I do not post this with pride, but I post in the sincere hope that it will help someone else out.
TECHHEAD is a very small tech-support company located in the southern Rocky Mountains. In fact, the entity known as TECHHEAD is oftentimes just me. Other talented individuals cross my path from time to time but even then it is really more of a collaboration than an employer/employee relationship. And it usually doesn't last long. Northern New Mexico is a very low tech area and a common harbor for hippies and corporate burnouts. However, even hippies get computer viruses.
As it so happens, I get called to clean up viruses A LOT. Interestingly enough, the client almost always has active virus protection, and I have come to think of programs such as McAfee, Norton, and AVG to be largely a scam. They slow down machines to a sometimes intolerable level and give the user an unfounded sense of security. No matter what kind of virus protection you have, don't open that Pamela Anderson screensaver, dips*#%.
Many other times, malware enters uninvited through an unpatched Windows system. Autoupdate is either off or broken or the shop they bought their computer from was giving away free Windows licenses (until Microsoft put an end to it) and now their computer fails the Windows Genuine Advantage check.
It was an unpatched system I ran into the other day. Usually these things are pretty straightforward. I run HijackThis to get a more targeted view of the Windows registry and try to discover where the baddie is hiding. Then, if it is a relatively uncomplicated attack, I simply remove the appropriate entries and see if Spybot S&D can find anything additional to clean up. Voilà! Sometimes I throw in a run of CCleaner (formerly Crap Cleaner) just to, er, clean up the residual crap left in the temporary folders or registry. The aforementioned tools are all great and all free.
However, this time was not so simple. Whenever the malware files were deleted, they would simply regenerate themselves. Obviously there was a process running somewhere that was monitoring these files. Usually in this case, I would simply reboot the machine and use a bootable CD to run an alternative operating system so that I could safely remove the files. The Linux distribution System Rescue CD is one of my favorite tools for this purpose. However, it was not an option, because in this case I did not have physical access to the computer. These days I do most of my troubleshooting remotely using the fabulous LogMeIn Rescue.
So, while simply not booting up in Windows can be the easiest way to remove a Windows virus, I had to get a little more down and dirty with this one.
Process Explorer is a great tool I discovered a while back. It can show you what DLLs are actually involved with each running process. A quick look into the WINDOWS and WINDOWS/system32 directories easily revealed the culprit DLLs. The file names chosen by the attack were completely random and the timestamp revealed them to be created on the same day the client began having trouble.
Once I killed the processes utilizing these files, I was able to finally delete them. (The whole process was actually a little bit more complicated than that, but that's “pretty much” how it happened.) However, do not assume, as I sincerely wanted to, that this is the end of the story.
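The check described above (recently created DLLs in WINDOWS and system32, and which running processes have them loaded) can be scripted for triage. This is an added example, not part of the original post and not a TECHHEAD tool; it assumes a modern Windows with PowerShell 3.0 or later, run as Administrator, and the date the trouble started is an assumed input you must adjust.

```powershell
# Added example: find DLLs created on or after the day the trouble began and
# report which running processes have them loaded (what Process Explorer shows).
param(
    # Assumption: the day the client first noticed problems; adjust to the real date.
    [datetime]$TroubleStarted = (Get-Date).AddDays(-1)
)

$dirs = @("$env:WINDIR", "$env:WINDIR\System32")

# 1. DLLs in WINDOWS and System32 whose creation timestamp is suspiciously recent.
$recentPaths = @{}
foreach ($d in $dirs) {
    Get-ChildItem -Path $d -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $TroubleStarted.Date } |
        ForEach-Object { $recentPaths[$_.FullName.ToLower()] = $_ }
}

# 2. Walk every process's loaded modules and flag the ones from the list above.
#    Reading .Modules can throw for protected or mismatched-bitness processes; skip those.
$hits = foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    try { $mods = $p.Modules } catch { continue }
    foreach ($m in $mods) {
        if ($m.FileName -and $recentPaths.ContainsKey($m.FileName.ToLower())) {
            [pscustomobject]@{
                Process = $p.ProcessName
                PID     = $p.Id
                Module  = $m.FileName
                Created = $recentPaths[$m.FileName.ToLower()].CreationTime
                # An unsigned or invalidly signed DLL in System32 deserves a closer look.
                Signed  = (Get-AuthenticodeSignature -FilePath $m.FileName).Status
            }
        }
    }
}

$hits | Sort-Object Created | Format-Table -AutoSize
```

Killing the listed processes before deleting the files is the same order of operations the post describes; a DLL that reappears after deletion points to yet another process (or a scheduled task or service) that has not been found yet.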
What do you do when your virus protection software finds nothing, Spybot (which is usually a great tool) comes up clean, and HijackThis doesn't appear to show anything out of the ordinary? Claim victory? Perhaps you might until you open up your web browser and find that sites such as Windows Update and Spybot's update site seem to be selectively unreachable. Darnit.
We still have a DNS hijacker.
I know how to deal with a DNS hijacker. I've done it before. If it is a simple one, HijackThis will show it to me. If it is more complicated, surely resetting the TCP/IP stack with a program like WinSock XP Fix will do the trick.
Well, don't call me Shirley. It didn't work.
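The symptom above (update sites selectively unreachable while everything else works) is the classic signature of name-resolution tampering. The following is an added triage example, not part of the original post: it checks the three places a DNS hijacker usually lives on Windows, the hosts file, the per-adapter NameServer registry values, and the answers the local resolver gives compared with a reference resolver. It assumes PowerShell on Windows 8 or later (for Resolve-DnsName), and the update hostnames and the 8.8.8.8 reference resolver are assumptions you can swap for your own.

```powershell
# Added example: DNS hijack triage. Assumed hostnames; adjust to the sites you can't reach.
$suspectHosts = @('windowsupdate.microsoft.com', 'update.microsoft.com')
$hostsPath    = "$env:WINDIR\System32\drivers\etc\hosts"

# 1. A clean hosts file needs no entry for update sites at all, so any live
#    (non-comment) line naming one of them is a red flag.
$hostsHits = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() } |
    Where-Object { $line = $_; $suspectHosts | Where-Object { $line -match [regex]::Escape($_) } }
"hosts file entries for update sites:"; $hostsHits

# 2. Resolvers configured per adapter. A static NameServer overrides what DHCP handed
#    out, so an unexpected static value on a DHCP client is the thing to look for.
$ifKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
"per-adapter DNS servers:"
Get-ChildItem -Path $ifKey | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    if ($p.NameServer -or $p.DhcpNameServer) {
        [pscustomobject]@{ Interface = $_.PSChildName; Static = $p.NameServer; Dhcp = $p.DhcpNameServer }
    }
} | Format-Table -AutoSize

# 3. Compare the local resolver's answer with a reference resolver (assumption: 8.8.8.8).
#    CDN rotation makes different addresses normal; an empty local answer, or one
#    pointing at a private or otherwise odd address, is what indicates hijacking.
"local vs reference resolution:"
foreach ($h in $suspectHosts) {
    $local = (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
    $ref   = (Resolve-DnsName -Name $h -Type A -Server 8.8.8.8 -ErrorAction SilentlyContinue).IPAddress
    [pscustomobject]@{ Host = $h; Local = ($local -join ', '); Reference = ($ref -join ', ') }
} | Format-Table -AutoSize
```

If all three checks come back clean yet update sites still fail, the interception is happening below the resolver (a LSP/Winsock hook or a filter driver), which is exactly the case where a Winsock reset alone is not enough and a dedicated anti-malware scan is the next step.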
Now by this point, I had already spent far more time than I care to admit in fighting this particularly malicious foe (it had already deleted the customer's System Restore points). I was ready for some help. I posted a description of the malware on Experts Exchange and within five minutes, some snooty kid (I picture him as an acne-faced teenager) suggested that I had been dealing with an attack called “Windows Security 2008” and suggested that I use Malwarebytes' (also free) Anti-Malware program to remove it.
No, not an acne-faced teenager, but perhaps some angelic being sent from above, this kid was. It worked. In a matter of minutes, much faster than Spybot, Anti-Malware had completely eliminated all traces of my mismatched foe. I probably could have saved hours just by using the program to begin with. I will definitely be adding the tool to my arsenal.
Footnote: This is not a paid advertisement. It is a true story, and all of the aforementioned resources in my article come highly recommended by me. Of course, it should (but unfortunately doesn't) go without saying that I am not responsible if you bugger up your system by using any of them.
