September 6th, 2004 04:38 AM
Major MyDoom Infestation -- Can it be Fixed?
This one's starting to drive me rather nuts. Never had this much trouble before.
I'm working on my first-ever client (yay for James's start-his-own-business dream!), and his computer is really, really screwed. He had no AV whatsoever, so he is rather owned. Malware is eating up memory like crazy, IE is hijacked to the point if being rendered unusable, and the OS is consequently shot to heck.
IE's his only browser, so I couldn't connect to the Internet to download Firefox due to the sever hijacking. So, I finally burned Firefox, AVG, Kerio, Spybot, and Adaware to CD and went at it that way. And here's where it gets fun.
I can't install an AV. During AVG setup, it tells me shell.dll is missing. MyDoom's doing I presume? I'm sure there's a host of other infections as well. Anyway, I did a repair install (this is W2k by the way) in hopes of restoring the .dlls. Nope. Evidently the infections are moving fast enough to where I'm screwed even booting in safe mode the first time. No shell.dll = no AV = infestations stay!
Not one to be outdone, I had another idea. I tried networking my secure XP box to the screwed up 2000 box via a null modem cable. Set the entire C drive to "shared" on the 2k box. So I'm thinking now I can scan the infected box's drive with my secured box's AVG. Nope. Even though they detect each other, I get a "limited connection" on the XP side, and it won't access the C drive of the other computer even though it's set to shared with full permissions all across the board. I've been looking all over configs on both machines and can't figure out for the life of me what's preventing them from interacting properly.
Surely I can get this fixed without an OS reinstallation though, I'm refusing to call it quits. So, can you guys throw some input at me? What I have I missed? I'm sure there's some elementary something I've overlooked in all likelihood...
September 6th, 2004 04:44 AM
Dude, when something is this bad, DO THE DAMN FORMAT.
There is like no way you're going to be sure of getting rid of everything unless you do the reformat.
Back up what they guy wants to keep, and format that HD, and reinstall. Then, install AVG and a firewall. Then update the thing, then update AVG, then the firewall. Do a scan of everything, then install Ad Aware, update, run, and then, charge this guy an extra stupidity tax.
Hopefully the people reading realise THIS time I say this **** to get you to laugh and not be stressed out over it. Anyway, I really don't think you're going to even WANT to try and clean it. You'd need Holy Water for that thing.
September 6th, 2004 04:51 AM
Boot disc that sucka!
Get BartPE, I don't know if you need McCafee before you use it of if it's on there already...
I think undies will know. Also BartPE has AdAware and Spybot plugins, but it's sorta different because you have to make it yourself. Just make sure you give him the option before you format.
September 6th, 2004 04:52 AM
I would suggest what gore suggested.
Just back up what he wants saved, but make sure you scan it with a AV before you put it back in his PC.
Just tell him its gonna save him money and time if you do a re format for him.
September 6th, 2004 04:58 AM
Why spend hours screwing around, move all his data/info to a new hard drive/dvd/cdrs.... and reinstall. I would expect that in the time you have already invested you could have reinstalled and reconfigured the box . Then it is for sure clean and working properly. (work smart not hard)
Do unto others as you would have them do unto you.
The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America\'s war on terror, Attorney General John Ashcroft told a Senate oversight committee
-- true colors revealed, a brown shirt and jackboots
September 6th, 2004 06:43 AM
I know that the common belief here seems to be format... and for most people I would agree... but speaking from personal experience.. I hate formatting... It'll take me months to get a system back to how I want... While a reinstall may only take a couple hours... the PC could also be fully cleaned in the same amount of time. I'd say on average I clean 15-30 PCs a week at work.. sometimes I'll do closer to 50 and 60... I may do a reinstall once a month because there will be nothing worth keeping on the hdd (it's basically an original install).
I fully support the BartPE idea, I have a disk I created and it's handy to have... but there are better ways to accomplish the same task in my opinion...
Your primary problem seems to be the inability to install AV... Pick up a copy of Hirens Boot CD. I'm not sure if the CD is entirely legal... in fact I'm pretty sure it's not *Mental Note To Self: Investigate the Legality of Hirens Boot CD*... but I'm sure you'll find most people here have copies of it... most of the software is older or outdated and I'd gladly pay the license fees for those older version if needed to keep using the CD.... It has DOS AV on it.. We were able to clean up a PC with 3700 Viruses that we couldn't install AV on because of the same problem.... You can find the ISO for the CD (less than 50MB I believe) on any torrent site.
If the box is relatively bare and has no custom configs then reinstall is definately your best bet... but if it's quite the custom job just clean it.... I'd say that in total combined time I can clean a PC in an hour.. maybe two tops... However a fresh install, gathering drivers, setting up security and permissions, installing software and restoring backups takes me around 72 hours (minimum)... You also can't be sure that your backups are completely clean... so that could lead to problems.... A Fresh install with restored backup files isn't always a clean install.... Just something to remember.
IT Blog: .:Computer Defense:.
(Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".
