Security at its....worst?
Chad Johnson (Mod)
Forum Posts: 867 | Member Since: August 11, 2011
#1 | April 24, 2009 - 10:15 am

Just when you think we're making progress in educating users...

A friend approached me the other day. He said his laptop has been getting slower and slower and is fast approaching the point where it's becoming unusable. He asked if I could take a look, and I agreed.

What is the average time these days of a computer being exposed and naked to the Internet before it becomes infected? Whatever it is, he had it on the Internet too long. See, he had just upgraded to broadband, and his nice laptop with no A/V, no A/S, no Firewall was plugged directly into his cable modem. That's right, no hardware firewall (or even a router) between him and the elements.

"How long have you had broadband?" I asked him on the phone as I waited the requisite 20 minutes for Safe Mode to load. "About a week. I just stretch a cable from the back of the thing they gave me to my computer." ~gulp~

I asked him when his last backup was. "Backup? Why do I need those?"

Great. Now I'm in rescue mode.

Here's my initial analysis:
He's obviously infected with stuff. Whatever he has is preventing USB drives from mounting (which I was nervous about putting on there anyway, but had to get A/V on there), and prevented the Disk Manager from seeing any of the physical disks. The CD Drive still worked so I got A/V software on through that.
I ran AVG, but it kept crashing under normal boot. I ran it in Safe Mode via its command line interface, but I can't open the text file it produces. Access is denied. Great.
I ran SuperAntiSpyware, it found 512 or so infections. It got rid of about 500 and wants to scan on next boot to get the rest. OK, fine.
I ran Sophos Anti-Rootkit, but it won't run under Safe Mode.
I ran Spybot, it found 89 of its own infections (after SuperAntiSpyware). Got rid of 80 of them; it will run on next boot.

I rebooted, tried to go back to normal Windows, but it bluescreened. Booted back to Safe Mode fine.

Re-ran the scans. AVG still won't let it read the txt file. But the output during the scan shows it found a lot of stuff.
SuperAntiSpyware was running as I left for work this morning.

Here's my problem: I don't know how to get data off of this machine safely. The CD burner won't work in Safe Mode, and my Linux Live CDs won't boot, so there's some boot sector / rootkit thing going on here (or this laptop won't run off a CD, but that seems unlikely).

Should I tell this friend that this is a hard lesson to learn, but the only solution is to wipe it without getting his data off? Can things persist through a low level format?

ACK!

Jim Hillier (Admin)
Forum Posts: 2492 | Member Since: August 9, 2011
#2 | April 24, 2009 - 5:54 pm

Hey Zig - Here's my 2 cents worth.

You could spend hours, days even, on that machine attempting recovery and I seriously doubt you would get a result. Suggestions can be made and tried, IMO that will only waste more time. In my experience, there is only one cure for a machine like your friend's which is so seriously infected (been there - done that)....start again from scratch.

Yes, things can persist through a low level format, even through a high level format. I would definitely be using something like DBAN to thoroughly wipe the drive before re-installation.

I reckon you may have already suspected all that,
cheers....JIM

Mindblower (Member), Montreal, Canada
Forum Posts: 411 | Member Since: September 17, 2008
#3 | April 24, 2009 - 6:17 pm

You've probably already followed the advice from ozbloke, since you gave it a try (only so much one can do when faced with this sort of unknown). Just because it was a short time on broadband, how much overall time of exposure and visiting what sites with NO protection???

Several years ago I spoke with a computer tech who had a computer exposed on the counter. When asked, he replied they were trying to remove the viruses from a client's computer. The program stalled after finding several thousand, so he was running it in manual mode to kill one thousand at a time. Mentioned that the computer probably only had several viruses, but over time they mutated and started filling up the hard disk.

BTW, when you do start all over, suggest you go beyond a standard format and nuke the hard disk with one of those wiping programs. That way it will be virgin for sure.

Just adding my 2 cents here, but I find it safer to use floppies or CDs to run programs as they block writes, unlike memory sticks, Mindblower!

"Light travels faster than sound;
That is why some people seem bright until you hear them speak"

Chad Johnson (Mod)
Forum Posts: 867 | Member Since: August 11, 2011
#4 | April 24, 2009 - 6:32 pm

Well, my attempts to clean it were twofold: one) an experiment to see if I even could clean it (answer = no) and two) to get data off of the system as he has no backups.

AVG found a virus in explorer.exe and removed it, and now Windows won't even boot. So much for that experiment.

Thanks for the thoughts on DBAN. I will definitely use that when I wipe the machine and start over.

As for the CD and Flash Drive "debate" - I have a flash drive dedicated to this purpose. I have a machine on my DMZ that I use to scan this flash drive regularly and keep definitions up to date. I used to use a CD, but got tired of burning a new CD every day. Then flash drives got cheap, so I have a nice 1 GB drive for this one and only purpose.

In my dial-up days I never worried about viruses or malware. I setup a Firewall and otherwise ignored everything else. I don't know how long before broadband he used this computer, but broadband certainly accelerated the problem.

Why is it that I had stuck in my head that dial-up was impervious to viruses? It's all TCP/IP anyway.

Meh.

Anyway, glad you all enjoyed my story.

David Hartsock (Admin)
Forum Posts: 1105 | Member Since: August 7, 2011
#5 | April 24, 2009 - 11:46 pm

There is definitely a threshold where it just isn't worth it (or likely to succeed) to even try removal. That said, I almost always do a couple of scans just to see what infections the computer has! It's the geeky thing to do!

You can always mount the drive in another computer (or externally) and scan it, then grab the data you need to get before you nuke it. Pretty safe - nothing bad is going to run automatically.

Chad Johnson (Mod)
Forum Posts: 867 | Member Since: August 11, 2011
#6 | April 27, 2009 - 7:55 pm

David Hartsock wrote:
> You can always mount the drive in another computer (or externally) and scan it, then grab the data you need to get before you nuke it. Pretty safe - nothing bad is going to run automatically.

Provided, of course, that Autorun is disabled.

I just got a free Hard Drive Enclosure that I am going to have to try this out with.

--zig
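A worked version of the recovery route suggested in posts #5 and #6 above (pull the suspect disk, attach it to a clean machine, and copy the data off without executing anything on it). This is an added example, not code from the forum or from any of the posters. It assumes the suspect volume is already attached and mounted read-only on a clean rescue host (on Linux, something like `mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect`; on Windows, with Autorun disabled first, exactly the caveat in post #6), and that the rescue host's own AV will scan the destination afterwards. The extension allow/deny lists, the sample files and the `demo()` helper are constructed for illustration.

```python
"""Salvage user data from a suspect volume mounted on a clean rescue host.

Nothing on the suspect volume is ever executed or opened with an
application: files are only read as bytes, hashed, and copied by content.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed allow-list: document/media types a user actually wants back.
SALVAGE_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt",
                      ".csv", ".jpg", ".jpeg", ".png", ".gif", ".mp3"}
# Constructed deny-list: anything that can run, plus autorun.inf (the file
# Autorun would act on if it were enabled on the rescue host).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                         ".pif", ".vbs", ".js", ".lnk", ".sys", ".inf"}
DENY_NAMES = {"autorun.inf", "desktop.ini", "thumbs.db"}


def classify(path) -> str:
    """Return 'copy', 'flag' (record hash, never copy) or 'skip'."""
    p = Path(path)
    if p.name.lower() in DENY_NAMES or p.suffix.lower() in EXECUTABLE_EXTENSIONS:
        return "flag"
    return "copy" if p.suffix.lower() in SALVAGE_EXTENSIONS else "skip"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:                      # read-only, never executed
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def salvage(src_root: Path, dst_root: Path) -> dict:
    """Copy allow-listed files from src_root to dst_root; return a manifest.

    Symlinks/junctions are never followed (a planted link could steer a naive
    copy tool into the rescue host's own directories), copyfile() moves
    content only (no permissions or other metadata), and each copy is
    re-hashed so a flaky disk that returns short reads is caught.
    """
    manifest = {"copied": {}, "flagged": {}, "skipped": 0}
    for dirpath, dirnames, filenames in os.walk(src_root, followlinks=False):
        dirnames[:] = [d for d in dirnames if not (Path(dirpath) / d).is_symlink()]
        for fn in filenames:
            p = Path(dirpath) / fn
            if p.is_symlink():
                continue
            rel = p.relative_to(src_root).as_posix()
            kind = classify(p)
            if kind == "copy":
                digest = sha256_of(p)
                dest = dst_root / rel
                dest.parent.mkdir(parents=True, exist_ok=True)
                shutil.copyfile(p, dest)
                if sha256_of(dest) != digest:
                    raise IOError(f"copy of {rel} does not match source hash")
                manifest["copied"][rel] = digest
            elif kind == "flag":
                manifest["flagged"][rel] = sha256_of(p)   # for later AV lookup
            else:
                manifest["skipped"] += 1
    return manifest


# Constructed stand-in for the infected laptop's disk (contents are fake).
SAMPLE_FILES = {
    "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
    "setup.exe": b"MZ\x90\x00fake",
    "My Documents/notes.txt": b"shopping list\n",
    "My Documents/budget.xls": b"\xd0\xcf\x11\xe0fake",
    "Windows/system32/evil.dll": b"MZ\x00\x00fake",
    "unknown.blob": b"???",
}


def build_sample_volume(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    try:   # planted links that must not be followed (need symlink privilege)
        (root / "My Documents" / "escape").symlink_to(root.parent)
        (root / "link.txt").symlink_to(root / "setup.exe")
    except OSError:
        pass


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "suspect", Path(tmp) / "rescued"
        src.mkdir(); dst.mkdir()
        build_sample_volume(src)
        return salvage(src, dst)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The manifest is the useful by-product: the flagged hashes can be checked against AV signatures on the rescue host without the binaries ever being copied, and the copied hashes let you verify the rescued files again after the wipe and reinstall.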

Ken Harthun (Mod)
Forum Posts: 86 | Member Since: August 11, 2011
#7 | April 27, 2009 - 9:44 pm

Well, I was going to post my dos centavos here until I realized that everyone else has already provided several dineros.

FWIW, not being able to boot a Linux live CD of some sort probably indicates a hardware issue. I keep several flavors of Linux on various thumb drives and CDs; when I can't get one to boot, I try another. I usually find one that works.

My bootable Linux thumb drive virus scanner based on Avira's Rescue CD usually works on most machines. Anyone interested in trying it can message me and I'll provide a link.
