Friday 20 June 2008

Crazy ORZ - begone!

In the past few days, my Grisoft AVG started interrupting my work and browsing with alarming pop-ups saying "THREAT DETECTED!"

I immediately ran a full test scan (a long one), and was somewhat surprised that the test results showed no infection.
And yet the pop-ups continued to pester me... until today.

Because I never had any malware before - and because Grisoft is phasing out their wonderful free AVG program (updates will only be available until June 28) - at first I suspected that it was a cunning device by Grisoft to lure more paying customers. (Not nice of me, I know, I am very contrite.)

Then I ran one of my favourite (and regularly updated) applications: Spybot Search & Destroy.
Nothing.

Then I ran a full test at PC Pitstop (the OLD battery, I find it much better than the new Overdrive version)...

Aha!

There was no mention of any virus or malware on their list of programs and processes running on my PC - but there was an "unrecognised" program: ORZ.exe.

I ran a search to find out more about it.
It turned out to be a keylogger - a Trojan.

Aghh!

Not stopping to waste anger on my faithful daily "protectors" (AVG and S & D), I ran another search to find out how to remove it. A quick look at the various forums (I know: it should be fora, but this is no time to engage in dead-language speak, please!) showed that millions of computers have been affected by it since late May and (especially) early June - and the one thing that kept popping up was the supposed inability to remove it effectively.

There is nothing I enjoy more than a challenge - especially if I know I can win, relying on my own resources.

But it wasn't that difficult at all.

Here's what I did:

I used the Windows "search" function to find the EXE itself.
It was - as Orz is supposed to be - located in the Temp folder.
Obviously, I clicked on it and selected "delete".
It didn't work.

So I thought of renaming it - specifically, changing its extension.
I did: I changed it to BMP (don't ask why, it was the first one that came to mind).
And then, I tried to delete it again.
It didn't work. The file was reported to be "in use".
(It figures!)

So I renamed it again, this time to DOC.
Then I opened the newly created "document" and deleted everything in it (it wasn't actually readable, as you can imagine).
Then I tried to delete it.
Again, it didn't work.

So I did what you should NOT do (unless you're a dreadnought hothead fool like myself, obviously) and opened the registry (ran REGEDIT from the command prompt). I searched for "ORZ.", found a few entries, carefully read their data (location etc.), and deleted them.

Then I emptied the "bin" and ran another search on my PC, to find any other possible files with the name ORZ.*

There was the ORZ.doc (previously BMP) again!

So I did what I should have done many minutes earlier: I opened the Device Manager (hit CTRL + ALT and DEL at the same time) and checked the list of running processes...
There it was: ORZ.exe, as if I had never renamed it!

I terminated the process.
Then I tried deleting the renamed ORZ bugger - and this time, of course, it worked.

Then I emptied the trash again and ran another search to find any ORZ.* files on my PC.

None were found.
And the AVG has been keeping quiet ever since, too: no more pop-ups, no more "threat detected".
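The sequence above (find the running process, stop it, then delete the file, then check for leftovers) can be done in one go from an elevated Windows PowerShell 3.0+ prompt. The script below is an added example and not part of the original post: the image name orz.exe and the Temp folder come from the post, while the variable names, the two autostart Run keys it inspects and the -Remove switch are assumptions of this example. Without -Remove it only reports what it finds.

```powershell
# Added example, not code from the original post: a methodical version of the
# removal sequence the post describes, for Windows PowerShell 3.0 or later.
# The image name "orz.exe" and the Temp folder come from the post; the variable
# names, the two autostart Run keys checked and the -Remove switch are
# assumptions of this example. Without -Remove it only reports what it finds.
param(
    [string]$ImageName = 'orz.exe',
    [switch]$Remove
)

# 1. Running processes whose image name matches. Win32_Process gives the path the
#    executable was started from, which the post had to hunt for by hand.
#    The process list keeps the name the file had when it was launched, so a
#    renamed copy on disk still shows up here under its original name.
$procs = @(Get-CimInstance -ClassName Win32_Process |
    Where-Object { $_.Name -ieq $ImageName })
foreach ($p in $procs) {
    Write-Host ("Running  : PID {0,-6} {1}" -f $p.ProcessId, $p.ExecutablePath)
}

# 2. Copies of the file on disk. The post found it in the Temp folder; a renamed
#    copy (orz.bmp, orz.doc) is picked up by the wildcard as well.
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp')) | Select-Object -Unique
function Find-Copies {
    foreach ($d in $tempDirs) {
        if (Test-Path -LiteralPath $d) {
            Get-ChildItem -Path $d -Filter "$baseName.*" -File -Recurse -ErrorAction SilentlyContinue
        }
    }
}
$files = @(Find-Copies)
foreach ($f in $files) { Write-Host ("On disk  : {0}" -f $f.FullName) }

# 3. Autostart entries that point at the file. Searching the whole registry for
#    "ORZ." as the post did is slow and easy to get wrong; the per-user and
#    machine Run keys are where a Temp-folder executable is normally relaunched from.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path -LiteralPath $k)) { continue }
    $props = Get-ItemProperty -LiteralPath $k
    # Skip the PS* metadata properties the registry provider adds to every key.
    $values = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
    foreach ($v in $values) {
        if ("$($v.Value)" -imatch [regex]::Escape($baseName)) {
            Write-Host ("Autostart: {0}\{1} = {2}" -f $k, $v.Name, $v.Value)
            if ($Remove) { Remove-ItemProperty -LiteralPath $k -Name $v.Name }
        }
    }
}

# 4. Order matters: the "file in use" error the post hit is the running process
#    holding its own image open. Renaming does not release that handle;
#    terminating the process does, so stop first and delete second.
if ($Remove) {
    foreach ($p in $procs) { Stop-Process -Id $p.ProcessId -Force }
    if ($procs.Count -gt 0) { Start-Sleep -Seconds 2 }
    foreach ($f in $files) { Remove-Item -LiteralPath $f.FullName -Force }

    # 5. Re-check, as the post did with a second search.
    $left = @(Find-Copies)
    Write-Host ("Remaining copies: {0}" -f $left.Count)
}
```

The script matches on the file name only, which is all the post had to go on; it will not notice a copy that was dropped under a different name or started from a folder other than Temp, so the AV scan and the process list are still worth a second look after it has run.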

I hope you find this rambling of some use.

And remember: if you're looking for advice on removing ORZ today but you only find this entry a week from now, thank Google's snail-paced crawl for it...

IMPORTANT:

I am NOT recommending that anyone proceed as described in this entry. If you do so and something - anything - goes wrong, do not blame me.

7 comments:

Adam said...

I had orz.exe on my computer today. I could easily delete it by going to the temp folder and clicking delete, but I couldn't delete it from my antivirus program. Luckily my orz didn't run, so it was easy to delete, but one time I couldn't delete a virus file in use because my virus scanner was repeatedly trying to clean it and kept on failing. I disabled my AV software and I could delete it easily. Sometimes those antivirus programs can be really stupid.

Anonymous said...

Zone Alarm notified me that orz.exe was trying to access the internet - my first inkling that it existed. (NOTE: had run virus and spyware scans the night before and found no threats.) Naturally, I denied internet access and went hunting. Found the offender, failed to delete it, went online, and eventually found your advisory - the ONLY useful one in 2 Google pages! THANKS! And congratulations on your excellent writing style.
I am now encouraged to spend more time exploring your site, but I wanted to express my appreciation first. Keep up the good work.
Best wishes, RJP

Anonymous said...

thank you for the help!! :)

Erin Bishop said...

I just had this same experience, thanks very much for your efforts in explaining your solution....

Myosotis said...

Brayman, Erin, Adam, kind Anonymous - thank you all SO MUCH for dropping by! ;)

Believe it or not, we had forgotten about the comment options.

So, we're not really asocial - just senile! -;)

Thanks for reading!
It makes it all worthwhile.

Anonymous said...

I can't thank you enough!!! Much appreciated! Yes, after 2 pages of nonsense, your page and comments were the only thing that helped! Now I can say,.... finally,... orz begone!

Take care, and again, thanks.

PostalCraig

Myosotis said...

PostalCraig (and all others):
you people really warm my heart! No, really. I am so glad that at least I wrote SOMETHING that could be of use to someone else besides me.

Thank you for telling me, folks. ;)

And take good care of yourselves!