Slashdot Mirror


Worst Security Clean-Up You've Performed?

nakhla writes "Last night, I was tasked (by my wife) to help fix her friend's computer. It is a Windows XP home system which has been running slowly, almost to the point of un-usability (like *that's* never happened before). It turns out that hundreds of random processes had filled up its meager 256 MB of RAM. The cause? Nearly 7,500 viruses and worms that had infected the system. That number doesn't even include the hundreds of spyware and adware programs that had installed themselves, as well. Although the box is now behind a firewall, that wasn't always the case. This was, by far, the most infected system I'd ever seen, but I'm sure it can't be the worst ever. What was the worst security cleanup you ever had to perform?"

158 comments

  1. Well, there was that one time... by Dr.+Eggman · · Score: 4, Funny

    Once, I saw a computer infected with Windows ME.

    --
    Demented But Determined.
    1. Re:Well, there was that one time... by Morphine007 · · Score: 2, Funny

      A friend of mine had that same thing happen once, it started to infect other machines around it; we had to nuke the site from orbit... it was the only way to be sure...

    2. Re:Well, there was that one time... by Anonymous Coward · · Score: 0

      Even worse than that, WinME + spyware + viruses. There is no point in trying to clean that mess up, save whatever data you can and then nuke the drive.

    3. Re:Well, there was that one time... by Who235 · · Score: 1
      it was the only way to be sure...


      Did you salt the earth so nothing would grow there again?
  2. You Cleaned it Up? by neoform · · Score: 5, Insightful

    With that many viruses, is it even possible to "clean" it?

    Hell, I do a reinstall if I get even 1 bad virus..

    --
    MABASPLOOM!
    1. Re:You Cleaned it Up? by Karloskar · · Score: 1

      Reinstalling is a drastic workaround to a problem where a solution exists. The time it takes to clean a single bad infection is minimal compared to reinstalling Windows, installing the software and tweaking your settings to make sure that everything is how you like it. It takes a good 2 or 3 hours to just install XP and associated programmes. Then tweaking over a few weeks.

      Next time I reinstall Windows I'm going to Ghost the drive once I've got set up how I like it.

    2. Re:You Cleaned it Up? by fmaresca · · Score: 1

      Nah. With a very customized XP Pro installer CD, it took about one _unattended_ hour to make a full installation with .NET Framework, Firefox, OpenOffice, AV, Thunderbird, etc. Next step, generate the domain logon for the first time (2 minutes) and that's it. OTOH, a clean-up can take several hours full time in front of the computer, and from time to time you will find after this work that you have to reinstall anyway. So why take that chance? Salud,

    3. Re:You Cleaned it Up? by walt-sjc · · Score: 1

      It was probably just a small handful of viruses (at most) that infected 7500 files. I would seriously doubt that the poster had 7500 DIFFERENT viruses. I can also believe that, at most, dozens of spyware programs were installed, but not hundreds. Spyware programs frequently claim that each cookie and registry entry is spyware.

    4. Re:You Cleaned it Up? by rbochan · · Score: 4, Interesting

      Had these folks not too long ago that were getting phone calls and actual snail mail from their ISP telling them to take their computer offline and have it repaired. The ISP actually did cut them off, because their machine was saturating the line all the time as a spambot and as a server for other bot infections.

      The machine was about a year old (and out of warranty, of course) - a 2.6 gig CPU with a gig of RAM. It took almost 35 minutes to go from power off to the desktop. They had an antivirus that came with the machine, but the "free 90 day subscription" to it had run out long ago and they weren't aware of it, since that was one of the first things the malware went after. Their 16 year old son who loved to surf porn all the time didn't help matters. A machine like that really isn't worth the time to hunt and peck for individual pieces of malware and should be wiped clean and started fresh; however, the godawful shit that was on it even hosed the recovery partition. And since actual install media isn't included with a $MAJORMANUFACTURER machine, they would have had to shell out for a retail copy of their previous OS.

      Since these folks were obviously pretty clueless about computers, I fired them up a Knoppix CD to see how they took to it. They honestly had zero problems navigating the KDE desktop and were able to do everything they wanted with the computer, except obviously to save stuff.
      They now have a shiny Debian Etch based KDE desktop that they're enjoying, virus, malware, and calls from the ISP free.

      That was one of the worst I've ever seen.

      --
      ...Rob
      The American Dream isn't an SUV and a house in the suburbs; it's Don't Tread On Me.
    5. Re:You Cleaned it Up? by harrkev · · Score: 1

      Hmmm. That "very customized" XP CD must have taken some time to create. This is made worse by the fact that, between all of the different apps that you have thrown on there, one of them must have a new version every week. Just keeping Firefox and Thunderbird up-to-date can take some time. Unless you do this sort of recovery every week or more, it is probably not worth a person's time to make such an update CD that will be hopelessly out-of-date within a month.

      You also have to factor in the time to back up the old user data and restore it. The problem is that a LOT of applications just throw their data in their own directories under "Program Files." I can tell you from experience that even Peachtree, a small-business accounting program, commits this sin. This means that you can't just back up "My Documents" and be done with it.

      --
      "-1 Troll" is apparently the same as "-1 I disagree with you."
    6. Re:You Cleaned it Up? by Anonymous Coward · · Score: 0

      I've seen machines that literally had hundreds of different spyware programs on them. An unpatched Win2K box used by someone who spent all day at work browsing the shady corners of the internet; by the time they complained that their machine was slow and they couldn't stand all of the popups, they had every major spyware program I had heard of at the time and dozens I had never seen. The sad thing was that their machine had extremely confidential data on thousands of people, including SSNs. I tried to clean it just because I wanted to find out how far you could get on such a badly compromised system. I had to do a lot manually but I got it to the point where it could pass any anti-spyware software I threw at it. Of course we still wiped it and reimaged; you can never really be sure when they are that badly infested.

    7. Re:You Cleaned it Up? by KevMar · · Score: 1

      They never ask for help until they can't get the internet to work any more.

      I had one machine that a friend needed cleaned up. If I left the Explorer shell running, it would lock up after 90 sec. (once it got logged in). I had to kill the shell immediately.

      I managed to reinstall the network stack and drivers and load Firefox from my USB key. 2 spyware scanners failed to even load and the 3rd counted 7000 infected registry keys before it locked up. The task list of running programs was huge and they were all fighting for CPU and memory.

      I got my network stack fixed but could not get to a webpage. So I just gave up. I knew it was a rebuild before I even started. I spent an hour just trying to see how bad it was.

      I tell people it's like cancer, you never can get it all.

      --
      Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
    8. Re:You Cleaned it Up? by RobertLTux · · Score: 1

      umm if you are in a class 3 hazmat zone why didn't you just yank the drive and clean from a secure host?

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    9. Re:You Cleaned it Up? by fmaresca · · Score: 1
      That "very customized" XP CD must have taken some time to create. This is made worse by the fact that, between all of the different apps that you have thrown on there, one of them must have a new version every week. Just keeping Firefox and Thunderbird up-to-date can take some time. Unless you do this sort of recovery every week or more, it is probably not worth a person's time to make such an update CD that will be hopelessly out-of-date within a month.
      In the first place, the app installers do not reside on the CD, but on a Samba server; a simple script pulls down the apps from the server share and executes them. The big deal is up-to-date device drivers; some hardware needs tweaking after installation.
      You also have to factor in the time to backup the old user-data and restore it.
      The user profiles and Documents and Settings folders are stored on the netlogon Samba server, so from the user's point of view there are no perceptible differences between workstations. Of course there are several scenarios where this solution is not 100% applicable, but all in all it can reduce the reinstall time significantly.
      The problem is that a LOT of applications just throw their data in their own directories under "program files." I can tell you from experience that even Peachtree, and small-business accounting program does this sin. This means that you can't just back up "My Documents" and be done with it.
      Well, I simply don't care about apps that are not part of the company stuff, like IM, games, etc. And for the ones that drop things under "Program Files": if I need to run these creepy apps on the enterprise workstations, I have to make them store their shit on a server share, or they are a no-no.
    10. Re:You Cleaned it Up? by Some_Llama · · Score: 1

      "I tell people its like cancer, you never can get it all."

      Usually if you know enough about Windows and the way the viruses/malware attack the OS you CAN clean it all off; it is a matter of how much time you want to spend cleaning it VS how much time it would take to reinstall the OS and programs/restore files...

      My cut-off point is about 3 hours. This is also why I like to make Ghost images of the OS after a fresh install and patch job; that way you cut down your time considerably for the next clean (to go whole hog, set up a backup routine for a root folder and have the user use that folder only for critical file storage).

      For IT shops repairing home PCs, it almost makes sense to install a new drive, load the OS image, then restore files from the old drive VS the cost of 50+ an hour to try and clean the infected OS... Hmm that sounds like a good business plan.

  3. 20k by Chrismith · · Score: 1

    Running an Ewido scan on a computer I had to clean up at work resulted in nearly 20,000 malicious items being found. Many of them were just tracking cookies, but even so, I took a screenshot; I might still have it somewhere....It was damned impressive.

    1. Re:20k by Killjoy_NL · · Score: 1

      On a co-worker's machine I ran Ewido as well, aside from the normal spyware etc, I found that the machine was infested with a worm.
      Ewido came up with a final score of 16553.

      Took quite a long time to clean up.

      --
      This is the sig that says NI (again)
    2. Re:20k by codered82 · · Score: 2, Funny

      3dMark scores seem irrelevant when you throw out a number like that. Yikes.

      P.S.: Anyone else see the humor in that this "Ask Slashdot" was posted right after the "Vista doesn't need Anti-virus" story?

      ...I'm just sayin'

      --
      History does not long entrust the care of freedom to the weak or the timid. ~Dwight D. Eisenhower
  4. A Corrupted SQL Server System by Salvance · · Score: 2, Interesting

    Worst cleanup by far was on a corporate Windows server in 2000 or 2001. The system did not have any anti-virus, and doubled as a SQL Server and File server. A couple viruses got on the drive and started trashing files. Unfortunately, they had been on there for months before anyone noticed, so backups were basically useless. We had to go file by file to retrieve important data, and then have users manually validate exported/imported SQL Server data. Uggghhhh. It took us months before everything was sorted out, but it was an easy sell to get the client onto Oracle and a HP-UX system soon after.

    --
    Crack - Free with every butt and set of boobs
    1. Re:A Corrupted SQL Server System by toadlife · · Score: 1

      "It took us months before everything was sorted out, but it was an easy sell to get the client onto Oracle and a HP-UX system soon after."

      So instead of recommending that they learn to administer their existing systems, you sold them a much more expensive system that they knew even less about?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:A Corrupted SQL Server System by Salvance · · Score: 1

      Haha ... not entirely. They had Unix and Oracle administrators on staff, but the division where this security breach occurred didn't want to pony up for the systems that most of the other divisions had. We actually didn't sell them the HP-UX and Oracle, we just recommended HP and Oracle implementation teams to do the work (I was doing performance tuning work at the time, so my only input was a few hours each week after the systems were installed).

      --
      Crack - Free with every butt and set of boobs
    3. Re:A Corrupted SQL Server System by toadlife · · Score: 1

      I see.

      Your post hits home for me, as we run our core business system on an HP-UX/HP9000 combination. We are pretty much a 100% Windows shop. Though I like and am comfortable with *nix OSs, I am not the person in charge of the HP-UX system. The person in charge is an old school HP guy, and knows little about *nix, and as a result we have a system that is never really maintained like it should be and is unbearably slow. On top of that, we pay a boatload of money every year for various support contracts on this behemoth.

      We are currently in the process of migrating the system over to Win2k3 on a VMware ESX virtual machine. Running it on Windows might not be as reliable as HP-UX, but the software we run on the HP9000 is constantly being patched and has to be taken down anyway, so the uber reliability of the HP-UX system means little in the grand scheme of things.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    4. Re:A Corrupted SQL Server System by Salvance · · Score: 1

      I hear ya. I wouldn't have chosen the same path today as 6 years ago. But back then, it was NT 4.0 with SQL Server 7 on a server that wasn't secure, or buy a smallish HP server with Oracle 8i ... the decision was pretty easy then.

      --
      Crack - Free with every butt and set of boobs
  5. A few gems. by bluefoxlucid · · Score: 5, Interesting

    Geek Squad. One customer had 35,000 pieces of spyware and over 3000 instances of some 30 or 40 viruses on her computer, some of which required some alternative methods to remove since they were locked when in safe mode and encrypted so you couldn't scan with a boot CD. After 4 scans taking about 6 hours I managed to get the spyware gone, and also in between had made note of viruses I needed to manually purge. Cleaned it up nice; meanwhile my supervisor was telling me to call the customer and tell them we needed to just reinstall Windows.

    My aunt got AOL with anti-spyware and firewall and security. Eventually she had 35 different viruses, managed to remove all but 28 unique signatures (this was before I developed my brute-force removal method). Chucked a ton of spyware too.

    While at WhiteWolf Security, we had a little game going; eventually our opponents got pissed at us for unrelated reasons and decided to physically break into WhiteWolf at 4am. They shorted CMOS pins and used boot CDs to evade password lock-outs, adding extra administrative accounts and rootkits that continuously gave them remote log-ins. We couldn't feasibly assess the damage and determine all the changes; I filed an incident report with cost of infinite and put the machine in the evidence locker for forensics to deal with. We got third place too.

    1. Re:A few gems. by spinfire · · Score: 1

      When I worked for a small independent computer repair shop we did a lot of customer Windows reinstalls. Most of the time when it was that bad we would just encourage the customer to do a Windows reinstall and in the end it was usually cheaper and better for the customer. Plus, there is something very rewarding about getting back the computer after the reinstall - it really is like getting a new computer back.

      Of course, eventually spyware will take its toll again, and the vicious cycle repeats.

    2. Re:A few gems. by jrothwell97 · · Score: 1
      My aunt got AOL with anti-spyware and firewall and security. Eventually she had 35 different viruses, managed to remove all but 28 unique signatures (this was before I developed my brute-force removal method). Chucked a ton of spyware too.

      This is another example of people being deceived by companies saying that their products are the killer cure for spyware. AOL is an Internet provider (dubiously, as it already has an appalling track record for that too). Instead of saying that their product will stop viruses, spyware etc., it should educate its users and advise them to download AVG or Spybot. Or better still, use Linux instead. See http://www.wambooli.com/forums/viewtopic.php?t=5, http://www.wambooli.com/forums/viewtopic.php?t=1167 and http://www.wambooli.com/forums/viewtopic.php?t=1423 for more people's woes with AOL's spyware.
      --
      Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
    3. Re:A few gems. by bluefoxlucid · · Score: 1

      With Geek Squad you don't pay hourly. They do the service. For a Spyware removal it's $30, virus removal is ANOTHER $30 (...), then once you've removed all that if there's a problem you can just use the Windows install CD to REPAIR the system for another $20 (this includes Windows update). If they don't remove anything, they don't refund your money; but they will charge you $70 to back up any files and $60 to reinstall Windows, plus $30 per application to install any software you need back (Office, antivirus, antispyware). Oh plus they always have you do a diagnostic for $60 first, before anything else.

      So, $140 to actually fix the crap vs. $250 to get a basic Windows install, and with the extra maintenance after getting Windows reinstalled (remember you need Office and Norton reinstalled) it can come up to over $300 in one visit.

  6. I hate thinking about this one... by Alkivar · · Score: 4, Interesting

    Had a 65yr old woman whose grandkids used the computer... I doubt she ever did. Windows 98 SE; ran Spybot on it and I just about died, over 34,000 items marked as spyware. So I closed the app and ran a virus sweep with AVG and found over 2000 trojans (only like 11 different viruses with variants but multiple installations).

    I realized at that point that it wasn't worth cleaning it up, so I reinstalled with her manufacturer's restore disk and rescanned it ... 300 items marked as spyware from the restore disk, and 3 viruses on the restore disk.

    I did the old woman a favor and installed my old unused retail copy of Win98 on the box.

    That's why you should never buy a computer from Rent-A-Center... *shudder*

    1. Re:I hate thinking about this one... by Anonymous Coward · · Score: 0

      The technical problems are usually manageable. Often, the problems aren't technical. Case in point:

      My sister's business machine got infected by something that sent virus-laden spam to her address book, which contained all her clients. The State of New Jersey bounced email from her until I made it stop that, and read her a very long list of the unpleasant things they were planning on doing to her if it happened again. I wiped the thing flat and gave everybody in the house a lecture on the long list of unpleasant things I was planning on doing to them if this ever happened again. I installed the usual gamut of AV software and scheduled frequent scans.

      Two weeks later, another love letter from the State of New Jersey (those people have an excellent command of invective) and this time I decide I really have to figure out which of my mouth-breathers is responsible for this. The timestamps on AIM and Limewire installs points me to a fine collection of rap music MP3s that I'm pretty sure my Southern relatives didn't download but did implicate a teenage stepdaughter. A Spybot scan showed that the Limewire install brought on an ace collection of trojans, including a keystroke logger. Since stepdaughter did not have a login on that machine (I removed it when the last problem hit) I was a little unsure how she'd managed to gain access to it and she wasn't talking. To add to the fun, her father was indignant that I had the nerve to accuse his child of this kind of thing.

      About this time, I notice that somebody had disabled the Spybot and AV scans, and after a very unpleasant conversation with stepdaughter I finally got her to admit that she'd done that because the AV software kept deleting her stuff and she couldn't IM her friends or listen to music. She'd guessed my sister's password but couldn't be persuaded that this kind of thing was a really bad idea and gave every indication that she had no intention of stopping. I clean it up again and lock it down hard.

      Two weeks after that, and sure enough another letter from New Jersey, and this time they were steamed. I'm out of solutions other than to start cutting people's hands off, so as a last ditch effort I march over to Best Buy (I hate Best Buy) and pick up the cheapest el-cheesoid laptop I can lay hands on and install it in stepdaughter's room along with a very sincere threat to do exceptionally rude and possibly illegal things if I hear about this kind of problem again.

      And for a while, it seemed to work. Then I noticed that my mail client was bouncing my sister's email because, and you guessed it, they were carrying a virus. Moral of this story, there are some things you can fix, and some things, like human nature, that you can't.

  7. Vomit by Anonymous Coward · · Score: 5, Funny

    I used to keep the case off of my computer, to help keep it cool. That is, until a friend crashed in my study after a big night out and somehow managed to throw up inside it. Needless to say I have a whole new setup now.

  8. The worst? by TheSHAD0W · · Score: 4, Funny
  9. Each job is the same... by Anonymous Coward · · Score: 0

    Numbers aside, almost every job's the same. You run the antivirus, etc. Everyone with 12 year old kids just finding out porn is going to have viruses, and the only time they matter is when they make it fun, where you have to hunt everything down manually.

  10. web content file audits by dlasley · · Score: 1

    almost 30,000 files that had to be examined either by script or by hand/eye (give you two guesses which instance was more frequent) for relevance because of an outdated and essentially useless form of content management, then organized and documented according to sensitivity level, freshness, potential legal/compliance relevance, and any noted security concerns. anything that couldn't be archived off the live site had to go through secondary examination for exploits, holes, and the like before being blessed to stay, and there were pages and pages of things to fix. combination of too many sloppy coders, too few quality folks, not enough time spent doing real maintenance, and some really ugly offshore code. yup, that one sucked. if someone tries to put you in the middle of one of those, run like hell.

    --
    when it rains, it gets real soggy. when it pours, i'm under the tap just _waiting_ for the joy
  11. XP, 128 megs... by cpct0 · · Score: 4, Insightful

    My uncle's computer had a meager 128 megabytes of RAM, running XP, with two teenagers using it.

    It was a mess a real mess.

    5 minutes starting XP, 2 minutes seeing the window of Internet Explorer appear. 10-15 minutes to be able to download Spybot and AVG. 3 hours running spybot (you read me right).

    The hard drive stayed constantly ON during all that time. Then I said Screw That, and I reinstalled.

    My conclusions after 3 hours:

    - The first and biggest threat all the newbie users have on their computer are OUTDATED norton utilities giveaways they got with their machine. They THINK they are protected, but they closed the "renew" window so often they forgot it's there. Either the software is FREE AND CONTINUOUS, or it's not there, capiche? Avg is excellent, there are many other free ones too... just find one and be happy. Not something that's NOT free.
    - The second biggest threat are Norton Security centers, again outdated, again with useless popups. Again with people finding it nagging and deactivating it, making certain not only the Windows Firewall is properly deactivated by Norton's presence, but that their system is totally uselessly unprotected. Very great, coming from a security company. Again, there are many FREE (beer) softwares that do spyware detection and stuff, and Windows Firewall, in all its eloquence, is still better than a kick in the butt, at least compared to the useless deactivated softwares I found.

    Not that I hate norton, that is ... just that they are the culprits for at least 2 computers I cleaned so far.

    Then, even if you got years of pro experience in computers, people trust only one person, and if it's not you, you're d00med. I have been explaining to them their meager 128 megs of memory was not enough.... to no avail, they wanted to change computers, almost bought a new one, then another member of my family told them the exact same thing I did, now they have 512 megs and it's screaming. "told you so" was the only answer I could say. Oh well.

    1. Re:XP, 128 megs... by Sloppy · · Score: 1
      The first and biggest threat all the newbie users have on their computer are OUTDATED norton utilities giveaways they got with their machine.

      Uh.. no. The first and biggest threat all the newbie users have on their computer is whatever application they're using, which is downloading and executing viruses! Viruses don't "just happen", even with a very naive user; viruses only happen if some application designer goes to the extra trouble to support them by giving them a "click here to run virus" GUI.

      An ineffective virus scanner is certainly undesirable, but it's not so much a "threat" as it is an illusory third line of defense. By the time a virus can be scanned, multiple failures have already happened.

      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:XP, 128 megs... by hawkbug · · Score: 1

      Unless you have an unpatched windows system with automatic updates turned off. Then you can easily get infected with worms, such as the old Code Red worm from about 5 years ago - that's just one example of a windows worm that can get your machine if it's simply on without a firewall in front of it.

    3. Re:XP, 128 megs... by hughk · · Score: 1
      Your computer appears to be running slow click [here] for a free scan....

      This kind of thing really upsets me, because no matter how much you try to educate people, someone is going to click it and then bang, another exploit is launched. It shouldn't have been so easy for a system to be compromised, but it is. Maybe Vista will solve this, but wasn't the same said of XP?

      --
      See my journal, I write things there
  12. Norton must die! by GFree · · Score: 1

    Too many systems beyond the point of no repair, far too many to list. Most of them required a reformat/reinstall before I was confident of no hiding keyloggers and still having decent system performance.

    Having said that, a large proportion of these systems had some form of Norton AV installed, and EVERY SINGLE ONE had a virus subscription which had lapsed. Entirely useless in protecting those computers.

  13. Bugs by Anonymous Coward · · Score: 0

    The computer case was so old that bugs were living inside of it

  14. HOW did you clean it up? by paulius_g · · Score: 3, Interesting

    I consider myself a computer-savvy Linux and Windows systems administrator.

    But, I must ask, how on earth do you guys perform these kinds of clean-ups?
    Most spyware that I have seen in the last months are rootkits. They hide underneath the kernel, are impossible to delete and "reinject" themselves upon reboot. I've even seen spyware which injects malicious code and/or replaces the main Windows binaries (explorer.exe, taskmgr.exe, cmd.exe, notepad.exe, etc.) How would you deal with these buggers?

    When I come to a spywared computer, I start by running Spybot, AdAware and then AVG AntiVirus (to check for viruses/trojans). I would say that this technique is successful about 50% of the time. If it's not, I consider the situation disastrous and ask the person to do backups and go for a reformat.

    I've even touched computers which froze upon startup (Windows boots up and everything freezes). What would you do in these cases? I boot a LiveCD to do backups of the drive before the reformat.

    So once again, Slashdotters, how do you guys get rid of these nasty rootkit and evolved spywares which can hide very well without reformatting?

    1. Re: HOW did you clean it up? by cpct0 · · Score: 1

      I do like you do.

      I try all the good software... multiple times ... until they either find nothing, or enter into a totally endless loop ... or (like I wrote a few replies before) I abandon after a few hours.

      Mostly, it depends on the usage.

      In a company, with properly cared computers and correctly controlled environment... not a horrible control, only a minimal one, like telling people illegal things means losing their jobs, and non-job-related stuff are to be kept to a relative minimum (and no real enforcing of these), with a good anti-virus in a few steps, and a good spyware, firewall that protects, and proper security enforced domains... and please no direct computer sharing and full-access C$. ;) ... well on these environments, taking the time to reinstall would be longer, so you can take more time, and determine what's wrong with the computer, looking for spyware sites, google search "remove thevirusname", and so on. Usually, you will get proper information to properly clean the computers.

      Also, if you have that opportunity, get all the software onto a unclosed CD, and move things from another computer to that new one using that CD, with the blue wire unplugged. Tremendously helps to kill new spawns. Unclosed because you will have to add up tools to remove specific nasty strands.

      That's my trick.

      But with 2 teenagers, at least 2 sharing programs (and not the relatively safe torrents), "cursors", toolbars, "chat add-ons" and weird software you don't know is coming from where ... and strange network drivers ... well ... I'd say reformatting, reinstalling what they should've had, and a proper explanation of what they did wrong is the best bet you have.

    2. Re:HOW did you clean it up? by Veinor · · Score: 1

      I wouldn't, at least. I don't think that the extra time of trying to remove a rootkit would be worth it, especially since those things are so insinuated into the system usually that you can't remove them. I'd just run a scan on all the stuff they need to backup, back it up, and then FFR.

    3. Re:HOW did you clean it up? by Mike_ya · · Score: 1

      BartPE
      http://www.nu2.nu/pebuilder/

      Set up the McAfee command-line scanner and Ad-Aware plugins, create the CD, boot to the CD, scan the system.

      Not sure how successful that would be with the rootkits, but that's what I use when I have to clean up after users.

    4. Re: HOW did you clean it up? by hcdejong · · Score: 2, Informative

      My parents recently had a virus on their computer. No big deal (just one virus), but Norton AV couldn't remove it and the manual removal instructions Symantec gave were rather convoluted (Recovery console, blah blah blah). Solution: pull the disk, stick it in a USB box and hook it up to my laptop. Eureka! The disk is inert (it's no longer the startup disk), so you can repair at your leisure rather than trying to beat whatever got started up during boot. You have a functional system during the procedure (if for no other reason than to keep the removal instructions handy) and no arcana like the Recovery console. Also, you've got a virus scanner you know isn't compromised.

      I know what I'll do next time.

    5. Re:HOW did you clean it up? by Woy · · Score: 3, Insightful
      But, I must ask, how on earth do you guys perform these kinds of clean-ups?

      Nobody can completely clean a virus-infected system. The ones that claim they did, didn't, but don't know enough about the subject to know they didn't.

      To put it bluntly, computer security is like virginity. You either are or you aren't. If somehow, at any time, an "evil" binary ran on your system, then the system may be in the control of whoever wrote that binary in any number of ways.

      --
      "If God created us in his own image we have more than reciprocated." - Voltaire
    6. Re:HOW did you clean it up? by walt-sjc · · Score: 3, Informative

      how do you guys get rid of these nasty rootkit and evolved spywares which can hide very well without reformatting

      You don't. It is not worth the time and effort unless your personal / professional time has zero value. Get your data off and reinstall / restore from image.

      Otherwise (if you are getting paid well for it) you can boot off a live CD or install the drive as a second in another system (one that has all the autorun crap disabled), run AV/AS(pyware) on the drive, edit the registry removing all the startup items that you know aren't needed, run md5 comparisons on all the system files, and go from there. Dumping the registry and comparing with a known good registry is helpful at spotting crap.
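
The md5 comparison of system files that walt-sjc describes, as an added example that is not part of the thread: build a hash manifest of a known-good tree (a clean install patched to the same level, or the image taken when the machine was built) and compare a manifest of the suspect drive against it. The two sample trees, their file names and their contents are constructed inside temporary directories so the script runs offline; the suspect drive is assumed to be mounted read-only on a clean host, so walking it never executes anything from it.

```python
"""Hash-manifest comparison of a suspect file tree against a known-good one.

Added example, not code from the thread. MD5 is used because that is what the
comment names; the digest is a parameter, and SHA-256 is the better default
for a baseline built today.
"""
import hashlib
import os
import tempfile


def build_manifest(root, algo="md5"):
    """Map each file's path (relative to root, '/'-separated) to its hex digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.new(algo)
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(known_good, current):
    """Report files added to, missing from, or changed on the suspect tree."""
    added = sorted(set(current) - set(known_good))
    missing = sorted(set(known_good) - set(current))
    changed = sorted(p for p in known_good
                     if p in current and known_good[p] != current[p])
    return {"added": added, "missing": missing, "changed": changed}


def _write(tree, rel, data):
    """Create (or overwrite) tree/rel with the given bytes, making parent dirs."""
    path = os.path.join(tree, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a clean tree and a copy showing typical tampering."""
    baseline_files = {
        "WINDOWS/system32/kernel32.dll": b"stand-in for the real file",
        "WINDOWS/system32/drivers/etc/hosts": b"127.0.0.1 localhost\r\n",
        "WINDOWS/system32/ntoskrnl.exe": b"stand-in for the real file",
    }
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as suspect:
        for tree in (good, suspect):
            for rel, data in baseline_files.items():
                _write(tree, rel, data)
        # Simulated findings on the suspect tree (all constructed): a line
        # appended to hosts, an unknown file dropped into system32, and a
        # system file that is gone.
        _write(suspect, "WINDOWS/system32/drivers/etc/hosts",
               b"127.0.0.1 localhost\r\n127.0.0.1 example.invalid\r\n")
        _write(suspect, "WINDOWS/system32/xyz123.dll", b"constructed unknown file")
        os.remove(os.path.join(suspect, "WINDOWS", "system32", "ntoskrnl.exe"))
        return compare_manifests(build_manifest(good), build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the baseline manifest is written to a file once and kept off the suspect machine; `build_manifest` is then run against the mounted suspect drive and only the "added" and "changed" lists need a human look, which is far shorter than eyeballing a date-sorted directory listing.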

    7. Re: HOW did you clean it up? by krack · · Score: 1

      Make sure you either A. Hold the Shift key down while inserting the drive into your host, clean computer or B. have autorun turned off on the USB drive. I know of several virus's (viruii?) that will write out an autorun.inf to the root of whatever drive they're on for the express purpose of infecting a clean host machine in this process.

      Autorun is the devil.

      --
      Just because you are not paranoid does not mean they are not out to get you.
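
An offline check for the autorun.inf behaviour krack warns about, added here as an example and not code from the thread: before a suspect drive is attached to a clean host (or with AutoRun already disabled, as a triage step), read its autorun.inf as plain text and list every key that would cause AutoRun to start a program. The two sample files are constructed; `setup.exe` is a placeholder target, not a real indicator.

```python
"""Inspect an autorun.inf from a suspect drive before it is attached to a clean host.

Added example, not code from the thread. In the [autorun] section the keys
open=, shellexecute= and shell\\<verb>\\command= name a program AutoRun would
run. The file is read as plain text rather than with an INI parser, because
malware-written copies use odd casing and whitespace that strict parsers reject.
"""
import re

DIRECT_LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_COMMAND = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, in file order."""
    entries = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries.append((key.strip(), value.strip()))
    return entries


def launch_entries(text):
    """Keys that would make AutoRun execute something, with their targets."""
    return [(k, v) for k, v in parse_autorun(text)
            if k.lower() in DIRECT_LAUNCH_KEYS or SHELL_COMMAND.match(k)]


def assess(text):
    """Summarise whether this autorun.inf launches anything, and what."""
    launches = launch_entries(text)
    # First token of each value is the program; arguments follow it.
    targets = sorted({v.split()[0].lower() for _k, v in launches if v})
    return {"launches": bool(launches), "entries": launches, "targets": targets}


# Constructed samples (not real files). The first is the kind the comment
# describes: it starts a program from the drive as soon as the drive is attached.
# The second is the benign icon/label-only kind a driver CD carries.
SUSPICIOUS = r"""[AutoRun]
open=setup.exe
shell\open\command=setup.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

BENIGN = r"""[autorun]
icon=driver\logo.ico
label=Driver CD
"""

if __name__ == "__main__":
    print(assess(SUSPICIOUS))
    print(assess(BENIGN))
```

Windows stopped honouring autorun.inf on USB mass storage with the 2011 AutoRun update, so on a patched host the risk krack describes is limited to optical media and to older imaging stations; the check is still worth running because the file records what the infection wanted the host to execute, and that name is the next thing to look for on the drive.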
    8. Re:HOW did you clean it up? by Mr.+Hankey · · Score: 1

      Although I typically admin Linux systems, I'm occasionally called on to clean up Windows systems where it's not possible to reformat for whatever reason. Here's the basic strategy I follow, which while not complete is a good start if at some point you really need to clean one out.

      1) Like most people, I typically run an Antivirus application, Ad-Aware and Spybot SD to see what sort of spyware I can remove. I disable network access as well, so the software cannot re-download itself or other malware. Most of what I actually do ends up being done in safe mode, and System Restore gets disabled since a lot of malware will infect the restore points as well.

      2) If Ad-Aware or Spybot is disabled by a running application (some spyware does this) I look first in the task manager. Note that this doesn't show all possible applications, as a program can hide itself from the task manager, but if you're familiar enough with it you can usually pick out a few things that shouldn't be there. Google them and see what they are; you'll often find more details of the issue. Even if the software goes to completion and removes everything it finds, I go through the task manager and ensure nothing odd is there. If I verify that there's a problem, I try to kill the programs. This is not always possible, as some will run with System privileges which Admin can't touch. I make a note of these and do further research.

      3) Once this is done, I do a listing sorted by date of the system directories under Windows. The Windows top level (C:\WINDOWS or C:\WINNT) and the SYSTEM32 directories are the most common places for these applications to install themselves. Sometimes you'll find something in RECYCLER. Windows files have timestamps which are consistent across most systems if you do updates identically across all your Windows systems. Examining the files for interesting strings can help to determine whether they are spyware or possibly data files which the software would use to either infect other systems (IP lists and the like) or sometimes information (e.g. passwords) that the application would send to someone you don't want to have it. Once I've verified files that belong to these categories, I delete them or (if this is not possible) move them to another directory.

      4) Next, I dig into regedit and look in the various "Run" entries. You can find these by using Regedit's search function and searching for the word "Run". You'll get a few extra locations, but this will show you some of the places where Spyware often launches. Additionally, although this isn't as common, you can try searching the "Startup" folder under the Start Menu entry of each user's profile (as well as the All Users profile.) Occasionally, I've even seen the legacy Windows ini files corrupted. It can't hurt to look.

      5) After doing all these things and a few reboots, I typically go back and look at the system directories again. Some applications will keep re-installing themselves, many will use different filenames and occasionally locations. If it's not possible to kill it in Windows and the system has a FAT32 filesystem, I'll sometimes pop up Knoppix and remove the files that keep coming back. A BartPE disk can be useful for the NTFS systems, but be careful that the BartPE instance doesn't get infected.

      Our environment has a corporate Symantec AV subscription and we automate AV updates. Generally our problems come from malware which Symantec AV doesn't want to touch, typically spyware. Although we strongly encourage backing up data and reformatting, for those cases where it's just not possible (irreplaceable and unique software installations from a vendor for control systems etc.) these are a few techniques that can point you in the right direction.

      --
      GPL: Free as in will
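
Step 4 of Mr. Hankey's procedure, and walt-sjc's remark above about dumping the registry and comparing it with a known good one, both come down to the same check, shown here as an added example that is not code from the thread: take a Regedit export (.reg) of the suspect system's Run keys, parse it, and list every value that a clean reference machine of the same build does not carry. The export text, the baseline and the value named `xyz123` are constructed samples.

```python
"""Compare the autostart (Run) keys in a Regedit export against a known-good baseline.

Added example, not code from the thread. Parses the 'Windows Registry Editor
Version 5.00' text format; string data is unescaped, hex:/dword: data is kept
verbatim and multi-line hex: continuations are not joined (they are not needed
for Run keys, which hold strings).
"""
import re

# Key names Windows consults for programs to start at boot or logon.
AUTOSTART_KEY = re.compile(r"\\(Run|RunOnce|RunServices|RunServicesOnce)$", re.IGNORECASE)
# "name"=data  or  @=data (the key's default value)
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo .reg string escaping: a backslash escapes the character after it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            continue
        name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_unknown_autostarts(export_text, known_good):
    """Return [(key, value_name, data)] for Run-key values the baseline lacks or differs on."""
    # Registry key and value names are case-insensitive, so compare lower-cased.
    baseline = {k.lower(): {n.lower(): d for n, d in v.items()} for k, v in known_good.items()}
    unknown = []
    for key, values in parse_reg_export(export_text).items():
        if not AUTOSTART_KEY.search(key):
            continue
        expected = baseline.get(key.lower(), {})
        for name, data in values.items():
            if expected.get(name.lower()) != data:
                unknown.append((key, name, data))
    return unknown


# Constructed sample export (not taken from a real machine).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"xyz123"="C:\\WINDOWS\\system32\\xyz123.exe /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00,00,00
"""

# Constructed baseline: what a clean machine of the same build carries.
KNOWN_GOOD = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "SynTPEnh": r"C:\Program Files\Synaptics\SynTP\SynTPEnh.exe",
    },
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": {
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
}

if __name__ == "__main__":
    for key, name, data in find_unknown_autostarts(SAMPLE_EXPORT, KNOWN_GOOD):
        print(f"{key}\n    {name} = {data}")
```

The export is taken with Regedit's File > Export (or from the offline hive on the mounted drive, loaded under a temporary key) rather than by searching for "Run" by hand, and the baseline is an export of the same keys from a machine you trust; anything the comparison lists is then researched the way step 2 describes before it is removed.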
    9. Re:HOW did you clean it up? by Anonymous Coward · · Score: 0

      For nasty stuff where the owner insists on not fresh-starting, I typically run a plethora of anti-Xware|X={spy,ad,mal} and antivirus tools from a BartPE boot disk, like UBCD. For binary corruption, M$ installations come with the system file checker, which can be run from the CLI ("sfc /scannow") with a Windows CD; however, this requires a functioning system. System Restore is crap. If the corrupted file is a driver, sometimes you can restore it from a Windows CD. Registry infection can get nasty .. there are too many places to hide. I guess you could try backing up the infected registry hives and temporarily replacing them with fresh ones, then give "sfc /scannow" a whirl. Someone once told me that reinstalling SP2 will sometimes work.

      Bottom line is, removing every last trace of a nasty infection is an NP-hard problem; therefore, you can give a good justification to the owner why it is computationally infeasible to clean their computer.

    10. Re:HOW did you clean it up? by Anonymous Coward · · Score: 0

      1. Take the hard disk out. Put it inside your USB HDD enclosure.
      2. Connect USB HDD to a good System with all the Anti-virus, anti-spyware & anti-xyz stuff.
      3. Scan & clean the HDD.

      How about the above? Wouldn't it be the best way? (I don't have experience)

    11. Re:HOW did you clean it up? by Some_Llama · · Score: 1

      Rootkit Revealer also helps to show rootkits, or at least alert you to the presence of same...

  15. Good Ol' SunOS by Jethro · · Score: 5, Interesting

    I 'inherited' a SPARCserver running SunOS 4.1. Yeah, you can secure SunOS 4.1 (kinda). But the guy who was in charge of the UNIX machines for the past few years hadn't. This was in 1996 or so and commercial ISPs were relatively new and nobody had really ever considered security.

    When I took over the machine I started lobbying the boss to let me do some security work on it and he'd never let me do it. We gave users FULL SHELL ACCESS. Compilers included. Oh, and SunOS didn't even have shadow passwords by default!

    Anyway, a few months into that someone changed the MOTD to some racist statement. That's when the boss finally let me do stuff.

    But he wouldn't let me reinstall the thing. OR take shell-access away.

    It was a constant battle. Every day I'd show up and look for what they did TODAY, and fix it. Just try to stay ahead of them, and they tried to stay ahead of me...

    Sometimes I'd stay up at night and ttysnoop on them talking to their other friends on IRC. Then I'd sigsev their IRC client, and watch them log back on and complain about how the sysadmin can't even keep IRC from segfaulting randomly. Then I'd take over their terminal and start saying crap about the other people he was talking to, until his friends kickbanned the hell out of him. Haha.

    I eventually managed to let the boss allow me to replace the shell with a restricted shell (ok, a shell replacement I wrote in perl - it was easier than reading the manpage for rksh).

    So basically the point was to make it not worth their while to break into my server.

    Eventually this kid started DOSing us. We had a small 64K line to the 'real' internet, and he was on a DS3 in some university in Sweden. Our uplink (UUnet) said they couldn't do anything. Yay. So one day my boss (not the big boss) goes "hey, didn't you say they brag about this stuff on IRC?" I said "Yeah" and he goes "Teach me how to use IRC!!!"

    The guy figured out IRC, found some 'hacker' channels, and FOUND THE GUY who was bragging about DOSing us. Started talking to him, getting kinda friendly. Guy starts blackmailing us - said that unless we gave him a machine with his own hard drive (he demanded at least 4 gigs) he'd DOS us again. So we gave it to him to see what he'd do. He filled it up with warez (gah) fairly fast, and then had to download it all with a 28.8K modem...

    So my boss goes "Hey... why don't you come in and bring a hard drive and we'll copy it for you?"

    And the guy did it. He came into our office. Where I had an IndyCam setup for him. And where we had a PI waiting outside to follow him home. And of course he brought his harddrive which we copied everything off, including his master host/password list.

    The kid was 15, so we couldn't sue him or anything. But we did get a LOT of info about him. My boss basically went through all the guy's hosts and nuked them or, if they seemed legit, changed his passwords and Emailed the admins. And some of these were machines belonging to some pretty big cracker/hacker/whatever rings. We nuked those, too.

    I like to think that was a pretty good security clean-up. We got rid of a LOT of bad-guy hangouts at that point.

    Oh, and I was no longer with that company, but when that kid turned 18, they got him thrown in jail. That was fun, too.

    --
    In the land of the blind, the one-eyed man is kinky.
    1. Re:Good Ol' SunOS by name*censored* · · Score: 1
      when that kid turned 18, they got him thrown in jail. That was fun, too.

      I love a happy ending! (No, I'm being serious... damn cyberthugs, making those of us with any sort of computer skills seem like evil spam-kings)
      --
      Commodore64_love: I don't comprehend people who're so frightened of death that they'll bankrupt themselves to stay alive
    2. Re:Good Ol' SunOS by Anonymous Coward · · Score: 0

      That truly is a great story. Thanks for taking the time to type it all up!

      Have a nice day!

    3. Re:Good Ol' SunOS by MisterOblivious · · Score: 1

      Brilliant! Social Engineering works both ways.

    4. Re:Good Ol' SunOS by Anonymous Coward · · Score: 0

      I call bullshit.

    5. Re:Good Ol' SunOS by Jethro · · Score: 1

      You call incorrectly.

      Remember, this was 10 years ago. And not in the US.

      --
      In the land of the blind, the one-eyed man is kinky.
    6. Re:Good Ol' SunOS by shoolz · · Score: 1
      There are some things that don't add up:
      • Claims that the kid was 15, but in university - when I was 15, I was in grade 9
      • Implies strongly that the person was in a different country, but came to visit when lured in by boss - think about it... how does a 15 year old a) afford plane fare; b) get away from his parents.
      Good story though...
    7. Re:Good Ol' SunOS by Anonymous Coward · · Score: 0

      If the kid was hacking Unix boxes at 15, it's totally feasible that he was already in a university. My wife graduated high school and was in college by age 16.

    8. Re:Good Ol' SunOS by slackmaster2000 · · Score: 1

      He said that the kid was on a machine at a university in Sweden, which doesn't necessarily mean that the kid was *in* Sweden; later he says that the kid had to download warez files at 28.8K, implying that he was connecting to the machine he was "on" from a remote location.

      You could be correct, of course, but I didn't interpret it the same as you.

    9. Re:Good Ol' SunOS by vox_soli · · Score: 1

      He said the kid was using a machine at a university in Sweden, not that he attended said university. Swedes can have insecure machines too, you know. Anyway, I was in university at 16, and was done with high school at 15, so it isn't that much of a stretch for this kid to be in university at 15. I could have been if I hadn't spent that year sitting around goofing off and reading Misner, Thorne and Wheeler instead.

    10. Re:Good Ol' SunOS by Achromatic1978 · · Score: 1
      Claims that the kid was 15, but in university - when I was 15, I was in grade 9

      I had a Bachelor's degree before my 19th birthday.

  16. Real Player by Barkmullz · · Score: 5, Funny

    I once tried to uninstall Real Player, but I was not successful so I guess it does not count.

    --
    Ronald said nothing. He flung himself from the room, flung himself upon his horse, and rode madly off in all directions.
  17. You're probably not looking for this one by dch24 · · Score: 2, Interesting

    This is on-topic, but not the answer everyone else is giving...

    My last encounter with a virus was when my brother (who had been abroad) came home, and a few days later I got an email from him with an executable in it. I downloaded the executable and found ... surprise, he got a virus using IM, which spammed everyone in his address book. I notified everyone in his address book, cleaned up a few infections, and have never had a problem since.

    Seriously. I didn't even have the free version of Ad-Aware installed until late 2004, and when I ran it I had lots of tracking cookies... that was all.

    I do heavy development in Visual Studio, but only for consulting work. The rest I do in linux. I've never had a problem. I admin lots of systems, and I've seen rootkits on Solaris, but I've been lucky so far with all the linux servers I've looked at.

    It's possible some of my mistakes weren't discovered until much later and no one bothered to tell me. But my own workstation has never been exploited. Sorry, hate to disappoint everyone, but I have nothing to tell.

  18. Linux slapper was my worst by Anonymous+Crowhead · · Score: 1

    About 5-6 years ago. Oh, yeah, in 1995 I think I got a macro virus on a Mac using Excel.

  19. Was it running Vista? by wan-fu · · Score: 0, Offtopic

    Was it running Vista?

    1. Re:Was it running Vista? by Ergasiophobia · · Score: 1

      Offtopic? No one else sees the joke in this?
      Sorry man, if I had mod points I'd give you a +1 funny.

  20. This one time... by GoodbyeBlueSky1 · · Score: 1

    I had to clean up a computer infected with the www.yzzerdd. That wasn't even the weirdest part, cuz the guy who owned the computer was a friggin sack of french fries. Crazy shit man.

    --
    why? forty-two.
    1. Re:This one time... by LunaticTippy · · Score: 1

      That link is broken.

      Seriously, ATHF is sometimes great and that is one of my favorite episodes.

      --
      Man, you really need that seminar!
  21. W32.CIH by dragonquest · · Score: 1

    1600 traces of W32.CIH from a Win98SE PC, god the amount of time I spent bringing that piece of crap back up again.

    --
    "Never try to tell everything you know. It may take too short a time."
  22. Exchange, Outlook and Klez by toadlife · · Score: 5, Interesting

    Flash back to around five years ago.

    I was a junior admin at my current job and at the time, we ran Exchange 5.5 on WinNT4.

    One day, the Exchange server stopped responding. Our senior network admin was not in - in fact nobody was there that day, except for little old me - so I meandered into the server room to check it out.

    Now, Windows NT4, while it had the potential to be fairly stable, was not exactly known for its rock-solid reliability, so I wasn't too alarmed when the server stopped responding. I logged onto the machine, and checked the services. Some of them were stopped. I tried to start them and got some cryptic error message. I also noticed that launching other executables, like Notepad, gave similar cryptic errors.

    I did what every semi-incompetent Windows admin would do in that situation; I rebooted the server. The server came up, and I got the dreaded "One or more services failed to start up..." message. I logged on and noticed that the same exchange server services that were not started before the reboot were still not running.

    Not good.

    So I tried to launch a few other programs and some of them failed too. By this time, I was suspecting a virus. The server was rather sluggish for having no major services running and the task manager had lots of weird things jumping around in the process list.

    I was able to open up the local virus scan app and start a scan and soon I got my answer. Klez.

    An hour or so of research and dozens of reboots later, the server was finally free of the Klez virus. Unfortunately, due to the fact that Klez was a file infector and the cleaning process didn't always leave infected executables in a usable state, Exchange and many parts of Windows were still very broken.

    Oh. Did I mention this was our first in site Exchange server...and our PDC?

    In order to try and get Windows back to working order, I reinstalled Windows NT service pack 4. To my delight, this actually fixed Windows! I was ecstatic. So the next order of business was to get Exchange back up. I tried installing the latest Exchange service pack, but that didn't work. I was not an Exchange expert by any means, so I wasn't quite sure WTF to do at this point. I could just say fuck it, and wait until the next morning for the senior network admin to come in, or stick with it. I decided to do something that I was sure would hose the system - stick the Exchange CD in and reinstall Exchange over the broken copy. Since the system was already hosed, I figured I couldn't make it any worse. I figured this would wipe out any custom settings, so I made backups (and backups of those backups) of all of the Exchange information stores before starting.

    To my delight, reinstalling Exchange, and the service packs actually worked! The Exchange system was back up!

    It was now about ten o'clock and I had triumphantly recovered the company jewels. But I was not done.

    Somehow a few of the other servers had also become infected with the virus. Cleaning these up was a bit easier, and the virus never actually got executed on those machines. I spent another hour or so scanning and cleaning the other servers that had infected files.

    It was about midnight by the time I was done.

    Now, you might be wondering. How the heck did this ever happen? Klez was primarily an email virus that relied on social engineering or extremely weak share permissions to spread.

    Here's how:

    Our senior network admin had an "interesting" way of administering exchange accounts. He would install the entire Microsoft Office Suite on the Exchange server, and after creating a new user account, he would log onto the Exchange server as his domain admin account, and set up the account in Outlook to "test it". If you have half a brain cell, you can see now how the Exchange server got infected.

    As for the other servers that got infected, our senior network admin just LOVED to have network drives mapped at all times (just in case?). He had THE logon script from hell, and Klez, also having the ability to spread via file shares, infected every server he was mapped to when he logged onto the Exchange server.

    That's my story.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    1. Re: Exchange, Outlook and Klez by richie2000 · · Score: 1
      He would install the entire Microsoft Office Suite on the Exchange server, and after creating a new user account, he would log onto the Exchange server as his domain admin account, and set up the account in Outlook to "test it".

      IIRC that was SOP because there were some settings in Exchange that only a locally installed Outlook client could access. Now, I don't know if your admin actually needed to access any of those settings...

      --
      Money for nothing, pix for free
    2. Re: Exchange, Outlook and Klez by toadlife · · Score: 1

      "IIRC that was SOP because there were some settings in Exchange that only a locally installed Outlook client could access. Now, I don't know if your admin actually needed to access any of those settings..."

      Well I didn't admin Exchange back then so I've never heard of that, but I do remember that our admin was only using the Outlook client to see if the account would work.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    3. Re:Exchange, Outlook and Klez by obeythefist · · Score: 1

      Hmm, Exchange and PDC? That is one of the Do-Not-Do-This(tm) things isn't it?

      --
      I am government man, come from the government. The government has sent me. -- G.I.R.
    4. Re:Exchange, Outlook and Klez by toadlife · · Score: 1

      Definitely.

      Almost as big a no-no as reading your email in Outlook whilst logged as the domain admin on your first-in-site exchange/PDC.

      I have other fun stories about this senior admin...like the day he decided "the network neighborhood was cluttered" and decided to delete all of the workstations' domain accounts.

      Guess what junior admin got to go around and re-add all of the computers to the domain that day?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  23. The woman who wanted in-house service. by shoolz · · Score: 5, Funny

    This is from 2005! Her computer was a PII 75 running Windows 95. The basic problem is that it had been overrun by viruses. A one-hour fix if I had taken out her hard drive, plunked it into my repair PC and done a virus scan... but she refused to allow her machine out of her house for fear that I would steal it. Rather than entrust her $50 PC to me, she instead paid me $280 in house-call fees while I sat there for 8 hours with my arms crossed, watching AVG do its stuff.

    1. Re:The woman who wanted in-house service. by Morphine007 · · Score: 1

      Didn't I see this story in a Jenna Jameson flick once?

    2. Re:The woman who wanted in-house service. by Anonymous Coward · · Score: 0

      That wasn't the "in-house servicing" she was hoping for.

    3. Re:The woman who wanted in-house service. by Moderator · · Score: 0

      They didn't make a Pentium II 75.

      --
      The World is Yours.
    4. Re:The woman who wanted in-house service. by Anonymous Coward · · Score: 0

      /cue porn music

  24. Here's my toolkit... by Anonymous Coward · · Score: 2, Informative

    NB: posting as AC to prevent whoring

    I've been working in the small shop/repair business for over 5 years, and it's a weekly experience to get a machine in with thousands of trojans, viruses and spy apps. In cases where a re-install may not be desirable or feasible, here's a list of the tools we use to find, isolate and eradicate hostile software.

    Disclaimer: I do not work for any of these companies, nor have I been paid anything by them. I just find that these tools work. Your mileage may vary.

    1: Antivirus

    As most of our customers are home users, we can recommend Grisoft's AVG as the most capable and reasonably priced ':)' antivirus out there. It does a pretty good job, and the installers are kept up to date so you don't have to fudge around with d'loading on a broken box.

    AVG Free

    2: Anti-Spyware

    No-brainer. The best two in the business. Spybot and Ad-Aware. They don't get everything, but they both do a darn good job, and can even set themselves up to run on reboot before some of the uglies get going. We leave them on the system so we can attempt to train the user towards a safer future.

    Ad-Aware Personal
    SpyBot S&D

    3: Process Viewers

    Now this gets a little harder. Neither of these tools will do the job automatically, but with care, can show you the files and processes that are the center of these little problems. Personally, I like MS/Sysinternals Process Explorer, my boss prefers PrcView. As an interesting note: You'll occasionally find a hostile that can stop certain known process viewers from starting up. Get the old 95/98 version of PrcView. They always seem to miss that one. Recording the file name of the app, rebooting to the recovery console, and going in to hand delete the app works 98% of the time.

    PrcView
    Process Explorer

    Now, the easy route....

    Get yourself one of these: a USB HDD Adapter Kit from your favourite retailer, and just hook the offending HDD up to a good machine with an up-to-date anti-virus scanner. You will have some broken startup and registry entries left over, but they're pretty simple in comparison.

    I'd normally say, Enjoy! at this juncture. But you probably won't.

    Best of Luck

    kgs

  25. Chernobyl by Guido+del+Confuso · · Score: 2, Interesting

    A bunch of my computers once got infected with Chernobyl, and it proceeded to trash the BIOS on two or three machines. I was pretty pissed about potentially having to replace these motherboards, so I said screw that and got an EPROM writer. With the latest version of the BIOS from the manufacturer, I flashed me up a few EPROMS and plugged 'em in. Suckers booted right up, and since the only way to erase them was with UV light, they were completely immune to BIOS attacking viruses thereafter.

    1. Re:Chernobyl by Datamonstar · · Score: 1

      Chernobyl rocks. My favorite virus by far.

      --
      The eternal struggle of good vs. evil begins within one's self.
    2. Re:Chernobyl by hedronist · · Score: 1

      One of the all time classics.

      On April 26th a few years ago, a dental office I did work for called up saying they were having trouble booting their server. While trying to figure this out over the phone, the manager said, "Oh, by the way, we're having some problems with the 5 client machines."

      Bing! Red flag. I googled on "virus April 26" and found Chernobyl. I told her there was a good chance the machines were toast.

      Good outcome, though. The manager was anal about backing up their patient database (quite a large one). She bought 6 new machines at BestBuy and the office was back in business the next day.

    3. Re:Chernobyl by MonstaNoggin · · Score: 1

      Totally, and like of all the crimes against humanity germ warfare is my favorite

      --
      "I'm not on crack, I'm straight up mentally ill"
    4. Re:Chernobyl by Achromatic1978 · · Score: 1
      You've obviously never heard of - ack, I can't remember the name but an Amiga virus:

      remember viruses during the old Amiga days. One of them was a little animation that would play on your screen while it would vibrate the stepper motor on your floppy drive to play a tune (El Condor Passa). Plus the damned thing would reside in static ram and if you turned it off the little animation would flip you off. You basically had to unplug the computer and leave it off for a few hours.
      I think, too, that too many instances of this threw the head out of alignment, so you could not read any old disks, but anything you saved could be read perfectly - but only by that specific drive.
  26. Sendmail, spam relay, posted AC for obvious reason by Anonymous Coward · · Score: 2, Interesting
    So a few months after warning our (ignorant) IT staff that the version of Sendmail distributed with our version of Solaris was about a year and a half behind the time, I wonder why our main box is so slow, and I see 500 processes dutifully spamming the rest of teh Intarweb.

    I get on the horn the folks in the IT department. "Yo, d00dz, we finally got pwn3d."

    "Not our problem."

    "No, really. The reason the box is so slow is because we've run an open relay for (censored) months, and this dude from a (censored).aol.com dialup has finally decided to exploit it. Shut him down."

    So they do.

    An hour or two later, the guy dials back in to his .aol.com dialup IP, and pwns us again.

    So I get on the horn again.

    And when the same dude I reported the problem to not six hours earlier comes to my own cube, and I show him the output of "ps" with his own two eyes, he denies that there's been any compromise.

    So I escalate to my manager who's not there.

    And in the absence of my manager, to her manager.

    Who asks me what kind of spam is going out. And I reply, having seen the megabytes of world-readable spam in the output queue, that it appears that "Hot Vegas Sluts Want To Suck Your Cock", Sir, and that anyone reading *clickity-click* these headers will be able to determine that the spam's coming from our netblock, he sorta went blank.

    I pointed out (actually, I lied, because our sysadmin had seen the evidence with his own two eyes) that our sysadmin had left for the day and had no way to know that the system was pwn3d. And suggested that, in the absence of sysadmin expertise, it was therefore up to the PHB-type to make the call as to whether to page our sysadmin.

    Couple of hours after having left the office for the night, the spam stopped and the open relay got closed.

    Couple of hours after coming back in the next day, the guy who owned the root password suggested, by means of forged email to the entire company, that someone in the company oughta either do his own job or find another.

    (Props to the admin for being discreet about it. Seriously.)

    But since the #0 commandment of any user of a system is to "never piss off the dude with root", I realized my days were numbered. Never mind that I'd actually lied to cover up my sysadmin's incompetence, and in doing so, saved his ass, but since my sysadmin (obviously, since he didn't need to know I'd lied to cover his ass :) wasn't in a position to see it that way, I was back to following rule #0.

    I never had the heart to tell him how hard I covered for him. He probably still thinks I ratted him out.

    Wait a minute. The worst security cleanup I've performed? That was the best security cleanup I've performed.

    Because I took his advice. I quit the company a few months later, and am now around a million bucks richer, a good chunk of which came out in the form of stock options that I'd never have been issued had I not left the company and landed at a startup that made good.

    So - if my former BOFH ever reads this - thanks. If I'd just kept my head down and done my own job, I'd still be working at the same place you stayed. But because I took your advice and stopped doing my job in order to "get another", I'm not only happy - but able - to buy you, and all your staff, as many beers as you like whenever I swing back into town.

    The funny part of the story is all the admin would have had to do was wink at me while pulling one plug outa the box and lie to his boss, claiming whatever he wanted for the 20 minutes of downtime it woulda taken him to compile a current version of Sendmail, and I woulda backed him up on it. "Yeah, I saw the mail server go down around the same time. Mail was down for a bit, but it's a good thing XXXXX was on the job. He saw it before I did."

    But it didn't work out

  27. remote linux reinstall, over dialup, from a mac by MagicMike · · Score: 1


    I used to run a server on the campus of a university.

    Winter rolls around, and I left the university for winter break.

    While travelling around, I got a call that indicated the server was sending a lot of mysterious traffic across the internet and "they" had unplugged it.

    Well, that's not good...

    Apparently I was the victim of a sendmail exploit. Alas. What can be done?

    I had to call and direct the reinstallation of Redhat 4.2 remotely through the hands of a geology grad student until it was on the internet, then finish rebuilding and restoring the machine remotely from my father's pathetically slow macintosh, on a dialup.

    Did I mention he likes to drink a lot, and when he does, he plays crazy-bad music (like, Celine Dion) at extremely high volume on his stereo, which is in the living room directly below and open to the loft the computer was in?

    That was a long night.

    The server was up and fulfilling its educational mission again the next morning though, minus one security hole :-)

  28. Better yet, how do you clean-up? by nevesis · · Score: 1

    There are two schools of thought regarding how to do security clean-ups.

    One: backup data (or preferably not), format, reinstall.

    Two: remove all malware, replace corrupted files.

    The difficulty is that both schools have inherent advantages and disadvantages.

    While the first is virtually foolproof, it means reinstalling applications, cleaning through backed up data anyway, and fine tuning the system to the user's needs. The first is a problem for many of us running Windows boxen with hundreds of (sometimes rare) applications installed. The second is a problem for anyone who does archive important data, and the third for both superusers and grandpa alike.

    The second method is not foolproof. Many people will run an off the shelf anti-virus and anti-spyware, usually ones with mediocre detection rates. Some will couple this with an XP "repair install". Good start -- but still not adequate. This is a game of cat and mouse, and unless you're really good, you're probably on the losing team. The advantages, of course, are that you aren't limited by the disadvantages of a reinstall.

    The end user must weigh the advantages and disadvantages. For example, I'd presume that most all of us are capable of the first method, but honestly, are many of us truly adept at the latter? I doubt many of us truly are. And I can all but guarantee that the nationwide repair centers, and even most of the local repair shops, are not capable -- or at least not willing -- to fully clean your system.

    A plausible solution? On a non-networked PC, do a fresh install with all applications and back it up to an image which can be easily deployed in the case of tomfoolery. Data files can all be checksum'd to alert you to tampering, and multiple backups can reduce infection rates. Perfect? No. But a middle ground between the two common solutions, which we can all appreciate.
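    The "checksum'd data files" part of that middle ground, as an added example that is not the poster's own tooling: a POSIX sh script that records a SHA-256 manifest of a data directory and later diffs the tree against it, reporting modified, missing and newly dropped-in files rather than a bare pass/fail. It assumes GNU coreutils (sha256sum, sort -z, xargs -0) and builds a small constructed sample tree in a temp directory, so it runs offline.

```shell
#!/bin/sh
# Added example (not the poster's own tooling): keep a SHA-256 manifest of a data
# directory and later diff the tree against it, reporting MODIFIED, MISSING and NEW
# files. Assumes GNU coreutils (sha256sum, sort -z, xargs -0); the sample tree is
# constructed in a temp directory so the script runs offline.

# Write a manifest of every regular file under $1 into $2.
# NUL-separated find/sort/xargs keeps paths with spaces or newlines intact.
make_baseline() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# Compare the tree under $1 with manifest $2. Prints one line per difference and
# returns 0 only when nothing differs. sha256sum lines are "<64 hex>  <path>", so the
# path starts at column 67; using substr() instead of $2 survives spaces in names.
verify_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    diffs=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in base)) print "NEW " p
            else { if (base[p] != $1) print "MODIFIED " p; seen[p] = 1 }
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$2" "$current" | sort)
    rm -f "$current"
    [ -n "$diffs" ] && printf '%s\n' "$diffs"
    [ -z "$diffs" ]
}

# Build a small constructed data tree plus its baseline; echoes the work dir.
make_sample_tree() {
    work=$(mktemp -d)
    mkdir -p "$work/data/docs"
    printf 'ledger 2007\n' > "$work/data/docs/ledger.txt"
    printf 'some notes\n'  > "$work/data/notes.txt"
    make_baseline "$work/data" "$work/baseline.sha256"
    printf '%s\n' "$work"
}

# Untouched tree: verification passes (returns 0).
demo_clean() {
    work=$(make_sample_tree)
    if verify_baseline "$work/data" "$work/baseline.sha256"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

# Simulated tampering: one file edited, one dropped in, one deleted.
# Prints the three findings and returns 1.
demo_tampered() {
    work=$(make_sample_tree)
    printf 'ledger 2007 (edited)\n' > "$work/data/docs/ledger.txt"
    printf 'placeholder\n' > "$work/data/dropper.exe"   # constructed stand-in, not malware
    rm -f "$work/data/notes.txt"
    if verify_baseline "$work/data" "$work/baseline.sha256"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

demo_clean && echo "baseline OK"
demo_tampered || echo "tree differs from baseline"
```

    In use, the manifest belongs on media the infected box cannot write (the same removable image the post suggests), otherwise whatever tampers with the data can rewrite the baseline too.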

  29. tops me by tezbobobo · · Score: 1

    A windows box - no firewall - no antivirus - no updates - 3500ish unique virii, spyware, etc... Brother-in-law's. There was some nasty shit on that thing.

  30. Saddam Virus back in the early nineties by Carthag · · Score: 1

    I think 70% of my Amiga disks had that damn virus. I took to installing Nuke Saddam in the bootblock of every new disk I got.

    1. Re:Saddam Virus back in the early nineties by rjstanford · · Score: 1

      I had -- I forget what it was called actually, but right when the bootblock viruses started coming out (late 80s maybe?) I remember coming across a nice bootblock program that filled up all available space with a stupid little light/sound show. The idea was that if it ever looked or sounded different starting up, you had a virus on the disk. I never did, of course, but I got very used to the startup show anyway.

      --
      You're special forces then? That's great! I just love your olympics!
  31. pffft by crossmr · · Score: 1

    8 million unique items, I hadn't even made it out of the master boot record.
    *adds a couple more pens to his pocket protector*

    I cleaned it with dental floss and belly button lint.

    1. Re:pffft by crossmr · · Score: 1

      oh and btw if slashdot is going to keep approving questions like this, I nominate a new tag "geekpissingcontest"

    2. Re:pffft by Killjoy_NL · · Score: 1

      Now now, don't be pissy.
      Articles like this are great resources for information and in this case cleaning methods.

      We are here to learn from each other and share "war" stories.

      --
      This is the sig that says NI (again)
    3. Re:pffft by crossmr · · Score: 1

      I'm not being pissy, I just constantly see questions like this and the inevitable answers. Considering some of the tags already in use, that certainly wouldn't be out of place.

    4. Re:pffft by Killjoy_NL · · Score: 1

      That may be, but personally, I always learn something new :)

      --
      This is the sig that says NI (again)
  32. GPEdit + sysinternals + scan tools by OxygenPenguin · · Score: 1

    I worked in the IT of a smaller school, where we did infected student machines for free (it was a private school). So, we routinely got some pretty bad ones. A few of them would take nearly an hour to start up, overheat before completing startup, etc. Some of them had in the neighborhood of 15,000-20,000 separate infected files. It was insane how badly some of these kids had messed up their machines, and a lot of them were freshmen (I cry a little at night thinking of all that beautiful hardware being wasted :( ).
    Sometimes it took me a few days, but I never sent a single one back having to reformat or reinstall. I wrote a lot of block scripts with Group Policy Editor, used Process Explorer from SysInternals a lot (goodbye Mark! I miss you already!). Most of the time, however, XClean, Spybot and Ewido were plenty to remove the adware that was crippling the machine.

    --
    Read the only personal Runyon page out there.
  33. some war stories by Anonymous Coward · · Score: 5, Interesting

    I don't clean up virused windows machines. I consider them to be pre-virused from the start. Anyway, they can only infect other windows machines, so what's the harm? I use them until they get too slow to use and then re-install, when I use them.

    I've dealt with some nasty cases on linux though. Be forewarned, a lot of the twitchy sys admin types who believe in the "proper" way of doing things are going to be driven crazy by what follows.

    Story 1: A visitor to my house needed to use ftp (ftp something TO me, for obscure reasons I have forgotten), and I temporarily turned on the ftp server on my Redhat 6.1 box on my cable modem. Later I noticed the machine running slow and a stuck process with a disguised name; grepping strings on the executable showed it to be an IRC server with built in commands that would DDOS people. Examination of logs showed I was cracked within three hours of turning that ftp server on. I was running tripwire, so I had a daily email showing what files had changed, but I had not been updating tripwire much, so I had to dig through lengthy lists to find out what new files had arrived and remove them. The computer that hacked mine was another RH 6.1 on a DSL in California, that was serving up web pages of pictures of salvage autos from a junkyard, all in Spanish. I did not bother to contact them.

    Story 2: About three years later, when RH 6.1 was pretty old, I was working for a guy who had a few remote RH 6.1 servers at his customer's sites around the country. They never connected to the internet, we dialed into them on the modem, thus no security worries, right? Well, we had to make them dial out to an ISP and email us the IP address, because they changed their phone system and we temporarily couldn't dial into the remote machine, and that got cracked within a few hours. Examination of a few clues, which I have forgotten, led me to conclude it had an Aurora root kit on it, which is a kernel module that the kernel reads in on bootup, that then filters all your ls and lsof and other commands to stop you from finding it or removing it. The solution I came up with was to go to an identical machine and compile an identical kernel, except with all modules built in and the ability to load modules turned off. The decision was made to make them mail us the hard drive back and we mailed them a replacement before I got to try it.

    Story 3: a Debian server a different, later employer used was the NATing gateway, mail server, file server, essentially everything for a very small office. The boss-man either connected to it from an infested public terminal at a university, or it was brute-force ssh'd, not sure. It was compromised, and not noticed for months because the guy never did anything (this was confirmed by going back through backups and checking for when the key files appeared). I noticed it when I discovered I couldn't update something because someone had used chattr to make the file immutable, and of course that file was a trojan (it took me a while to figure that out). I booted up with a live CD to make sure no aurora type root kit was interfering with my access, and searched the entire disk for every immutable file (using lsattr and grep), and then hand-replaced the binaries used by apt-get and dpkg and friends, and then chrooted to the disk and did "apt-get --reinstall install packagename" for every compromised binary. I got the package name from "dpkg -S /whatever/file" on each bad file. It took hours in spite of perl scripting a lot of it.

    I discovered a "hidden" directory (named with a single space character) that had tools to make random searches on yahoo and scrape the resulting pages for email addresses, and the spam had links to a fake bank login page, and the stuff to host that page was also there. As far as I could tell it was never unpacked and run. It was in a tar.gz with a script to unpack it and set it all up automatically.

    He was running a package of two or three cobbled together sniffers and a compromised ssh
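    The immutable-file hunt from story 3, written out as an added example rather than the poster's own perl: a small sh pipeline that filters `lsattr -R` output for the immutable flag and maps each hit to the Debian package that ships it, ready for the `apt-get --reinstall install` step. It assumes e2fsprogs' lsattr output format and Debian's dpkg; the lsattr lines below are constructed, not captured from any real box, and include an uppercase `I` (indexed directory) entry to show the flag that must not be confused with lowercase `i`.

```shell
#!/bin/sh
# Added example, not the poster's script: the immutable-file hunt from story 3 as a
# small pipeline. lsattr -R (e2fsprogs) prints "<attrs> <path>"; a lowercase 'i' in
# the attribute string is the immutable flag that chattr +i sets. Assumes Debian's
# dpkg for the package lookup; the lsattr output below is constructed, not captured.

# Constructed stand-in for `lsattr -R /usr/bin /etc` (directory headers included).
# /usr/bin/.cache carries only the uppercase 'I' (indexed directory) flag, which
# must not be mistaken for immutable.
sample_lsattr() {
    cat <<'EOF'
/usr/bin:
----i---------e---- /usr/bin/dpkg
--------------e---- /usr/bin/ls
----i---------e---- /usr/bin/apt-get
-----I--------e---- /usr/bin/.cache

/etc:
--------------e---- /etc/hostname
EOF
}

# Read lsattr-formatted lines on stdin; print only paths carrying the immutable flag.
# Directory headers ("/usr/bin:") and blank lines have no space-separated attribute
# field and are skipped. Everything after the first space is the path, so names with
# spaces (including a directory named " ") survive.
immutable_paths() {
    while IFS= read -r line; do
        attrs=${line%% *}
        [ "$attrs" = "$line" ] && continue
        case "$attrs" in
            *i*) printf '%s\n' "${line#* }" ;;
        esac
    done
}

# Map a path to the Debian package shipping it, for `apt-get --reinstall install PKG`.
# Prints "unpackaged" when dpkg does not know the file: on a compromised box such a
# file is itself worth a look. Prints "unknown" where dpkg is not installed at all.
owning_package() {
    if ! command -v dpkg >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -n "$pkg" ]; then echo "$pkg"; else echo unpackaged; fi
}

# Number of immutable entries in the constructed sample.
count_immutable() {
    sample_lsattr | immutable_paths | wc -l | tr -d ' '
}

# Demo over the sample. On a real cleanup, run from a live CD against the mounted
# disk and replace sample_lsattr with `lsattr -R /mnt/disk 2>/dev/null`.
sample_lsattr | immutable_paths | while IFS= read -r f; do
    printf '%s\t%s\n' "$f" "$(owning_package "$f")"
done
```

    Run from the live CD, `dpkg -S` has to be pointed at the mounted root (`dpkg --root=/mnt/disk -S ...`), and the reinstall itself still belongs inside the chroot as the story describes; a package name from `dpkg -S` only says who should own the file, not that the copy of dpkg doing the lookup is trustworthy, which is why the post hand-replaces the apt/dpkg binaries first.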

  34. just finished recently by Tumbleweed · · Score: 4, Funny

    Congress. Got that bitch all cleaned up. Sure took a while, though. You wouldn't _believe_ the shit that was going on in there!

    1. Re:just finished recently by walt-sjc · · Score: 1

      Yeah, but you didn't patch the damn thing and now it's infected with different crap that is just as bad as the old crap.

    2. Re:just finished recently by Tumbleweed · · Score: 1

      Honestly, I'd really prefer to just reformat and replace it with Ubuntu, but I'm not sure it runs on this hardware. :(

    3. Re:just finished recently by Aquaholic · · Score: 1

      With an infection like that the only thing to do is
            1) nuke from orbit and
            2) reinstall from known free sources (NO spy/adware supported items).

    4. Re:just finished recently by Tumbleweed · · Score: 1

      With an infection like that the only thing to do is
                  1) nuke from orbit and
                  2) reinstall from known free sources (NO spy/adware supported items).


      I think you mean to say:

      1) Take off
      2) Nuke the site from orbit

      It's the only way to be sure. :)

      I would've tried that, but I don't have any backups to restore the good stuff. Plus I'm rather short on the nukes, and the transport to orbit. Heck, I don't even have a Caterpillar Power Loader J-5000. Or even a J-4000! It's all just very sad...

  35. "My son works in computers" by RationalRoot · · Score: 1

    My father's friend has a computer, and he has clueless teenagers.

    They download pretty much anything that makes noise or sparkles.

    There was no point in trying to clean up, it was a straight reformat and reinstall.

    I installed a firewall and antivirus software, but I forgot to disable the internet connection. 8-(

    I want this for Christmas
    http://www.thinkgeek.com/tshirts/frustrations/388b/

    D.

    --
    http://davesboat.blogspot.com/
  36. A pretty bad one by InfoHighwayRoadkill · · Score: 2, Interesting

    The headmaster's wife of the school where my wife works gave me her laptop to look at whilst we were at a party at their place once. The school's IT guy wouldn't touch it. It was windows XP but it took something like 10 minutes to boot and she said it was "reeeally reeeally slew" (she is French).

    Found out the disk had 5k of space left on it. Checked and there was no antivirus, firewall or antimalware installed and it had been directly connected to a broadband line with an ADSL modem for the last 3 months. And the cursors were animated dinosaurs.

    Once I had cleared off some space I installed AVG and Ad-Aware. They both went through the roof. One of the many many viruses was inflating every file on the drive that was around 150k to around 300k which partially explained the lack of disk space. Eventually I couldn't do any more and it was still crap. I suggested wiping it. "Oh you can't do that... I don't keep any backups and the Outlook Express has all the details of our side business in it"

    I ended up passing the mess onto my brother who has a nice sideline. He actually said it was the second worst pc he has ever sorted out. The worst was a guy who downloaded from Kazaa constantly as well. After 3 days he fixed it though. He ended up using 3 different virus scanners to get everything.

    When I gave it back to her I explained that someone was probably using her laptop to send out loads of spam and host kiddie porn on. She went out and bought Norton that very day. Let's hope she keeps it up to date.

    --
    another Roadkill on the Information Superhighway
    1. Re:A pretty bad one by Anonymous Coward · · Score: 0

      Hhmmm... tell me a little more about the headmaster's French wife.

  37. Just today by amorangi · · Score: 1

    Today I did a reinstall on a client's laptop, it had 150,000 viruses - 70% of all the files were viruses (mostly the same one replicated). AVG took 12 hours to scan it, but couldn't remove that many. Had to go for a re-install. He'd run it for about 3 years with no antivirus or firewall. The amazing thing is it would actually start and run (somewhat).
    The previous best I've seen is about 5000.

  38. Nuke the site from orbit. by beetlefeet · · Score: 1

    It's the only way to be sure.

  39. My worst... by Seetee · · Score: 5, Interesting

    Well, once, a little more than a year ago, I paid a visit to some friends and, as the afternoon progressed as usual, I eventually found myself in front of their computer, because they had some trouble with their broadband access, it seemed.

    As I soon found out the broadband company had cut them off, since the computer was a breeding ground for virus and spam of all sorts. Why did they have so many problems, you ask? This is what I found.

    No hardware firewall, one computer directly accessing the internet on a (albeit slow) broadband connection, no software firewall, no anti-virus program, no adware-removal program, outlook express and (actually!) a really old version of Firefox (0.3 I believe), all of it running on an unpatched version of Windows 98A.

    It took me some time to clean that one out.

    But it did impress me somewhat that the broadband company (Telia, Sweden) actually demanded proof that they had installed both anti virus and a firewall before they reactivated the connection. That is surprisingly good ethics for such a company, although it might be considered pure survival tactics, as the internet climate is today.

    --
    I've learned all I know about politics from /. and I still do not care one bit (or byte).
    1. Re:My worst... by LordSnooty · · Score: 1
      As I soon found out the broadband company had cut them off, since the computer was a breeding ground for virus and spam of all sorts.
      Coo, there are a few people who wish that more ISPs would do this! It might scale down the number of these infections being discussed right now.
  40. She had been doing it for 10 years! by Codename46 · · Score: 1

    Not two years back when I was a junior in high school, one of my neighbors asked me to fix her computer and backup her files, using the universal reason "I think it broke". After inspecting her 10-year old Compaq, I discovered that her hard drive was riddled with bad sectors. It wasn't until she told me she didn't know how to shut down her computer and instead pulled out the power cord from her PSU every time that I realized why: SHE HAD BEEN DOING THAT FOR 10 YEARS! No wonder her hardware took a beating!

  41. Clean-up and clean-up... by ingvar · · Score: 1

    Not a "clean-up", per se, since I didn't do any of the cleansing myself, but...

    Couple of hundred ADSL lines with Slammer on the customer end, couple of dozen leased lines with Slammer down the pipe and a handful of co-located machines slamming happily. Took a while to get things to a point where the network wasn't adversely affected by this shit.

  42. Photocopy sorting nightmare by Dr.+Hok · · Score: 3, Funny
    This is not really security, but:

    At the university I once had the job to produce 100 copies of a circa 100 page application document for a very important government funded research project.

    I had a high-performance copier, to which I fed the original pages, cranked the lever to 100 copies and kept shoveling paper into it until it finished.

    Only then did I realize that I had misunderstood the sort/collate switch and ended up with 10,000 sorted pages, meaning that 100 pages #1 were followed by 100 pages #2 etc.

    I was out of fresh paper for a retry, too.

    After some decent swearing and a couple of cigarettes, I arranged the tables of a seminar room around myself, then spent the whole night making 100 stacks of paper one by one.

    When it was over, the skin on my fingers was so dry that it cracked and started bleeding. Not to speak of the over-exercised muscles in my hands...

    --
    Say out loud: I'm an Aspie and I'm somewhat proud, I guess. Uh. Can I write an email in all caps instead? Hm...
    1. Re:Photocopy sorting nightmare by phallstrom · · Score: 1

      Hrm... you could have re-stocked the copier with your output (100 page 1's, 100 page 2's, etc.) then had it copy *with collation* 100 blank pages.

      Maybe anyway...

  43. Bug Spray by slarrg · · Score: 4, Funny

    About twenty years ago an exterminator was spraying my apartment complex and asked if I had seen any bugs. I replied, "Only in the computer." Sadly, he actually sprayed inside the computer and killed it. I've since learned to curb the computer humor with non-technical people.

  44. Back in about 1993 by Andy_R · · Score: 2, Funny

    Someone sent me a floppy with the WDEF B virus on it, but my Mac IIci's antivirus software caught it. Of course, since those days Apple have really got their act together and I don't get viruses nearly as often.

    My PC is virus-free too, probably because it doesn't have a network card or modem, a surprisingly difficult combination to achieve when buying it. I gave up trying to spec a machine without ethernet and settled for opening up a brand new computer, pulling the unwanted card and binning it.

    --
    A pizza of radius z and thickness a has a volume of pi z z a
    1. Re:Back in about 1993 by harrkev · · Score: 1
      My PC is virus-free too, probably because it doesn't have a network card or modem, a surprisingly difficult combination to achieve when buying it. I gave up trying to spec a machine without ethernet and settled for opening up a brand new computer, pulling the unwanted card and binning it.
      Well, you could try the obvious thing, like not plugging anything into those jacks. That would work just as well.

      Of course, if you don't trust yourself, you could accomplish a lot with the cut ends of RJ11 and RJ45 cables and some superglue.
      --
      "-1 Troll" is apparently the same as "-1 I disagree with you."
    2. Re:Back in about 1993 by Andy_R · · Score: 1

      I trust myself, it's everyone else in the building I have a problem with!

      --
      A pizza of radius z and thickness a has a volume of pi z z a
  45. 3 MIRV warheads floating down the Potomac by bruce_the_loon · · Score: 1

    Trailer came loose and fell in the river. Didn't hear about it? Good.

    --
    Trying to become famous by taking photos. Visit my homepage please.
  46. hmmm by Erriv · · Score: 1

    I wonder what one was the worst.

    The one that happened back when I was 13 was quite annoying as, well, I was 13. Got the Junkie virus from a 'classmate' (in the days of copying software on floppies...)

    Then the BIOS went totally flipped out; had to return the computer to support. And then the motherboard and chip were upgraded from 386 to 486 (so should I be pissed at him or not? Oh, we did get revenge anyway so... (don't use band names as passwords on BBSs in the early 90's...)).

    But I guess the real worst clean up *I* had to do was either my ex-girlfriend's family's laptop... 12 year old, running wildly around the Internet. Gargh...

    But worst was the hospital where I was interning at the library. You see, the hospital had good policies for the computers everywhere else, but the library was where everyone blew off steam so... about 1400 AdWare things a week, on every computer except one (that was the one running RedHat).

    Then came a worm attack inside the network somehow and put down all computers (well, except again the RedHat computer) or at least most of them at the hospital. This was about a week after migrating the database server to run remote via Citrix (and that horrible software we have at the place I work now, but this isn't the place for talking about idiotic systems so). You become so happy then, right.

    And after that it was time to change computers, this time with new ones without disk drives. (Which is quite good at most places at a hospital, but not at the library where all nurse students wrote and sent their essays... I had to go explain how to mount a floppy in linux three times a day until we at least got some USB floppy drives). I can't get what qualification the real tech support people were employed after (I could have done it much better than them. Definitely)

  47. Sligtly on-topic by Centurix · · Score: 3, Interesting

    I actually had a favorite mail trojan at one point. I can't remember what it was called, and it expired itself a couple of years ago. It was distributed via mail, picking out everyone in their address book. The fun thing about it was that it would pick out a random file from the victim's computer, preferably some sort of document, but it didn't seem too fussy, attach a copy of itself to the beginning of the file and send it on. Made a quick script which chopped off the virus whenever I received a mail, and then saved the actual file somewhere so I could take a look. It was like a little surprise in the mailbox every day. Some of my favorite ones were:

    * An excel spreadsheet showing the expenses for a French shoe manufacturer
    * Someone's thesis on the spawning habits of Canadian salmon (quite well written too, best of luck with the masters)
    * A strange photograph of a person driving a car with a giant carrot for a passenger
    * Someone's 10Mb .pst file from their MS outlook. Lots of mail, nothing interesting, but the program sent the file without the user noticing it.
    * No porn whatsoever, disappointing
    * And no password files, which I guess would have been a good primary target for the trojan.

    Quality trojan, they don't write them like that anymore.

    --
    Task Mangler
  48. Script Kiddie Hunt by rwa2 · · Score: 2, Informative

    Back in college around 1998 my Redhat 5.x box got remote-rooted by some Samba exploit (the exploit was called ADMmountd). Most of the standard utilities like ls and top and ps were modified to not detect the rootkit, but du stopped working completely, and I managed to stumble upon the rootkit files in a hidden directory in /usr/lib/.lrk or something like that. Then I noticed IRC callback connections in tcpdump and followed the trail to some Swedish IRC server. But didn't really get any leads there.

    It was pretty good about cleaning up after its last logs, but I finally managed to stumble into the kiddie's home dir on my box... the damned kiddie forgot to clean up his .bash_history ! Well, actually he did (as evidenced by some rm ~/.bash_history commands in his .bash_history), but of course his shell wrote it from memory again on logout. I found some entries there that led me back to another server he compromised.

    Looking at that (also Redhat 5.x) server's web site, I noticed that it had some evil users who exposed /etc/passwd in some cgi scripts. This was before Redhat started using /etc/shadow, so a few cycles of john-the-ripper later I had a list of remote login accounts and most of their fairly trivial passwords (including root). Probably the exact same way the script kiddie took over that box. So I sent an email to the admin of that server, and (as it was some other poor college bastard) serendipitously logged in to /his/ rooted box, did some additional forensics. The home base apparently was at goethe.sbu.edu, which apparently hosted some bored-looking CS guy (there were only 7 enrolled in the program :P) at St. Bonaventure University, though he may as well have been rooted himself. And cleaned up the rootkit on the remote machine as well, shutting off the compromised services and accounts before leaving myself.

    So I cleaned up some other computer as well as mine. That was pretty much the time I migrated to Debian for good... haven't had nary a problem before or since. ;>

    Anyway, here are some annotated excerpts from the .bash_history I archived:
    blksheep/.bash_history

    cd /tmp
    cd .ADM
    ls
    ADMmountd liuxcentral.com -t 0 # plenty of typos while "scanning" for vulnerable hosts
    ADMmountd linuxcentral.com -t 0
    ADMmountd www.mondenet.com -t 0

    # retrieving the logfile cleaning utility, which didn't work on .bash_history, apparently
    ftp goethe.sbu.edu
    mv utclean.wri utclean.c
    gcc utclean.c -o utlcean
    mv utlcean
    mv utlcean utclean
    chmod +x utclean

    # Testing his rootkit
    who
    ls
    screen find / -name .wh00p -print >>blah
    ls
    cat blah
    rm blah
    cat /usr/bin/.wh00p .wh00p # I guess this was the real "who", he ran this often to watch his back, I suppose

    1. Re:Script Kiddie Hunt by Control+Group · · Score: 1

      But...but...

      Everyone knows Linux is invulnerable to attack!

      You must be some kind of weird antimatter slashdot troll from the negativerse where the sky is white and the stars burn with the blackness of a thousand really really black things.

      --

      Reality has a conservative bias: it conserves mass, energy, momentum...
  49. i always wipe front to back by stargazerAD · · Score: 1

    my response to ad/mal/spyware and virii and the wormlike has always been a total wipe. i do it about twice a year. i actually manually write down all my links, rss feeds, dumb logins and such, and just obliterate the drive. getting sp2 over a dsl line is a chore, but that's about the biggest issue i have. this is, of course, just the opinion of a retarded wintel user, and has nothing in relation to anyone who has more difficult setups associated with their os.

  50. Re:At one place I worked... by orkysoft · · Score: 1

    Yeah, I recall that that security cleanup took 24 hours to complete ;-]

    --

    I suffer from attention surplus disorder.
  51. Re:At one place I worked... by eis271828 · · Score: 1

    I'm going to assume you were summarizing a season of 24, because it really does mirror season 4, I think. In which case, I picked up on it. Still not all that clever, though. Sorry.

  52. The worst by CDWalton · · Score: 1

    While working in the helpdesk here, I had a customer call and had an issue where she could not get online. I got the TCP/IP winsock reset, got her online and had her download Spy Sweeper, Stinger, CWShredder and run them. Spy Sweeper found on the first pass 65000 (yes 65 THOUSAND) items. Removed those, and rebooted to Safe Mode and turned off system restore as some items had embedded themselves there, and rebooted again. 3 hrs later she was good to go.

    --
    When the going gets tough, the tough get drunk
  53. I shall never forget this by cthulumythos · · Score: 1

    Working for the helpdesk at my college, this one undergrad brought her computer in cause it was "slow". I ran our adware/spyware removal tool and found 47617 infected files. I then ran a series of virus scanners and found 6113 viruses. Obviously, a reinstall was necessary for that one...

  54. Wow by dlc3007 · · Score: 1

    I have to stop dissing my sister now. I only found 2100 malicious objects on her machine.

  55. Lots of viruses... by Endo13 · · Score: 1

    I work in a PC repair shop. As you might expect, a good percentage of our work is malware removal. The worst machine we've had in here had upwards of 20,000 files infected with viruses. And we didn't even bother checking for spyware.

    --
    There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.
  56. Well... by argStyopa · · Score: 2, Funny

    This isn't precisely what you're talking about but...a son should never have to clean up his mom's computer. Or if you do, for the love of god, DON'T BROWSE THROUGH THE TEMPORARY INTERNET FILES.

    Just wipe it. Trust me (shudder), a boy should never see that side of his mom.

    That was no doubt the worst cleanup I ever had to do.

    --
    -Styopa
    1. Re:Well... by Achromatic1978 · · Score: 1

      I remember doing similar on a friend's computer. This computer was used by their three sons, and his wife too. I remember going to Google, started typing "p", and what was the first entry in Autocomplete? "penis enlargement", and so many other similar things. Come on, dude. Not on the family PC, and not with Autocomplete on.

  57. Vista and Allchin by ravidew · · Score: 2, Funny

    I remember one time I listened to an outgoing MS VP, and refused to let my son install antivirus software on his new Vista machine...

  58. 6500+ infections by jakoz · · Score: 1

    I've cleaned out a few with over 1000 infections, but the worst was a system with 6500 infections. I never got it working properly (Explorer randomly generated windowing problems, etc), but it ran.

    But probably the scariest was one I cleaned with 350 infections of one virus. I believe it was Chernobyl, but I might be wrong. On a certain date of the month it detonated, wiping the drive. I used it on the day before until around 11:55pm unknowingly and went to bed around midnight. I found it the day after it detonated at around 6am, so neatly (and accidentally) missed losing everything by 5 minutes on one side and 6 hrs the other.

  59. Calling Sweden... by prescor · · Score: 2, Interesting

    I once helped out a lady with Win98 who called me after she received an $800 long-distance phone bill. She was a dial-up ISP user and caught SOMETHING that was dialing Sweden in the middle of the night to do God-only-knows what.

    Not the "worst" infection I've ever cleaned up, but certainly the weirdest!

    --
    signat-url: http://www2.potsdam.edu/dctm/prescor/signat-url.htm
  60. Somedays you should just stay home by ALibby53 · · Score: 1

    Back in 2001 I was working for an insurance company. My incompetent boss was in his first week of a 2-week vacation, and this was my first admin job, having recently been promoted from an operator, when we were hit by Nimda. He wouldn't let me anywhere near the antivirus or security.... We had 250 workstations in the 3 buildings and 20 servers (2 were Netware, 18 were Windows NT4). I discovered that half of the servers were running antivirus (InoculateIT, yeah, gotta love CA), but they were 2 months behind on their definitions. Ohh, and we were all Token Ring, still utilizing 16 Mbit MAUs.
    Went into the computer room to see how things went that night, and people were calling in complaining the network was slow. I looked at the Novell server (it was our primary authentication and we were running NDS for NT) to see what was going on, and the console had continuous messages flying up saying that it found a virus. Called my boss to let him know what was going on; he told me where the book that came with the software was, and answered a couple of quick questions. Called him a half hour later and his wife answered (ohh, he left, but not to go to work, don't know when he'll be back or where he went, aka bastard!). Checked the other servers, learned how to update the definitions, and how to install it on the servers...
    During my second pass around the servers and some of the workstations I figured out that they were getting reinfected. So I had to bring everything down (all the servers, workstations, Wang gateways....) and start one at a time with the main Novell server. Cleaned over 100,000 infected files off that one, an additional 10,000 plus on the PDC, over 6,000 on the BDC, and a few hundred off other servers and workstations, finding a few other viruses on the workstations. Found that the antivirus was also misconfigured, so corrected that during my sweep across the entire building.
    We were completely down on Thursday, Friday was unstable at best, and I worked all weekend. I went over my max comp time by 35 hours (you can work a max of 70 hours and get 1 day off per 10 hours for a max of 7 days off, which was a complete rip-off because if I work 10 hours of overtime, which I should be paid 15 hours at my normal rate for, why do I only get 8 hours off? !@#$%^& salary).
    I recovered the entire network by myself, correcting major security issues (aka half the servers weren't running AV, definitions behind by 2 months, clients misconfigured), while cleaning up a network-wide virus outbreak, put in 50 or 60 hours of OT, and I got 1 day off. Yeah, now that's appreciation.

  61. Cleanup method of the future by Sloppy · · Score: 1

    I think there's a third approach coming up, though it will be a few years before it's widespread. It's a variation on the first approach.

    A quick summary: recopy the one Xen DomU image of the subsystem that has been infected. If most of your applications are installed in other domains, then you don't need to reinstall them. Needless to say, each Microsoft application should have a whole DomU dedicated to it. Maybe even have it run a freshly-copied image anytime the user clicks on the icon that starts it.

    Containment. You could survive any exploit that is unable to break through the virtualization, even rootkits.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  62. Not as bad as it could have been, I guess by KillerBob · · Score: 1

    About 4 years ago, I came across a friend's machine. She was complaining that it was running "a little slow". I brought in a copy of AVG with the latest definitions (downloaded that morning) on a CD, and did what I could for the box. The result? 483 unique viruses, 41,000 or so infected files.

    I thought it was some kind of record. But reading other posts, I guess it isn't. :p

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  63. Old times by kosmosik · · Score: 1

    About 90/92 (I don't recall exactly) in Poland there were no strict software piracy laws and enforcement. The Polish software market was very new (communism had just ended in 89), so basically it was very hard to get anything legal. So you pirated, and it was perfectly OK (there was no alternative distribution).

    I remember that a few computer shops put out public computers to attract customers. These computers worked like this: you went to the shop with a few floppies and copied games/software (mostly games) from and onto these computers. These computers were by far the most virused computers I've seen. :) Keep in mind that these were DISK viruses that spread through floppies.

  64. PHBs by Ahnteis · · Score: 1

    It might, but the PHBs won't allow it.

  65. Doctors and their machines by Anonymous Coward · · Score: 0

    The hospital I volunteer at has some crazy policies. Each department has their own IT solutions and vendors, and I volunteer in the 'tween department which basically keeps each department talking to each other department. We are called in when there is something urgent to be done and no one else is able to or can figure it out.

    We got a call because part of a PET scanner wasn't working. We showed up and found a bunch of oncologists angry with us because the Dell workstation they used to run the PET scanner was behaving really slowly. They said they had patients scheduled all day and that they needed the machine up and running as fast as possible.

    The hospital had recently purchased the PET and the Dell, and we learned that one of the doctors fancied himself technically adept, and had set up the Dell workstation to interface with the PET without talking to his IT department. He had plugged the machine into the public network because he didn't have any of the information for adding a machine to the private network, but didn't think it was important because it was just for email. The PET scanner has over a TB of RAIDed internal storage, and in just a month or so the Dell was compromised and the PET scanner loaded up with warez and porn. We had to take the machine offline and call the manufacturer to figure out how to format the drives. It was bad.

    1. Re:Doctors and their machines by Achromatic1978 · · Score: 1

      The worst thing about that is that PET scanners run from a low of $1M to a high of $3M+. I'm trying to imagine it just being dropped off and left for some random IT guy, or anyone, to just "have a flick through the manual, and plug it in". For one, wasn't there any testing of it when it arrived?!?

  66. Two Words: by JhohannaVH · · Score: 1

    Witty Worm.

    Blew up the whole data center. Oh, and asshats let the support on Netbackup lapse, so the restores wouldn't run until they fixed whatever problem they had. But they couldn't get support to help them until they got the CIO out of bed to sign a $250k PO for licensing and support.

    All this happened because they didn't pay the invoice for ISS, and didn't get the Black Ice patch installed quickly enough.

    Funny... I have severe asthma, and this was just the day they decided to paint the inside of our entire building. Needless to say, I was no help, and I got to sit that out until the paint dried. We were still cleaning up a week later.

    --
    Sorry man... the Internet pooped on me.
  67. Holy hell! by CAIMLAS · · Score: 1

    That is a LOT! And that doesn't even include the spyware? I find that very difficult to believe.

    The worst I've seen is approximately 3500 spyware on a 1Ghz Win2k machine with 512M ram. It was SLOW. Like 15+ minutes to boot, slow. It took a good 5 hours to "clean" with adaware, and even then I decided to reinstall anyway due to the system retaining a great deal of instability.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  68. I WANT THAT ISP!!!!! by Medievalist · · Score: 1

    I would sign up with that ISP in a heartbeat. Most ISPs are total worm farms.

    I'm getting DNS poisoning attacks about 300 times a day from a RR.COM cable modem address and RR says they can't do anything about it.

    The attacks aren't actually working, but it still peeves me mightily.

    1. Re:I WANT THAT ISP!!!!! by DigiShaman · · Score: 1

      Note: I worked for Time Warner in Austin, TX.

      If you are a RR subscriber in Austin, TX and have an infected machine, it will be flagged on the network. Once done, the packets get sniffed for viri, spamming, bot attacks, and excessive port scanning. At this point, the network security department files a motion to our tech support department to disable the user. From here, we send a DOCSIS command to upload a disable.bin file to the modem.

      I think the customer gets two tries to clean their computer last I remembered. If they get disabled again on the third time for the same issues, they must speak directly with the security department to resolve the issue. Basically however, they just need to call the tech support line to get their connection re-enabled and get chewed over the phone for not taking measures to secure their wireless network and/or computers behind the cable modem. Because RR users have access to FREE antivirus software (EZ Armor from CA), the lazy bums no longer have an excuse to stay unprotected.

      If you are still having a problem with these DNS attacks, I would recommend contacting the RR security department to resolve the issue. You can find all the information you need from the link below. Best of luck.

      http://security.rr.com/contact.htm

      --
      Life is not for the lazy.
    2. Re:I WANT THAT ISP!!!!! by Some_Llama · · Score: 1

      "and RR says they can't do anything about it."

      Of course they CAN do something about it, they just choose not to, something about profit margins I'm sure...

  69. My ISP called me recently :-( by billstewart · · Score: 1

    I got a call the other week from my ISP saying they'd seen half a million spams from my machine in half a day :-( I went over and checked the desktop machine, which hadn't gotten its Microsoft-update-of-the-month installed on it yet, but it was quiet, and closed my laptop so it went to sleep, but the spam persisted. Went over and looked at the wireless router, and sure enough it was blinking away - I keep it open for guests, and had never had a problem, even though I'm in a building with half a dozen neighbors' wireless sets visible. I turned it off, the problem stopped, and I kept my laptop on Ethernet for a day. I sent mail to the local mailing list, and one of my neighbors replied that his wife's work laptop was running really really slowly - and apparently the malware was clever enough to attack my unlocked wireless instead of using his home network, so it'd be harder to trace. She took it in to work to have their anti-virus people clean it up, and the problem's gone for now.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  70. Try 7500 pcs by Anonymous Coward · · Score: 0

    Sure, 7500 bits of malware on a box sucks (and what are you doing cleaning it? Nuke it from orbit and rebuild it), but I had to work with a team to clean up 7500 pcs infected by nachi. And what's worse, this was months after nachi first came out, and the desktop support team still hadn't gotten around to pushing out the patch. One user comes in with an infected laptop, and then it immediately spread throughout the network. That was multiple days of downtime to clean it up, when it could've been solved by the desktop support group following the security department's recommendation, and pushing out the patch 3 months earlier.

  71. AOL CDs are better than salt for that! by Behrooz · · Score: 1

    Did you salt the earth so nothing would grow there again?

    We found that sowing AOL CDs instead of salt was the most cost-effective solution.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
  72. My worst cleanup? But I've had so many... by Anonymous Coward · · Score: 0

    There are certain watershed moments that make working in computer security of historical importance.

    I won't tell you who I work for. Believe that I'm the biggest liar in the world, or not. This is all anecdotal, after all.

    First, an observation. In security, you'll find that virus security incidents come in more than one flavor and that there is more than one way to measure 'the worst'. How can I measure the worst?

    Was it the machine where I saw over 10,000 copies of a file infector? Was the worst machine one of the out of date mail servers I spent over seven hours disinfecting in safe mode, then reinstalling the mail server app? Was the worst security incident the watershed event where I complained to the av vendor that they were not disclosing which vulnerabilities were attacked by the new virus sample I submitted and got them to change their tracking and reporting policies? Was it the first time I submitted a combination adware threat and raised a stink about its Backdoor Trojan and dropper behavior, pushing my av vendor to provide detailed removal steps when their engineering staff had determined that the item performed a stealth install and no notice? Was it the radio telescope controller I was not permitted to disinfect for political reasons?

    Was it the day that I navigated my av vendor directly to information regarding backdoor technology that I found on a greyware/hack site and told them that their av suite had not caught the threat I was infected with because the threat loaded before the av did?

    Was it the day I was at an internet cafe with a less tech-savvy member of my organization and they 'caught a virus' and I found they actually had someone connecting via RDP? ( Fortunately, or maybe not, this laptop was never part of my assigned duties. )

    These things have happened. To me. Rarely. These things *do* happen. How the av vendor reacts to an incident depends on how much service contract you have purchased from them, and how bad the incident really is. To cover my security needs, free antivirus just doesn't get it. I have Service Level Agreements to cover, and political overlords to satisfy.

    I have sadly gotten to the point where I measure security events in multiple ways:

    1. Number of production servers down/infected
    2. Number of production workstations down/infected
    3. Am I responsible for the systems involved or did it happen to 'somebody else'?
    4. Is the security issue an automated hack (a worm/virus) or is someone actually penetrating the system and able to make active connections via ssh/rsh/telnet/Terminal Services/RDP/e-mailing commands to the server and having it run them?
    5. Does this incident represent a new form of virus attack vector or virus hardening technique?
    6. Is the time to purge/repair less than the time to reinstall the os?
    7. Did I overlook something important that would have resolved the issue any faster? (This is the secret code word for "Did I screw up?" Usually my vendor is happy to help me find this out.)

    So far, it's a toss-up. As I think back, I think that the worst incidents have been the ones where history was in the making. The incidents where I KNEW the game was changing and I had to squeeze my vendor because they and I did not initially agree on cause. Viruses, worms and other threats will continue to be with us, no matter what os you care to name. Someone somewhere will write one. Since John Brunner wrote Shockwave Rider, the genie called 'worms' has been out of the imagination bottle.

    The worst security incident I've ever worked is the next one.

  73. Um, not quite.. by cheros · · Score: 1

    With popunders you can generate quite a lot of fun content in the cache. Well worth remembering..

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  74. Thank you! by Medievalist · · Score: 1

    I started with the "abuse@rr.com" address (which connected me to a robot that insisted I have "a copy of the headers of the problem email" in my complaint, even though I was complaining about DNS abuse and not email abuse) and eventually I graduated to dealing with a human who apparently does not understand written English.

    I will go through the link you provided, hopefully the security team will be more clueful... at least they should be able to read BIND logs...

    Thanks!
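
    The two Medievalist posts above come down to reading a name server's own query log for one source hammering it. The following is an added example, not code from the page or from any of the posters: a small parser for the BIND 9 query-log line format (`client IP#port: query: NAME IN TYPE FLAGS`) that counts queries per client, flags sources over a threshold, and shows which name each noisy source keeps asking for. The log lines, addresses and names below are constructed for the example; the threshold of 5 is an arbitrary assumption for a tiny sample, and a real log would want a per-minute rate rather than a raw count.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the BIND 9 query-log format.
# Addresses and names are made up for this example; none come from the page.
SAMPLE_LOG = """\
15-Mar-2007 03:12:45.101 client 10.0.0.5#53421: query: www.example.net IN A +
15-Mar-2007 03:12:45.133 client 10.0.0.5#53422: query: www.example.net IN A +
15-Mar-2007 03:12:45.160 client 10.0.0.5#53423: query: www.example.net IN A +
15-Mar-2007 03:12:45.191 client 10.0.0.5#53424: query: www.example.net IN A +
15-Mar-2007 03:12:46.004 client 192.168.1.20#4312: query: mail.example.org IN MX +
15-Mar-2007 03:12:47.512 client 192.168.1.21#4313: query: example.org IN SOA -
15-Mar-2007 03:12:48.220 client 10.0.0.5#53425: query: www.example.net IN A +
15-Mar-2007 03:12:48.230 client 10.0.0.5#53426: query: www.example.net IN A +
15-Mar-2007 03:12:49.001 client 192.168.1.22#4314: query: ns1.example.org IN A -
this line is not a query entry and is skipped by the parser
"""

# One query line: source address and port, queried name, type, and the flag
# column, whose leading '+' means the client asked for recursion.
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_queries(log_text):
    """Yield one dict per parsable query line; other lines are ignored."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["recursion_desired"] = rec["flags"].startswith("+")
        yield rec


def queries_per_client(log_text):
    """Total query count per source address."""
    return Counter(rec["ip"] for rec in parse_queries(log_text))


def noisy_clients(log_text, threshold=5):
    """Return {ip: count} for sources at or above the threshold."""
    return {ip: n for ip, n in queries_per_client(log_text).items() if n >= threshold}


def repeated_name_by_client(log_text):
    """Map ip -> (most repeated name, count), to show what a source is hammering."""
    per_ip = defaultdict(Counter)
    for rec in parse_queries(log_text):
        per_ip[rec["ip"]][rec["name"]] += 1
    return {ip: names.most_common(1)[0] for ip, names in per_ip.items()}


def report(log_text, threshold=5):
    """Human-readable summary lines, one per noisy source."""
    names = repeated_name_by_client(log_text)
    lines = []
    for ip, n in sorted(noisy_clients(log_text, threshold).items()):
        name, count = names[ip]
        lines.append(f"{ip}: {n} queries, {count} of them for {name}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

    Besides the raw count, the flag column is worth a look when the complaint is about an outside address: if external clients are getting recursion from a server that should only answer for its own zones, that is the setting to tighten (BIND's `allow-recursion` option) before arguing with the remote ISP's abuse desk.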

  75. Working at a major Australian computer reseller... by Scoldog · · Score: 1

    I once had a lady drag her computer in, saying it didn't work (always a helpful problem description).

    So I look at it, P2.6Ghz with an 80GB HDD and 512MB RAM. Turn it on. Half an hour later, it gets to the desktop and no further. I mean this thing was so locked up it wouldn't open Office or other programs. Couldn't open the XP diagnostic software or the Norton Antivirus (that was a clue), so I pulled the HDD out, plugged it into my diagnostics box and gave it a full virus scan.

    9,457 viruses, spyware and other associated malware later, I asked her what on earth she was doing with this computer. The eldest kid surfed "mature" websites, the youngest kids surfed for music. I told her the computer was too far gone, the only way to get it usable again was to reformat it and get a decent virus/firewall combo before it even touches the net. She retorted it came with a virus scanner/firewall. I checked. It only had the Norton Antivirus (not Internet Security) 90 day trial the computer shipped with almost 10 months earlier. Sigh.

    Now for a quick story from the other end of the spectrum. A guy brought his laptop in to me saying it was running slow, and that he knew why. I asked him to show me. He starts it up (took about 10 minutes for a 2.4Ghz to get to a usable state, not just to the desktop), opens 'msconfig' and says "look, half these drivers aren't Microsoft certified. That's why it's going slow."

    I looked at him with my poker face, calmly pulled the laptop out of his hands, and looked at it myself. Turns out this fool only had 256MB of RAM in this laptop running XP, with 64MB shared for the video card. Not only that, he was running two virus scanners on startup to do a background HDD scan when the computer started. I eventually had to stick an extra 512MB of RAM in the machine in front of his eyes to prove it needed more RAM and not Microsoft Certified Drivers.

    --
    This space for rent