
Author Topic: Fixing an XP Laptop, when to give up?  (Read 7593 times)

nontroppo

Fixing an XP Laptop, when to give up?
« on: November 19, 2007, 06:50 AM »
I have a friend's laptop that recently suffered a trojan attack (I suspect via an IE popup and user click, but they are not computer literate and are not clear how). The thing was running only NOD32. It appeared to disable NOD32 (yikes!) and wireless stopped working (unintended side effect, NDIS user I/O is broken); system restore did nothing. I installed Comodo firewall just fine, and outbound attempts were coming from IE, which I locked down. As NOD32 was inoperative, I used Autoruns to scan for anything in startup / services / IE helpers. Nothing. Process Explorer shows no new process running. RootkitRevealer gives me reams of data but I don't have time to deal with that. Trying to reinstall NOD32 causes the installer to fail whenever it tries to copy the NOD executable to the install directory. Installing elsewhere does not fool it. Spybot fails install too, only teatimer.exe installs but disappears on reboot. Adaware installs and claims to clean one trojan, but the OS still can't install NOD after a reboot. AVG, Avast, Bitdefender, Antivir - none of them can install. Avast at least ran a system scan on reboot, cleaning three trojan files, but its Windows executable disappears as it boots into Windows. Comodo's BOClean installs and claims there are no problems. What a mess, and a pretty scary testament to the ineffectiveness of security software.

Anyone have any other tips before a full HD wipe (this is a favour and I can't waste huge amounts of time on it)? I suspect that somehow permissions have been reset, which is why antivirus exes can't install, but permissions of directories look fine in Explorer.

nudone

Re: Fixing an XP Laptop, when to give up?
« Reply #1 on: November 19, 2007, 07:18 AM »
i'd jump to the clean install as you may just keep finding one more problem after another trying to sort out the current situation.

a reinstall will probably be the quickest solution - and the one that will give you peace of mind. i've known problems that were fixed for friends only for them to tell me they'd reappeared a week or two later - not having done a complete reinstall to solve the problem just made me wonder if the problem had never been fixed OR was it their actions bringing the problem back.

best to cover your own back and know how things are for sure i'd say - wipe it and reinstall.

justice

Re: Fixing an XP Laptop, when to give up?
« Reply #2 on: November 19, 2007, 07:24 AM »
threatfire behaviour blocking -- http://www.threatfire.com/
it's a new program so might not be blocked yet. When active it blocks programs based on behaviour (threatfire is the old Cyberhawk).

Apart from that you can look at housecall's online virusscan (although it downloads itself through the browser).

I would recommend a clean install too though after any trojan attack, you don't want it to come back and it's hard to tell when it's really gone. I used Process Explorer to remove trojans by looking at the dll handles of explorer etc but it still returned somehow.

Ralf Maximus

Re: Fixing an XP Laptop, when to give up?
« Reply #3 on: November 19, 2007, 07:48 AM »
Quote from nudone: "best to cover your own back and know how things are for sure i'd say - wipe it and reinstall."

Yep.  Nuke the site from orbit; it's the only way to be sure.

nontroppo

Re: Fixing an XP Laptop, when to give up?
« Reply #4 on: November 19, 2007, 07:59 AM »
Ok thanks guys, nuke it will be. This I have to say is the best reason I can ever think to upgrade from XP to Vista for normal users, it is worth losing 50% performance for. I know users have some responsibility for keeping safe, but the level of threat and the ineffectiveness of security solutions for XP for users who don't really know what a trojan is is frightening.

Bah, and why the hell did MS shut down Autopatcher!

Darwin

Re: Fixing an XP Laptop, when to give up?
« Reply #5 on: November 19, 2007, 08:07 AM »
Thanks for the reminder, nontroppo! I'm off to run a backup now... I think it's time I invested in a proper external hard drive (a TB drive in its own cooled case as opposed to old notebook drives in simple USB enclosures) that I can leave running whenever my computer is connected to it and not worry about it getting too hot. This way I can actually use the scheduled backup feature in TrueImage and avoid forgetting to do them once a week...

justice

Re: Fixing an XP Laptop, when to give up?
« Reply #6 on: November 19, 2007, 08:23 AM »
Consider setsafer if you think the enduser will understand the slight changes to their browser:
Topic: Run apps as non-admin with SetSafer to avoid spyware.

