Last night, I was working on a laptop that was given to me for some freelance tech support with the simple description of “acting like it has a virus and won’t connect to the Internet.” I got it home and fired up the computer. It definitely had a malware infection but the side effects may have proven to be worse than the actual antivirus.
The computer was running Windows Vista SP1. There was only one account, which ran at administrator level with the User Account Controls disabled. It also had no active antivirus running while having many out-of-date applications installed. If there was ever a computer just asking to be infected, this was the one but some factors made it for a more intriguing case of cleaning up the machine and getting it up and running again.
The laptop was pretty fast and that was fortunate since it had some scans to complete in its near future. After powering it on, I was greeted with a pop-up and noticed an unfamiliar icon in the system tray for Cyber Security. This was clearly a Fake AV and kept popping up every so often. I normally would have hoped to try killing the Cyber Security process through the task manager but the malware was blocking access to it. Figuring I could deal with that later after the malware had been removed, I headed into the Control Panel, Programs section. I was hoping Cyber Security might be one of those lax malwares that could be primarily removed from the Control Panel. Although it was listed in the Add/Remove Programs, it wouldn’t uninstall. Instead I found old Adobe Flash, Adobe Reader, and Java instances installed. I removed them so I could just install the latest versions after the computer was all cleaned up. I also found a trial of Norton 360 that clearly wasn’t doing its job so it also got uninstalled.
I installed Avast and MalwareBytes from a USB key since the computer couldn’t get online at this point. One problem at a time, I ran a Quick Scan with MalwareBytes which found 96 infected objects. I restarted the computer and resolved the error getting to the Task Manager that the Malware had created, “Task Manager has been disabled by your administrator.” I did that by deleting this key, HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystemDisableTaskMgr, from the Registry. I was then able to get in the Task Manager and look at the current processes and see if everything was running clean.
I still wasn’t able to get onto the Internet even after MalwareBytes removed a significant number of files related to the infection. I checked the usual settings that malware likes to change which makes recovery difficult: the HOSTS file and the proxy setting. The HOSTS file was clean and the proxy setting in Internet Explorer’s Tools, Options…, Connections, and LAN settings wasn’t set. The fact that it was connecting to ‘Local Only’ bothered me, what would cause it to not connect the rest of the way. This gave me pause to review what I’ve seen so far.
After running through everything in my mind, I looked at the properties of the Wireless network adapter and found a clue. There was a Symantec service enabled on both connections, apparently a leftover from the Norton 360 I had removed. Simply unchecking the service didn’t resolve the situation so I looked online and found a Norton Removal Tool. After running through the tool, which includes a screen where you have to answer a CAPTCHA, the Internet connected immediately upon reboot. Here’s another reason to avoid Norton like the plague.
Running the Norton Removal Tool allowed the computer to connect to the Internet so I updated MalwareBytes. Upon running the quick scan again, it found 45 infected objects with the new definitions. To hopefully prevent this from happening again, I updated Adobe Flash, Adobe Reader, and Java to their respective latest versions. I then went to move onto running Windows Updates and Windows Defender Updates but they wouldn’t connect. In the beginning I set the system date and time at the beginning from January 1st, 2001 to the correct time, so I can’t say that these dates are correct but Windows Defender was reporting that it was last able to check for updates in June, 2009. Yikes!
Unfortunately, neither Windows Defender nor Windows Update were able to connect and update the system. Internet Explorer was able to connect to the Internet but not to FTP locations (I downloaded Adobe Reader from the Adobe FTP site but had to switch to Firefox in order to download it). Windows Defender gave this error code as a result of failing to be able to connect:
Unable to connect. Error code 0x80072efd
While the Event Log gave this:
Event ID: 11
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Unfortunately, that error message actually sent me in the wrong direction. I kept looking for solutions to that error and ended up at a Microsoft TechNet Library article that didn’t resolve the problem. Many searches and wrong paths later, I finally started over with a new search and ended up with an article on Walker News.
While I had previously checked multiple times that the proxy was disabled through IE’s Internet Options, Connections tab, the article showed different commands to run to see and disable the proxy.
netsh winhttp show proxy
netsh winhttp reset proxy
After resetting the proxy, Windows Update and Windows Defender were both able to update. They had their work cut out for them as they were both missing updates from the past year. I set them to download and finally went to sleep. I woke up, rebooted the system, and it was purring along happily and cleanly.
With updated applications, OS, and a working antivirus installed now, hopefully it will be a while before the customer manages to get the computer infected again.