A Malware Adventure
or "I Told You So..." © 2005 - 2017 By Viking
NOTE: This was written many years ago. Malware has evolved significantly since then. If you're not highly proficient with anti-malware tools and techniques, take your machine to a reputable computer technician for malware remediation. And, of course, back up all your data regularly!
A few years ago, someone I know was "gifted" with a computer due to circumstances that we won't get into here... The lucky recipient was informed it was "trojan-infested." (A very thoughtful gift, yes?)
It may be of interest to note that I had spoken to the giver of that gift a year or two previously. I gave them the rundown on how to protect their computer, and provided the link to my PC Security page. Apparently none of my advice was heeded... otherwise we wouldn't be telling this tale, would we?
Well, I volunteered to undertake the "disinfecting" of that computer, and the tale of that adventure is what follows... I think I got all the steps in there, maybe not in the exact order, but close enough. As you will see, an ounce of prevention really is worth a pound of cure.
Important Note: In some cases a computer can be so overrun with malware that the only safe option is to reformat the hard drive and do a clean install of the operating system. You would also possibly lose valued documents. This is important to keep in mind. If you're not completely certain you can handle cleaning an infected machine, take it to a reputable computer service technician. It's better to be safe than sorry.
I unpacked and set up the computer, plugged in all the peripherals like mouse, keyboard, monitor and speakers. I did not plug it into the internet or my Local Area Network (LAN). That would be silly at this point... no need to risk infecting any more computers!
I started the computer in Safe Mode... it seemed we were running Windows 98 SE on this machine. I started off by seeing what there was for anti-virus software. Hmm, Norton AntiVirus (NAV) 2002. A bit out of date, but it's all we have... This old machine running in Safe Mode couldn't see the CD ROM, so I couldn't use anything newer. So let's run the old NAV 2002...
Well, the definition subscription had expired about two months previously, but that will have to do for now. So I started a full system scan to see what we could find. After a while it finally finished. Only 6 trojans were found, it said. Two of them could not be cleaned, so that means doing it manually. No big deal... I then checked NAV's activity log file to see what it had caught before. A few other trojans, downloaders and backdoor programs in there. I made note of the names of those as well.
I had to use the Windows Registry Editor to clean some entries. I actually didn't find the entries that those trojans normally leave behind, so NAV must have stopped them before they got anywhere. However, there may be things in the registry that warrant further investigating. So investigate I did. I removed a few entries I knew to be of no good use, but there were likely more elsewhere. Too tedious to hunt for them all in the registry, so time to use another tool.
I clicked Start, Run... and typed in msconfig and hit Enter. msconfig is a tool that will let you, among other things, see what is set to run when Windows starts up, and disable certain things if need be. Some other good (and more accurate) tools are Autoruns by Sysinternals and HijackThis - see my Links page, security section. Anyway, I found a few suspicious items and disabled them. Time to boot Windows up normally and install some extra software... I burned a few goodies to a CD ROM and got busy.
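The start-up entries msconfig and Autoruns show live mostly under the Run, RunOnce and RunServices keys, and regedit can export those keys to a text file. The script below is an added example (not the author's own tooling) that reads such an export, in either the REGEDIT4 format Windows 98 writes or the "Windows Registry Editor Version 5.00" format of later versions, works out which file each entry actually launches (including the DLL behind a rundll32 entry), and applies a few assumed heuristics of the kind an operator uses to decide what to investigate first. The sample export, the entry names and the heuristics are constructed for this example.

```python
"""Triage auto-start entries from a regedit export (added example, not the page's own code)."""
import re

# Constructed sample export: the first five HKLM entries mimic normal Win98 values,
# the "Windows Update Service", "rundll" and "MSN Helper" entries are made up to be suspicious.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"Windows Update Service"="C:\\WINDOWS\\TEMP\\svchost32.exe"
"rundll"="rundll32.exe C:\\WINDOWS\\TEMP\\msupd.dll,Start"
"MSN Helper"="C:\\WINDOWS\\Desktop\\photo.jpg.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
'''

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once|Services|ServicesOnce)?$", re.I)
SECTION_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines; regedit escapes backslashes and quotes inside string values
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo regedit's escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: string_value}}; non-string values are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def launch_target(cmd):
    """Return the file a Run entry really executes: the program, or the DLL given to rundll32."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly containing spaces
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:                                        # unquoted: program is the first token
        exe, _, rest = cmd.partition(" ")
    if exe.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "rundll.exe") and rest:
        return rest.split(",", 1)[0].strip().strip('"')   # "dll,EntryPoint" -> dll
    return exe


def suspicious_reasons(target):
    """Assumed heuristics; a hit means 'look at this first', not 'this is malware'."""
    t = target.lower()
    reasons = []
    if re.search(r"\\(temp|tmp|recycled)\\", t):
        reasons.append("runs from a temporary/recycle directory")
    if re.search(r"\.(jpg|gif|txt|doc|htm|html)\.(exe|com|bat|pif|scr)$", t):
        reasons.append("double file extension disguises an executable")
    if t.endswith((".pif", ".scr", ".bat")):
        reasons.append("shortcut/screensaver/batch file set to auto-start")
    return reasons


def triage(text):
    """List (key, entry name, launched file, reason) for every flagged auto-start entry."""
    findings = []
    for key, values in parse_reg(text).items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, cmd in values.items():
            target = launch_target(cmd)
            for reason in suspicious_reasons(target):
                findings.append((key, name, target, reason))
    return findings


if __name__ == "__main__":
    for key, name, target, reason in triage(SAMPLE_REG):
        print(f"{key}\n  {name!r} -> {target}: {reason}")
```

Entries that the heuristics do not flag still deserve a look (a bare name such as SysTray.Exe is resolved through the PATH, so the real file should be confirmed by hand); the point of the script is to order the manual work, the way the author did it with msconfig, not to replace it.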
One of the programs I installed was TrojanHunter 4.2, available from Mischel Internet Security. A thirty-day trial is available, so that's what I got. I ran that, and lo and behold, 3 trojans were running in memory. Lovely! Trying to clean them with Windows 98 in normal mode gave us the dreaded Blue Screen of Death (BSOD as many call it). Well, I guess we go back to Safe Mode... Once in Safe Mode, TrojanHunter had no troubles cleaning all the nasties off the computer. It found 21 nefarious little items and cleaned them up. Booting Windows back into normal mode, with TrojanHunter Guard set to run, revealed no more malware running at start-up. But I don't trust just one program's opinion, so time to install more toys.
Spybot Search & Destroy, SpywareBlaster, and Lavasoft's Ad-Aware came next. (Note that SpywareBlaster isn't a removal tool, it's for preventing the installation of malware in the first place. Very good to have.) Spybot S&D and Ad-Aware found over 400 more items. So we cleaned all those up. Spybot S&D's tool to check start-up programs was also used. A few more things were cleaned up. I also manually installed the latest virus definitions for Norton AV. A newer version of Norton would come later...
Ironic Note: Some of the malware removed were programs that claim to be spyware and adware cleaners. Before you decide to download and try some free or cheap software from that little advertising banner you see, visit Spyware Warrior first. They have a listing of what's good and what's questionable.
Next came a firewall. Since this computer was a little old and slow, we installed Sygate's free version of their Sygate Personal Firewall (SPF). (Note: Symantec has purchased Sygate. Sygate Personal Firewall is no longer available as of November 30, 2005.) ZoneAlarm has less-forgiving system requirements. If anything wants to call out, it will have to get permission from SPF first!
At this point it was time to hook up to the LAN and the internet. To be safe, I unplugged all but my PC from the LAN, set ZoneAlarm to treat this new member of the LAN as an outsider (block all incoming traffic...), plugged the Win98 machine in and restarted it. As I have my router set up to keep logs of all inbound and outbound traffic to the whole network, I could keep an eye on where our project PC was calling to. Just in case...
Sygate Personal Firewall didn't see any nefarious exit attempts, and nothing showing in the router logs. All appeared okay, so it was time to do some updating. Spybot S&D, SpywareBlaster and Ad-Aware were all run again to get the very latest updates. TrojanHunter was also updated manually. And we scanned again... and came up clean.
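Watching the router logs for where the project PC "calls to" is the one check in this story that does not depend on the cleaned machine telling the truth about itself. The script below is an added example, not the author's own setup: it reads connection-log lines in a constructed syslog-like format, keeps only traffic to and from the project PC's LAN address (assumed to be 192.168.1.50; the other addresses are documentation ranges), tallies every outbound destination, and raises an alert for any outbound connection on a port the update checks would not use. The expected-port set and the notes about SMTP and IRC are assumptions for the example.

```python
"""Triage router connection logs for a freshly cleaned PC (added example, not the page's own code)."""
import re
from collections import Counter

PROJECT_PC = "192.168.1.50"       # assumed LAN address of the cleaned machine
EXPECTED_PORTS = {53, 80, 443}    # assumption: DNS/HTTP/HTTPS is all the updaters need

# Assumed notes for ports a desktop should never open on its own initiative
PORT_NOTES = {
    25: "SMTP straight from a desktop: typical of mass-mailing worms",
    6667: "IRC: common command-and-control channel for backdoors of that era",
    6666: "IRC (alternate port)",
}

# Constructed log in a generic "<timestamp> <host> <tag> <dir> <proto> src:port -> dst:port" shape
SAMPLE_LOG = """\
Nov 30 21:04:11 router kernel: OUT TCP 192.168.1.50:1043 -> 203.0.113.10:80
Nov 30 21:04:12 router kernel: OUT TCP 192.168.1.50:1044 -> 203.0.113.10:443
Nov 30 21:04:40 router kernel: OUT UDP 192.168.1.50:1045 -> 192.168.1.1:53
Nov 30 21:05:02 router kernel: OUT TCP 192.168.1.50:1046 -> 198.51.100.77:6667
Nov 30 21:05:03 router kernel: OUT TCP 192.168.1.50:1047 -> 198.51.100.77:6667
Nov 30 21:05:30 router kernel: OUT TCP 192.168.1.50:1048 -> 198.51.100.23:25
Nov 30 21:06:00 router kernel: IN TCP 203.0.113.99:4321 -> 192.168.1.50:139
Nov 30 21:06:10 router kernel: OUT TCP 192.168.1.20:2001 -> 203.0.113.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ \S+ (?P<dir>IN|OUT) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def triage(log_text, pc=PROJECT_PC):
    """Summarise the PC's outbound destinations, alert on unexpected ports, list inbound attempts."""
    outbound, alerts, inbound = Counter(), [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "OUT" and rec["src"] == pc:
            outbound[(rec["dst"], rec["dport"])] += 1
            if rec["dport"] not in EXPECTED_PORTS:
                note = PORT_NOTES.get(rec["dport"], "port not used by the updaters that were run")
                alerts.append((rec["ts"], rec["dst"], rec["dport"], note))
        elif rec["dir"] == "IN" and rec["dst"] == pc:
            # unsolicited inbound connections: the firewall should be dropping these
            inbound.append((rec["ts"], rec["src"], rec["dport"]))
    return {"outbound": outbound, "alerts": alerts, "inbound": inbound}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Outbound destinations of", PROJECT_PC)
    for (dst, port), n in sorted(report["outbound"].items()):
        print(f"  {dst}:{port}  x{n}")
    for ts, dst, port, note in report["alerts"]:
        print(f"ALERT {ts} -> {dst}:{port}  ({note})")
    for ts, src, port in report["inbound"]:
        print(f"INBOUND {ts} from {src} to port {port}")
```

A clean machine that has only been running update checks should produce an empty alert list and a short destination table; repeated connections to one unfamiliar host on an odd port, as in the constructed 6667 lines, are exactly the "calling out" the author was watching for, and the place to start is the process that owns that connection on the PC.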
Next we went to visit Windows Update to see if any critical updates and such were missing. As it turns out, a lot was missing... It seemed no updates had been done in a few years. Not good. So that kept me busy for a while, installing updates, rebooting, going back for more updates...
At this point I'm thinking I should not have volunteered to do this. I should be charging by the hour... Mental note for future reference.
Since Microsoft Office 2000 was installed on this machine, we also needed to visit the Microsoft Office site and look for the Update link... Not surprisingly, no updates had been installed. To make matters worse, I could not run the update. The updater didn't like my Office 2000 CD ROM. The installation CD is required to install the update... So that meant uninstalling Microsoft Office, and reinstalling it. Then we could install all the updates. Which, of course, means installing, rebooting, installing more updates...
Now I am pretty sure I should not have volunteered... Exclamation mark added to mental note.
Next we need a fresher version of Norton. All I have that I can use is Norton SystemWorks 2003. (Now called Norton Utilities.) Not much newer, but still better than 2002. I thought about a freebie like AVG, but SystemWorks has some other tools I want to use. My other PCs are running Norton AV 2005, but I had used all the licences for that already. Well, I ran into some issues trying to install that, too. My fault partly, but it wasted a bunch of time. I did get it all fixed eventually. And of course, with Norton you have to run LiveUpdate, reboot, run LiveUpdate again... until you have it all updated. Which is why it's called LiveUpdate, I bet.
Now I am certain I should not have volunteered. Mental note underlined heavily. Extra exclamation marks added.
So, we get Norton SystemWorks up and running. Let's do the "One Button Check-up" and see what we get. Well, we get a few invalid registry entries (not a surprise), a disk error, and it also seems that the hard drive is fragmented. Hmm. We click the fix button, and quickly fix the registry entries. The disk error takes a bit longer, but it's done. Now for defragmenting the hard drive... (For a nice little explanation of fragmentation, see https://en.wikipedia.org/wiki/Defragmentation. Another is at https://www.bleepingcomputer.com/tutorials/the-importance-of-disk-defragmentation/ .)
Windows 98 does have a defragmentation utility. However, it is very slow, and most often has to be run in Safe Mode, as it has a bad habit of having to restart itself because some little program somewhere did a disk write. Norton SystemWorks has a quicker and friendlier tool, so we ran it... Normally, a hard drive should not be more than 5-10% fragmented. This computer's drive was 50% fragmented. That is not good. So we let Norton take care of that for us.
Defragmentation is done in under an hour. Now we should check that registry out a little more, as well as a few other things. Time to install and run TweakNow PowerPack. It has a nice utility for cleaning the registry of even more unneeded things, and a utility to clean up unnecessary files. There were about 181 invalid registry entries, and a few unneeded files, so they were removed.
Somewhere in all of this fixing and cleaning I discovered that the Search function of Internet Explorer was no longer working... it would seem that one of the previous bits of malware had usurped it, and now that the malware was gone, we were missing the ability to search. Well, that required going back into the registry to fix. Not something most people can do, so unless you know what you're doing, best not to try. I ended up taking a shortcut, exporting the required registry entry from another computer and importing it to our little project one.
The final step was to run Norton AntiVirus one last time. Nothing was found.
So, after an entire day and then some, I pronounced the computer clean. The firewall wasn't seeing anything unusual, nor the router. No browser hijackers, no more spyware, no strange behaviour, everything was running smoothly.
Some may ask why I didn't just wipe the drive and reinstall Windows... well, if you don't have all the disks for installing drivers for ethernet cards, sound cards, video cards, and whatever else you may need, then you really don't want to go that route... You may end up spending more time than it took me to clean it "the hard way." And if you no longer have the installation files or disks for any installed programs, you're out of luck there, too!
However, in some cases a computer can be so overrun with malware that the only safe option is to reformat the hard drive and do a clean install of the operating system. You would also possibly lose valued documents. This is important to keep in mind.
Lastly, if you're not completely certain you can handle cleaning an infected machine, take it to a reputable computer service technician. It's better to be safe than sorry.
So if you actually made it this far, I hope you have found some useful information in my little tale. Maybe a good link or three to some good information or software. I also hope that those who don't take computer security and maintenance seriously have a new perspective on the matter. If that computer had been taken to a computer repair shop, one could expect to be paying out about $250 Canadian to clean and repair it.
Of course, if the original owner of that computer had taken the proper steps to secure it in the first place, as had been strongly suggested to them... it would have cost nothing more than the price of a few hours and whatever they want to spend on anti-virus software. Which is sure a lot less than $250. Protect your investment. You wouldn't leave your car sitting in a dark alley, unlocked, with the keys in it overnight. So why do the same by leaving your computer unprotected?
Safe and happy computing, everyone!