I had to troubleshoot my good friend’s computer recently…
- Computer was slow, occasionally freezing for minutes on end
- Facebook account recently hijacked and spamming “friends”
- Yahoo!Mail malfunctions (read messages would show up as unread, messages could not get sent etc)
Machine used to have Avast! Free Antivirus, but I was quite hopeful of the new Microsoft Security Essentials antivirus software so I removed Avast and installed MSE.
The first full scan of MSE found one password stealer. I thought “good, it’s already doing a better job”.
Left it at that for a month, during which my friend continued experiencing the above symptoms.
So I had to dig a bit deeper.
1. Ran a few full MSE scans – they always found viruses:
2. I noticed that security sites were blocked. I could not browse to Microsoft Live One Care, ESET online scanner etc.
3. So after the latest MSE scan I removed WINDOWS/system32/drivers/etc/hosts (which was a massive 4MB and obviously planted there by the malware). You can find a copy “printed” to PDF below:
4. This made it possible to surf the net freely, so thinking I should get a second opinion, I tried the ESET online scanner. It appeared to work fine, did a full scan, it found stuff and said it cleaned it.
This is the report that ESET’s online scanner produced: 05-eset_scan_results.txt.pdf
All good stuff.
5. After the restart, I visited Microsoft Update (to be sure we have the latest security patches), and then asked MSE to update, again to ensure we had a working local antivirus.
6. Being the cautious type, I then did an online Microsoft Live One Care scan – which seemed to go fine, didn’t find anything, complained a bit about the registry, claimed it cleaned it.
(Screenshots in Greek as OneCare localizes the interface…)
It seemed that it worked fine:
7. After all that I was almost ready to believe that the machine might be clean. But I still couldn’t delete old System Restore points, which annoyed me because they (a) take up a lot of space and (b) they had been infected with a virus earlier. So I thought, let’s just get rid of them.
While troubleshooting why System Restore was not running, and why I could not delete restore points with Piriform’s CCleaner, I decided to take a manual look in the Windows registry. Starting the System Restore Service from within services.msc would always return the message “The service started and then stopped”. Hm. Dug a bit deeper to find a registry entry that disabled System Restore, removed it, rebooted, but it didn’t make any difference. So in the interest of time I gave up on that front.
8. During my rummaging in the registry I happened to notice a “facebook” entry. WTF? My friend’s username and password were there in plain text! Got rid of that.
9. I then noticed that the Security Center Service was stopped. Started it, rebooted, checked settings, noticed that both “Firewall” and “Antivirus” were “Green”, which is misleading, because the tickboxes that tell Windows to NOT monitor their status had been selected by the virus! Unselected those, rebooted. Seemed to be OK after that.
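Step 3 above is worth turning into a repeatable check: a hosts file that has grown to megabytes and maps security-vendor hostnames to loopback (or to some other machine) is a strong sign of tampering. The following is an added example, not part of the original post; the sample hosts content, the vendor keyword list and the size threshold are constructed here for illustration.

```python
import ipaddress

# Constructed sample of a hosts file in the style the post describes: the
# normal localhost line, followed by planted entries that sink security
# vendor sites so the victim cannot reach online scanners or updates.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       onecare.live.com
127.0.0.1       www.eset.com eset.com
0.0.0.0         update.microsoft.com   # planted
10.0.0.5        www.avira.com
127.0.0.1       www.example.com
"""

# Vendor keywords taken from the products mentioned in the post (assumption:
# a real deployment would use a curated list of the vendors it relies on).
SECURITY_KEYWORDS = ("microsoft", "onecare", "eset", "avira", "avast", "malwarebytes")
SINKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
SIZE_WARN_BYTES = 64 * 1024  # a stock XP hosts file is under 1 KB; 4 MB is absurd


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping blank lines, comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an IP address, so not a hosts entry
        for name in parts[1:]:  # one line may carry several hostnames
            entries.append((parts[0], name.lower()))
    return entries


def audit_hosts(text):
    """Flag vendor hostnames that are sinkholed (loopback) or redirected elsewhere."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name == "localhost" or not any(k in name for k in SECURITY_KEYWORDS):
            continue
        reason = "sinkholed" if ip in SINKHOLE_TARGETS else "redirected"
        flagged.append((ip, name, reason))
    size = len(text.encode("utf-8"))
    return {"entries": len(parse_hosts(text)), "size_bytes": size,
            "oversized": size > SIZE_WARN_BYTES, "flagged": flagged}
```

A redirected entry (vendor hostname pointing at a non-loopback address) deserves more attention than a sinkholed one, since it can deliver a fake scanner page instead of merely blocking the real one.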
After all that, and repeated antivirus scans with MSE returning nothing, the system still acts as infected (slowness, all applications are liable to randomly freeze etc).
At this point I’m going to explore two alternatives:
a. Ask Microsoft for help via their MSE support portal
b. Take a snapshot of the full local disk and then scan the machine offline with Avira’s latest Rescue CD, telling it to automatically fix anything it finds. With aggressive settings, this might delete critical Windows files that are infected, rendering the whole machine unusable.
But what else is one to do?!
Will post back with results.
Further efforts would include:
- Booting Windows XP in Safe Mode and running a full scan with Microsoft Security Essentials. We tried that, but the system would BSOD (Blue Screen of Death, i.e. crash) every time we tried to enter Safe Mode. So that was abandoned.
- Installing Malwarebytes’ Anti-Malware software and telling it to clean the system. I’ve never used this software before but apparently many people do. I’d be surprised if it worked on an already infected system, but I was willing to give it a shot.
- Open a Microsoft Security Essentials support case and see what the Microsoft people had to say.
- Scan with Avira’s Rescue CD.
Unfortunately my friend had had it after two days of trying to clean his computer, and being unable to use it in the meantime, so he decided to just wipe it out and install Windows from scratch…
Not a biggie, as he’s using DropBox to keep versions of all his critical files online. Also, this is really the only way to ensure the computer would be disinfected. Re-infection by USB keys, existing backups, external disk drives, browser apps etc is another issue I’d rather not get into.
Only thing is, I will never learn what it was, how the system was taken over and what techniques were used to evade 2 of the latest antivirus scanners.
Perhaps this is the only reasonable defence left to end users nowadays. Keep your data as “in the cloud” as much as possible (DropBox, Google Docs, Flickr etc) and wipe out and reinstall your endpoint when it’s been taken over by others.
A sad state of affairs, really.