Maggie’s coworker’s son got his Windows XP box 0wn3d quite well recently and they asked me to come take a look at it and fix it up. He had been running XP SP1 and had only a couple of additional patches installed, so it was pretty ripe for the picking. He didn’t want to upgrade to SP2 because he was worried it would make his computer too slow. He *was* running an Norton anti-virus, but still got loaded up with spyware, adware, clickbots, trojans and ratware. Why anti-virus stuff refuses to handle anything except viruses remains a mystery to me. Anti-virus stuff should block ANY malicious software. He was probably being used to send spam too, because his first-hop ping round trip was 2 seconds almost immediately on bringing up the net connection.
Usually to clean up a box I’d run McAfee Stinger, AVG Free Edition, Ad-Aware SE, and Spybot Search & Destroy and that’d take care of things. Not in this case.
I ran McAfee Stinger which was able to find a couple of copies of Korgo in the cache, but they didn’t look like they were active infections. Ad-Aware and Spybot both found tons of malware and AVG found a few, but a lot of it kept re-appearing after being removed. I found that a program called Golden Retriever Cash Back was reinstalling new malware each time. I was able to find registry entries to disable it, and then it was easier to make progress. Ad-Aware and Spybot were able to clean up many of the rest but there were still a few things that they and AVG still didn’t find. So then I went through Task Manager to look at each process name in google and see whether it was friend or foe. The bad stuff I’d kill and then search for their files and registry entries and manually remove it.
The real break-through was finding out about a program called Hijack This. It’s not for the novice, but it was able to find out how some of the stuff I couldn’t find with search were getting invoked and was able to disable them. The ones they couldn’t find were running as winx69.exe, ryhpka.exe, winagent.exe, mcafee32.exe and navprotect.exe. Some of the other malware running that I removed included clfmon.exe, Sygate.exe, elitevcy32.exe, pwn.exe, mssce.exe, msfwel.exe, gamma.exe, jah.exe, mssw32.exe, istsvc[1].exe. And that’s just the stuff that they could find but couldn’t remove automatically.
All in all this took most of the afternoon and evening on New Years Day (Feb 9). At the end, updated all security patches through present including SP2, and he had a well machine and good network performance again.
I dunno how regular people are able to get rid of this crap when they get infected this badly. The easy to use “click here” software was easily fooled, and several of the infestations were able to elude me for a while. And on top of that, five of them weren’t caught at all by anything except me manually going through Task Manager and cleaning up startup programs.
For those of you who aren’t being careful, here’s some advice:
1) Run good anti-virus software that updates *at*least* once a day. Make sure your mail server uses anti-virus software as well. (I use the pay version of AVG7 and have it set to update every 6 hours. My mail server runs ClamAV and clamassassin and updates every hour.)
2) Have a hardware firewall, or at least a software firewall. (I use a unix box as a firewall, but a USD30 broadband router is usually pretty good as a hardware firewall.) XP SP2’s firewall is getting better, but there’s still better options.
3) Don’t use Internet Explorer. Mozilla Firefox has had much less frequent and less serious security bugs than Internet Explorer. There’s a reason IE has the nickname Internet Exploiter. Whatever you do, make sure popups are disabled and ActiveX is highly restricted.
4) Don’t use Outlook Express. Also avoid Outlook, or at least make sure it is Outlook 2003 and is patched to latest update. The Outlook mail readers make it way too easy for malware to get through. If you insist on using these programs, you must disable the preview pane, and don’t click on any attachments you didn’t expect to come. Even if you get something from someone you know, if you weren’t expecting it, don’t open the attachments until you’ve confirmed that the sender actually sent it.
5) If you get a message from your bank, auction web site, personal payments site, or any other sensitive service saying you need to do something, don’t click on any links in the email. Instead, manually go to their website and see if there’s something there you really need to do. If in doubt, call them up and ask before you do anything.
6) Don’t respond to, or click on any links in any spam messages — messages you did not request from companies you don’t have a business relationship with. Just don’t. They are either gonna rip you off or infect you.
7) Run Ad-Aware SE and Spybot Search & Destroy regularly. Make sure Spybot immunizes your system each time. If you are technical enough, run Hijack This as well.
8) Run Windows Update frequently and always keep up to date with all critical patches. Better yet, set Windows Update to run automatically. (However, be aware that it will automatically reboot your system after being patched, so you don’t want to do this if you run things continuously.)
9) If you have any part of Office/Word/Excel/Powerpoint/Outlook installed, you’ll need to keep it updated separately at http://office.microsoft.com/officeupdate/
10) Be careful about pirated software, p2p downloads and porn. Some of it includes malware.