By Brian Krebs, Washington Post, June 12, 2005.
I just spent nearly seven hours doing emergency surgery on a Windows PC that belongs to a dear, longtime friend. The experience was so harrowing that I decided to blog it.
So it’s 2 p.m. Sunday and after a cursory examination of my buddy’s two-year old Windows machine, it is clear that the thing is missing patches going back to mid- to late 2003, just months before Microsoft released Service Pack 2, a massive set of security fixes and operating system tweaks for Windows XP. Needless to say, the computer did not have Service Pack 2 installed.
The software updates from the antivirus engine inside his install of Symantec’s Norton Internet Security 2002 are way out of date, with the subscription several months overdue for a one-year renewal. Defying the nettling notice that we really should go online and purchase new updates for the program, I counsel my friend and his wife against punching in their credit card and other private information into a Web browser just yet. “Let’s see what we’re dealing with first,” I say.
I fire up Internet Explorer and am peppered with pop-up advertisements for supposed anti-spyware software, Vicodin painkillers and invitations to play Internet poker. It is obvious the machine has some serious spyware problems. Ad-Aware finds three pages of awful scary-looking toolbars, start-page hijackers and pop-up generators that constantly drag on his Internet connection. It manages to delete all but a handful of threats, and the stragglers it promises to annihilate on the next pass upon reboot. I send IE over to download the latest “software update” tool from Microsoft.
There’s also some yellow triangle thingee with a red exclamation point in the middle of the taskbar that keeps flashing. If you click on it — or wait long enough — it will periodically launch an IE browser Window that takes you to a sleazy-looking search engine hawking generic drugs, “free games” and Instant Messenger cartoon characters.
Though I am a veteran witness of such atrocities, I remain awestruck by the juxtaposition of those two offerings. Somewhere out there, a diabolical marketing machine is reaching through cyberspace offering wide-eyed kids all kinds of goodies, including their very own custom-made smileyfaces or “emoticons,” for use with AOL’s chat program, AND their choice of highly addictive narcotics and sexual-performance enhancement drugs, with a selection of adult Web sites to boot!
I note with mild amusement that some intrusive program has changed his monitor’s background wallpaper from a photo of a recent family adventure to a blue screen with a dire message warning that the system has suffered multiple, critical Windows crashes. However, I am unsurprised to see underneath a hyperlink to the Web address of a site that claims to have the solution. I change the desktop wallpaper back to one of Windows XP’s stock pictures, a shot of a desert island amid a calming blue sea.
My tranquil interlude soon is rudely interrupted by a tenacious piece of spyware called Cool Web Search, which refuses to die no matter what tricks I pull. A quick Google search picks up this very useful thread at geekstogo.com and I finally get the darn thing off the machine. I think. The little flashing triangle also goes away, which is an unexpected bonus.
I’m thinking now that it would be irresponsible for me to leave this computer connected to the Internet in its current state, but I don’t dare unhook it because I’m in the middle of downloading several types of software updates. I promise to remember later when I’m done downloading things, but of course I forget. (I’ll tell myself later that it’s because it seemed I was downloading something the entire time.)
Then, I try to install Spybot Search and Destroy but the program crashes when I get to downloading updates. Undeterred by this minor setback, I decide to skip this part and forge ahead.
So next I download and install a tool that you need in order to completely erase older versions of Norton, so that I can install a free antivirus scanner. A few minutes later and I’m rid of Norton — or so I think. There’s still the program’s auto-updater and another Norton thing that I have to remove. Then it’s time to reboot and download the scanner, EZ Trust, a joint offering from Microsoft and Computer Associates. Updates are free for the first year.
I predict to my friends that the scan with EZ will take a little more than an hour and find nearly 40 viruses, worms and “Trojan horse” programs. The Trojan horses will hold the victim’s Internet connection open so attackers can update with new spyware or instructions for launching a spam campaign. Two hours and 310,000 scanned files later, EZ Anti-virus finds 38 threats, including several very serious computer worms and viruses.