Lashiec

Re: Fixing an XP Laptop, when to give up?
« Reply #7 on: November 19, 2007, 12:11 PM »
In those cases, it's always better to have a CD with some security solutions stored. Don't know how many can be burned in a CD and executed with the app complaining about it can't write to disk, though. Or resort to online scanners, Kaspersky, TrendMicro's HouseCall or the same NOD32 are pretty good. Unfortunately, except HouseCall, all of the others are ActiveX based, so it may be a bit difficult to run in a pest-infested environment. Anti-rootkits, like AVG, F-Secure, or Panda (those two are only available in sites like MajorGeeks or Betanews, as they were discontinued). Scanning tools like HijackThis or expert tools like GMER, DarkSpy or IceSword will do a better detective job than Process Explorer.

At least now you know how to protect your friends better. IE7 with common sense is pretty secure, but add browser protection tools like SpywareBlaster or SpyBot to avoid scumware sites. Even adblockers like AdMuncher can suppress those damn redirections and storms of popups. A good antitrojan like AVG Anti-Spyware could come in handy too, and it has a free trial before becoming a simple scanner. NOD32, despite what they say of it, is not watertight, like any other security tool, despite being the most resistant tool to process termination. So, a multilayered defense is better, at least for peace of mind.

psionics

Re: Fixing an XP Laptop, when to give up?
« Reply #8 on: November 19, 2007, 01:13 PM »
there is no better way to eliminate a virus than manually eliminating them.. check my blog:
http://hapuzi.blogspot.com

nontroppo

Re: Fixing an XP Laptop, when to give up?
« Reply #9 on: November 19, 2007, 01:23 PM »
Well, IE7 is the most probable vector in this affair - the machine was fully patched (auto updates anyway) and my friend has no recollection of specifically running an application downloaded (they don't use Outlook). Secunia suggests IE7's unpatched vulnerabilities are 37% of its total, pretty shoddy, irrespective of the severity of said issues (and 37% of those vulnerabilities are extremely or highly critical). The browser installed will be Opera or Firefox, with content blocker and phishing filter set up.

I am gobsmacked at how easily NOD32 was inactivated. Trend Micro Housecall cannot even download its updates via the browser for recovery via that route. Threatfire installs OK, but its scan reveals nothing. I have to say I have some respect for whoever coded that, it is invisible and has somehow fought off all the recovery products I can throw at it.

So to invert mouser's question, how many security products are enough?

Lashiec

Re: Fixing an XP Laptop, when to give up?
« Reply #10 on: November 19, 2007, 04:36 PM »
Maybe it's a new trojan, or is hidden by using a rootkit (as rootkits by definition are not malware). If you somehow come across the offending file, it would be a good idea to send it to various security software companies. It looks like you won't find it, though :(

How many security products are enough? Well... a maximum of 4 running and scanning in real time is more than enough, that is, antivirus, firewall, antispyware and a HIPS. Of course, HIPS and firewall are optional, Windows firewall behind a router (or even without it) should be enough.
« Last Edit: November 19, 2007, 04:39 PM by Lashiec »

mouser

Re: Fixing an XP Laptop, when to give up?
« Reply #11 on: November 19, 2007, 04:41 PM »
Honestly, in everything but the very most trivial easily identified and localized infections, my recommendation would be:
back up all user data files and reformat the hard drive completely.

It's just not worth the risk that there is some infected file you won't find, and not worth the hassle.

Reinstall from scratch, then make an image of the drive in case you have to go back again to the clean state.

Keep in mind however, that many laptops come with a cd that will do a clean format and reinstall of laptop hardware drivers.  Unlike desktops, some laptops have specialized drivers and software that should be installed to get the most out of the touchpad, etc.

Deozaan

Re: Fixing an XP Laptop, when to give up?
« Reply #12 on: November 19, 2007, 05:43 PM »
Quote from mouser: "Keep in mind however, that many laptops come with a cd that will do a clean format and reinstall of laptop hardware drivers. Unlike desktops, some laptops have specialized drivers and software that should be installed to get the most out of the touchpad, etc."

Also, some manufactured computers (Dell) have a certain order for the drivers to be installed in, or it could cause problems much farther down the road. Be aware of those kinds of situations.