Just when you think we're making progress in educating users...
A friend approached me the other day. He said his laptop has been getting slower and slower and is fast approaching the point where it's becoming unusable. He asked if I could take a look, and I agreed.
What is the average time these days of a computer being exposed and naked to the Internet before it becomes infected? Whatever it is, he had it on the Internet too long. See, he had just upgraded to broadband, and his nice laptop with no A/V, no A/S, no Firewall was plugged directly into his cable modem. That's right, no hardware firewall (or even a router) between him and the elements.
"How long have you had broadband?" I asked him on the phone as I waited the requisite 20 minutes for Safe Mode to load. "About a week. I just stretch a cable from the back of the thing they gave me to my computer." ~gulp~
I asked him when his last backup was. "Backup? Why do I need those?"
Great. Now I'm in rescue mode.
Here's my initial analysis:
He's obviously infected with stuff. Whatever he has is preventing USB drives from mounting (which I was nervous about putting on there anyway, but had to get A/V on there), and prevented the Disk Manager from seeing any of the physical disks. The CD Drive still worked so I got A/V software on through that.
I ran AVG, but it kept crashing under normal boot. I ran it in Safe Mode via its command line interface, but I can't open the text file it produces. Access is denied. Great.
I ran SuperAntiSpyware, it found 512 or so infections. It got rid of about 500 and wants to scan on next boot to get the rest. OK, fine.
I ran Sophos Anti-Rootkit, but it won't run under Safe Mode.
I ran Spybot, it found 89 of its own infections (after SuperAntiSpyware). Got rid of 80 of them, it will run on next boot.
I rebooted, tried to go back to normal Windows, but it bluescreened. Booted back to Safe Mode fine.
Re-ran the scans. AVG still won't let it read the txt file. But the output during the scan shows it found a lot of stuff.
SuperAntiSpyware was running as I left for work this morning.
Here's my problem: I don't know how to get data off of this machine safely. The CD burner won't work in Safe Mode, and my Linux Live CDs won't boot, so there's some boot sector / rootkit thing going on here (or this laptop won't run off a CD, but that seems unlikely).
Should I tell this friend that this is a hard lesson to learn, but the only solution is to wipe it without getting his data off? Can things persist through a low level format?
ACK!
Hey Zig - Here's my 2 cents worth.
You could spend hours, days even, on that machine attempting recovery and I seriously doubt you would get a result. Suggestions can be made and tried, IMO that will only waste more time. In my experience, there is only one cure for a machine like your friend's which is so seriously infected (been there - done that)... start again from scratch.
Yes, things can persist through a low level format, even through a high level format. I would definitely be using something like DBAN to thoroughly wipe the drive before re-installation.
I reckon you may have already suspected all that,
cheers....JIM
You've probably already followed the advice from ozbloke, since you gave it a try (only so much one can do when faced with this sort of unknown). Just because it was a short time on broadband, how much overall time of exposure and visiting what sites with NO protection???
Several years ago I spoke with a computer tech who had a computer exposed on the counter. When asked, he replied they were trying to remove the viruses from a client's computer. The program stalled after finding several thousand, so he was running it in manual mode to kill one thousand at a time. He mentioned that the computer probably only had several viruses, but over time they mutated and started filling up the hard disk.
BTW, when you do start all over, I suggest you go beyond a standard format and nuke the hard disk with one of those wiping programs. That way it will be virgin for sure.
Just adding my 2 cents here, but I find it safer to use floppies or CDs to run programs, as they block writes, unlike memory sticks. Mindblower!
"For the needy, not the greedy"
Well, my attempts to clean it were twofold: one) an experiment to see if I even could clean it (answer = no) and two) to get data off of the system, as he has no backups.
AVG found a virus in explorer.exe and removed it, and now Windows won't even boot. So much for that experiment.
Thanks for the thoughts on DBAN. I will definitely use that when I wipe the machine and start over.
As for the CD and Flash Drive "debate" - I have a flash drive dedicated to this purpose. I have a machine on my DMZ that I use to scan this flash drive regularly and keep definitions up to date. I used to use a CD, but got tired of burning a new CD every day. Then flash drives got cheap, so I have a nice 1 GB drive for this one and only purpose.
In my dial-up days I never worried about viruses or malware. I set up a firewall and otherwise ignored everything else. I don't know how long before broadband he used this computer, but broadband certainly accelerated the problem.
Why is it that I had stuck in my head that dial-up was impervious to viruses? It's all TCP/IP anyway.
Meh.
Anyway, glad you all enjoyed my story.
There is definitely a threshold where it just isn't worthwhile (or likely to succeed) to even try removal. That said, I almost always do a couple scans just to see what infections the computer has! It's the geeky thing to do!
You can always mount the drive in another computer (or externally) and scan it, then grab the data you need to get before you nuke it. Pretty safe - nothing bad is going to run automatically.
DavesComputerTips wrote:
"You can always mount the drive in another computer (or externally) and scan it, then grab the data you need to get before you nuke it. Pretty safe - nothing bad is going to run automatically."
Provided, of course, that Autorun is disabled.
I just got a free Hard Drive Enclosure that I am going to have to try this out with.
--zig
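The "mount it in another computer, scan it, grab the data, then nuke it" approach above is the right call, but "nothing bad is going to run automatically" only holds if you also avoid touching executables while you copy. Here is an added example (my own code, not from anyone in this thread) of the copy step. It assumes the sick disk is in the enclosure and already mounted read-only and no-exec on a clean machine (on Linux something like mount -o ro,noexec,nosuid,nodev /dev/sdX1 /mnt/sick; on Windows, with AutoRun disabled as noted above). It copies only data-type files, refuses executables, scripts, shortcuts and autorun.inf wherever they sit, never follows symlinks or junctions, and reports what it refused so you can look at those by hand. The extension lists are my assumptions about what a home user wants back; scan the copied tree with A/V afterwards regardless.

```python
"""Salvage user data from an externally mounted, suspect disk.

Added example, not from the original thread. Assumes the infected disk is
attached to a clean machine and mounted read-only / no-exec. Only data-type
files are copied; anything executable is refused; symlinks and junctions are
never followed, so nothing from the sick disk is executed in the process.
"""
import os
import shutil
from pathlib import Path

# Data we want to keep (assumed list). Matching is on the LAST suffix only,
# so "holiday.jpg.exe" is still treated as an executable and refused.
KEEP_SUFFIXES = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
    ".rtf", ".odt", ".ods", ".jpg", ".jpeg", ".png", ".gif", ".mp3",
    ".wav", ".mp4", ".avi", ".csv",
}
# Never copy these regardless of where they sit: executables, scripts,
# shortcuts, drivers and the files AutoRun/AutoPlay act on.
DENY_SUFFIXES = {
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".cpl", ".dll", ".sys",
    ".lnk", ".inf", ".reg", ".msi",
}
DENY_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}


def classify(path):
    """Return 'copy', 'deny' or 'ignore' for a single file path."""
    path = Path(path)
    name = path.name.lower()
    suffix = path.suffix.lower()
    if name in DENY_NAMES or suffix in DENY_SUFFIXES:
        return "deny"
    if suffix in KEEP_SUFFIXES:
        return "copy"
    return "ignore"


def salvage(src_root, dst_root):
    """Copy data files from src_root to dst_root, preserving the layout.

    Returns (copied, denied, ignored): sorted lists of POSIX-style relative
    paths, so the caller can review exactly what was refused.
    """
    src_root, dst_root = Path(src_root), Path(dst_root)
    copied, denied, ignored = [], [], []
    # followlinks=False plus the dirnames filter: a symlink or junction on
    # the sick disk must not walk us elsewhere on the system or into a loop.
    for dirpath, dirnames, filenames in os.walk(src_root, followlinks=False):
        dirpath = Path(dirpath)
        dirnames[:] = [d for d in dirnames if not (dirpath / d).is_symlink()]
        for fname in filenames:
            src = dirpath / fname
            rel = src.relative_to(src_root).as_posix()
            if src.is_symlink():
                denied.append(rel)
                continue
            verdict = classify(src)
            if verdict == "copy":
                dst = dst_root / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                # copyfile, not copy2: we want the bytes, not the
                # attributes/ACLs the infection may have set on them.
                shutil.copyfile(src, dst)
                copied.append(rel)
            elif verdict == "deny":
                denied.append(rel)
            else:
                ignored.append(rel)
    return sorted(copied), sorted(denied), sorted(ignored)


if __name__ == "__main__":
    import sys
    # Usage: python salvage.py /mnt/sick/Documents\ and\ Settings/Bob /srv/rescued/Bob
    c, d, i = salvage(sys.argv[1], sys.argv[2])
    print(f"copied {len(c)}, refused {len(d)}, ignored {len(i)}")
    for p in d:
        print("REFUSED", p)
```

Point it at the user's profile directory rather than the whole drive; that keeps Windows, Program Files and the system restore area out of the walk. Anything on the "refused" list that the owner genuinely needs (a stray script, say) can be pulled across by hand after an A/V scan, but defaulting to refuse is what keeps the rescue machine clean.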
Well, I was going to post my dos centavos here until I realized that everyone else has already provided several dineros.
FWIW, not being able to boot a Linux live CD of some sort probably indicates a hardware issue. I keep several flavors of Linux on various thumb drives and CDs; when I can't get one to boot, I try another. I usually find one that works.
My bootable Linux thumb drive virus scanner based on Avira's Rescue CD usually works on most machines. Anyone interested in trying it can message me and I'll provide a link.