I have completely removed "Antivirus XP 2010" from the machine which suffered the infestation. Scanners and antivirus programs were useless and failed to even detect it. Online instructions for removal were inaccurate and incomplete. It was necessary to distill information from multiple sources, refine it, and then adjust to the actual contamination trail.
The most difficult part was tracking down and removing the hidden system file that activates it, and the downloaded file in the Internet Explorer cache from which it came. Once those were nuked and innumerable registry fixes applied, only then did Symantec AV start finding the remaining pieces.
Hints for anyone trying to do this in the future:
- Turn OFF system restore. If you don't do this before you start fixing and deleting, it is possible to reactivate the virus or trojan by restoring to a prior checkpoint. Not only that, but I understand some of these things will actually use system restore to revive themselves if they are only partially nuked.
- Log in as "administrator" to hunt for files. Apparently no one else can find or remove hidden system files.
- Run updated virus checking or malware tools AFTER you think you have completed the removal yourself. They may find leftover bits.
- Dump Internet Explorer for a better browser, preferably one with effective popup blocking and especially advertisement blocking.
- Don't ignore weird behavior in the system. It will only get worse. I have no idea how long they had been ignoring the spurious warnings, alerts, and notifications this thing was throwing up.
- Don't forget to turn system restore back on once the repairs are complete.
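A triage helper for the hints above, added here and not part of the original post. It assumes PowerShell 2.0 or later on the Windows XP machine, an administrator session (hint 2), and XP's "Documents and Settings" profile root, which contains the Internet Explorer cache. It only lists candidates; it deletes nothing.

```powershell
# Added triage helper, not from the original post. Assumes PowerShell 2.0+
# on the affected XP machine and an administrator session.
# Lists files carrying BOTH the Hidden and System attributes under the user
# profiles (IE cache included) and the Windows directory, newest first, so a
# responder can review them before deleting anything. Nothing here modifies
# or deletes files.

param(
    # XP profile root (assumed); on later Windows this would be C:\Users
    [string[]]$Roots = @("$env:SystemDrive\Documents and Settings", "$env:WINDIR"),
    [int]$Days = 30   # only show files written in the last N days
)

$cutoff = (Get-Date).AddDays(-$Days)
$mask   = [IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System

$hits = foreach ($root in $Roots) {
    if (-not (Test-Path $root)) { continue }
    # -Force is required: without it hidden/system entries are silently skipped
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            (($_.Attributes -band $mask) -eq $mask) -and
            $_.LastWriteTime -gt $cutoff
        }
}

$hits | Sort-Object LastWriteTime -Descending |
    Select-Object LastWriteTime, Length, FullName |
    Format-Table -AutoSize

# System Restore bracket for hints 1 and 6: disable before cleanup, re-enable
# when the repairs are complete. Left commented so the listing alone is safe.
# Disable-ComputerRestore -Drive "$env:SystemDrive\"
# ... cleanup and rescans ...
# Enable-ComputerRestore  -Drive "$env:SystemDrive\"
```

Legitimate Windows files will appear in the output too, so compare each entry's path and write time against what the hint about the IE cache and recent odd behaviour suggests before acting on it.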
Best argument for Linux I've ever had. Because ordinary user status in Windows XP is so crippled, no one is willing to use it. Instead they insist on "PowerUser" status. This in turn is enough to let crap like Antivirus XP install itself without full administrator status. It was very deeply entrenched and hidden. Linux user security is both tighter and more amenable to customization. That way you can allow a user to have access to one or two special commands or applications without giving them the keys to the treasure vault.
Every time I have to do this, I curse the Windows Registry. It's the most intolerable pile of garbage ever foisted on a user population. Even Microsoft doesn't fully understand it or know how to manage it, as their techs have admitted to me directly. Too many cooks, too many fingers, and all that. The registry is invariably at the heart of one of these attacks, and provides a delightfully obscure way to hide an infestation under multiple redirections and masquerades.
Front desk machines will now have Firefox with Adblock Plus as their default browser. Now that I know they keep inserting library users' flash drives in order to "help" them print stuff, I have also put tape over the accessible USB ports on those machines. The director issued a stern warning against clicking on banner or pop-up ads, or responding to any "warning" of a virus or intrusion without first consulting me. Time wasted on this bullshit? Eight hours. Two to tighten security at the remaining desk machines and implement a temporary replacement station out there, and six to get rid of the damage to the infected machine without erasing the hard disk. In a way it's too bad I was successful. I actually had permission to reload the machine with Linux rather than restoring a clean Windows XP...