Last year, I wrote about the perils of being an IT professional – namely being expected to fix family and friends’ PCs for free… well, for the last 24 hours, I’ve been removing malware from what was possibly the worst-infected PC I’ve ever seen!
Some time ago, I gave an old laptop to my Mum and her partner as they wanted to learn to use e-mail and the Internet. I set them up with Windows XP, Firefox and Thunderbird (on reflection I should have used Outlook Express – it may be a poor e-mail client but it’s what all the text books for Windows XP will assume) and they have become quite attached to it.
At first they had a dial-up connection but they recently upgraded to high-speed ADSL (as did my in-laws… how come all the silver surfers in my family have a faster Internet connection than I do?) and that’s where the trouble started.
First of all “a friend” installed some software for them. Nothing unusual, just stuff to clog up a system that was never going to be very fast (an aging Compaq Evo N410c with a 1GHz Pentium 3 Mobile processor and 256MB RAM) – free stuff like Google Pack and AVG Anti-Virus software. I got a call to say the PC was taking an age to start up and when I investigated, I found that AVG was performing a full scan on startup (which was probably causing conflicts with the copy of Symantec AntiVirus that I had already installed). I removed the offending software and startup times returned to normal.
Then, today, I was told that the PC was reporting that it had a “Trojan” installed and it kept on opening adult websites. “Oh dear”, I thought… “bring it over and I’ll take a look”, I said.
First, I disconnected all of my other computers from the network! Next, I removed all the unnecessary software. Then, I connected to the Internet and ran the Windows Live OneCare Safety Scanner… except that after 6 minutes it was only 6% complete, so I left it for a couple of hours, ignoring the pop-ups which kept appearing (in spite of Internet Exploder Explorer 7’s pop-up blocker).
When I came back, there were 50 instances of Internet Explorer (IE) running – or more accurately 50 instances of IE that were hogging resources and had hung…
Time for plan B. Open Firefox and run Trend Micro HouseCall – using a non-Microsoft browser would mean no ActiveX and therefore I could safely crash IE if necessary without losing the results of the scan (HouseCall can use Java with browsers without ActiveX support). This time I stayed with the PC and was amazed at the popups that appeared – some of them could easily fool a novice user into thinking that they were real:
Fake security applications such as Live Safety Center, WinAntiVirusPro 2006 and DriveCleaner sound quite authentic really, as do notifications claiming to have detected fake malware such as Trojan-Spy.Win32@mx and NetWorm-i.Virus@fp, inviting the user to click and install “official security software”. Similarly, for many users, an ActiveX warning which reads “This website wants to install the following add-on: ‘WinAntiSpyware2007FreeInstall.cab’ from ‘WinSoftware Corporation, Inc.’. If you trust the website and the add-on and want to install it, click here.” would be pretty convincing.
Eventually, I realised that if I closed IE, leaving HouseCall running within Firefox, the popups stopped (although the fake notifications continued). Unfortunately, HouseCall failed at the cleaning stage, so time for plan C.
Plan C was to download, install and run AdAware SE Personal Edition. Normally this would have been the first tool I used but I figured that the malware on this system would detect something as well known as AdAware and prevent it from installing. Not so – after a few minutes it had identified 67 critical objects (including two Trojans with TAC ratings of 10) and cleaned them from the computer. Then, just to be sure, I restarted the system and ran AdAware again (just two critical objects this time). Then, I ran the Windows Live OneCare Safety Scanner again to give a full system check.
It took a few attempts to finally remove everything (as well as manually removing a suspect registry entry from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\ and running cleanmgr to launch the Windows XP Disk Cleanup utility and delete all but the most recent system restore points) but after getting the all clear from two separate tools, I was satisfied that the PC had been disinfected.
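Finding that suspect entry by hand meant opening regedit and reading each value; the following script is an added example (not part of the original post) that lists every value under the policies\explorer\run key mentioned above and the ordinary Run keys, and flags any whose target is missing or sits in a temp or profile folder, which is where browser-dropped malware usually lands. The list of suspect folders is an assumption for the example, not a rule from the post.

```powershell
# Added example: audit the autorun registry locations a browser-installed
# fake "security" product typically hooks. Read-only; it changes nothing.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption for this example: legitimate software rarely autostarts from here.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp")

function Get-AutorunEntry {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # Recover the executable path: quoted path first, else first token.
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^\s*(\S+)') { $Matches[1] }
                   else { $cmd }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            $reason = @()
            foreach ($root in $suspectRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $reason += "runs from $root"
                }
            }
            # A value whose target no longer exists is either leftover from a
            # half-finished clean-up or points at something hiding from the shell.
            if ($exe -and -not (Test-Path -LiteralPath $exe)) { $reason += 'target not found' }

            [PSCustomObject]@{
                Key     = $key
                Name    = $name
                Command = $cmd
                Suspect = ($reason.Count -gt 0)
                Reason  = ($reason -join '; ')
            }
        }
    }
}

Get-AutorunEntry | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Review anything marked Suspect before deleting it; a legitimate updater occasionally runs from a profile folder, and the value name alone says little about what it launches.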
Cleaning up this mess has taken a whole evening, a good chunk of last night, and most of today too so how can I stop this from happening again? “Don’t click on anything that you don’t expect to see” is all very well but if you’re a novice then how do you know what is expected and what isn’t?
I don’t know the answer but it’s bl**dy annoying. Needless to say I’ll be removing the existing anti-virus software from that PC and installing something a little more comprehensive. Windows Live OneCare has a 90 day free trial – maybe I’ll give that a go.