Friday, May 13, 2011

Sometimes you p0wn the malware...

So today, after 2 hrs, I saved a PC that had been sentenced to death from the get-go. My motivation for saving PCs is simple: avoid buying more hardware, since manufacturing it is costly for the environment. So every PC I can clean is another PC saved. This one was a bit of a dinosaur, but for our purposes it still works, for at least a while longer. 512MB RAM, 40GB HD. Again, a dinosaur. But I felt I could save it...

The PC was in pretty bad shape. The call comes in: "Yeah, I can't do anything on my PC, I get these popups about XP Anti-Spyware. It wants me to register and pay for it. Says my PC is infected." You may have seen this lovely type of malware: posing as a malware remover, and of course asking to be "registered", which means asking for credit card information.

Of course the clients always wait until the PC does not function at all before calling, which makes cleaning far more difficult, but that is of no concern to the user. The malware auto-launched whenever an executable was opened: Internet Explorer, Control Panel applets, the malware remover, anything you open fails to launch and instead brings up yet another window of "give us your credit card to clean your PC".

This window launches whenever you run a .exe file.

So I had her reboot into Safe Mode with Networking, then remoted to the PC via our web-based shadowing tool. Once I was on the PC I started by running the "deleter" and CCleaner. These don't remove any malware (unless it happened to reside in the temp files), but they make scanning much faster by reducing the number of files on the PC. They clear all sorts of temp files, and for ALL users, not just the one logged on: not just browser temp files, but application temp files and Windows temp files as well. This must not have been done...ever! It was deleting temp files for a solid 15 minutes!!



Then I ran some registry fixes that repair the "hosts" file, in case it was hosed, and applied a fix for the executables that weren't running. All this while I tried to figure out the name of the process at fault (it turned out to be xta.exe). Now, when the windows came up, I could quickly kill the process in Task Manager. From there I could run .exe files again, install some malware removal tools, and scan...


24 minutes later: remove the infected files and registry keys, reboot, and for $44 (2 hrs of my work, haha) they have a PC in working order again. These are the things no one probably notices. I could have just recommended a re-image or replacement after 30 minutes of trying, and since it is old, they would have just replaced it. But I don't do it for recognition; I do it because the fewer PCs that are sold and manufactured, the fewer resources are "wasted"...and that is something that matters to me.
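The hosts-file check mentioned above, as an added example that is not part of the original post or of the tools it names: it parses a Windows hosts file and flags entries that redirect names away from loopback or that pin security-vendor and update domains to loopback (the usual way this kind of rogue anti-virus blocks scanner downloads). The watched-domain list and the sample file are my own constructed assumptions.

```python
import ipaddress

# Domains rogue anti-virus software commonly blackholes (assumed list, not from the post).
WATCHED_DOMAINS = ("microsoft.com", "windowsupdate.com", "symantec.com",
                   "mcafee.com", "malwarebytes.org", "ccleaner.com")

def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:                   # one IP may map several names
            pairs.append((fields[0], name.lower()))
    return pairs

def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False                              # malformed address is not loopback

def is_watched(name):
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)

def suspicious_entries(text):
    """Flag entries that redirect a name off loopback, or that pin a vendor/update
    domain to loopback (which silently blocks updates and scanner downloads)."""
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and is_loopback(ip):
            continue                              # the only entry a stock XP hosts file has
        if not is_loopback(ip):
            findings.append((ip, name, "redirect to non-loopback address"))
        elif is_watched(name):
            findings.append((ip, name, "vendor/update domain blackholed"))
    return findings

# Constructed sample; the real file lives at %SystemRoot%\system32\drivers\etc\hosts.
SAMPLE = """# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1   www.malwarebytes.org   # blocks the scanner download
10.0.0.1    update.microsoft.com
"""

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE):
        print(f"{ip:<15} {name:<28} {why}")
```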

6 comments:

  1. that's an awesome reason to try harder to save those old computers! :D

  2. Yeah, I agree with Geli. That's a really good reason :)

  3. That was great work, it's really difficult sometimes to clean Windows XP computers, especially if they're old with little resources. What I usually do with those computers is to reinstall Windows, always works ;)

  4. @Diego - Thanks! :) The reason we try not to re-image/reinstall Windows is because, since we work remotely, that means they would have to send us the PC, which makes the fix take a long time, and there's the added cost of shipping as well. And everything gets wiped too; since they are work PCs, they tend to have stuff they need on there (even though we tell them to use the network shares for important files).

  5. You, my friend, are pretty fucking amazing. =) You should look at my computer. It's running OK, but it doesn't make sense that I have 6 Gigs of RAM and almost 1T of hard drive space and it takes a while to load! Idk if it's because of all my music, video, picture editing software, but either way it'd be nice if you checked it out =)

  6. @Paco - Thanks man! Let me know when it is a good time to look at it, and I will :)
