NO ... Not that kind of fun, and not those kinds of trojans. Sicko!
But before I tell you about my weekend fun, I should mention that today was delightful. Well, this afternoon was anyway. After work I went for a ride on the Silver Comet trail. Since it was the end of the day I abbreviated my ride somewhat compared to what I do on the weekends, but I still managed to get in 23 miles.
OK, back to the weekend fun. Names have been omitted to protect the guilty. I got a call from ComputerUserX who was having computer problems. Random reboots, crashing, blue screens, the works. I suggested some possibilities over the phone, including misbehaving software or hardware problems, maybe bad memory, or perhaps an Internet worm attack of some kind crashing the system, or even a virus. We ruled out the Internet worm pretty quickly because the system continued crashing even when physically disconnected from the net. So I decided to investigate in person.
The first thing I noticed was that no antivirus software was installed. I had brought some just in case, so I installed it and ran it. It immediately found viruses in memory (I didn't make a note of which ones) and ran for a couple more minutes, then the computer spontaneously rebooted. I tried running the virus scanner a couple more times but the computer wouldn't stay running long enough. I still wasn't sure if there was a hardware problem and the viruses were just a separate problem, or if the viruses were the sole culprit. It was obvious the only way I was going to be able to scan the system was to be able to boot into a clean environment. So I offered to take the box back to Asberry Labs for further testing.
First, I downloaded one of the coolest tools I've found recently, Bart's Preinstalled Environment. It uses your Windows XP/2000 install CD to create a custom, bootable "rescue" CD, complete with GUI and quite a few diagnostic tools. You can also add several plugins that aren't included with the main download, including McAfee VirusScan, SpyBot Search and Destroy and AdAware 6. You can even install SSH. There are a ton of different plugins available. So I made my boot disk and went to work.
The first thing I did was run VirusScan. Boy, was this system infected! There were literally hundreds of executables infected, mostly with a virus called W32/Pate.b. This virus has a low severity rating, but any time you are modifying executables there are bound to be problems.
I also ran AdAware, and, as I suspected, there was a ton of spyware that it found (and cleaned up). I should also note that these scans ran overnight and the system never crashed once, so there didn't seem to be a hardware problem.
After all these were done the next morning, I attempted to boot into the existing Windows installation. Everything looked pretty good, up until I loaded up Internet Explorer. It went to some homepage, "searchexe.com" or something like that (I won't link to it -- God knows what kind of exploiting JavaScript/ActiveX/whatever smack is on their page). It also opened up a banner window at the bottom of the screen with links to Online Casinos, sex sites and other lovely stuff. I decided to run SpyBot to see if it could find anything AdAware didn't. Hmmm ... SpyBot wouldn't run. It launched, but then it would just freeze up. I wondered if maybe there were still some goodies installed on the box that were interfering with SpyBot somehow.
I went back to my boot disk, rebooted in a clean environment, and ran SpyBot from there. It found more smack. So I rebooted back into the regular environment, but IE was still screwed up.
Next I found another helpful utility, HiJack This!. It will show you the processes running on the system, as well as identify non-kosher registry keys. It corrected several registry entries and allowed me to identify several suspicious-looking processes. I unfortunately can't remember what all of them were, except for one. It was a haxx0red version of one of the utilities from this toolkit ... basically a back door into the system. These utilities apparently have some legitimate use, but ComputerUserX sure didn't install them. They were installed by some sneaky thing downloaded from the web, or perhaps, some sneaky malcontent member of the household. Hmmmm. I eliminated that and the other suspicious files.
Finally I was able to boot into the environment without problems. After all this, I decided to check Windows Updates. ComputerUserX had mentioned trying to run them but the computer would always crash. As I suspected, there were lots of updates not applied. I went ahead and updated everything, rebooted, and everything still looked OK. I then configured Windows Update to download and install the updates automatically.
I still wasn't (and am not currently) convinced that I had found everything, although nothing obvious was wrong. I decided to back up the data (which was all in the "My Documents" folder). I started up Nero, which immediately complained that it had been modified and steadfastly refused to run. Although VirusScan had fixed the infected EXEs, the infected files were permanently altered to be larger by some number of bytes, so any program that ran a sanity check on its own binary, like Nero, wouldn't run. I then discovered that the "My Documents" folder was much larger than what would fit on a CD anyway. ComputerUserX also wanted their computer back. So, I informed them of the progress I had made, and recommended that the data be backed up, the drive reformatted and Windows cleanly installed. Since that would take some time, and since it was now Memorial Day and I wanted to do something besides work on computers, I offered to go ahead and bring it back as-is, since it was basically functional, and reinstall Windows next weekend.
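The "larger by some number of bytes" problem above is something you can measure yourself: a PE file's section table says where the last section's raw data ends, and anything past that point is an overlay that a file infector (or a disinfector that only neutralises the appended code) leaves behind. The following is an added example of that check, not code from this post or from any of the tools mentioned; the sample PE bytes are constructed inline and are not a real program.

```python
import struct

def expected_pe_size(data: bytes) -> int:
    """Return the file size implied by the PE section table (end of the last
    section's raw data, or end of the headers if that is larger)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size                           # first section header
    end = sect + 40 * num_sections                        # headers alone
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 in each 40-byte header
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def overlay_size(data: bytes) -> int:
    """Bytes appended past the section table's end; 0 for an untouched file."""
    return len(data) - expected_pe_size(data)

def build_sample_pe() -> bytes:
    """Constructed minimal PE image for the demo: one .text section whose raw
    data ends exactly at 0x400; the optional header is omitted (size 0)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)       # i386, 1 section
    section = (b".text\0\0\0"
               + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)  # vsize, va, rawsize, rawptr
               + b"\0" * 16)
    return (dos + b"PE\0\0" + coff + section).ljust(0x400, b"\0")

if __name__ == "__main__":
    clean = build_sample_pe()
    tampered = clean + b"X" * 291        # simulate code appended by a file infector
    print("clean overlay:", overlay_size(clean))       # 0
    print("tampered overlay:", overlay_size(tampered)) # 291
```

A non-zero overlay is evidence, not proof: self-extracting installers and Authenticode-signed binaries legitimately carry data past the last section, so compare against a known-good copy or hash before concluding a file was touched.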
So, this story is ... to be continued ...
Oh, one last thing. Movie review time: The Day After Tomorrow. It was preachy, unrealistic, thin on plot and laden with special effects and catastrophic destruction. In short, I enjoyed it quite a bit! The illegal immigration at the Mexican border must have been one of my favorite moments.