Category: Windows

  • Task manager has been disabled by your administrator

    The first problem I ran into in cleaning up after my infested Windows XP image was this error message. One of the first things I do in cleaning an infested system is try to kill off running processes that look suspect (or at least identify them). On using Ctrl-Alt-Delete I got the message “Task manager has been disabled by your administrator”. To be honest I haven’t seen that one before and it sent me Googling…

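The message in the excerpt above is produced by a registry policy, and the fastest way to confirm that (and to see whether malware re-sets it after every reboot) is to read the value directly. The following is an added example, not code from the original post: it assumes the DisableTaskMgr REG_DWORD (1 = disabled) under the per-user or per-machine Policies\System key is what is in effect, and that you are on a Windows version with PowerShell rather than the XP image the post describes (on XP the same keys are read with regedit or `reg query`).

```powershell
# Added example (not from the original post). Assumption: the "disabled by your
# administrator" message is driven by DisableTaskMgr=1 under one of these keys.
# Malware commonly sets it so that the user cannot inspect or kill processes.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicy {
    # Report the DisableTaskMgr value from every policy key that defines it
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -Name 'DisableTaskMgr' -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            [pscustomobject]@{ Key = $key; DisableTaskMgr = $item.DisableTaskMgr }
        }
    }
}

function Clear-TaskMgrPolicy {
    # Remove the value wherever it is set to 1; -WhatIf previews without changing anything
    param([switch]$WhatIf)
    foreach ($entry in Get-TaskMgrPolicy) {
        if ($entry.DisableTaskMgr -eq 1) {
            Write-Host "Removing DisableTaskMgr=1 from $($entry.Key)"
            Remove-ItemProperty -Path $entry.Key -Name 'DisableTaskMgr' -WhatIf:$WhatIf
        }
    }
}

Get-TaskMgrPolicy | Format-Table -AutoSize
Clear-TaskMgrPolicy -WhatIf    # drop -WhatIf to actually remove the value
```

Two caveats a practitioner will want: if the value reappears after a reboot, a running process or autostart entry is re-applying it, and that process is the real target of the cleanup; and on a domain-joined machine the value may be set legitimately by Group Policy, in which case removing it by hand only lasts until the next policy refresh.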
  • Cleaning up after the WMF exploit

    OK, I mentioned that I infested a virtual machine with the current WMF 0-day exploit. First I should probably clarify: an exploit is a means of getting into a system; the payload is the software that is installed. In the case of my experience there was a long list of pests installed. Given that the exploit enables any software to be installed, your experience may be different. That’s the first thing I want to make clear: depending on where and when you were affected you may see vastly different malware.

  • A Tip for cleaning up an infected PC

    There’s a joke that many people bring out when new Windows viruses hit big… it goes along the lines of “download a fix here”, and the link points to a Knoppix Linux live CD download, or a Mandriva download disk, Fedora, etc. Some say Linux isn’t affected by as many viruses because it lacks market share; I would point out that server market share (take a look at how many Linux web servers there are…) would seem to tip the scales a bit, but that’s not the point of this post. What is the point is this: when you have a Windows PC that is infested, what you should do is disconnect from the internet. The problem is that typically prevents you from getting the tools you need to fix the machine.

  • Disinfecting a PC… part 11

    All in all, what I’ve documented was a bit over three hours’ worth of attention to the machine (much more for the full scans, but I didn’t have to stand and watch them). I didn’t document a side trip to a second antivirus scanner. It’s nice to see a system cleaned up that had been so thoroughly infected. There are a couple of other notes I should pass along though. When a system has been trojaned the BEST advice is to wipe the disk and reinstall from scratch (erase/reformat/install from scratch).

  • Disinfecting a PC… part 10

    Before I get things wrapped up, I like to scan, rinse and repeat until the scans come up clean. So, this scan with AVG gives a chance to delete the archive entry I mentioned the first pass it took. And Spybot gets updated from the internet and re-runs. All looks clean there… Ad-aware gets an update check and runs again. Everything there looks clean now. The next thing to do is disable and uninstall TightVNC; I don’t want to leave BHODemon running at boot, or the TeaTimer from Spybot, now that things are fairly settled.

  • Disinfecting a PC… part 9

    OK – about 22 or 23 critical updates for Windows ME. I’m suspecting it’s never visited the Windows Update site. While it’s going I make sure that the adware scanners and antivirus scanner get to pull updates from the web as well. It’s also time to scan for running network services that shouldn’t be running. It may be a dialup machine, but we don’t want UPnP listening over the connection.

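The check described in part 9, listing what is listening and which process owns each socket, then turning off the UPnP pieces, looks like this on a current Windows box. This is an added example and not code from the original post: it assumes Windows 8 / Server 2012 or later for `Get-NetTCPConnection` and `Get-NetUDPEndpoint` (on Windows ME/XP the equivalent is `netstat -an` and, on XP, `netstat -ano` plus `tasklist`), and it treats UDP 1900 (SSDP discovery) and TCP 2869 (UPnP Device Host) as the UPnP ports, which is an assumption about default port assignments rather than something the post states.

```powershell
# Added example (not from the original post). Assumptions: Windows 8+/Server 2012+
# cmdlets; UDP 1900 = SSDP discovery, TCP 2869 = UPnP Device Host.
$suspectPorts = @{ 1900 = 'SSDP (UPnP discovery)'; 2869 = 'UPnP Device Host' }

function Get-ListeningSockets {
    # Every listening TCP socket and bound UDP endpoint, joined to its owning process
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto';e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto';e={'UDP'}}, LocalAddress, LocalPort, OwningProcess
    @($tcp) + @($udp) | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $_.Proto
            Address = $_.LocalAddress
            Port    = $_.LocalPort
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Path    = $proc.Path          # null for protected/system processes
            Note    = $suspectPorts[[int]$_.LocalPort]
        }
    } | Sort-Object Proto, Port
}

function Disable-UPnPServices {
    # Stop and disable the two services behind the UPnP listeners
    foreach ($svc in 'upnphost', 'SSDPSRV') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
            Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc -StartupType Disabled
        }
    }
}

Get-ListeningSockets | Format-Table -AutoSize
Disable-UPnPServices
Get-ListeningSockets | Where-Object Note | Format-Table -AutoSize   # should now be empty
```

The useful column is Path: a listener owned by svchost.exe or a well-known system binary is expected, while one owned by an executable in a user profile, a temp directory or a randomly named file in the Windows directory is exactly the kind of “service that shouldn’t be running” the post is after. Run the listing before and after disabling the services so you can see what actually went away.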
  • SpyAxe, SpyTrooper, SpySheriff et al. removal

    There are so many “wolves in sheep’s clothing”, or maybe I should say wolves in sheepdog’s clothing… Anyway, so many nasty pieces of malware that pose as protective utilities: SpyAxe, SpyTrooper, SpySheriff, etc. There is a tool that is specialized towards removing these: SmitRem, which is short for SmitFraud removal (after the name of one of the first of this class of rogue).

  • Disinfecting a PC… part 8

    All right, now it’s time to give Ad-aware a spin. I like being able to use several spyware scanners to get full coverage and cleaning. Ad-aware and Spybot S&D are usually my first two choices. Realize that I’ve already taken a pass at this machine with AVG, BHODemon (for the browser helper objects) and Spybot S&D. Ad-aware finds a total of 700+ items.

  • Disinfecting a PC… part 7

    OK, another reboot after the BHO cleaning. Things are a good deal more responsive now, less disk swapping going on. (I suspect that those three missing BHO entries may have been causing the slowdown, but I don’t know.) Installing WinTop so that processes can be monitored. Also, getting Spybot S&D (Search and Destroy) installed and copying updates from disc. The system is pretty much won at this point; I don’t see anything running that I haven’t LET run at boot, everything that I had as suspect has been disabled, now it’s just a matter of cleaning up the remnants and leftovers.

  • Disinfecting a PC… part 6

    OK, it’s BHODemon time… installed from CD and on starting:

    BHOdemon bhotb-all.html not found, no web connection downloading on other machine.

    Finally I get it to work by copying from another machine. But I had to change Windows ME to show full filenames to help troubleshoot why it couldn’t find the file (naming problem). (There seems to be a strange display problem in the “don’t hide file extensions” setting: I can’t see the check boxes or the checkmarks… I managed to toggle them “blind” to show file extensions.)…

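Parts 6 and 7 above rely on two manual checks: what is registered to run at boot (so that nothing runs that you have not let run) and which Browser Helper Objects are loaded into Internet Explorer, which is what BHODemon enumerates. The following is an added example, not code from the original posts or from BHODemon, that performs both checks read-only on a current Windows system. It assumes the standard Run/RunOnce keys, the Winlogon Shell and Userinit values, the per-user and all-users Startup folders, and the BHO registration key under Explorer; the “trusted locations” pattern at the end is a heuristic of mine, not something the posts define.

```powershell
# Added example (not from the original posts). Read-only enumeration of autostart
# entries and Browser Helper Objects; review the output before removing anything.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Run/RunOnce values
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Winlogon Shell and Userinit: malware sometimes appends itself to these
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Shell', 'Userinit') {
        [pscustomobject]@{ Source = 'Winlogon'; Name = $name; Command = $wl.$name }
    }
    # Per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Source = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

function Get-BrowserHelperObjects {
    # Each BHO is a CLSID subkey; resolve it to a friendly name and the DLL that implements it
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bhoKey)) { return }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $class  = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue
        $server = Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        [pscustomobject]@{ CLSID = $clsid; Name = $class.'(default)'; DLL = $server.'(default)' }
    }
}

# Heuristic (my assumption): anything launched from outside Windows or Program Files gets a closer look
$trusted = '^"?(C:\\Windows\\|C:\\Program Files)'
Get-AutostartEntries | Where-Object { $_.Command -and $_.Command -notmatch $trusted } | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
```

A BHO entry whose CLSID resolves to no name and whose DLL sits in a temp or profile directory is the pattern BHODemon was built to surface; a Userinit value with a second path appended after `userinit.exe,` is the classic sign that something has hooked the logon sequence. As with the rest of the series, disable first, reboot, and confirm the entry does not come back before deleting files.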