plonq: (Mysterious mood)
One of the guys in my office brought in his computer for me to have a look at.  It's been running sluggishly for a while, and more recently he got a fairly large phone bill for calls that he knows he didn't make, and he suspected they originated from his computer.

When I took it home and hooked it up, the first thing it tried to do when I powered it up was dial in to the net.  It was very persistent, and after clicking the CANCEL button a couple dozen times I finally called up the task manager and began killing any tasks that had names like "oo1Ax809v".  Once I had killed the dozen or so rogue tasks it became less aggressive about trying to dial out.

Perhaps I should back up a bit; the first thing I did was reinstall Windows because the machine would not even boot up by the time he brought it to me.  Two and a half hours later, when I finally had a Windows 98 screen in front of me, I was forced to concede that this was not the fastest computer that I had ever seen.

I ran it through the latest Ad Aware (just over 100 hits) and then - against my better judgement - slapped a NIC into it and plugged it into our home network so that I could do an online virus scan (since this guy didn't have a virus scanner on the machine).  I used the Trend Micro scanner (it was the first one to come up in a Google search for online virus scans), and it found 40+ infected files that included four viruses/worms and one back door Trojan.

I cleaned and removed all of those, then began the task of installing every upgrade and patch on the Microsoft site.  That took the rest of the evening (like I said, it's a sloooow machine).  The last problem is a pesky homepage hijacker that won't go away (4-counter.com).  I have done some online research and I think I know what needs to be done to purge this bugger, but if any readers out there have suggestions I am open to anything (short of reformatting).  Before he gets it back I will install the latest PC-cillin firewall/anti-virus combo.  It's not my top choice in products, but we have a site license through our company that gets us the latest consumer version for free.  Something for nothing - w00t!

Nasty!

Date: 2004-05-13 06:45 am (UTC)
From: [identity profile] duncandahusky.livejournal.com
I'm probably not adding anything to what you already know, but I tracked down a bit more info on the 4-counter thingy. Man, that is a nasty bit of work, particularly since in some incarnations it attempts to block access to detection and removal tools. Apparently the general name for this thing is CoolWebSearch.winproc32. There's a description of how to get rid of it manually here, or you can use CWShredder. Hope this helps!

Re: Nasty!

Date: 2004-05-13 06:48 am (UTC)
From: [identity profile] plonq.livejournal.com
Anything helps when it comes to trying to get rid of this little bastard. I've heard horror stories from others who have run up against this page hijacker.

I know what you mean about its ability to fly under the radar. AdAware can spot - and fix - what it does to the registry, but it can't detect or remove the application that's doing it, so it gets reset back on each reboot. I'll check out both those sites when I get home tonight.

Re: Nasty!

Date: 2004-05-13 08:12 am (UTC)
From: [identity profile] unciaa.livejournal.com
Is it an IE or a general HTTP exploit? If the first one, it might do your coworker much good to switch to Firefox and prevent further such problems [and drop Outlook Express in favour of something like Thunderbird]. I only use IE to load badly coded IE-centric pages once or twice a month and it still gets various exploits inserted regularly that Ad-Ware takes care of; bloody POS.

Re: Nasty!

Date: 2004-05-13 08:41 am (UTC)
From: [identity profile] plonq.livejournal.com
This guy is really tight for hard drive space on this old computer, so I don't want to load it up with anything more than I have to.

I think this one is a general HTTP exploit. Even if I disable IE the Trojan will still be running. The Firefox idea interests me - though from the state of his machine it should be obvious at this point that he is marginally computer-literate, and I don't feel like trying to train him in using a new browser. ;p

I don't see much benefit in swapping mail programs. OE has all the features he needs, and with a couple of easy tweaks the newer versions can be made comparatively secure - especially when coupled with the virus scanner I'm installing.

Re: Nasty!

Date: 2004-05-13 08:54 am (UTC)
From: [identity profile] unciaa.livejournal.com
Well, OE will become a security hazard again in 2 months when new exploits are discovered (unless you can teach and convince him to keep Windows up to date); some 90% of all trojans and worms depend on exploiting IE through OE, so even if OE is safe, you might get screwed because IE was last updated a month ago. Just less hassle, but from the sound of it it's prolly best to just patch it up and hope for the best. :3

Date: 2004-05-13 01:05 pm (UTC)
From: [identity profile] furahi.livejournal.com
Why is reformatting /completely/ out of the question? Does he have a gazillion programs for which he doesn't have an installer?
The Firefox/Thunderbird (or Mozilla?) idea sounds good; it's really not that different to use than IE, especially for a regular user who "just" browses...
I mean, he won't need a 3 month class with an MSCIE certificate at the end or anything, the differences are minute, especially if you install an IE skin on Mozilla or similar; he may not even know it's not the original one ;)

Date: 2004-05-13 02:43 pm (UTC)
From: [identity profile] shockwave77598.livejournal.com
At a certain point, wiping the machine is the only solution. Some of that spyware is persistent and sneaky and not even the best work will remove it.

Date: 2004-05-13 04:29 pm (UTC)
From: [identity profile] atara.livejournal.com
If there's one thing I've learned about my snow leopard, it's that he can be very persistent when it comes to fixing a computer problem HIS way. :)

Powered by Dreamwidth Studios