Posted by Mitch Mitchell on Dec 8, 2011
Some days ago one of my web clients called and left an interesting message on my phone. He said that his hard drive had crashed and he’d lost everything that was on his C drive. The message asked me to call him as soon as possible.
Of course by the time I got that message it was late, and I knew he went to bed early. I called him the next morning and throughout the day, as it was Saturday, and never reached him. So I sent him an email, which I knew he’d get on his phone, and told him to reach me Sunday. He did, we talked, and he brought his computer over and left it with me.
The first thing I did was to hook his computer up to my monitor and other peripherals. Then I disconnected my wife’s computer from the network and booted his up because I wanted to see what it would do. It booted up just fine, and while it was loading I suddenly saw a message saying the C drive had been compromised, and that he could buy some product to help fix the problem.
I’m assuming most people reading this blog know this already, but he had malware on his computer. The reason I disconnected my wife’s computer from the network up front is because I was betting he had malware. There’s no such message ever telling anyone that their C drive has crashed; it just doesn’t work that way. If it had crashed the computer wouldn’t boot up, instead emitting these little beeps that drive someone like me crazy because of their pitch.
How did he get the malware? I have no clue, and neither did he, but I often see this type of thing when someone goes to a website that’s been compromised: they get an initial warning saying something might be wrong with their computer and to “click here” to check it out, and there you go. The uninitiated will fall for it almost every time, and my client would truly be considered one of the uninitiated.
The trick then is to get rid of the malware. His computer couldn’t access the internet, as you’d expect, so I went to my laptop and downloaded a copy of ComboFix, which works wonders with XP computers; there’s no equivalent yet for Vista or Win 7, so for those I’d have had to search for how to get rid of his particular infection, but for XP ComboFix is the way to go. I loaded it, it went online to look for updates, and it was ready to go.
What you’ll sometimes see is it saying you have some kind of scanner or virus program running. In this case it said he was running Microsoft Security Essentials, but I know I’d turned it off, disabled it under msconfig, and rebooted before running the program, so I knew it wasn’t running. ComboFix will still run, but it’ll tell you that it might not work as well; so be it. The program will create a restore point, then do its job, which could take a while or might go fairly fast. In this case it took about 25 minutes, but it killed the malware.
The next thing I did was install CCleaner, which a few people mentioned in my post on clearing out browser history, and ran it both ways. By that I mean I first ran it to go through all the browsers on his computer and clean things out. Good thing I did, because it discovered two dormant viruses that it took care of. Then I ran a registry check, and it found over 1,300 bad entries, which I cleared up; then I ran it again to fix whatever was left.
After that I added an antivirus and a firewall. The thing is, I thought I’d added them to his computer last year when I repaired it, then remembered that this was actually a new computer, only a few months old, that I hadn’t seen before.
What are the lessons here? One, if you get a warning on your computer and it’s not from a program you know you’re running, don’t click on it. Two, if the message contradicts what you can see, such as a message telling you that your hard drive has crashed while your computer is still running, it’s malware. Three, at the very least disconnect your computer from the internet (pull the cable if you’re on a wired connection like I am) to help keep things under control. Four, make sure your computer has antivirus and firewall protection.
Oh yeah, number five: if you go through something like this and have to ask someone else to fix it for you, ask them to clean things out while they’re in there, and don’t gripe about the price, since you should have asked up front what it might cost. Even though I didn’t just sit there watching stuff run, it ended up taking me 3 1/2 hours to clean out all the junk on his computer, including all the programs that were automatically running because they’d inserted themselves into his startup files, large temp files from software loads, etc. When he got his computer back that sucker was once again humming like it was new.
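The startup entries mentioned above are the part of a cleanup like this that takes the longest, because scareware and its companions tend to add themselves to the Run registry keys and the Startup folders so they come back on every reboot. The script below is an added example written for this post, not anything the author or the tools he used (ComboFix, CCleaner) ship; it only lists the common autostart locations so you can review what is set to launch before deciding what to remove. The registry key paths and the Startup folder lookups are the standard Windows ones; the output file name is my own choice. It needs PowerShell, so it applies to Vista/Win 7 and later rather than the XP machine in the story.

```powershell
# Added example: enumerate the common Windows autostart locations for review.
# Read-only: it lists entries, it does not delete anything.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$findings = @()

# Registry Run/RunOnce values: each value name is an entry, its data is the command line.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $findings += [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Command  = [string]$p.Value
        }
    }
}

# Per-user and all-users Startup folders: anything placed here launches at logon.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += [pscustomobject]@{
            Location = $folder
            Name     = $_.Name
            Command  = $_.FullName
        }
    }
}

# Flag entries launching from user-writable temp/profile paths, which is where
# drive-by scareware usually lands; legitimate software normally lives under Program Files.
$suspiciousPattern = '\\Temp\\|\\AppData\\Local\\Temp\\|\\Users\\[^\\]+\\[^\\]+\.exe'
$findings = $findings | ForEach-Object {
    $_ | Add-Member -NotePropertyName ReviewFirst `
                    -NotePropertyValue ($_.Command -match $suspiciousPattern) -PassThru
}

$findings | Sort-Object ReviewFirst -Descending | Format-Table -AutoSize
# Keep a copy for the client's records (file name is my own choice).
$findings | Export-Csv -Path "$env:USERPROFILE\Desktop\autostart-review.csv" -NoTypeInformation
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable, compare the list against what the owner actually installed, and disable unknown entries with msconfig (or Task Manager’s Startup tab on Windows 8 and later) rather than deleting blindly, so a mistake can be reversed.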
You’ve got to protect your hardware; you probably need your computer more than you think you do.