking desktop. A Windows XP visual style is a .theme file plus a .msstyles file, neither of which is a program; a theme that arrives as an .exe is a warning sign in itself. I sent a mail message to ThemeXP explaining what happened and haven't heard back from them. Rot in hell. There is so much garbage out there that if you see a screen saver, theme or program somewhere, just don't install it. Don't let your kids install screen savers or programs. If they do, then the punishment is no games and no Internet unless they need it for school. Don't let your parents click on things unless you put them there for them to click on. If you are using a work computer, just don't install anything, and if your employer blocks sites, don't bitch about it. Also, consider installing WOT (Web of Trust) or a similar browser plug-in.


Mongo said...

I just got the win32/gaelicum.a virus from themexp. It spread to all my hard drives and I lost permission to run anything. So I was not able to run a scan or anything. It also made it so I can not log in, and by that I mean I can get to the log in screen but as soon as I type in my password it says logging in then automatically logs me out. I managed to log into my computer in safe mode. Then I ran a scan using AVG; it said it found everything and cured all but 13, which it deleted. I restarted my computer after doing an additional scan, just to find out I still could not log in, so I tried again in safe mode... still could not log in. At this point I have no idea what to do. I have tried booting to my second hard drive and I have no luck. I am trying to avoid a complete system reformat. So if you can help me that would be really great.

Grouchy said...

My infected computer is still not one hundred percent functional. The only way I was able to recover was to get clean executables from a totally different computer with mostly the same software installed. I copied a small group of executables to the infected drive (attached via USB). If you do not have an uninfected computer to copy uninfected .exe files from, then you might need to re-install the operating system to a clean drive and then copy data files from the infected drive.

You should consider taking your computer to a professional support center. I got lucky that I was able to restore most functionality because I stopped the virus before it could infect all the executables on the computer and because I had another clean computer to help rebuild. As mentioned above, I could not repair everything.

Lynsay said...

Came across this site while trying to find more information on gaelicum.a because I had the same thing happen to me this morning as well. I was looking to change the look of my desktop so I went over to themexp and I did think it was odd that the theme files were .exe installers. Before installing them, I scanned the files with avg which seemed to say they were ok.

Soon after, I realised something was very wrong... every time I tried to open a program, a virus warning would appear. I ended up popping on to my other laptop and downloading VCleaner from the Grisoft website, rebooting the infected laptop into safe mode and running the file. Took ages but it seems like it's sorted (here's hoping anyway).

Grouchy said...

win32/gaelicum.a is definitely a bad one. It took VCleaner quite a while to clean everything out on a workstation, so I bet it took forever on a laptop. I hope your laptop recovers.

ThemeXP is blocked as a known distributor of malware both where I work and through the WOT (Web of Trust) Firefox plug-in. I hope the word is getting out that this site is bad. Of course, nothing is stopping them from simply registering another domain name and continuing with their distribution.