Malware Infestations

September 21, 2007 at 10:29 pm (Links)

A friend of a friend asked me (actually they asked my wife to ask me) to ‘clean up’ a computer that they had so that their daughter could use it for school stuff.  It was a relatively new machine, but was running VERY slowly – and was making quite a few attempts to load pop-ups from the internet.  I typically poke around a bit on any computer that I’m working on before I plug it into my network, and in this case I’m glad that I did.

The first clue that I had was that there were frequent messages asking if I wanted to connect to the internet.  This is usually caused by some kind of malware trying to phone home, or retrieve a new ad to pop up.  I checked the task list, and killed what I could – some of the nasties just wouldn’t die.  The machine’s drive was running constantly – probably because of all the garbage running, and the machine only had 128 MB of RAM.  Under normal circumstances (probably normal for other people – never, it seems, for me) the best course would have been to nuke from orbit and start fresh.  Unfortunately, they didn’t have the restore or OS discs, so I was forced to repair it.

I started by running the uninstall for the ones that were nice enough to provide one, and then removed the expired antivirus software.  I then installed AVG, updated it, and ran a full scan.

Here are the results from the first AVG scan – I’ve NEVER seen anything quite this bad before

That’s 95 threats – a total of 58 different malware apps.  AVG cleaned most of them with no problem.  There were a few that ‘outsmarted’ its clean mechanism – this time.

I ran the scan again in safe mode and cleaned another dozen problems, leaving only three nasties.  To kill them, I had to boot the machine from a Linux live CD, mount the NTFS drive, and delete the offending files. Booting back into Windows, the next AVG scan came up clean – on to the lighter-weight stuff.

I installed &amp; updated Spybot.  Here are the results from the first scan.

A few of the items it found were left-over registry entries from what had already been cleaned – but there were still over 50 files containing malware of one form or another.  It was able to clean fewer than ten of them successfully.  Back into safe mode, scan again.

Wow – only 46 remained.  Spybot said that it had removed them, and an immediate scan showed clean, but when I rebooted, about 15 had come back.  No problem – I had written down the file names – so I booted from CD again and killed them manually.  When I booted back into Windows they were still there – so something was checking for them and re-creating them at boot.  No problem – I’ve got a few more tools that I can use…

I next installed Ad-Aware and ran a scan.  It came up with 63 critical objects.

Again, it claimed to clean them all, but a reboot put some of them back again.  Here are the results of the next Ad-Aware scan.

OK – I was getting annoyed with it now.  I wandered through the registry, and found a few autorun entries that were being kicked off every time the machine booted. I changed the entries to point at a non-existent file name, and rebooted again.  That did the trick for all but one.

My next step was to run RootkitRevealer – which showed not one, but two different rootkits.  The file names were apparently being randomly generated and changed every boot.  I was able to kill those by booting from CD and deleting the files.

Another reboot, and a re-run of all the anti-virus/anti-spyware scanners turned up nothing.  RootkitRevealer still showed a problem.   I booted from CD again, and the files were once again there.  I killed the file, and renamed the registry entry that was calling it.  A quick scan in safe mode showed everything fine, but when Windows was started normally, they were back.

At this point, I was irritated.  There was NO WAY some stupid virus was going to beat me.

To make an already long story at least a little shorter – the culprit was the simplest one I’ve come across – and the automated scanners didn’t catch it.  The nasty little critter had installed a blank-titled shortcut in the Startup folder (it looked like a blank line) that ran a batch file that checked for the existence of several of the executables.  If they weren’t found, it kicked off a reinstallation script.  Wonderfully elegant – so simple, and yet so effective.  I admired it for a picosecond and then killed every file referenced by the batch file – replacing them with 0-byte files with the same names, just in case (if the watchdog ever ran again, its existence check would pass and nothing would be reinstalled).
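The two places this infection kept coming back from, the Startup folder and the registry autorun entries, can be inventoried in a few lines, and that inventory is what catches a blank-named shortcut that the scanners walk past. The PowerShell script below is an added example, not something from the original post: it lists every file in the per-user and all-users Startup folders (resolving the target of each .lnk), lists every Run/RunOnce value under HKCU and HKLM, and flags the signs described above: a blank or non-printing shortcut name, a batch or script file as the target, an interpreter such as cmd.exe being handed arguments, a target in a user-writable location, and a target that no longer exists (an entry whose file you have already deleted, with the launcher still in place, is exactly the re-creation loop waiting for its next boot). The function names and the "suspicious" heuristics are my own assumptions, not a detection standard, so read the output rather than acting on it blindly.

```powershell
# Added example (not from the original post): inventory the autorun locations the
# cleanup above kept fighting with, the Startup folders and the Run/RunOnce keys,
# and flag entries that look like the persistence pattern described.
# The heuristics in Test-SuspiciousAutorun are assumptions, not a detection standard.

function Split-AutorunCommand {
    param([string]$Command)
    # Separate the program from its arguments, handling quoted paths and %VAR% expansion.
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"\s*(.*)$') { return @($Matches[1], $Matches[2]) }
    $parts = $c -split '\s+', 2
    if ($parts.Count -eq 2) { return @($parts[0], $parts[1]) }
    return @($parts[0], '')
}

function Test-SuspiciousAutorun {
    param([string]$Name, [string]$Target, [string]$Arguments)
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($Name)) { $reasons += 'blank name' }
    elseif ($Name -match '[^\x20-\x7E]') { $reasons += 'non-printing characters in name' }
    if ($Target -match '\.(bat|cmd|vbs|js|wsf)$') { $reasons += 'batch/script target' }
    if ($Target -match '\\(cmd|wscript|cscript)\.exe$' -and $Arguments) {
        $reasons += "interpreter launching: $Arguments"
    }
    if ($Target -match '\\(Temp|AppData|Application Data|Local Settings)\\') {
        $reasons += 'user-writable location'
    }
    # A target that no longer exists is what a re-creation loop is waiting to restore.
    if ($Target) {
        $exists = if ([IO.Path]::IsPathRooted($Target)) { Test-Path -LiteralPath $Target }
                  else { [bool](Get-Command $Target -ErrorAction SilentlyContinue) }
        if (-not $exists) { $reasons += 'target missing' }
    }
    return $reasons
}

function Get-AutorunInventory {
    $items = @()
    $shell = New-Object -ComObject WScript.Shell

    # 1. Per-user and all-users Startup folders: every file here runs at logon,
    #    shortcut or not, so resolve .lnk targets and list the rest as-is.
    $folders = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        $files = Get-ChildItem -LiteralPath $folder -Force |
                 Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' }
        foreach ($f in $files) {
            if ($f.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($f.FullName)
                $target    = $lnk.TargetPath
                $arguments = $lnk.Arguments
            } else {
                $target    = $f.FullName
                $arguments = ''
            }
            $items += New-Object PSObject -Property @{
                Source  = $folder
                Name    = $f.BaseName
                Target  = $target
                Args    = $arguments
                Reasons = (Test-SuspiciousAutorun $f.BaseName $target $arguments) -join '; '
            }
        }
    }

    # 2. Run and RunOnce keys for the current user and for the machine.
    $keys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe, $arguments = Split-AutorunCommand ([string]$prop.Value)
            $items += New-Object PSObject -Property @{
                Source  = $key
                Name    = $prop.Name
                Target  = $exe
                Args    = $arguments
                Reasons = (Test-SuspiciousAutorun $prop.Name $exe $arguments) -join '; '
            }
        }
    }
    return $items
}

$inventory = Get-AutorunInventory
$inventory | Format-Table Source, Name, Target, Reasons -AutoSize
''
'Flagged entries:'
$inventory | Where-Object { $_.Reasons } | Format-List Source, Name, Target, Args, Reasons
```

Run it from an elevated PowerShell prompt so the HKLM keys and the all-users Startup folder are readable. A shortcut whose name shows as blank in Explorer shows up here with its resolved target, which is the batch file you then need to read; anything it reinstalls should be deleted while booted from CD, as above, and not while the launcher is still live. This only covers the two locations the post is about; Sysinternals Autoruns (from the same people as RootkitRevealer) covers services, drivers, Winlogon entries, scheduled tasks and many more, and is the tool to reach for when this inventory comes back clean but something still returns at boot.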

A reboot and full scans showed everything was finally clear.  I rebooted and scanned twice more before I finally believed it.  The machine runs a lot faster too.

So – this was a bit more technical than I usually blog – but it should show you a few things:

  • ALWAYS have the system restore discs available
  • KEEP your antivirus up to date
  • BE CAREFUL with what you download – some of these viruses came with a screensaver and a desktop weather alert
  • SCAN REGULARLY – preferably with more than one app
  • BE NICE to your geek – you never know when you’re going to need them

4 Comments

  1. Elaine said,

    I thought that I had replied last night but I guess it got lost in cyber space so I’ll try again.

    That computer was really messed up, not as bad as the one w/all the bugs though. 😛 Glad that you were able to get it back to where it needed to be.

    I do try to do what you recommend here but have a couple of questions for you:
    1) What do you recommend for scanning programs? Both my hubby and son get very irritated when the computer that they are working on is slowed down by scanning and security programs. At this time we’re using Norton’s Internet Security, not System Works though.

    2) What other programs do you consider to be essential to a well running computer and are any of them easily available?

    Thanks for any help that you can offer.

  2. capitalggeek said,

    As a general rule, I only suggest free software (I’m a serious frugal-skate).

    For antivirus, AVG-free available from http://www.grisoft.com is good.
    For anti-spyware, Spybot from http://www.safer-networking.org/en/index.html as well as AD-Aware from http://www.lavasoftusa.com/products/ad_aware_free.php .

    I’ve found that you really need multiple spyware/adware removers, as they all seem to miss some that others find.

    The BEST protection is to be VERY careful what is done online – unsavory sites (pornography &amp; gambling) tend to cause a lot of problems. Warez &amp; crack sites (pirated software) also tend to have malware. Many ‘free’ downloads are only ‘free’ because they come with other software that pays the way – typically adware that will ‘enhance your browsing by displaying context relevant ads’. With anything that you download – especially screensavers &amp; games, read the ENTIRE license agreement. If there is anything that sounds suspicious, don’t install it.

    You also should keep your machine updated with the latest patches from the OS manufacturer – Windows Update for Micro$oft products.

    As to speed problems, scans should be done when the computer will be idle. You can schedule the scans for a time that the computer isn’t being used, or in the case of adware/spyware scans, manually kick them off when the computer won’t be used for an hour or so.

  3. Elaine said,

    Thanks for the advice. I do appreciate it.

  4. ADRIAN said,

    it would seem in my travels that people have the best revelations from GOD
    at 3-4 am in the morning.
    don’t stop writing
