Posted by: reformedmusings | December 23, 2008

The agony of life with Windows

A friend on the PuritanBoard, I, and others have been exchanging some good-natured ribbing on Windows vs. Linux. Some take the position that Windows just works, whereas Linux presents greater difficulty for the average user. My point (and others’) has been that Windows takes more maintenance and that the burden of support is borne by knowledgeable friends or commercial services like Geek Squad. If Windows “just works,” it’s because someone else is bearing the required burden. Been there, done that, bought the t-shirt, wore it out.

I was feeling prophetic just a day later when a local friend called to say that his Windows XP box had become a brick. He asked if I could help. Little did I know that would become the invitation to spend over 24 cumulative working hours of effort on his computer…so far. I’m still not finished.

The symptoms manifested as extremely slow operation and numerous ad windows popping up when browsing the Internet. He ran a virus scan with his up-to-date McAfee Anti-virus, during which the computer locked up tight. That’s when he called me.

Upon viewing the situation, two things were obvious: 1) the WinXP box had very nasty, multiple malware infections; and 2) McAfee had neither prevented the infections nor was capable of clearing the infections after the fact. I was shocked at the latter…just kidding. Many ISPs provide McAfee for free to their subscribers. In the commercial software world, you often get what you pay for. I’ve found both Avast! and AVG superior to McAfee and preferable to Symantec, the latter of which digs too deeply into the Windows system and often causes conflicts and lockups.

First step was to disconnect the network cable and isolate the box. Cut the enemy’s supply lines!

I next booted and used System Rescue CD 1.1.2 and Trinity Rescue Kit 3.3 (both bootable Linux CDs that can repair Windows issues) to assess the status and repair the Windows XP installation. Trinity also comes with ClamAV, which could conduct an anti-virus check on a Windows machine.

Sparing you hours and hours of tedious details, I was able to get Windows XP to boot, though not reliably. I found that access to regedit.exe and the ability to see hidden files and folders were both disabled. I then ran Lavasoft’s AdAware Personal and Spybot Search and Destroy multiple times to clean as much malware as possible. I was then able to uninstall the useless McAfee software and install the free Avast! 4 Home Edition. Upon installing Avast!, I set it to do a scan on Windows restart. That allows it to scan the system before most malware can load into Windows. I also went through the Windows service list and disabled suspicious ones. In combination, these measures found over 40 malware programs, including two trojan downloaders, a backdoor agent, a network hijacker, bogus Windows services, and a host of other viruses and adware programs. (FWIW, McAfee claims to protect against all the threats I found. Judge for yourself: Avast! found and cleaned them all; McAfee both let them in and failed to clean them once in. Who do you trust?) Cleaning it all required a number of trips to Windows Safe Mode to manually delete malware files which loaded themselves in a normal Windows start. All this resulted in a more responsive Windows XP and terminated the primary threats, but it wasn’t the end of the road.
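The two symptoms above (regedit refusing to run, and hidden files that cannot be made visible) are, in my experience, produced by a handful of well-known registry values rather than by anything exotic. The following POSIX shell check is an added example of mine, not code from the post: it scans a regedit/"reg export" text dump for those values, so the state can be inspected from a rescue CD or from a copied export before anything is cleaned. The value names and keys (DisableRegistryTools, NoFolderOptions, CheckedValue under Folder\Hidden\SHOWALL) come from my own knowledge of Windows XP, not from the post; the two sample dumps are constructed. Real exports are UTF-16LE with CRLF line endings, so convert them first with `iconv -f UTF-16LE -t UTF-8 export.reg > export.txt`.

```shell
#!/bin/sh
# Added example (not from the post): flag registry values that block regedit
# and neuter the "Show hidden files" option. Input is a regedit export that
# has already been converted to UTF-8 (see the lead-in); CRs are stripped here.
set -u

# Print one line per suspicious value found in the export file $1.
check_reg_export() {
    tr -d '\r' < "$1" | awk '
    /^\[/ { key = tolower($0); next }     # remember the current key
    { line = tolower($0) }                # compare values case-insensitively
    # Policies\System: DisableRegistryTools=1 blocks regedit.exe for the user
    line ~ /^"disableregistrytools"=dword:0*1$/ && key ~ /\\policies\\system]$/ {
        print "regedit blocked by policy (DisableRegistryTools=1) in " key }
    # Policies\Explorer: NoFolderOptions=1 removes Tools > Folder Options
    line ~ /^"nofolderoptions"=dword:0*1$/ && key ~ /\\policies\\explorer]$/ {
        print "Folder Options removed (NoFolderOptions=1) in " key }
    # Folder\Hidden\SHOWALL: CheckedValue=0 makes "Show hidden files" a no-op
    line ~ /^"checkedvalue"=dword:0*0$/ && key ~ /\\folder\\hidden\\showall]$/ {
        print "Show hidden files toggle disabled (CheckedValue=0) in " key }
    '
}

# Number of suspicious values in export file $1 (prints 0 for a clean dump).
count_reg_findings() {
    check_reg_export "$1" | grep -c . || true
}

# Constructed sample: the tampered state (three findings expected).
TAMPERED_REG='Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoFolderOptions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000'

# Constructed sample: the stock value (no findings expected).
CLEAN_REG='Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001'
```

To try it on the constructed sample: `printf '%s\n' "$TAMPERED_REG" > t.txt; check_reg_export t.txt`. A hit on any of these lines is a tamper indicator worth recording before cleanup, since restoring the values by hand without removing whatever set them just invites them back.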

At this point, I clamped down the system further by installing SpywareBlaster and SpywareGuard. Together with Avast! and the resident Spybot functions, they should keep additional malware from getting in or from operating successfully if it’s already present.

After all this, all normal scans reported the system as clean, yet Firefox, and only Firefox, was still being hijacked and producing spurious website window popups when using any common search engine. Internet Explorer seemed unaffected. It didn’t matter which was set as the default browser. So, I created a new, clean profile for Firefox. That didn’t solve the issue. I then uninstalled a host of social networking plugins (video players, etc.). That didn’t do it. I found that the number of Firefox extensions didn’t match the extension list. There seemed to be a phantom extension, which I found hidden in the All Users directory. After deleting that set of files, I completely uninstalled Firefox and wiped all evidence of Firefox from the disk and the registry. I uninstalled all plugins except a few iTunes-related ones (for teen economic reasons), then reinstalled Firefox. It was still being hijacked and producing ad website popups like find-trip-now.com, faux sports blog sites, girlsinpoker, etc. NoScript was able to stop a number of the popups, but not all, and it kept any malware scripts from loading in the popup windows that did appear.

Worse, Avast! kept catching repeated attempts by some yet-unseen program to create malware executables and DLLs around the hard disk. It also prevented access to a few blacklisted websites. The resident portions of Spybot caught attempts to install malware BHOs and startup programs. I rechecked SpywareBlaster and found that something had disabled its coverage of Firefox. Sheesh, this was one persistent and smart piece of malware! Since virus and adware scans didn’t find anything more, I suspected a rootkit.

So, I downloaded and ran Mark Russinovich’s Rootkit Revealer. It revealed a few suspicious items which I eradicated. But that still didn’t resolve the issue. I then downloaded and installed the excellent HijackThis! 2.02. Its runs identified a few suspicious services that weren’t there when I culled the list much earlier. Yet the problem remained after this effort.

After over 24 working hours’ worth of effort spread over three days, it was time to get back to my life. I have more yet to do on that XP system, but in the meantime it runs fine when not using Firefox. My next step will be to completely uninstall Firefox, clean out the system of all references to it again, and run MalwareBytes and ComboFix. I’ve found a number of references around the net to this type of infection (e.g., here), but no answers. Either this is something too new to be covered by anti-malware programs or it is some kind of very smart and stealthy rootkit. At the moment, it’s being kept at bay by the combination of Avast!, Spybot Resident (TeaTimer & browser protection), SpywareBlaster, and SpywareGuard.

Before anyone states the obvious, I realize that the ultimate answer here is to reformat the hard drive and start over. That would have been my next step once the initial scans had repaired the system, except that this one last problem remained. Unfortunately, my friend, like most people, doesn’t have a backup of his or his kids’ data, music, etc. Nor does he have a good way to back them all up. I am encouraging him to back everything up to CDs ASAP in case we need to reformat as a last resort.

If I didn’t like my friends so much, I’d just walk away from Windows’ problems. All the time that I spent learning all the stuff on which I’ve posted on Linux here on this blog doesn’t add up to the time I’ve spent on this one Windows malware incident. And I used to do a lot of this Windows recovery in the past. It reminds me in the most graphic way of why I left Windows for Linux. The most amazing part from where I sit now is that Windows users seem to accept these incidents as the price of doing business.

And if any average user is saying to themselves that this has never happened to them, knock on wood. This particular user had the right approach – hardware firewall, XP SP2 firewall set up, and current anti-virus protection that supposedly also included adware and spyware protection. Still, the malware got through – perhaps through some social engineering approach that wasn’t even noticed, but also got past the McAfee anti-malware program that is widely used, even in the U.S. government. Do you really think that you’re immune?

If you run Windows, time is not on your side. Switch to Linux before your sensitive data winds up in Russia, China, Pakistan, or simply the bit bucket.

BTW, if anyone knows what this threat is and/or how to clean it out, please leave a comment here. If I find out what it is, I’ll write a follow-up post with that info and how to clear the threat.


Responses

  1. Next time, using system rescue disc, mount the windows partition as ntfs-3g and cd into it, then:

    mkdir old
    mv * old

    Then reboot and install windows using a non-system restore windows disc (if they weren’t provided one, just download tinyxp or tinyvista off the internet – your friend doubtless has a valid windows key, and if this isn’t ‘business’ for you then it doesn’t really matter if you use ‘hacked’ copies of windows to install, ethically speaking – just disable auto updates). If you choose not to format the filesystem while installing then all the content from the old drive will just be in a subfolder of the C: drive, c:\old … in fact, you can boot back to linux and delete all but that folder then move its contents back up a folder and reboot and be back in your previous installation – it’s that simple. I’ve done the above hundreds of times with both XP and Vista.

    So, install a clean copy and then import the documents/music/favorites/desktop items/etc from c:\old\documents and settings\… etc. You can even point the new installation’s device manager driver updates to the old c:\old\windows\inf folder to pick up the old driver copies. It makes a reinstall pretty trivial. You can also use jellybean keyfinder and choose “load hive” then point it to the old Windows folder to pull the old serials for office/etc.

    Once the system is all set up again, you can clear out the c:\old directory to free up the space.

    Oh, and Adaware isn’t really very good nowadays… the best things out presently are Superantispyware (it’s incredible) for spyware removal and Kaspersky for an antivirus. Kaspersky isn’t free, but if someone is prone to infecting their machines it’s the best that’s out there. The best antivirus windows users could ever have, though, would be a commitment to avoid browsing ‘bad’ websites and frivolously installing random junk software/shareware games when they don’t need any of that.

    I agree, though – I use linux. But I repair windows machines for a living at the moment, so I guess I can’t complain too much – lol.
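The mount-and-move step from the comment above, written out as an added example of mine (not the commenter’s code) for a POSIX shell on a Linux rescue CD. It does two things a bare `mv * old` does not: it also moves dot-files, and it refuses to move `old` into itself. It also includes the reverse step the comment mentions (deleting the new install and moving the old contents back up a level), with a guard so that nothing gets clobbered. The device name `/dev/sda1` and mount point `/mnt/windows` are assumptions; adjust for the actual machine.

```shell
#!/bin/sh
# Added example (not from the post or the comment): quarantine an infected
# Windows install into a single "old" folder from a Linux rescue CD, and
# undo it. Assumes ntfs-3g is available, as on System Rescue CD.
set -u

# Mount the Windows partition read-write with ntfs-3g (must run as root).
mount_windows() {
    dev="${1:-/dev/sda1}"        # assumed device name
    mnt="${2:-/mnt/windows}"     # assumed mount point
    mkdir -p "$mnt"
    ntfs-3g "$dev" "$mnt"
}

# Move every top-level entry of $1 into $1/old, including dot-files, and
# skip "old" itself so it is never moved into itself. Prints the count moved.
quarantine_tree() {
    root="$1"
    mkdir -p "$root/old"
    moved=0
    for entry in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        [ -e "$entry" ] || continue              # pattern matched nothing
        [ "$entry" = "$root/old" ] && continue   # never move old into itself
        mv -- "$entry" "$root/old/" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Reverse the quarantine: move the contents of $1/old back to the top level
# and remove the empty "old" folder. Refuses to run while anything other
# than "old" still exists at the top level (delete the fresh install first).
restore_tree() {
    root="$1"
    for entry in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        [ -e "$entry" ] || continue
        [ "$entry" = "$root/old" ] && continue
        echo "refusing: $entry still present at top level" >&2
        return 1
    done
    for entry in "$root/old"/* "$root/old"/.[!.]* "$root/old"/..?*; do
        [ -e "$entry" ] || continue
        mv -- "$entry" "$root/"
    done
    rmdir "$root/old"
}
```

Typical use from the rescue shell: `mount_windows /dev/sda1 /mnt/windows && quarantine_tree /mnt/windows`, then reboot into the Windows installer and install without formatting, as the comment describes. Nothing in the old tree is executed during this process, which is the point: the data survives and can be copied out of `C:\old` at leisure while the infected binaries never get to run again.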

  2. Thanks for your suggestion. I hadn’t thought of that approach. I’ll see if there’s enough room on the hard disk to back up the data elsewhere on the drive. I doubt if there’s room to back up the whole install.

    I’ll check out superantispyware. I appreciate the recommendation. For commercial AV, I prefer FProt. I’ve visited their facility in Helsinki and found their methodology and motivation to be outstanding.

    I’m sure that the infection came from his teens’ use of social networking sites. If we could only ban those things, we’d all be better off.

    You have my deepest sympathy on the windows repair, but I know it provides you a steady living! In the meantime, here’s to freedom in Linux!

  3. Well, I finally had a chance to get back to this problem. I ran full superantispyware scans twice on the subject computer. It cleaned out a bunch of malware. After that, I didn’t see any more redirections or popups.

    I then applied XP SP3 which is still installing. I think that these measures will resolve the issue. Thanks so much for your excellent suggestion, gmiossi!

  4. […] I wrote some time ago about a friend victimized by Windows malware on a Dell desktop in The agony of life with windows. Well, another friend was recently hit harder by Antivirus 2009 (morphed from Antivirus 2008) and a […]

