In a previous article, Why won’t this “Your Computer Is Infected” warning go away?, I described some of the symptoms I was faced with when a friend called me for help on his infected machine. It was seriously infected by one, if not more, currently common forms of malware.
As an example of some of the steps you might consider if faced with
a similar situation, let me describe what I did.
But First, a Disclaimer
I need to reiterate that once infected by anything, the only way to know that you’re no longer infected is to reformat the machine, reinstall Windows and all your applications from scratch, make sure everything is up to date and then restore your data from backups.
It’s a huge pain, but the only way to be absolutely certain.
So, at the risk of having missed something (which you’ll see actually did happen), I elected to try the more common “can’t we just clean it?” approach.
One of the symptoms that my friend mentioned was something about a message including the phrase “antivirus 2009”. Antivirus 2009 (and 2008) are viruses that are currently hitting a lot of people, and still being missed by many anti-spyware utilities. Thanks to reader comments on an earlier article (How can an infection like Antivirus XP 2008 happen?), I knew exactly where to start: Malwarebytes. This anti-malware software is a relatively new player, and has garnered a lot of good buzz. It was time for me to try it.
However, before even getting that far, I had a known infected machine on my hands, and the one thing I did not want to do was connect that machine to my local network for fear of the virus spreading to my other machines. Instead, I left the machine disconnected and took a spare external hard drive and copied a number of tools, including the latest Malwarebytes installer. I then connected that to the infected machine and installed from there. Once connected to the infected machine, of course, that external drive could also no longer be trusted, and hence could no longer be safely connected to one of my machines until erased.
One thing I did not need to do immediately was back up the machine. My friend had an external drive of his own, and had been running the backup software that had come with the drive. While it might end up “backing up” the infection as well, it at least had all the data. More on the backup drive below.
Scanning, and Scanning Again
The initial “quick scan” with Malwarebytes turned up over 30 separate infected files and settings. I had it quarantine those and ran the scan again, where it turned up only 2. This actually raises a good point: when scanning, always scan and rescan until the count of infections you care about reaches zero. I say “infections you care about”, because depending on the tool you’re running things like tracking cookies aren’t worth worrying about or re-scanning for.
At this point, the anti-virus program pre-installed on the machine (Norton) also indicated that it had found something, and as such needed to reboot to finish cleaning up. I did, it did, I re-ran Malwarebytes and all was clean.
Since my friend was waiting in my living room, I sent the machine home with the same warning with which I started this article: it may appear clean, but the only way to be absolutely positive would be a reformat and a reinstall, which we’re avoiding for now. Something certainly may have been missed.
It’s probably a good thing I said that.
My Mistakes – More Intensive Recovery
The next day my friend called and indicated that he could no longer log into his machine. It had worked great that morning, but in the afternoon any attempt to log in appeared to work, but then immediately logged him out.
I told him to bring the machine, but to plan on leaving it for the weekend.
This time I took several, more time-consuming steps:
I ran SpinRite. Not for anything malware-related; it’s just something that made sense to run overnight once the machine was going to be here for a while. (Though, occasionally, boot issues can be the result of hard disk issues that SpinRite can clear up.) The disk scanned clean with no problems at all.
I did a little research and ended up digging up my own Dell Windows installation (not repair) disk, and booting from that to get into the Recovery Console. Once there, I was able to restore a copy of c:\windows\system32\userinit.exe from the installation CD. That file having gone missing was the cause of the immediate logout on login. Chances are it went missing by virtue of having been infected, after which an anti-malware scan quarantined it. I could log in again.
I performed a complete system image backup to a spare external drive.
I turned off System Restore.
I cleared all temporary files, and cleared Internet Explorer’s cache.
I ran alternating full disk (not “quick”) scans by both Malwarebytes and Norton until both showed clean. Twice.
I set up a private network behind a second router specifically for this machine, so that I could connect it to the internet for updates without putting any of my own machines at risk.
I updated both Malwarebytes and Norton, and once again ran full disk scans until both showed clean.
I rebooted the machine a time or two, since some of the malicious behavior seemed to “kick in” after a reboot. No bad behavior resulted.
I let the machine sit overnight, connected to the internet. One of the vague reports was that the machine would sometimes show malicious behavior after it had been sitting for “a while”, perhaps due to uncaught malware “reaching out” to the internet and infecting the machine more deeply. This also allowed the anti-malware software on the machine to perform its normal updates and scans. Nothing bad happened.
I reconnected the backup drive and scanned it with both Malwarebytes and Norton. Surprisingly, no infections were found at all. More on this below.
Finally, I defragged the hard drive, just because.
This time I was fairly certain (though not absolutely positive) that the machine was clean. So far, a few days later, things seem to be well.
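The immediate-logout symptom in the steps above happens because Windows could not run the program named in the Winlogon “Userinit” registry value, which is normally userinit.exe. The PowerShell script below is an added example, not code from the original article: it reads that value, confirms that every program it names actually exists, shows the Authenticode signature status, and optionally compares the file’s SHA-256 hash against a known-good copy (for instance one extracted from installation media; that path is a placeholder you supply). It requires a Windows version with PowerShell, which the XP-era machine in the article did not have.

```powershell
# Added example, not code from the original article.
# Verifies the Winlogon "Userinit" hook: the program(s) Windows launches at
# every logon. If the named file is missing (quarantined, deleted or
# replaced), each logon ends in an immediate logoff.
function Test-UserinitHook {
    param(
        # Optional path to a known-good userinit.exe, e.g. copied from
        # installation media. Placeholder: supply your own.
        [string] $KnownGoodCopy = ''
    )
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = "$env:SystemRoot\system32\userinit.exe,"

    $value = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
    if (-not $value) {
        Write-Warning "Userinit value is absent; logons will fail"
        return
    }
    Write-Host "Userinit = $value"

    # The stock value is a single path followed by a trailing comma.
    # Anything after that comma is an extra program run at every logon.
    if ($value -ne $expected) {
        Write-Warning "Userinit differs from the default '$expected'"
    }

    foreach ($entry in $value.Split(',')) {
        $path = $entry.Trim()
        if (-not $path) { continue }

        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Logon program missing: $path (logon will fail until it is restored)"
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Host ("{0}: signature {1}" -f $path, $sig.Status)

        if ($KnownGoodCopy -and (Test-Path -LiteralPath $KnownGoodCopy)) {
            $have = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $want = (Get-FileHash -LiteralPath $KnownGoodCopy -Algorithm SHA256).Hash
            if ($have -eq $want) {
                Write-Host "$path matches the known-good copy"
            } else {
                Write-Warning "$path differs from the known-good copy (SHA256 $have)"
            }
        }
    }
}

# Run the check; pass -KnownGoodCopy 'D:\path\to\userinit.exe' to compare hashes.
Test-UserinitHook
```

Two caveats: on older Windows versions, system binaries are signed through catalog files, so Get-AuthenticodeSignature can report NotSigned for an intact userinit.exe; the hash comparison against a copy from install media is the more reliable check there. And if a machine is already in the logon/logoff loop, this has to run from another administrator session or from offline recovery media, which is the situation the Recovery Console step above handled by hand.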
What was different about my second attempt that made it more successful than the first?
Full disk versus “quick” scans
Turning off system restore
Cleaning out temporary and cache files
Setting up a safe network connection that allowed the anti-malware packages to update to their latest databases.
Perhaps one or more of those made a difference, perhaps something else.
About that External Hard Disk
I fully expected the external drive to be infected, particularly once I saw that the backup program was keeping its copies as ordinary files on a normal Windows filesystem rather than in a proprietary format. That didn’t happen.
What I discovered was that the backup that had been run was backing up documents only. Specifically, it was backing up the “My Documents” folder, and a few other things. It was not backing up the entire system. If the system or hard disk ever dies, the only recourse will be to reinstall Windows and applications from scratch. Data saved in “My Documents” can then be recovered from the backup.
This is a valid choice of backup approaches, but it should be a conscious one. For this type of situation, I actually prefer an image backup, since in the case of hardware failure it can be used to restore a system completely without having to wade through a lengthy reinstall process.
Lesson: don’t assume your backup is backing up what you think it is. Confirm that it’s doing what you want.
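The gap described above (documents copied, everything else untouched) is easy to confirm before the day the backup is needed. The PowerShell function below is an added example, not the article’s or the backup vendor’s code. It assumes a file-copy backup that stores each selected folder under one root on the external drive, named after the source folder (for example E:\Backup\Documents); both the root and the list of folders are placeholders to adjust for your own setup. On Windows XP the documents folder is “My Documents” rather than “Documents”.

```powershell
# Added example, not code from the original article or the backup program.
# Reports, for each folder you expect to be backed up: whether the backup
# contains it at all, how many files are missing, and how many copies differ.
function Test-BackupCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $SourceRoots,
        [Parameter(Mandatory)] [string]   $BackupRoot,
        # Slower, but catches stale copies that happen to have the same size.
        [switch] $CompareHashes
    )
    foreach ($root in $SourceRoots) {
        $root   = $root.TrimEnd('\')
        $leaf   = Split-Path -Path $root -Leaf
        $target = Join-Path -Path $BackupRoot -ChildPath $leaf

        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Source folder not found: $root"
            continue
        }
        if (-not (Test-Path -LiteralPath $target)) {
            # Whole folder absent: the "documents only" situation in the article.
            [pscustomobject]@{ Folder = $root; Status = 'NOT BACKED UP'; Missing = $null; Stale = $null }
            continue
        }

        $total = 0; $missing = 0; $stale = 0
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $total++
                # Path relative to the source root, re-rooted under the backup folder.
                $rel  = $_.FullName.Substring($root.Length + 1)
                $copy = Join-Path -Path $target -ChildPath $rel
                if (-not (Test-Path -LiteralPath $copy)) { $missing++; return }

                $c = Get-Item -LiteralPath $copy
                $differs = ($c.Length -ne $_.Length)
                if (-not $differs -and $CompareHashes) {
                    $differs = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash -ne
                               (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
                if ($differs) { $stale++ }
            }

        [pscustomobject]@{ Folder = $root; Status = "$total files checked"; Missing = $missing; Stale = $stale }
    }
}

# Placeholder folders and backup root; Program Files and Windows are included
# precisely so that a documents-only backup shows them as NOT BACKED UP.
Test-BackupCoverage -BackupRoot 'E:\Backup' -SourceRoots @(
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Desktop",
    $env:ProgramFiles,
    $env:SystemRoot
) | Format-Table -AutoSize
```

A row reading NOT BACKED UP for Program Files and Windows is exactly the honest answer the article arrived at by inspection: after a disk failure those come back only from a reinstall, and an image backup is the way to change that.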
The day after returning the machine I got a call from my friend. He’d received an email from his ISP indicating that there had been reports of “malicious activity and spam” originating from his connection. All in all, not very surprising, considering his previously infected machine.
The “twist” was that the ISP had blocked outgoing port 25 on his connection – meaning he could no longer send mail, and neither could any malware. (Hence the phone call as opposed to email.)
The ISP had instead opened up port 587 (an alternate email sending port), and configured that port to require authentication. Personally, I find this a very appropriate response on his ISP’s part – it blocks spambots, but gives people a way to continue to send email. (Tip of the hat to Comcast on this issue.)
I walked him through reconfiguring Outlook Express over the phone, and moments later I received an email from him.
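The ISP’s change above (port 25 closed, port 587 open and requiring authentication) can be observed directly by talking to the mail server on each port. The PowerShell function below is an added diagnostic, not part of the original article: it opens a plain TCP connection with a timeout, reads the server banner, sends EHLO and reports whether the server advertises STARTTLS and AUTH. It never logs in and never sends a message. The server name is a placeholder to replace with your own provider’s outgoing mail server.

```powershell
# Added example, not code from the original article.
# Reads one SMTP reply, which may span several lines ("250-..." continues,
# "250 ..." with a space ends it). Returns the lines as an array.
function Read-SmtpReply([System.IO.StreamReader] $Reader) {
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { break }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

# Connects to $Server:$Port, reports reachability and the EHLO capabilities
# that matter for mail submission. No credentials are used.
function Test-SmtpPort {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            # Silently dropped packets (a typical ISP port 25 block) end up here.
            return [pscustomobject]@{ Port = $Port; Reachable = $false; Banner = 'timeout'; StartTls = $null; Auth = $null }
        }
        $client.EndConnect($async)

        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        $banner = (Read-SmtpReply $reader) -join ' '
        $writer.WriteLine('EHLO client.example')          # placeholder client name
        $caps = Read-SmtpReply $reader
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Port      = $Port
            Reachable = $true
            Banner    = $banner
            StartTls  = [bool]($caps -match '^250[- ]STARTTLS')
            Auth      = [bool]($caps -match '^250[- ]AUTH ')
        }
    } catch {
        # Connection refused/reset, DNS failure, or a read timeout.
        [pscustomobject]@{ Port = $Port; Reachable = $false; Banner = $_.Exception.Message; StartTls = $null; Auth = $null }
    } finally {
        $client.Close()
    }
}

# Compare the two ports against a placeholder outgoing mail server.
25, 587 | ForEach-Object { Test-SmtpPort -Server 'smtp.example.net' -Port $_ } | Format-Table -AutoSize
```

A result where port 25 times out while port 587 answers is the block the article describes. Note that many submission servers only advertise AUTH after STARTTLS has been negotiated, so Auth showing False on the plaintext 587 check does not mean authentication is optional; what the client needs to be configured for is port 587 with STARTTLS and the account’s credentials, which is the reconfiguration done over the phone above.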
At this writing, about a week after it all started, all appears clear.
How Did This Happen?
I honestly don’t know.
On the surface, the machine had appropriate safeguards in place and they were all configured appropriately.
My guess, and it is only a guess, is that a website popped up a fake message that looked enough like a system message to fool my friend into clicking on it. Who knows what was installed on his system, but with that foot in the door all bets were off thereafter.
Perhaps the strongest lesson I can take away from this experience reiterates some of what I said in a previous article: it’s important to know what’s running on your system and know what messages to recognize as legitimate.
And to, above all, be skeptical.