September 6th, 2004 07:41 AM
take your laptop and download an updated version of stinger. it'll fit on a floppy disk. it'll take care of mydoom
after that do the same with hijackthis. you know what your doing so it shouldn't be dangerous. you should be able to install an av after that
if your going to do this all the time you need to set up an ftp server. im sure you'll find the the ftp client has no problem connecting even though ie will not if its a dsl connection. if you dont want to do that keep an updated cd of bart with all the tools you need on it. pslist and kill fport mcaffee cmd line virus scanner. you'll have to make a new disk fairly often but it'll be worth it. i ptrferr the ftp server.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
September 6th, 2004 08:20 AM
I am an anti-restore fan. So what I would do is the following.
Boot the pc
Erase all Temp files
make sure you do everything else in safe mode
Couple of options here:
Remove hard drive, slave it on your computer and scan with your AV software. (potential problem: it erases some important OS files and you have to do a soft install)
Burn Stinger or your other favorite to cd and run it in safe mode, if you do this remove all temp files first.
Run Ieradicator...... WARNING... make sure you have another copy on cd to install when you are done.
http://www.litepc.com/ieradicator.html <-- Completely removes IE
You dont necessarily have to remove IE, you could clean it up.
Download The following
Run those programs, if you have questions about any of them please ask and I can go into further detail on any/all of them.
Now with AV, Spyware, and IE all taken care of does the PC still boot up? If it doesnt you may have to reinflate all the cab files back over windows in order to make it work....Or do a soft/dirty install (install windows on top of itself. Worst case scenario rename the windows directory and install windows again, this will keep everything there but not erase it... downside none of the programs will work (honestly defeats the purpose of everything we have done).
Edit: I would take all these programs and install them on on Cd and use them wherever you go while you are working. This way you dont have to rely on your clients having internet or not having problems.
Duct tape.....A whole lot of Duct Tape
Spyware/Adaware problem click
September 6th, 2004 08:49 AM
i have to agree, if there is ever a system that screwed up, just turn around and say, look, its your fault because you need AV software and all the rest, sorry, i have to format to fix and i will put these programs on for you for the future...
unfortunatley i have had systems that are that bad, its literally impossible to fix because its so deep. Format the sys.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
September 6th, 2004 09:51 AM
Yep undies is here.. and is not in a good mood..
You are doing a paid repair job right.... What research have you done into what you have Found so far.. Have you searched Symantec or Sophos, Grisoft.. These are some of the tools you NEED to Use.. before you start fiddling with any removal tools..
While I am a great fan of the Bart PE enviroment Live CD.. You do need to be very careful..
And it is not always my first shot in the crowd.. know thy fo .. is first.. then gather ye weapons.
I would very certainly read the post by spyrus.. and follow what he has to say..it is tried and proven.. mine is still experimental
My current disk has the following tools installed.. * denotes come with the Builder prog..
McAfee command line AV * (updates need to be downloaded - i have not attempted a build with the se version)
Adaware (you need it installed on a machine and the latest refs)
Stinger (you need to d/l the lartest version)
RegeditPE ( https://sourceforge.net/projects/regeditpe/ )
Find BArtPE info here http://www.nu2.nu/bootcd/
Fo;;ow the instructions for each tool.. run PEBuilder.. then burn the the resultant ISO
Realise that when you are using any of the tools with BartPE live cd.. it is the same as removing the HDD and scanning the drive in another machine.. and this has its limitations.. it also removes several causes of problems.. When used as a part of a organised approach to malware removal it can help you speedup the cleanup as well as improve the effectiveness of the clean..
(I won't hit on to many more of the pro and cons here)
OK place BARTPE cd in the Cdrom drive and Boot
depending on the job at hand you choose your poison.. in your case.. I would run the McAfee AV.. useing the GUI wrapper.. set the scan to detect only.. we want to know what we are dealing with here..
and just for a giggle.. fireup Adaware and get it to do a custom scan.. of the C:\ drive.. a normal scan will be scanning your clean Bart OS won't it..l
HAve a good look at the results of both scans.. from here you may need more information.. GOOGLE is your friend (hate those words don't we..but you won't learn **** if you dont put some sweat on your brow)
Withe the Adaware scan you will be able to remove the mostly harmless ****.. but any bad stuff you will need to work your plan of action.. and that comes from the study of the AV scann and your reasearch..
If the removal process requires more that 2 hours of your personal input time (the job may take 5 or 6hrs with scanns and all).. consider the costs involved with doing a clean install.. this will include..
Backup up of ALL of the customers DATA..
internet (dialup account data) and mail server settings,
cookies (yes they are handy),
data from any important prog that dosen't save in my docs..ie Accounting sofware
this can be a pain if you don't have a burner or a spare HDD or the malware prevents you accessing the data (Bart pe again?)
Then the reinstall.. the customer will expect their machine working as before the virus hit.. browse the internet as the are used to, and use what ever crap program they think is cool.
they will expect a working version of what you have infront of you now..
weigh up the expected costs.. or more the time factor.. if the job needs to be ASAP, and it is not critical..format
When I am in a particularly bad mood.. and the client is bad arsed idiot.. format.. "sorry mate the virus ate everything"".... (even ya 30G's of pron and 20Gs of mp3's )
Most of the tools that I use in Malware removal are on CD and USB Ram stick.. (am seriously looking at getting a 1Gb usb stick and attempting to put BartPE on there..)
that is as well as the BartPE disk, a Hirens Boot CD and a Knopix cd..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr