Technology, Current Events, and Over Generalizations

Infected!

May 4th, 2006

I wasn’t planning on writing about viruses today, but I got infected yesterday. Even with a firewall and antivirus, you just aren’t safe.

How it happened:
I was updating websites, and using my editing software. I wanted to open a text file with Notepad, but when I chose to “Open with” I slipped onto an unfamiliar EXE file in my root directory and all hell broke loose.

Norton alerted me to some malicious scripts running, so I started closing things down, but not soon enough. Before the dust settled, I had multiple ad windows and a dozen icons on my desktop for poker, games, and adult sites.

IMPORTANT LESSON: As soon as you notice trouble, disconnect from the Internet. Most of these programs connect back to a home base for their installations. Now I’m not sure where this EXE file came from, but I guess the good news is that it required user interaction to kick it off. Even with the best protection, be sure to answer “no” to those subtle “do you wish to install a virus” questions.

Next step:
After disconnecting from the Internet, I did a quick assessment by running one of my favorite tools, Hijack This! I tried removing some of the obviously offensive registry entries, but they came right back. I had to head off for work and knew this would be a large effort, so I shut down my PC to deal with the problem later. I always hope in these situations that after a resting period, the problem will just fix itself. Of course it doesn’t. I think it’s called denial.

Plan of attack:
I don’t use an adware/spyware tool, so I risked connectivity and used Trend Micro’s free scanning tool. All the while new pop-ups were appearing every few minutes. Trend Micro found and removed some files, but things still seemed off. I disconnected again and ran a complete virus scan, and more items were found. The ad pop-ups had stopped, but I wasn’t confident that I was clean. Another Hijack This! scan still had suspicious entries that I could not remove.

I restarted in safe mode and tried more, to no avail. The good thing about recognizing your mistake right away is that you can use that to your advantage. There were scores of files in the Windows and System32 directories that all had the time stamp from the moment of impact. After some mild research I simply deleted all files fitting the bill. However, some DLLs were in use and not removable. Some of the more innocuous components, however, were removable via Control Panel.
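The time-stamp trick from the paragraph above, as an added example that is not part of the original post: a small Python script that lists files in the Windows and System32 directories whose timestamps cluster within a few minutes of a given moment of impact. The directory names, the impact time and the sample records mentioned in the comments are assumptions, not values from the post.

```python
"""Triage files by timestamp around a known moment of infection.

Added example (not from the original post). Turns the observation that
the dropped files in Windows and System32 all shared one time stamp into
a repeatable check: list every file whose timestamp falls within a short
window of the impact time, sorted so the cluster stands out.
"""
import os
import sys
from datetime import datetime, timedelta

# Assumed locations of the directories the post mentions.
DEFAULT_DIRS = [r"C:\Windows", r"C:\Windows\System32"]


def parse_ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a datetime (for the impact time)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def select_suspects(records, impact, window_minutes=5):
    """Return (path, timestamp) records within +/- window_minutes of impact.

    records: iterable of (path, datetime) pairs, e.g. from scan_dirs() or
    a constructed list. The result is sorted by timestamp so files dropped
    in the same second line up next to each other.
    """
    window = timedelta(minutes=window_minutes)
    lo, hi = impact - window, impact + window
    hits = [(path, ts) for path, ts in records if lo <= ts <= hi]
    return sorted(hits, key=lambda rec: rec[1])


def scan_dirs(dirs=DEFAULT_DIRS):
    """Yield (path, creation time) for each regular file in the given dirs.

    st_ctime is the creation time on Windows, which is what matters for
    newly dropped files. Missing or unreadable directories are skipped.
    """
    for root in dirs:
        try:
            with os.scandir(root) as entries:
                for entry in entries:
                    if entry.is_file(follow_symlinks=False):
                        st = entry.stat(follow_symlinks=False)
                        yield entry.path, datetime.fromtimestamp(st.st_ctime)
        except OSError:
            continue


if __name__ == "__main__":
    # Usage: python triage.py "2006-05-03 21:15:00"   (assumed impact time)
    for path, ts in select_suspects(scan_dirs(), parse_ts(sys.argv[1])):
        print(ts.isoformat(sep=" "), path)
```

Widening window_minutes trades a longer list for fewer misses; DLLs that are still loaded will show up here but, as the post notes, need safe mode or a restore to remove.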

Although it appeared things were OK, I just wasn’t feeling clean and fresh. Some research seemed to indicate that after the annoying adware was removed, I may still have some dangerous spyware threatening to capture my personal information. I then remembered a little known utility of Windows XP called System Restore.

System Restore takes a snapshot of your system configuration periodically, or you can manually create a restore point. It’s not a total backup, but it keeps track of installed software and registry settings. I ran the utility located in Start - Program Files - Accessories - System Tools - System Restore (perhaps I know why it’s not very popular), and I found there was a restore point available from the night before.

When you restore, you don’t have to worry about losing any data files you may have created, and I hadn’t installed any software in a while, so I felt that restoring would be best. Also, I could always reapply my changes with the same utility.

The system restored and restarted and everything seemed fine. I ran Hijack This! and felt much better about the scan results, and glad I didn’t just settle. I saw the offending W.EXE in my root directory. Scarily, virus scanning it did not find anything wrong. I continued to look for clues of infection, even doing complete scans and everything seemed as it was.

Conclusion:
You can never be too careful. Make sure you have virus software and that the definitions are up to date. Make sure you have a firewall for your broadband connection. Make periodic backups of your files. Scan for viruses and spyware regularly. Using System Restore, set up a manual restore point before making any changes to your system. Uninstall and virus removal tools don’t get everything. The weakest point in all of this security tends to be the user. Don’t run programs you are unfamiliar with, and be cautious about installing questionable software.

In future articles, I will discuss the utilities and methods described.

Let’s be careful out there.


Entry Filed under: Technology

