Thursday, June 02, 2011

How I Survived A "Windows XP Recovery" Attack

Let me say first that I believe any hacker who writes hijacker programs, viruses, trojans, malware of any kind or who snoops around in my private files should be stripped naked, hog-tied and branded on his forehead and his butt with a big letter "H" by the hairiest, smelliest cowboy we can find (one who's been out on the prairie way too long and thinks the hacker has a "purty mouth"). Then he should be dipped in honey and dropped on a tiny deserted island infested with fire ants, somewhere not far from the Arctic Circle with lots of friendly crabs, scorpions and other assorted crustaceans - anything with pincers or stingers.

That said, I was working and doing a Google search for bananas and tomatoes and trying to find out if you could grow them together. Somebody on one likely-looking site planted a trojan that opened a video file, and when I tried to shut it down, it paused and installed a trojan.

McAfee kept deleting it to no avail. It started giving me messages that said my SATA hard drive was failing. Well, my laptop doesn't use a SATA hard drive. I discovered that a new "security" program icon had appeared in the lower right task bar calling itself Windows Recovery XP. I began receiving ever more frantic messages that my computer was going to fail. I quickly saved the files I was working on. That was an early giveaway, because a hard drive failure wouldn't have let me save files. To be certain, however, I saved my files to an SD card and then rebooted.

Things got worse.  My wallpaper disappeared and a big "security" screen came up telling me I had 12 problems with my hard drive and that I should scan it with Windows XP Recovery. The program also uses several other variants of the same name. Whatever it calls itself, it is another of the fake Windows Security programs that have been so successful of late at getting past firewalls and security software.  Task manager was greyed out so I couldn't manually delete whatever process they had running.  So:

1. I went to my desktop computer and downloaded fresh versions of Norman Malware Cleaner and Kaspersky TDSSKiller Anti-Rootkit Utility onto a jump drive.

2. I booted the infested laptop, plugged in the jump drive and started TDSSKiller right off the jumper. It found nothing, but it's always smart to check first or the malware can reinstall itself every time you reboot.

3. I ran Norman Malware Cleaner and scanned the entire C: drive. Norman Malware Cleaner was busily deleting registry entries this nasty piece of business had installed when the computer shut down on its own. This is something this particular malware does to protect itself. It hopes you'll give up and buy their "security software" to rid yourself of the problem. Of course, then they'll have your credit card - I don't think so!

4. Restarted the laptop and this time closed the "security screen" from the blue program bar. I started Norman Malware Cleaner again and checked the program bar again by right-clicking on it. This time Task Manager was operational. By now it was throwing hard drive crash notices at me again. I opened the Processes tab in Task Manager and found a bunch of copies of a program called "attrib" - six or seven copies of it. I shut them all down quickly. Next, I found a program that I didn't recognize with a word-salad name that no respectable programmer would ever use (ASduaswhIbMHgW.exe). I shut it off. The "notices" stopped and Norman was able to finish the scans and clean four malicious files.

5. Restarted the laptop and it was still there, but Task Manager still worked. I again disabled the invading file to stop the phony "alerts" and shut off the "security window". Went to the Control Panel and clicked "Run", then typed "msconfig". Found the ASduaswhIbMHgW.exe file in Startup, so I disabled it. I didn't try a restart yet. Instead I ran my Advanced System Care Pro software's deep clean utility before restarting, hoping it would catch the file and eliminate it. ASC found two high-risk programs and removed a bunch more malicious registry entries.
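Steps 4 and 5 above are a manual triage: look for a pile of identical processes in Task Manager, look for an executable with a nonsense name, then look for the same name in msconfig's Startup tab. The script below is an added example (not from the post, and not a tool the author used) that does the same three checks from a prompt, so they can be repeated after each reboot. It assumes Windows PowerShell 2.0 or later is installed (on XP it is an optional download) and that the shell is run as the affected user; the "user-writable path" heuristic and the process-name threshold are my own choices, not anything the post states.

```powershell
# Added example: repeatable version of the Task Manager / msconfig checks in steps 4 and 5.
# Assumption: Windows PowerShell 2.0+ is available (not installed by default on XP).

function Get-DuplicateProcesses {
    # Image names running more than once. The post found six or seven copies of
    # attrib.exe; a burst of attrib processes is what a mass "hide everything" looks like.
    param([int]$Threshold = 2)
    Get-Process | Group-Object -Property ProcessName |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { "{0,3} x {1}.exe" -f $_.Count, $_.Name }
}

function Get-UserPathProcesses {
    # Processes whose binary lives under a user-writable location. Legitimate software
    # mostly lives in Program Files or the Windows directory; a random-named .exe in
    # the profile or TEMP is the kind of thing the post found by eye.
    $roots = @($env:USERPROFILE, $env:TEMP, $env:APPDATA) | Where-Object { $_ }
    Get-Process | ForEach-Object {
        $p = $_.Path   # null for system processes or when access is denied
        if ($p) {
            foreach ($r in $roots) {
                if ($p -like "$r*") { "{0,6}  {1}" -f $_.Id, $p; break }
            }
        }
    }
}

function Get-AutoStartEntries {
    # What msconfig's Startup tab shows on XP: the Run keys plus the Startup folder.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |   # drop the provider metadata properties
                ForEach-Object { "{0}`t{1} = {2}" -f $k, $_.Name, $_.Value }
        }
    }
    $startup = [Environment]::GetFolderPath('Startup')
    if (Test-Path $startup) {
        Get-ChildItem -Path $startup -Force | ForEach-Object { "Startup folder`t$($_.FullName)" }
    }
}

"== processes running more than once =="; Get-DuplicateProcesses
"== processes running from user-writable paths =="; Get-UserPathProcesses
"== auto-start entries (what msconfig lists) =="; Get-AutoStartEntries
```

Nothing here kills or deletes anything; it only prints what to look at, so it is safe to run before deciding what to disable. An entry whose value points at a file in the profile with a name like the one in the post is the thing to note down, disable in msconfig, and hand to the scanners.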

6. Restarted the laptop, and everything on my desktop and all the programs in my Start program menu were gone. Restarted the laptop and went to Safe Mode with Networking by tapping F8 till the Safe Mode window came up. I selected the "System Restore" option for bootup and restored from yesterday afternoon's system setting restore point. Everything looked fine till I noticed that my McAfee real-time virus scan was turned off. When I tried to turn it back on, it wouldn't. I opened McAfee and ran the "check for updates" utility. Seems there's also a problem with McAfee when you do a system restore: McAfee sometimes loses any updates that happened after the restore point. Updating McAfee fixed the problem.

7. Ran Malwarebytes' Anti-Malware software. I couldn't update the malware database, but was able to run the program. Still acts like something's wrong. Malwarebytes scanned for over an hour and found one malware file designed to restore the program and a tracer file.

8. Restarted the laptop. Ran a full McAfee scan. For some reason Advanced System Care Pro self-destructed when it tried to update and I had to go to the Control Panel and remove all traces of it and reinstall it.

9. Finished up about 2:30 am. The laptop is working again and I am in a state where, if I met the hacker who came up with the Windows XP Recovery malware, I fear I might have a great deal of difficulty obeying the golden rule. I would likely obey it, but the only comfort would be the thought that the lake of fire awaits evil people as their reward for their labors in this life.

I figure it cost me $45 to $60 in lost time working at the pittance my lowest paying writing job pays.

If it's still loggy in the morning, I'll run TDSSKiller and Norman Malware Cleaner again. For now I'm taking a shower and hitting the sack. I hope the anti-virus/anti-malware/anti-spam people figure out how to block this. After all, we pay them quite enough protection money, thank you.

ONE MORE PROBLEM: When I opened Internet Explorer I discovered my Favorites (bookmarks) folder was empty. Five years of bookmarks gone. My Firefox browser still had its bookmarks, but IE's were missing in action - a serious PIA for someone who does research and writing for a living.

HOW I FIXED IT: I found the Favorites folder in my files under C:\Documents and Settings\Tom King\Favorites. But every file was greyed out. They had all been marked "hidden". I had to go to the Favorites folder, right-click, select Properties, left-click on it to open "Properties" and uncheck "Hidden" in the attributes. Fortunately, it lets you unhide all the files in the folder at once, so I selected "all subfolders" when it gave me the options. In about 30 seconds it unhid my bookmarks. I opened Internet Explorer and all my Favs are back.

WARNING: The vicious little punks who created the "Windows XP Recovery" malware program likely hid a lot more key files. I'll be cleaning that up for weeks, but at least I know what they did.

Hiding files is an easy way to mimic a hard drive breakdown. Their phoney security software probably doesn't do anything except unhide the files that have supposedly "gone missing" on your computer. It's a fraud. Their software is what hid the files in the first place. I hope someone sends these pipsqueaks to prison for it. In the meantime.......
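The two paragraphs above describe both halves of the trick: the "disappeared" files are simply files with the Hidden attribute set, and the cure is to clear that attribute, which the author did one folder at a time through the Properties dialog. The script below is an added example (not from the post, and not something the author ran) that does the same thing from a prompt and, because the WARNING paragraph expects more hidden files elsewhere, can also be pointed at the whole profile to count what is still hidden. It assumes Windows PowerShell 2.0 or later; the decision to leave files that carry the System attribute alone (desktop.ini and similar, which Windows hides on purpose) is my own choice, not anything the post specifies.

```powershell
# Added example: find and clear the Hidden attribute that the post says the malware set.
# Assumption: Windows PowerShell 2.0+ (the -Attributes filter of later versions is avoided
# on purpose so this runs on the older shell).

function Get-HiddenItems {
    # Every file and folder under $Root that has the Hidden attribute, excluding items that
    # are also marked System, which Windows hides itself and the malware is unlikely to own.
    param([string]$Root)
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            -not ($_.Attributes -band [IO.FileAttributes]::System)
        }
}

function Clear-HiddenAttribute {
    # Clears Hidden on everything Get-HiddenItems returns and reports the count.
    # With -WhatIf it only lists what it would change, so you can review the list first.
    param([string]$Root, [switch]$WhatIf)
    $count = 0
    foreach ($item in Get-HiddenItems -Root $Root) {
        if ($WhatIf) {
            "would unhide: $($item.FullName)"
        } else {
            # -band with the complement of Hidden clears that one bit and keeps the rest
            # (ReadOnly, Archive, Directory) exactly as they were.
            $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
            $count++
        }
    }
    "$count item(s) unhidden under $Root"
}

# The Favorites folder from the post, located through the environment rather than by name:
$favorites = Join-Path $env:USERPROFILE 'Favorites'

# Review first, then apply.
Clear-HiddenAttribute -Root $favorites -WhatIf
Clear-HiddenAttribute -Root $favorites

# How much else is still hidden? A count per top-level folder of the profile gives a map
# of what the "hard drive failure" story actually touched.
Get-ChildItem -Path $env:USERPROFILE -Force |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object {
        $n = @(Get-HiddenItems -Root $_.FullName).Count
        if ($n -gt 0) { "{0,5}  {1}" -f $n, $_.FullName }
    }
```

Run the WhatIf pass first and skim the list; if it contains only things you recognise as your own files and folders, the second call restores them. The per-folder count at the end is the quick way to confirm the author's suspicion that Desktop, Start Menu and other folders got the same treatment, without having to open Properties on each one.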

P.S. If anyone out there is like a super computer geek who wants to be a superhero, let me suggest something. Track people that do this down and post their home addresses online. You could support your superhero work by selling baseball bats online to people who have had hours and hours of their lives robbed from them by these villains. Or even more fun, track down every virus, malware program, trojan and herbal Viagra spammer you can find, every Nigerian e-mailer, every phony lottery and create a database of their creators' names and the homes or basements they live in. Put a "donation" link on your website. You'll make a killing.

If you'll do it, let me know. I'll buy you a genuine superhero cape!  Flame retardant.
