Back to the viri, I was given the opportunity to treat an XP computer that "was running really slow." If no one has told you already, allow me to inform you that diagnostically that means absolutely nothing. Nothing. Once I started up the computer and logged in, I realized the problem almost immediately. The computer booted slower than the hardware should have (roughly 10 min for a 2.8 GHz Pentium 4 with 1 GB of RAM) and never fully loaded some Windows components. The layers of command prompts were just the icing on the cake for my diagnosis.
Viruses.
The computer was running too slowly to remove the viruses normally due to the sheer number of programs running at the same time, not to mention the fact that all of the security and restore resources had been disabled by at least one of the viruses on the computer.
[Screenshots: "rundll32.exe not found" error; services disabled]
So there I was with very few options. Where could I turn? Well, I turned to Linux. In this case I used the Linux-based Avira Rescue System, which essentially scans for and removes all the viruses it finds.
All that is necessary to use it is to:
1) Download the CD image
2) Use a burning program (like ImgBurn)
3) Set your BIOS to boot from the CD drive
4) Plug it in and let it run
In my case I let it run for roughly 12 hours unsupervised (I am fairly sure it didn't need nearly that much time) and returned to it to find that it had removed 72000 instances of viruses. Most of them were copies of a trojan that had copied itself nearly everywhere, but there were probably over 15 separate infections.
Once the scanner finished, I rebooted the computer, removed the CD, and let it try for Windows once more. Faster this time, but some of the infections had not been caught by the Linux scanner, and all of the security that was disabled was just that, disabled. How did I know? More command prompt popups. So first things first, I uninstalled McAfee Security Center (which had not been updated in quite a while) and installed Microsoft Security Essentials. Why Essentials? It is free and not too heavy. I ran a scan with MSE and found another 90 or so infections and was able to remove them. Rebooted. Most of the 90 stayed gone, but more still remained.
I ran msconfig from the run dialog.
And found under the Startup tab somewhere around 1000 unintelligible entries with file paths that pointed to the "C:\Documents and Settings\User\Local Settings\Temp\" folder (which is a common hideout/infection point for viruses).
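As an added example (not part of the original post): a Python script that automates the msconfig triage just described, flagging startup entries whose executable lives in a Temp folder. The names and paths in SAMPLE_ENTRIES are constructed, and read_run_keys only reads the real Run registry keys (one of the sources msconfig's Startup tab shows) when run on Windows.

```python
import ntpath
import re
# Directory names that mark a startup entry for closer inspection ("%temp%" for unexpanded paths).
TEMP_DIR_NAMES = {"temp", "tmp", "%temp%", "%tmp%"}

def executable_path(command: str) -> str:
    """Pull the program path out of a Run-key command line ("quoted" /args or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|vbs|js))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else (command.split() or [""])[0]

def is_temp_path(path: str) -> bool:
    """True when any directory component of the executable's path is a Temp folder."""
    parts = ntpath.normpath(path).lower().split("\\")[:-1]
    return any(part in TEMP_DIR_NAMES for part in parts)

def flag_startup_entries(entries):
    """Return the (name, command) pairs whose executable lives in a Temp folder."""
    return [(name, cmd) for name, cmd in entries if is_temp_path(executable_path(cmd))]

def read_run_keys():
    """On Windows, read the HKCU/HKLM Run values msconfig lists; [] elsewhere (no winreg)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        try:
            key = winreg.OpenKey(hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:  # this hive has no Run key
            continue
        with key:
            for index in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, index)
                entries.append((name, str(value)))
    return entries

# Constructed sample entries shaped like the ones the post describes; not real indicators.
SAMPLE_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("tmpsvc", r'"C:\Documents and Settings\User\Local Settings\Temp\tmpsvc.exe" /s'),
    ("xk3jd9", r"C:\Documents and Settings\User\Local Settings\Temp\xk3jd9.exe"),
    ("upd", r"%TEMP%\upd.exe /silent"),
]

if __name__ == "__main__":
    print(flag_startup_entries(read_run_keys() or SAMPLE_ENTRIES))
```

A flagged entry is a triage hint, not a verdict: a legitimate installer can leave a Temp-path entry behind, so confirm each hit (publisher signature, hash, purpose) before deleting it, and note that the Startup folder and other autorun locations are not covered here.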
The computer almost crashed from removing all of the entries at once, but it came back, just barely. I then ran Piriform CCleaner to delete the temporary files and hopefully get rid of this last set. I scanned with MSE after the clean and it reported no detections. Sadly, I trusted that little green checkmark loitering on the screen.
After a reboot, all looked fine and good. After scanning through for a moment, the foreboding command prompts reappeared. In case you don't know, whenever those command prompts appear, it means that in the background some program is running code, likely undoing work one has just completed.
I was done with this. I restarted the computer in Safe Mode (which worked well at this point), installed Malwarebytes, and ran a quick scan. 26 more threats (including trojans, viruses, and adware) were detected and quarantined. Happy with myself, I rebooted the computer and ran a full scan. 36 more threats removed.
Now to fix the damage caused. During the infection process, the entire Control Panel had been consecutively unlinked from the programs that the icons represented and disabled administratively. Thanks to Google I found Re-Enable, which did exactly what I needed it to. Between Re-Enable, CCleaner (for deleting all of those pesky startup entries) and Malwarebytes, everything was back to normal. Just to be sure, I copied the I386 folder to the C:\ drive and ran "sfc /scannow", which made sure that no other system files had been corrupted or deleted. Once that was done, I could move on to the next and final pass-through.
After that I simply ran Windows Update, updated, scanned one more time, and deemed this machine clean!
One computer down, 10000 botnets to go.