PC Pwned
Posted in misc.fitness.weights (Health Forums > Fitness and Nutrition > Fitness)

#1
04-29-2007, 09:51 PM
Joe Humble
PC Pwned

My mom called me last week because she was having some trouble with
her PC. The usual stuff you expect when a PC gets infested with
spyware. I thought I'd just go over and run a few scanners and that
would be the end of it.

When I did run the scans I found some really nasty stuff (including a
keystroke logger). I also noticed that whatever she had downloaded
had also modified zonealarm AND blocked access to System Restore AND
blocked access to Safe Mode. I've never seen a PC so completely
owned.

Pretty much everything I could find on the net regarding getting a PC
cleaned involved System Restore (turning it off) and Safe Mode. I
could not get to either. Of course there were pop-ups and the system
was super-slow.

I should note that this PC had Active Virus Shield installed as well
as ZoneAlarm but neither did any good, apparently. Take away lesson?
If you set up PCs for people set them up with user accounts that only
have limited rights. Viruses, it seems, have come a long way.

--
Is this thing on?

#2
04-29-2007, 09:51 PM
Shute
Re: PC Pwned

On Sun, 29 Apr 2007 16:14:43 GMT, Joe Humble <joehumble@earthlink.net>
wrote:

>My mom called me last week because she was having some trouble with
>her PC. The usual stuff you expect when a PC gets infested with
>spyware. I thought I'd just go over and run a few scanners and that
>would be the end of it.
>
>When I did run the scans I found some really nasty stuff (including a
>keystroke logger). I also noticed that whatever she had downloaded
>had also modified zonealarm AND blocked access to System Restore AND
>blocked access to Safe Mode. I've never seen a PC so completely
>owned.
>
>Pretty much everything I could find on the net regarding getting a PC
>cleaned involved System Restore (turning it off) and Safe Mode. I
>could not get to either. Of course there were pop-ups and the system
>was super-slow.
>
>I should note that this PC had Active Virus Shield installed as well
>as ZoneAlarm but neither did any good, apparently. Take away lesson?
>If you set up PCs for people set them up with user accounts that only
>have limited rights. Viruses, it seems, have come a long way.


The first thing you should do is yank the network cable to prevent
further damage.

Then check these folders, where username is her login name:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\<insert username>\Start Menu\Programs\Startup

Next check the registry by clicking start/run and typing regedit.
Check out the following keys:
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/RunOnce
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/Run
HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/CurrentVersion/RunOnce
HKEY_LOCAL_MACHINE/Software/Microsoft/WindowsCurrentVersion/Run

You will need to look up each thing in there to see if it is a legit
program or not. I think you can put a ";" in front of stuff in the
registry to comment it out. Then try a fresh boot without running
anything like IE. If that lets you into safe mode then you can
proceed with whatever other instructions people gave you.
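Added example (not from the thread): a Python triage script for the registry keys listed above. It parses a regedit export of the Run/RunOnce keys, pulls out the executable each value launches, and flags entries that run from temp or profile directories so those get looked up first; the export, value names and paths in it are constructed for illustration.

```python
import re
from typing import List, NamedTuple

# Constructed sample of a regedit export of the Run/RunOnce keys named in
# the post; every value name and path below is invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"svchost32"="C:\\Documents and Settings\\mom\\Local Settings\\Temp\\svchost32.exe"
"updater"="C:\\WINDOWS\\system32\\updater.exe -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"kbdmon"="C:\\WINDOWS\\Temp\\kbdmon.exe"
'''

class AutorunEntry(NamedTuple):
    key: str       # registry key the value lives under
    name: str      # value name as shown in regedit
    exe: str       # executable path extracted from the command line
    flagged: bool  # runs from a temp or non-standard location: look this up first

TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

def exe_from_command(cmd: str) -> str:
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # "C:\path with spaces\x.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)   # unquoted path, maybe with args
    return m.group(1) if m else cmd.split(" ")[0]

def is_flagged(exe: str) -> bool:
    # Installers keep autostart binaries under Program Files or Windows; a command
    # in a profile or temp directory is where dropped malware usually sits.
    p = exe.lower()
    return "\\temp\\" in p or not p.startswith(TRUSTED_ROOTS)

def parse_reg_export(text: str) -> List[AutorunEntry]:
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="(.*)"$', line)  # REG_SZ values only
        if m and key:
            cmd = re.sub(r'\\(["\\])', r"\1", m.group(2))     # undo .reg \\ and \" escapes
            exe = exe_from_command(cmd)
            entries.append(AutorunEntry(key, m.group(1), exe, is_flagged(exe)))
    return entries
```

An unflagged entry still needs the manual lookup the post describes; the flag only orders the work. Export from a clean boot environment where possible, since on a machine this compromised regedit itself may not show everything.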

#3
05-01-2007, 01:46 AM
Joe Humble
Re: PC Pwned

On Sun, 29 Apr 2007 13:52:20 -0400, Shute <Shute@nowhere.com> wrote:


>You will need to look up each thing in there to see if it is a legit
>program or not. I think you can put a ";" in front of stuff in the
>registry to comment it out. Then try a fresh boot without running
>anything like IE. If that lets you into safe mode then you can
>proceed with whatever other instructions people gave you.


XP is already reinstalled. I think once a PC is that far gone it
doesn't make any sense to even try to save it.

--
Is this thing on?

#4
05-01-2007, 01:46 AM
DZ
Re: PC Pwned

Joe Humble <joehumble@earthlink.net> wrote:
> Shute <Shute@nowhere.com> wrote:
>> You will need to look up each thing in there to see if it is a
>> legit program or not. I think you can put a ";" in front of stuff
>> in the registry to comment it out. Then try a fresh boot without
>> running anything like IE. If that lets you into safe mode then you
>> can proceed with whatever other instructions people gave you.

>
> XP is already reinstalled. I think once a PC is that far gone it
> doesn't make any sense to even try to save it.


I'm not going to access the Internet from Windows :-) Well, not from a
computer which may have important "numbers" and such on it
somewhere. Is it even possible to know how far it's gone with the XP?
Perhaps because Linux is harder to break into, a common hacking
process would involve replacing system commands to misreport running
processes, files, and their sizes. It would replace login and secure
connection programs (both the client ssh and its server daemon),
etc. I've seen this done manually, but a pimple-ridden wannabe hacker
would likely use a canned kit that would attempt to do all that,
without a need for him to have the slightest idea how it works.

> If you set up PCs for people set them up with user accounts that
> only have limited rights.


I'd think this would offer only a limited additional protection. I
admit that a long time ago I used to actually enjoy writing GUI for
Windows. Much of that I forgot but I know the concept of message
loops. It is acceptable to post requests in those to applications that
run as admin. They say this will be fixed in Vista but we'll
see. Perhaps this means that lots of XP programs won't work.

#5
05-01-2007, 01:46 AM
Joe Humble
Re: PC Pwned

On Mon, 30 Apr 2007 18:15:01 +0000 (UTC), DZ
<18154@5694866.1900227281.17375.13291.14434> wrote:

>Joe Humble <joehumble@earthlink.net> wrote:
>> Shute <Shute@nowhere.com> wrote:
>>> You will need to look up each thing in there to see if it is a
>>> legit program or not. I think you can put a ";" in front of stuff
>>> in the registry to comment it out. Then try a fresh boot without
>>> running anything like IE. If that lets you into safe mode then you
>>> can proceed with whatever other instructions people gave you.

>>
>> XP is already reinstalled. I think once a PC is that far gone it
>> doesn't make any sense to even try to save it.

>
>I'm not going to access the Internet from Windows :-) Well, not from a
>computer which may have important "numbers" and such on it
>somewhere. Is it even possible to know how far it's gone with the XP?
>Perhaps because Linux is harder to break into, a common hacking
>process would involve replacing system commands to misreport running
>processes, files, and their sizes. It would replace login and secure
>connection programs (both the client ssh and its server daemon),
>etc. I've seen this done manually, but a pimple-ridden wannabe hacker
>would likely use a canned kit that would attempt to do all that,
>without a need for him to have the slightest idea how it works.
>


The problem, IMO, is that you really can't be SURE of the level of
sophistication of the hacker who has compromised your system. In my
Mom's case it was sophisticated enough to edit zonealarm, lock down
access to system restore AND safe mode. In windows that is the
equivalent of saying the hacker pretty much had 100% access to your
system. If, like you said, it is just a kid using a packaged script
then you have a decent chance of cleaning it. However, if it is a
more sophisticated hacker they may have "hidden" items that will only
reinstall on a given date, etc.

>> If you set up PCs for people set them up with user accounts that
>> only have limited rights.

>
>I'd think this would offer only a limited additional protection. I
>admit that a long time ago I used to actually enjoy writing GUI for
>Windows. Much of that I forgot but I know the concept of message
>loops. It is acceptable to post requests in those to applications that
>run as admin. They say this will be fixed in Vista but we'll
>see. Perhaps this means that lots of XP programs won't work.


I've seen privilege elevation (particularly in browsers that seem to
allow more than they should to a "limited" user). However, overall a
limited user account does seem to offer some protection from the
outright installation of viruses that actually need to run a .exe to
really compromise the system. And it further complicates the job of
ongoing corruption of the system if additional .exe programs need to
be run after the initial intrusion.

--
Is this thing on?

#6
05-01-2007, 01:46 AM
Shute
Re: PC Pwned

On Mon, 30 Apr 2007 18:15:01 +0000 (UTC), DZ
<18154@5694866.1900227281.17375.13291.14434> wrote:

>Joe Humble <joehumble@earthlink.net> wrote:
>> Shute <Shute@nowhere.com> wrote:
>>> You will need to look up each thing in there to see if it is a
>>> legit program or not. I think you can put a ";" in front of stuff
>>> in the registry to comment it out. Then try a fresh boot without
>>> running anything like IE. If that lets you into safe mode then you
>>> can proceed with whatever other instructions people gave you.

>>
>> XP is already reinstalled. I think once a PC is that far gone it
>> doesn't make any sense to even try to save it.

>
>I'm not going to access the Internet from Windows :-) Well, not from a
>computer which may have important "numbers" and such on it
>somewhere. Is it even possible to know how far it's gone with the XP?
>Perhaps because Linux is harder to break into, a common hacking
>process would involve replacing system commands to misreport running
>processes, files, and their sizes. It would replace login and secure
>connection programs (both the client ssh and its server daemon),
>etc. I've seen this done manually, but a pimple-ridden wannabe hacker
>would likely use a canned kit that would attempt to do all that,
>without a need for him to have the slightest idea how it works.


99% of windows break-ins are by amateurs. Most can't even get into
the system so they use bait in emails or on the web to get people to
run their trojan. It is possible to fix most of this stuff although
prevention is a better solution. And in the OP's case there were
many infections going on. I prefer to try just to see how bad it is.
It may appear much worse than it really is. Plus you can at least
back up the data. Really if people knew what they were doing with
windows then there wouldn't be as many infections. I have only been
infected once in over 10 years and that was shortly after an XP
install. It seems easier nowadays than ever to get infected.

I want to migrate to Linux at some point. I just need to figure out
how to do all the things I want to do.

>> If you set up PCs for people set them up with user accounts that
>> only have limited rights.

>
>I'd think this would offer only a limited additional protection. I
>admit that a long time ago I used to actually enjoy writing GUI for
>Windows. Much of that I forgot but I know the concept of message
>loops. It is acceptable to post requests in those to applications that
>run as admin. They say this will be fixed in Vista but we'll
>see. Perhaps this means that lots of XP programs won't work.


User accounts lock it down quite a bit. I use them at work just to
stop users from doing things they shouldn't be. Vista sounds like a
nightmare from the Mac ads. They claim it asks you every time
something needs to get done. I would be sick of that in five
minutes. One of many reasons I want to switch to Linux.
