(Off Topic) Windoze spam and corruption

Ben Scott dragonhawk at gmail.com
Mon Feb 11 10:16:54 EST 2008


On Feb 11, 2008 8:55 AM,  <paul.cour1 at verizon.net> wrote:
> I have a Win XP machine that is terribly infested (Ugh!)

  I'm guessing, like most Windows computers, the account used for
day-to-day activities is a system privileged account ("root" in nix
terms; "Administrator" in doze terms).  If so, what you have is
commonly termed a "root compromise".  It's entirely likely the malware
(malicious software) has subverted the system to lie to you -- and
other software -- about the malware's presence.  So the malware will
be hard to find and/or remove on the running system.  It's like asking
a thief if he stole something: Crooks lie.

  As the saying goes, if someone else manages to install their
untrustworthy software on your computer, it isn't your computer
anymore.

  The only way to say for sure is to boot from trusted media and run
your investigations from there.

  Booting from trusted media might mean booting from CD on the suspect
system.  This is easier on nix, where booting from a read-only CD is
well-supported.  Unfortunately, 'doze *really* wants a large, writable
medium for its running system.  I've seen frequent reference to using
the third-party project "BartPE" to create a working, bootable CD
environment for 'doze, to run malware scanners; Google it.
Alternatively, one can take the hard disk out of the suspect system
and install it as a secondary disk in a working, trusted system.

  Once you've got a trustworthy boot, run some software designed to
scan for signatures of known malware.  Software I've used in the past
for this are Spybot Search and Destroy (free;
http://www.safer-networking.org/), Ad-Aware (free for personal use;
http://www.lavasoft.com/), and AVG (free for personal use;
http://free.grisoft.com/).

  The same principle -- root compromise == untrustworthy system --
applies to nix.  CERT has a good document on it (NT == Windows
2000/XP/etc):

"Steps for Recovering from a UNIX or NT System Compromise"
http://www.cert.org/tech_tips/root_compromise.html

> I.E. I am trying to erase as much stuff as I can without corrupting
> the Operating system.

  Corrupted?  It comes that way out of the box.  Oh, you mean by
someone *other* than Microsoft... ;-)

> I have deleted these (or attempted)
> but in a second or two, they are back...

  See above about the system being subverted by the attacker.

> These Browsers reference Yahoo services and Internet Explorer,
> in the window frame. Obviously I have removed every file that looks
> like it is an I.E. or Yahoo reference.

  Again, crooks lie.  They're impersonating MSIE and Yahoo to fool you
into looking for the wrong things.

> Short of wiping the drive and reinstalling windows, M. S. Office,
> reconfiguring Linksys router, etc., what can I do?

  If malware scanners fail to get you out of the hole, a
wipe-and-reload is your only choice.

> While my last and most effective option is to wipe drive and reinstall
> Windoze, ...

  I'd argue your last and most effective option is to wipe the drive
and install Linux.  I'm not being a wise-guy, either.  Generally
speaking, there are satisfactory solutions for most of the "But I need
Windows ..." objections, and Linux can make one's life a lot better.
Big companies have to worry about all sorts of inertia, but
single-users can often switch easily.

  This group is full of people eager to help with such endeavors.

> 2.) don't have the patience to teach Linux to the owner of this machine.

  Do you have the patience to teach Windows to the owner of the
machine?  Because regardless of OS, an untrained operator is a
problem.  Especially on Windows -- most malware explicitly preys on
operator ignorance.  Unless you look forward to doing this kind of
malware recovery and/or system reinstall on a regular basis, you have
few options:

(1) Lock down the machine, so the user(s) don't have admin rights.
Administer the machine for them.
(2) Train them how to do it all themselves.

  I can say from current experience that either option is a lot easier with nix.

-- Ben
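The reply's core procedure, boot from trusted media and inspect the suspect disk from there rather than trusting the running system, can be illustrated with a small offline integrity scan. The following is an added example and not part of the original post or any tool it mentions: it assumes the suspect disk has been attached to a trusted Linux system and mounted read-only (for instance with `mount -o ro,noexec,nodev`), compares every file against a baseline of known-good hashes recorded from a clean install, and separately flags files matching a list of known-malicious hashes. The baseline, the "known bad" hash, and the tampered volume are all constructed inline in a temporary directory so the script runs offline; `build_demo_volume`, `scan` and `sha256_file` are names chosen here, not from any real scanner.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path, baseline: dict, known_bad: set) -> dict:
    """Walk the read-only mounted suspect volume and compare each file to the baseline.

    Because this runs from a trusted boot, the file listing and hashes come from
    the trusted kernel, not from the (possibly subverted) suspect OS.
    Returns sorted lists: modified files, files absent from the baseline,
    baseline files that are gone, and files matching a known-malicious hash.
    """
    findings = {"modified": [], "unexpected": [], "missing": [], "known_bad": []}
    seen = set()
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            seen.add(rel)
            digest = sha256_file(path)
            if digest in known_bad:
                findings["known_bad"].append(rel)
            if rel not in baseline:
                findings["unexpected"].append(rel)
            elif baseline[rel] != digest:
                findings["modified"].append(rel)
    findings["missing"] = sorted(set(baseline) - seen)
    for key in findings:
        findings[key].sort()
    return findings


def build_demo_volume():
    """Constructed stand-in for a mounted suspect disk (assumption: a temp dir).

    Writes a small clean tree, records its baseline hashes, then simulates a
    compromise with one edited file, one dropped file and one removed file.
    """
    root = Path(tempfile.mkdtemp(prefix="suspect-"))
    clean = {  # constructed contents, not real Windows binaries
        "WINDOWS/system32/notepad.exe": b"constructed notepad image",
        "WINDOWS/system32/calc.exe": b"constructed calc image",
        "WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
    }
    baseline = {}
    for rel, data in clean.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        baseline[rel] = hashlib.sha256(data).hexdigest()  # recorded while clean
    # Simulated tampering (all constructed): edited hosts file, dropped
    # executable under an innocuous-looking name, removed system tool.
    (root / "WINDOWS/system32/drivers/etc/hosts").write_bytes(
        b"127.0.0.1 localhost\n10.0.0.1 update.example.test\n")
    dropped = b"constructed malicious payload bytes"
    dp = root / "Program Files/ConstructedHelper/helper.exe"
    dp.parent.mkdir(parents=True, exist_ok=True)
    dp.write_bytes(dropped)
    (root / "WINDOWS/system32/calc.exe").unlink()
    known_bad = {hashlib.sha256(dropped).hexdigest()}  # constructed signature
    return root, baseline, known_bad


if __name__ == "__main__":
    root, baseline, known_bad = build_demo_volume()
    for category, paths in scan(root, baseline, known_bad).items():
        print(f"{category}: {paths}")
```

A hash baseline like this is a supplement to, not a replacement for, the signature scanners named in the reply; its value is that it is evaluated from a trusted boot, so a rootkit hiding files from the suspect system's own APIs cannot hide them here, and that "unexpected" and "modified" entries give you a concrete list to investigate before deciding between cleanup and wipe-and-reload.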

