I have completely removed "Antivirus XP 2010" from the machine which suffered the infestation. Scanners and antivirus programs were useless and failed to even detect it. Online instructions for removal were inaccurate and incomplete. It was necessary to distill information from multiple sources, refine it, and then adjust to the actual contamination trail.
The most difficult part was tracking down and removing the hidden system file that activates it, and the downloaded file in the Internet Explorer cache from which it came. Once those were nuked and innumerable registry fixes applied, only then did Symantec AV start finding the remaining pieces.
Hints for anyone trying to do this in the future:
- Turn OFF system restore. If you don't do this before you start fixing and deleting, it is possible to reactivate the virus or trojan by restoring to a prior checkpoint. Not only that, but I understand some of these things will actually use system restore to revive themselves if they are only partially nuked.
- Log in as "administrator" to hunt for files. Apparently no one else can find or remove hidden system files.
- Run updated virus checking or malware tools AFTER you think you have completed the removal yourself. They may find leftover bits.
- Dump Internet Explorer for a better browser, preferably one with effective popup blocking and especially advertisement blocking.
- Don't ignore weird behavior in the system. It will only get worse. I have no idea how long they had been ignoring the spurious warnings, alerts, and notifications this thing was throwing up.
- Don't forget to turn system restore back on once the repairs are complete.
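As an added example (not code from the original post), here is a cmd batch script that works through the list above on Windows XP: it checks that System Restore is switched off (the DisableSR policy value) and that you are running from an Administrators account, then writes a read-only inventory of hidden system files in the Internet Explorer cache and the Windows folders, newest first, together with the usual autostart registry values, so the hidden activator file can be located before anything is deleted. It deletes nothing. The cache path assumes XP's default profile layout, the report location under %TEMP% is an arbitrary choice, and the Run/RunOnce and Winlogon values are checked as an assumption about where such things hide; the post does not say which keys were involved in this case. Running it with the argument `restore` turns System Restore back on afterwards.

```batch
@echo off
setlocal
REM Added example, not from the original post. Run from the Administrator
REM account on Windows XP. Checks the preconditions in the hints and writes
REM a read-only inventory to %REPORT%; nothing is deleted by this script.
set "REPORT=%TEMP%\cleanup_inventory.txt"
set "SR_KEY=HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"

if /i "%~1"=="restore" goto :restore

echo Inventory taken %DATE% %TIME% > "%REPORT%"

REM 1. System Restore must be off before any file is removed, or a checkpoint
REM    can bring the infection back. DisableSR=1 under the policy key turns it
REM    off without going through the GUI.
reg query "%SR_KEY%" /v DisableSR 2>nul | find "0x1" >nul
if errorlevel 1 (
    echo [WARN] System Restore is not disabled. Turn it off first with:
    echo        reg add "%SR_KEY%" /v DisableSR /t REG_DWORD /d 1 /f
)

REM 2. Hidden system files are only visible and removable from an
REM    Administrators account.
net localgroup Administrators | find /i "%USERNAME%" >nul
if errorlevel 1 echo [WARN] %USERNAME% is not in Administrators; log in as administrator.

REM 3. Hidden+system files in the IE cache (assumed XP default profile path)
REM    and in the Windows folders, sorted newest-created first so a recent
REM    drop stands out from the legitimate files.
set "CACHE=%USERPROFILE%\Local Settings\Temporary Internet Files"
echo === Hidden system files in IE cache === >> "%REPORT%"
dir /a:sh /s /b "%CACHE%" >> "%REPORT%" 2>nul
echo === Hidden system files in %SystemRoot% and system32 (newest first) === >> "%REPORT%"
dir /a:sh /o:-d /t:c "%SystemRoot%" >> "%REPORT%" 2>nul
dir /a:sh /o:-d /t:c "%SystemRoot%\system32" >> "%REPORT%" 2>nul

REM 4. Autostart registry values (assumed locations) that a rogue uses to
REM    relaunch itself after a reboot. Compare against a clean machine.
echo === Autostart registry values === >> "%REPORT%"
for %%K in (
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
) do reg query %%K >> "%REPORT%" 2>nul
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell >> "%REPORT%" 2>nul
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit >> "%REPORT%" 2>nul

echo Inventory written to "%REPORT%". Review it, remove what you must, then run the updated AV scan.
goto :eof

:restore
REM 5. After the scan comes back clean, turn System Restore back on.
reg add "%SR_KEY%" /v DisableSR /t REG_DWORD /d 0 /f
echo System Restore re-enabled.
endlocal
```

The inventory is meant to be read side by side with the same listing from a known-clean XP machine: the hidden system file that keeps relaunching the rogue shows up as an entry with a recent creation time that the clean machine lacks, and the autostart section shows what is pointing at it.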
Best argument for Linux I've ever had. Because ordinary user status in Windows XP is so crippled, no one is willing to use it. Instead they insist on "PowerUser" status. This in turn is enough to let crap like Antivirus XP install itself without full administrator status. It was very deeply entrenched and hidden. Linux user security is both tighter and more amenable to customization. That way you can allow a user to have access to one or two special commands or applications without giving them the keys to the treasure vault.
Every time I have to do this, I curse the Windows Registry. It's the most intolerable pile of garbage ever foisted on a user population. Even Microsoft doesn't fully understand it or know how to manage it, as their techs have admitted to me directly. Too many cooks, too many fingers, and all that. The registry is invariably at the heart of one of these attacks, and provides a delightfully obscure way to hide an infestation under multiple redirections and masquerades.
Front desk machines will now have Firefox with Adblock Plus as their default browser. Now that I know they keep inserting library users' flash drives in order to "help" them print stuff, I have also put tape over the accessible USB ports on those machines. The director issued a stern warning against clicking on banner or pop-up ads, or responding to any "warning" of a virus or intrusion without first consulting me. Time wasted on this bullshit? Eight hours. Two to tighten security at the remaining desk machines and implement a temporary replacement station out there, and six to get rid of the damage to the infected machine without erasing the hard disk. In a way it's too bad I was successful. I actually had permission to reload the machine with Linux rather than restoring a clean Windows XP...
no subject
Date: 2010-03-20 02:25 am (UTC)
I've read Norton's recommendations but never got down to repairing the registry. All my fixing was done with taskmanager, forensic searches, and SpyBot (pulled out zlog and showed me the .dll after the other processes were killed, as you said).
on a lighter note-
My son reports that one of the Middle School PCs was infected today with this virus. He tried to give the tech guy some hints (like the man wanted a 13 year old to tell him what to do), having gone through this three times with his own PCs, but the man insisted on doing things 'wrong,' says the boy. In the end, when that blue screen appeared during 'safemode,' my son told him he should get Linux.
Your story, and the school's mishap, helped to convince our Director to let me put DeepFreeze on the staff machines, and to let me get the 500 GB portable drive I've been asking for. I've made baseline images of all their machines, at least, as an interim. Looking forward to Sunday morning at work for once: coffee and bluegrass and updating.
no subject
Date: 2010-03-20 03:17 am (UTC)
That's what they had here when I arrived eight years ago. I hate it with a passion now. So many steps and reboots to go through just to do some silly little thing like reset the system clock. By far the most cumbersome "protection" tool I've ever used. Right after it comes that hardware protection gadget on our old Gates machines, the one with the key lock. Again multiple reboots to disable it, make changes, test the changes, relock it. With either one, get a step out of order and you've blown it and have to go through the whole sequence again.
I really should have just lied and said I couldn't fix this. I'd actually extracted an agreement that if it was not fixable without wiping the drive and reinstalling, I could reinstall with Linux instead.
Millennium runs identically on Linux. They are all adamant that it doesn't do that, yet no one can show me a specific example of how it is different. I think their problems are erratic mouse and keyboard use rather than the OS. The only thing I got out of anyone was "We can't double click this, we have to right click and click again." So I double clicked it and it worked. They didn't believe me, so I repeated the action three times. "Oh no, that doesn't work" they kept insisting, even after watching it work. Pure prejudice.
Likewise they can't live without MS Office. Yet half the machines they've been using don't have MS Office. They have Open Office instead. Most of them never notice the difference. It's hopeless arguing though. Next time they trash a Windows install, I swear they're getting Linux back.
My cataloging assistant is retiring at the end of this month and I'll not be getting a replacement for her due to budget. I'll be expected to pick up all the cataloging work she did without dropping any of what I already do. Wasting a full day to fix a worm infestation that could have been avoided by simply paying attention to what they were doing is not going to be acceptable.
no subject
Date: 2010-03-20 10:38 am (UTC)
> I'll be expected to pick up all the cataloging work she did without dropping any of what I already do.
I used to do a lot more maintaining of the pcs and keeping backups handy for incidents like we've just experienced, but it was adding comp time to my week to wear this 'third hat' and the boss was blunt in saying she'd rather I put my efforts into building maintenance. Hence many of my ghosts are very out of date.
no subject
Date: 2010-03-24 12:58 pm (UTC)
no subject
Date: 2010-03-24 03:11 pm (UTC)
I don't like Windows even on my own machine. It gripes me that manufacturers continue to act as if Linux didn't matter when we have a market share to match the Mac or perhaps even more now.