EZ says it removed all but one of the buggers, but suddenly it becomes clear I am dealing with what is in all likelihood a total system compromise — i.e., it is starting to smell and feel like this computer is probably already under the thumb of online attackers who can control its every move.
A quick scan of the log of viruses found turns up one particularly nasty bugger, what’s known as a “bot,” as in “robot.” This one is called “Forbot,” which allows attackers to plug in a variety of additional features and services. Sadly, millions of home and (mostly) Windows computers are completely controlled by hackers and virus writers, a problem that is in part responsible for the sad state of affairs on the Internet today.
Still, EZ slew Forbot and 36 other unwelcome guests, leaving a stubborn survivor that hijacks a browser’s home page. A reboot and re-scan with EZ finishes it off, while another go-round with Ad-Aware takes care of three or four things it found but couldn’t crush the first time. I reboot again. A look in the computer’s “system registry” — which controls which programs get started and in what order whenever Windows boots up — still shows several traces of Forbot and a few other threats. After some careful editing of the registry file, I am ready to move on.
So, now it’s time to install Microsoft’s Anti-Spyware software. Some program prompts me to reboot. At this point, I tell my friend, we should back up all of his hard drive data onto a series of DVDs and reinstall Windows. Of course, it’s impossible to get a disc-burning program running when you’re having serious computer memory problems. Plus, after a bit of digging, he says he doesn’t have the original Windows XP install disc anyway.
Microsoft’s anti-spyware program finds five very serious computer threats, and successfully deletes them all. Trouble is, it asks me to restart Internet Explorer to fully fix the browser’s problems, and I have recently begun scanning the computer with an excellent and free online anti-virus service from Panda Software, which can find and eliminate many threats from your PC but requires you to be running IE. An hour later, Panda has finished its scanning, detects more than 70 problems, but succeeds in quashing only about two-thirds of them. Many others I must hunt down and kill by hand, finally banishing them from the PC, hopefully for good.
While this is going on I am prompted to go fetch a free update for the ZoneAlarm Internet firewall that’s already on this PC, which I agree to download and install. Again, prompted by Microsoft’s anti-spyware program and by ZoneAlarm — you guessed it — I restart the computer.
All things considered, we are making progress, but I’ve been slaving over this PC for 4-1/2 hours now, and I haven’t even installed half of the missing updates. So, I send IE over to Windows Update again, and this time my buddy’s PC is scheduled for 12 updates, which must be applied before additional patches or Service Pack 2 can be installed. (Also, spyware must be erased before you can load up SP2.) The update program works in the background while I finish installing the ZoneAlarm fix.
Nearly an hour later and the Microsoft updates are through, so it’s telling me to restart again. Doing so yields yet another prompt from Windows Update to install yet another round of patches, this time 18 bundles in all (keep in mind, we’re still not at Service Pack 2). This machine clearly had no business being on the Web, yet there it was, ready for takeover by any number of Internet pests.
I begin to remove dozens of suspect-sounding programs found in Windows’ “Add/Remove Programs” feature, including children’s games and “Internet connection booster” software.
By the time the last of the pre-SP2 patches are installed, I’ve been tending to this PC for nearly seven hours. It wants another restart. I am offered a margarita and I accept gratefully. Service Pack 2 is downloading after another reboot, and I instruct my friend not to install the update until the anti-virus and several anti-spyware programs have given his machine a clean bill of health.
It looks like someone has previously downloaded the Firefox Web browser on this machine, but that program also needs four generations of software and security updates. So once those are in place, I set out to make Internet Explorer harder for my friend to find, and set Firefox as the default browser, with its orange icon gleaming from the Windows taskbar. I don’t want him using IE while there are still dozens of important Windows (including IE) patches still lacking on the computer. I shamelessly set his home page to Security Fix.
It is now 9 p.m., and sipping the last of my margarita, I utter a weary promise to return to create a user account for him that does not have privileges to install programs, thereby making it far harder for him be tricked into accepting bad software while using the Internet. At some point soon, I plan to produce yet another video guide to securing your computer that focuses on creating user accounts and transferring your current files and settings to them.