The first symptom was Clare’s laptop having trouble burning a CD through iTunes. A few reboots later and some odd anti-virus dialogs started popping up. A few web searches and another reboot later, the machine was completely owned.
Boot-up was taking five times as long and was punctuated with incessant dialogs and tooltips from the system tray. Having tackled a few bits of malware in the past, I immediately turned to Malwarebytes Anti-Malware and ComboFix. Unfortunately, the malware writers know all about these tools and try very hard to keep hold of the system. Here are some of the cute steps they took to keep the system in lockdown:
- Disabled access to the Task Manager
- Disabled CD and USB drive access
- Turned off automatic updates
- Disabled all executables!
That last one was ridiculous. If you could find a way to get a file onto the computer (don’t forget, no USB disks, no CDs), you couldn’t even execute it. I tried all sorts of tricks and literally everything was locked down. Finally, a little research explained that only a few executable names are allowed to run. If you rename your app to explorer.exe, it’ll run. Using that trick and Process Explorer, I was able to kill the offending processes. A few registry hacks, exeFixer, ComboFix and finally Malwarebytes, and I think the system is fixed.
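The four lockdown tricks above all live in well-known registry locations, so they can be audited before you start killing processes. The following PowerShell script is an added example for this post, not the author's own fix and not a tool mentioned in it. It checks the standard policy and service values for each trick. The last two checks assume the "only explorer.exe runs" symptom came from the common rogue-antivirus hijack of the .exe file association (the `exefile\shell\open\command` value, or a per-user override under `HKCU\Software\Classes`), where the hijacking program only passes a short whitelist of names through to the real target; the post does not say which mechanism this particular malware used. Run it from an elevated prompt on the infected machine (renamed to explorer.exe if you have to).

```powershell
# Added example (not from the original post): audit the lockdown tricks.
# Assumption: the executable lockdown is an exefile association hijack;
# the post does not identify the actual mechanism.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try {
        return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        return $null   # key or value absent
    }
}

# Each check: where to look, what a tampered value looks like, and the fix.
$checks = @(
    @{ Name  = 'Task Manager policy'
       Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Value = 'DisableTaskMgr'
       Bad   = { param($v) $v -eq 1 }
       Fix   = 'delete DisableTaskMgr (or set it to 0)' },
    @{ Name  = 'USB storage driver'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
       Value = 'Start'
       Bad   = { param($v) $v -eq 4 }          # 4 = disabled
       Fix   = 'set Start back to 3 (manual)' },
    @{ Name  = 'CD-ROM driver'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\cdrom'
       Value = 'Start'
       Bad   = { param($v) $v -eq 4 }          # 4 = disabled
       Fix   = 'set Start back to 1 (system)' },
    @{ Name  = 'Automatic Updates'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
       Value = 'AUOptions'
       Bad   = { param($v) $v -eq 1 }          # 1 = disabled
       Fix   = 'set AUOptions to 4 (download and install)' },
    @{ Name  = '.exe open command (machine-wide)'
       Path  = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
       Value = '(default)'
       Bad   = { param($v) $v -ne '"%1" %*' }  # anything but the stock value
       Fix   = 'restore the default value to "%1" %*' },
    @{ Name  = '.exe open command (per-user override)'
       Path  = 'HKCU:\Software\Classes\exefile\shell\open\command'
       Value = '(default)'
       Bad   = { param($v) $null -ne $v }      # no per-user key should exist
       Fix   = 'delete HKCU\Software\Classes\exefile entirely' }
)

foreach ($c in $checks) {
    $v       = Get-RegValue -Path $c.Path -Name $c.Value
    $flagged = & $c.Bad $v
    $status  = if ($flagged) { 'TAMPERED' } else { 'ok' }
    '{0,-40} {1,-9} value={2}' -f $c.Name, $status, $v
    if ($flagged) { '    fix: ' + $c.Fix }
}
```

A hijacked `exefile` command usually reads something like `"C:\...\rogue.exe" "%1" %*`, which is why every launch goes through the malware and only whitelisted names get passed on. Restoring the value is what tools like exeFixer do for you; the point of auditing first is to know which of the four tricks are actually in play, so a reboot into a half-cleaned system does not surprise you.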
Oh, who am I kidding, I don’t trust a once-rooted system. Time to wipe and install Windows 7!