
Cleaning Malware

12.16.05

For unfamiliar terms, look in Matisse Enzer's Glossary of Internet Terms.

Clearing Malware From My Friend's Computer

I've added this page to the site to share some problems I faced clearing viruses, trojans, worms, spyware, and a keystroke logger from a friend's computer. I learned a lot and thought someone out there might benefit from this. I apologize if it gets long-winded, but I want to be very descriptive of the problems and solutions. I think I remember the order of the steps I took fairly well. The whole job was a two-day project.

I recently helped a friend with her computer (Windows 2000, on cable internet access without a router) after she complained it was really slow and every time she turned it on, she got a warning from Norton AntiVirus saying it could not verify something. The warning from Norton suggested uninstalling the antivirus and reinstalling it. She was unable to do that, so she asked someone to reinstall Windows 2000 and Norton. That was done but didn't resolve either problem.

When I got to the computer, I saw the same Norton warning and it appeared that Norton was not protecting her computer at all. The computer was also extremely slow to open anything. I thought I could easily uninstall Norton and install another antivirus program, AVG. Before uninstalling Norton, I downloaded AVG Anti-Virus, then I attempted to uninstall Norton and rebooted the computer. I got an error message upon rebooting saying that it could not find a particular Norton file at startup. I could see why she was not able to properly remove Norton before. I didn't want to leave her computer vulnerable for long, so I immediately tried to install AVG. AVG warned that it could not install properly because the computer had a conflicting version of Roxio (CD burning software) and I needed to get the Roxio patch. AVG was kind enough to include a link to get the patch. The patch would not install because Roxio was not on the computer.

I then thought about trying an online virus scan. I selected Trend Micro's HouseCall since Leo Laporte had recommended it in several of his radio shows, podcasts, and TV shows. That site required Java, so I installed that. I started the scan, noticed it was extremely slow, and left for dinner. When I came back the computer had rebooted and I didn't see the results of the scan. I tried the scan again but it seemed to get nowhere.

I decided to tackle the antivirus later and tried to install the ZoneAlarm firewall to help protect her computer from hackers. After running the install file, I got an error message stating that the ZoneAlarm program file could not be found. So I went to the ZoneAlarm program folder and looked at the files. The file that should have been named "zonealarm.exe" was named "zo3nealarm.exe." Of course that made me very suspicious. During the install, something on her computer changed the name of the ZoneAlarm program file so her computer could not be protected. I manually removed the number 3 from the file name, and the properly named file suddenly vanished. So not only could this suspected virus disrupt the installation, but it could also delete or hide the file from the operating system. Now I could not install the antivirus or the firewall I wanted. I uninstalled ZoneAlarm and rebooted again.

Once it rebooted, I got the error message again saying that it could not find the proper Norton file that I had tried to uninstall. This made me think I should use MSCONFIG to look at the programs trying to start at boot up and perhaps disable the one trying to start Norton. Windows 2000 did not include MSCONFIG. So I went online to see if I could find a free program that would do the same thing as MSCONFIG for Win 2000. The first link on Google.com was for an article on techadvice.com. The article said you could use MSCONFIG.exe from Windows XP or download it from their site. I had not used their site before, so I decided I would try to get MSCONFIG.exe from my laptop first.

In the meantime, I remembered hearing that Norton AntiVirus had a tool to help uninstall the program if all else failed, so I went in search of that. As I was browsing, I could no longer get to Norton's website. Other websites worked fine, but I could not get to Norton. So I tried other antivirus sites. I could not get to those sites either. Earlier I could get to those sites, but now I could not. I don't know if it was because a new virus was now on the computer, one of the viruses already there was actively adapting its program to block my attempts to remove the viruses, or it may have been possible that a hacker was actively behind the new problem, but that seems less likely.

I went to the Microsoft Update page to try to get any missing security patches (she had Service Pack 4 for Win2000). It said I couldn't get updates because some services were disabled and provided instructions on how to enable them. I was eventually able to download the latest MS malware removal tool for some of the biggest worms/trojans/viruses. That didn't find or remove anything.

For a time I felt there was nothing more I could do. I let my friend know that we would try to save her data, pictures, etc. to my back-up drive, format her hard drive, and reinstall the operating system. Well, she didn't have the disks for her operating system, so we were planning to buy a full install of Windows XP. That's about $200 for an OS that will be replaced in a year with the next OS, Windows Vista.

I decided to go back and try some more things. I went back to techadvice.com and downloaded MSCONFIG.EXE. I wasn't too concerned about what I downloaded at this point. When I ran MSCONFIG, I looked at the list of programs starting when the computer booted. I searched the name of each at Google and I found that four of them were trojans. I also found the file associated with Norton's start-up and unchecked that. I found the Loader Trojans A, B, C, and some other trojan. I deselected them so they would not start at the next boot. Then I went to the folder where the files were and deleted them. I found some associated .dll files in the same folder but could not remove them at the time because Windows said they were in use. I wanted to remove the registry keys for those files as well, but the computer did not have the registry editor program, REGEDIT.EXE. I haven't worked with Windows 2000 in a long time, but everything I found on the web suggested it should have REGEDIT.EXE.
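The MSCONFIG step above (read each startup entry, work out which file it really runs, then go look it up) and the renamed "zo3nealarm.exe" from earlier are the kind of thing a script can do for you on the next infected machine. The following Python is an added example written for this page; it is not something from the original write-up and not a tool from any of the products mentioned. It parses the text that regedit's export function or reg.exe writes for the Run keys, pulls out the file each entry actually executes (handling quoted paths, unquoted paths with spaces, and rundll32 entries whose real payload is a DLL), and flags names that are one typo away from a trusted program name or that run from a Temp folder. The sample export, the file names in it, and the KNOWN_GOOD list are all constructed for the example and should be replaced with what you actually trust.

```python
r"""Review Windows autostart (Run key) entries from a .reg export.

Added example for this page: parses an export of HKLM and HKCU
Software\Microsoft\Windows\CurrentVersion\Run, resolves the file each entry
runs, and flags look-alike names (zonealarm.exe -> zo3nealarm.exe) and
programs launched from a Temp folder. Only plain string (REG_SZ) values are
handled; hex(2)/hex(7) values are skipped.
"""
import ntpath
import re

# Constructed sample export. Every path, value name and file name is made up
# for this example; the vendor folder names are not verified against products.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zo3nealarm.exe\""
"Synchronization Manager"=hex(2):6d,00,6f,00,62,00,73,00,79,00,6e,00,63,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sysupd"="C:\\Documents and Settings\\Owner\\Local Settings\\Temp\\svch0st.exe -s"
"Office Loader"="rundll32.exe \"C:\\WINNT\\system32\\ldr.dll\",Start"
'''

# Hypothetical allow-list of program-name stems you trust on the machine.
KNOWN_GOOD = {'zonealarm', 'svchost', 'explorer', 'ccapp', 'avgcc', 'rundll32'}
EXE_EXT = ('.exe', '.com', '.scr', '.bat', '.cmd', '.pif')

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files write backslashes as \\ and quotes as \"
    return re.sub(r'\\(.)', r'\1', s)


def parse_run_keys(text):
    """Return [(key, value_name, command_line)] for REG_SZ values in the export."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        raw = m.group(2)
        if not (raw.startswith('"') and raw.endswith('"')):
            continue  # hex(...) values (REG_EXPAND_SZ etc.) are not handled
        entries.append((key, _unescape(m.group(1)), _unescape(raw[1:-1])))
    return entries


def split_command(cmd):
    """Return (executable, remaining arguments) for a Run value."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:], ''
        return cmd[1:end], cmd[end + 1:].strip()
    # Unquoted: like CreateProcess, try each space-delimited prefix until one
    # names an executable, so "C:\Program Files\x\y.exe /a" is not read as
    # "C:\Program". (This is the ambiguity behind unquoted-path bugs.)
    tokens = cmd.split(' ')
    for i in range(1, len(tokens) + 1):
        cand = ' '.join(tokens[:i])
        if cand.lower().endswith(EXE_EXT):
            return cand, ' '.join(tokens[i:]).strip()
    return tokens[0], ' '.join(tokens[1:]).strip()


def executable_of(cmd):
    return split_command(cmd)[0]


def autostart_target(cmd):
    """The file whose code runs: the .exe, or the DLL when rundll32 is used."""
    exe, args = split_command(cmd)
    if ntpath.basename(exe).lower() != 'rundll32.exe':
        return exe
    if args.startswith('"'):
        end = args.find('"', 1)
        return args[1:end] if end > 0 else args[1:]
    return re.split(r'[ ,]', args, 1)[0]


def edit_distance(a, b):
    """Levenshtein distance; one insert/delete/substitute counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(path):
    """Trusted name this file name is one edit away from, or None."""
    stem = ntpath.splitext(ntpath.basename(path))[0].lower()
    if stem in KNOWN_GOOD:
        return None
    for good in sorted(KNOWN_GOOD):
        if edit_distance(stem, good) <= 1:
            return good
    return None


def review(text):
    """Every Run entry with its real target and the reasons to look at it."""
    findings = []
    for key, name, cmd in parse_run_keys(text):
        target = autostart_target(cmd)
        reasons = []
        good = lookalike_of(target)
        if good:
            reasons.append('name is one edit away from %s' % good)
        if '\\temp\\' in target.lower():
            reasons.append('runs from a Temp folder')
        findings.append({'key': key, 'name': name, 'target': target, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in review(SAMPLE_REG):
        flag = ' <-- ' + '; '.join(f['reasons']) if f['reasons'] else ''
        print('%s\n  %s = %s%s' % (f['key'], f['name'], f['target'], flag))
```

To use it on a real machine, export the Run keys (regedit's export function, or `reg export` where reg.exe is available), then call `review()` on the file's text and search every target it lists, not only the flagged ones. Keep in mind that the Run keys and MSCONFIG's Startup tab are only part of the picture: RunOnce, services, Winlogon entries and scheduled tasks also start code at boot and need the same look.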

Well, I then rebooted the computer. I noticed the auto logon went really quickly. That was promising. I tried installing ZoneAlarm again and it went without a hitch. Following another reboot, I went online and now I could go to the antivirus websites. I tried installing AVG again but got the same warning about a Roxio conflict. So I went in search of another free antivirus. I downloaded and successfully installed the free antivirus AntiVir. That was real progress. After installing it, I updated it and started a system scan. It found more viruses. I stopped counting after the 6th one found. Most of them were variants of the Bagle trojan/worm. It found some virus that, upon research, I read would create a folder on the hard drive and download malicious programs there. I found that folder and deleted it and the .EXE files within. AntiVir also found two .ZIP files containing viruses in the temporary internet files. AntiVir could not delete those. I assume it just doesn't delete archives like .ZIP files in case there are legitimate files within the archive. Anyway, I did a search for those files and deleted them.

The next step was to run the three standard free antispyware programs. I ran Microsoft AntiSpyware first. It found a keystroke logger. A keystroke logger can record every key the owner types, including usernames and passwords. Many can then send the data they have recorded across the internet to the jerk who installed it or invented it. To me it appeared that the keystroke logger was disguised as a graphics editing program. I didn't note the name of either the keystroke logger or the folder it was in. I knew then my friend would have to change all of her passwords. I set MS AntiSpyware to run in the background to protect her system and automatically update itself. Spybot Search and Destroy did not find anything. Ad-Aware found another spyware program on her system. From that I had confirmed what many experts say: you need more than one antispyware program because none of them will catch everything. I also installed SpywareBlaster to help prevent new spyware from getting in through Internet Explorer or Firefox.

The first trojans I found were described as e-mail trojans. I asked my friend if she used the preview pane in her e-mail client, Microsoft Outlook. She did, so I explained the danger in that. Basically, the preview pane opens and renders an e-mail (including any HTML it contains) as soon as you select it and displays it below the list of e-mails. That sounds convenient, but the problem is that if you select junk mail to delete it, it will be opened in the preview pane before you can delete it. An infected e-mail then has the chance to infect the computer before you have the chance to remove it. If you use an e-mail program that has a preview pane, turn off the preview pane! For Outlook you can turn it off under the View menu. After turning off her preview panes (inbox and deleted items folder), she changed her passwords, and so far all seems to be well.

Finally, I installed Firefox for her and made it the default browser to help avoid ActiveX malware that can get in through Internet Explorer.

I owe credit to Leo Laporte, everyone at the old TechTV, Steve Gibson of GRC.com, and all the folks in the many forums and newsgroups I read for educating me on all these programs and techniques for removing all that crap. I hope that this may help someone out there who may be ready to pull their hair out over their computer problems. Some of the important lessons that were reinforced were that the most popular security programs like Norton AntiVirus and ZoneAlarm are being targeted by malware, you need to run several antispyware programs, and MSCONFIG can completely save the day. Thanks for taking the time to read this, and again I offer my thanks to the many folks out there who have helped me.