The price of free porn
Thursday, June 22, 2006

Take a laptop.
Take an internet connection.
Take a 17 year old boy.

What do you get? A zombie PC so infested that it took me more than three hours to get it clean.
How did this happen? Purely hormonal you could say.

Last night I was at a distant relative's house to get mom's laptop repaired, which from what I understood from the phone was a standard spyware/virus infection.
When I first booted up the PC, I immediately got an error message from XP that the DCOM service had crashed and the PC was shutting down in 60 seconds. Immediately logged on and did a shutdown -a (abort). About a zillion popups were telling me that the PC was infected with spyware and that you should purchase the antispyware tool that was telling you about it. This, and the fact that nothing about this PC still worked.
I immediately went to safe mode with networking, logged on as administrator, but was still unable to start Internet Explorer to go and download HitmanPro: IE crashed instantly.
Another #$@(666ç thing was that some Trojan or spyware had deactivated Task Manager, so no luck killing the bastard.
So I first had to do some manual cleaning: running regedit still worked, and in the default autorun location of the registry I found about 25 entries, all with stupid, bogus names. Thank God virus makers are still stupid enough to make 90% of the filenames this way. But they're not very stupid anymore, although infesting a PC so badly can only result in the PC fire department coming to the rescue.
After cleaning that, the user startup environment, the start menu, browser helper objects (the last 2 not used so much anymore), some temp files, etc., I rebooted and managed to get IE going to where I started downloading. After running it for a while, the PC blue screened a first time on the winlogon process. Then a second time. Then a chkdsk. Then a third time. Until finally I had to skip Ad-Aware from running, because it always happened over there.
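An added example, not part of the original post: a read-only PowerShell triage script that lists the autorun locations the cleanup above went through by hand (the Run/RunOnce keys in both hives, plus the Winlogon Notify subkeys where a dll can hook into the winlogon process) and reports the policy value that greys out Task Manager. The list of suspect folders and the "bogus name" heuristic are my own assumptions, not anything the post states; the script only lists, it deletes nothing.

```powershell
# Added example (not from the original post). Read-only triage of the autorun
# locations a cleanup like the one described above checks by hand.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: legitimate autoruns rarely launch from these folders. Tune per machine.
$suspectDirs = @('\\Temp\\', '\\Local Settings\\', '\\Application Data\\', '\\Recycle')

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath, ... to the object; skip those.
        if ($p.Name -like 'PS*') { continue }
        $value = [string]$p.Value
        $flags = @()
        # Heuristic (assumption): names with no vowels, or letters mixed with digits,
        # are the "stupid, bogus names" the post talks about.
        if ($p.Name -notmatch '[aeiou]' -or $p.Name -match '^[a-z]*\d+[a-z]*\d*$') { $flags += 'odd-name' }
        foreach ($d in $suspectDirs) {
            if ($value -match $d) { $flags += 'temp-dir'; break }
        }
        $findings += [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $value; Flags = ($flags -join ',') }
    }
}

# Winlogon Notify subkeys: each one names a dll that winlogon loads at logon.
$notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem -Path $notify | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -Name DllName -ErrorAction SilentlyContinue).DllName
        $findings += [pscustomobject]@{ Key = $notify; Name = $_.PSChildName; Command = [string]$dll; Flags = 'winlogon-notify' }
    }
}

$findings | Format-Table -AutoSize

# The policy value that greys out Task Manager (1 = disabled).
# A home PC has no reason to have it set in either hive.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (Test-Path $pol) {
        $v = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        if ($v -eq 1) { Write-Warning "$hive DisableTaskMgr=1 : Task Manager is blocked by policy" }
    }
}
```

Run it from an elevated prompt; entries flagged odd-name or temp-dir are candidates to look at, not verdicts, and the Winlogon Notify rows are worth reading in full since nothing a user installs normally ends up there.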
After I finally managed to get HitmanPro all the way to the end, I was still left with a lot of bad boys and Task Manager still refused to run.
Time to get a decent antivirus installed on it and get rid of the not-up-to-date Trend PC-cillin 2005. In comes Grisoft's Free AVG. In my opinion still the best, most lightweight and fast antivirus in existence in the 4 years I've known about it.
And there it was: easily about 10 different Trojans and an equal amount of malware, viruses, backdoors, spyware.
While I was waiting, I also helped a little by getting some utils from Sysinternals like handle or procexp.
But the hardest one of all to remove was the Win32.Goldun. This was reported as being the dll sdcard98.dll. Neither AVG nor the command-line delete was able to remove it, not even after killing explorer or IE (it was hooked in the winlogon process, probably Ad-Aware tried to kill that). This called for booting from Trinity Rescue Kit and removing it manually. If I had known the time it would take me to get the PC cleaned, I would have taken the time to run TRK over it from the beginning with F-Prot or AVG and clean some of it this way.
After getting the PC booted up in normal Windows again, I had another run with AVG, which found me some more evil. But the PC started to clear out.

So after having spent 3 hours on it, I called in the parents and showed them Internet Explorer's history a bit. And that's where proof of the hormones came in: 1 week, hundreds of so-called free porn sites, all waiting to hijack the horny surfer's PC who will click 'yes' to anything he's presented in order to get his "free meat".

First thing I did afterwards with that laptop was change the password so their son couldn't get in anymore: he's got his own bloody desktop PC in the living room, only mildly infected with some innocent adware (AVG had been running on it for over a year since I last cleaned that, with success).
Secondly: I installed newsbinpro on his desktop PC and started downloading "clean" dirty stuff from the newsgroups. I told the parents this is the only way of making sure infestations like this (hardly) ever happen again. It's like legalising cannabis, fighting evil with a lesser evil.
Third: enable automatic updates (duh!), which immediately did 42 of them.
Fourth: charged 60€ for more than 3 hours of work + transportation, which is quite kind I believe.

I arrived at 20.30 and left at midnight, both parents gratefully waving me out and their 17 year old probably hiding in shame somewhere ;-) (he did try to put the blame on grandma, can you imagine?)
