Wednesday, September 15, 2010

Computer Viruses

My main motivation for starting this blog was that I was exceptionally annoyed at a virus that had infiltrated my machine.  I've never spent this much time trying to fix a single problem--more than 15 hours of my time...and my computer's been on for about two weeks straight running virus scans.  I can only imagine what kind of bill you'd get from Geek Squad for this kind of service.

I've never succumbed to a virus so badly that there was data loss...but this time it came close.

Symantec Antivirus...it's the only antivirus protection I have on my home PC. About half the time, I have it turned off as it really thrashes the hard drive.

I use Outlook to aggregate my mail. I love not having to log in to three different websites to see my new messages.

I hate how Outlook automatically runs scripts within email. Especially now that it's helpfully deployed a few different trojans on my machine. It started with popup windows appearing all over the place a week ago.

Neither SuperAntiSpyware nor MalwareBytes was able to detect anything wrong.  And I didn't want to bother the good folks who inspect HiJackThis logs.

Enter UBCD4Win. I've used this several times over the last few years to get me out of Windows-cannot-boot jams. And now, I use it to boot into a clean environment, start up MalwareBytes Anti-Malware, update the definitions, and scan the drive.  It fixes a few things, but upon booting back up, Windows is still atrociously slow.

Back in, I use a McAfee cleaner (Stinger?) which finds a few viruses and removes them.

Back to Windows, which boots, shows the "Loading user profile" message momentarily, before showing the "Saving user profile" message (essentially a login and logout).  Uh-oh, looks like the overzealous virus cleaner wiped out a few files (or didn't fix the registry redirects put in place by the virus).

Thought I'd try the in-place upgrade of Windows XP with a WinXPSP3 CD I made using nLite a few years back.  The CD didn't give me an option to repair, so it started installing instead.  Scared that it had actually reformatted the drive without me knowing (the default nLite settings will do this), I cancelled out. Fortunately, it only created a new Windows.0 directory instead of reformatting. Phew.

Back to UBCD4Win, so that I can use a web browser to find out that this log-in/log-out behaviour is caused by an invalid registry entry for winlogon.exe.  Not being able to find the registry editor in UBCD4Win, I took a chance that wininit.exe was not working, and copied it from D's XP Home installation.

Yay, now I can log in.  However, most of my apps would crash, including IE6 (on startup), Chrome (after a few minutes), and Firefox (which seemed to be hijacked still, based on the Google search result redirections). The system is basically at SP3 level, so I'm missing quite a few critical security updates, and experience told me that running all the updates usually fixed up some key system files in the process and got the apps working again.  Not wanting to get hit with another virus, my first priority was to get Windows Update to pull in all updates.  However, IE6 would crash upon starting (and hence Windows Update was unusable).  Alternative browsers weren't an option either, as Windows Update won't work with them.  I downloaded IE8. Incidentally, that step also fixed the problem where Services.msc wouldn't show anything in the Extended tab.

Windows Update was still not working, due to the more common issue of BITS not being started, but going to the Dependencies tab yielded an "Interface: class not registered" error.

Initial Google searches directed me towards the little-known "sfc /scannow" command, which attempts to restore one's system files to their original condition. The problem was that it asked me for the WinXP CD, and it would accept neither the original CD nor the nLite SP3 CD.  A more manual approach was needed.

Later on, I found this was the answer:

    rundll32 wbemupgd, UpgradeRepository

as described here:

BITS still wouldn't start due to error 0x80070BC2.  I needed to re-register a few files:

That enabled BITS to start.

But when starting the Automatic Updates service, I got this:
Could not start the Automatic Updates service on Local Computer.
Error 1083: The executable program that this service is configured to run in does not implement the service.

I re-registered some more files, and was finally able to get all the Windows Updates to run, and got the computer running smoothly for the first time in a week.
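As an added example (my own, not code from the post), here is a read-only PowerShell check for the two registry areas this cleanup ran into: the Winlogon Userinit/Shell values behind the log-in/log-out loop, and the svchost registration (ImagePath, Svchost group membership, Parameters\ServiceDll) of BITS and the Automatic Updates service (wuauserv), which is what the service control manager is complaining about when it reports error 1083 (ERROR_SERVICE_NOT_IN_EXE). It also decodes the 0x80070BC2 HRESULT mentioned above. The registry paths and service names are the standard Windows ones; which files were actually re-registered on the author's machine is not known from the post, so the script only reports what looks wrong and changes nothing.

```powershell
# Added example, not from the blog post: read-only check of registry entries that
# a malware infection or an overzealous cleaner can leave broken.
# Assumption: run in an elevated PowerShell on the affected machine (PowerShell 2.0
# syntax is used so it also runs on an XP-era install).

function Convert-HResultToWin32 {
    # Decodes a FACILITY_WIN32 HRESULT (0x8007xxxx) into its Win32 code and message.
    param([int64]$HResult)
    if (($HResult -band 0xFFFF0000) -ne 0x80070000) { return $null }
    $code = [int]($HResult -band 0xFFFF)
    $ex = New-Object System.ComponentModel.Win32Exception($code)
    return New-Object PSObject -Property @{ Code = $code; Message = $ex.Message }
}

function Test-WinlogonEntries {
    # Userinit and Shell are what winlogon.exe launches after a successful logon.
    # If either names a file that no longer exists (e.g. a malware executable that a
    # cleaner deleted without restoring the original value), the session ends at
    # once: the "Loading user profile" / "Saving user profile" loop.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $props = Get-ItemProperty -Path $key
    $findings = @()
    foreach ($name in 'Userinit', 'Shell') {
        $value = [string]$props.$name
        # Both values are comma-separated program lists (Userinit ends in a comma).
        foreach ($entry in ($value -split ',')) {
            $exe = [Environment]::ExpandEnvironmentVariables($entry.Trim())
            if ($exe -eq '') { continue }
            # Shell is normally a bare "explorer.exe", found in %SystemRoot%.
            if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }
            if (-not (Test-Path $exe)) { $findings += "$name refers to a missing file: $exe" }
        }
    }
    return $findings
}

function Test-SvchostService {
    # A service hosted by svchost.exe needs three things to agree:
    #   1. ImagePath = svchost.exe -k <group>
    #   2. the <group> value under ...\CurrentVersion\Svchost lists the service
    #   3. Parameters\ServiceDll points at an existing DLL
    # If 2 or 3 is broken, starting the service fails with error 1083.
    param([string]$Name)
    $problems = @()
    $group = $null; $dll = $null
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $svcKey)) {
        return New-Object PSObject -Property @{ Service = $Name; Problems = @("service key missing: $svcKey") }
    }
    $imagePath = (Get-ItemProperty -Path $svcKey -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if ($imagePath -match 'svchost\.exe\s+-k\s+(\S+)') {
        $group = $Matches[1]
        $svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
        $members = (Get-ItemProperty -Path $svchostKey -Name $group -ErrorAction SilentlyContinue).$group
        if (-not $members -or ($members -notcontains $Name)) {
            $problems += "not listed in svchost group '$group' under $svchostKey"
        }
    } else {
        $problems += "ImagePath is not an 'svchost.exe -k <group>' entry: '$imagePath'"
    }
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) {
        $problems += 'Parameters\ServiceDll value missing'
    } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))) {
        $problems += "ServiceDll file not found: $dll"
    }
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status } else { 'not registered with SCM' }
    return New-Object PSObject -Property @{
        Service = $Name; Status = $status; Group = $group; ServiceDll = $dll; Problems = $problems
    }
}

"--- Winlogon ---"
$w = @(Test-WinlogonEntries)
if ($w.Count -eq 0) { "OK" } else { $w | ForEach-Object { "PROBLEM: $_" } }

"--- Windows Update services ---"
foreach ($name in 'BITS', 'wuauserv') {
    $r = Test-SvchostService -Name $name
    "{0}: status={1}, group={2}, dll={3}" -f $r.Service, $r.Status, $r.Group, $r.ServiceDll
    if ($r.Problems.Count -eq 0) { "  OK" } else { $r.Problems | ForEach-Object { "  PROBLEM: $_" } }
}

"--- Error code from the post ---"
$e = Convert-HResultToWin32 0x80070BC2
"0x80070BC2 -> Win32 error {0}: {1}" -f $e.Code, $e.Message
```

Run it before and after a cleanup pass: a service that a scanner has just "fixed" and that now fails with 1083 will show up as a missing Svchost group entry or a ServiceDll pointing at a file that is no longer there, which is the case that re-registering the implementing DLL (regsvr32) repairs. The decoded 0x80070BC2 comes out as Win32 error 3010, "reboot required", so on a machine that has just had files replaced a restart is worth trying before any further registry surgery.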

Still suspicious that there was a virus somewhere (Google results were still redirecting), I did a complete scan with Symantec Antivirus, which picked up a few.  I also ran Windows OneCare Safety Scanner, which I've had good experience with in cleaning out stuff Symantec couldn't find.  While the quick scan was clean, the complete scan would show 6 items found. Unfortunately, the complete scan would never finish, and I'd never be able to clean out those files--it would loop inside c:\windows\installer for nearly a day (before I cancelled the scan).

I updated MalwareBytes and SuperAntiSpyware once again, and ran a quick scan on each.  MalwareBytes picked up the virus, while SuperAntiSpyware missed it.  After deleting the virus and rebooting, I did one final scan (just yesterday) and can now confidently say (after about 2 weeks of dealing with this) that I'm finally clean.  There are still a few lingering issues on the system, most likely to do with certain DLLs needing to be re-registered, but for the most part, the system is back to normal.
