Score One: Removed Rogueware via Remote Access

Posted: Fri Sep 03, 2010 4:30 pm
by FlyingPenguin
I'm surprised I won this battle. The client has a business in town that I manage the IT for, but I also take care of his home machine, mostly via remote access because he lives an hour's drive away and the only day he's there is on a weekend (and I hate working weekends). I rarely go there unless I have to and I thought I'd have to this time when he told me he had a rogueware trojan.

He got one of those classic but simple rogues going around. It blocks you from running any app except IE & FF and constantly throws gay porn at you while nagging you to buy the full product to remove your viruses. It sets itself up as a proxy so you can't browse any websites except what it wants you to (and you can't open IE settings to disable the proxy). You can't run Task Manager, DOS command line, or any utility that can disable processes, and it also blocks you in Safe Mode.

It's not a true rootkit because it loads rather late in the boot process. This sucker is easily circumvented by IMMEDIATELY hitting CTRL-ALT-DEL to bring up the Task Manager as soon as the desktop comes up and before the virus is loaded, then disabling every process that comes up that's not required for minimal operation of Windows.

Works like a charm IF you are physically at the computer. I thought it would be a little dicey via remote control but I rebooted the PC via Logmein, then sat at the Logmein web portal continually refreshing until I saw the PC was back online, and immediately logged on. Even with the slight delay I still got on before the virus loaded - fortunately Logmein is a service and is loaded very early - even before the desktop comes up.

Then it was just a matter of killing processes, removing the virus startups and deleting the executables, removing the proxy and then running my standard cleaning with HijackThis, Hitman Pro, Trojan Remover and Malwarebytes to clean out the remaining debris.

It also didn't hurt that this was a fast quad core system and I didn't have to sit there waiting painfully for the system to respond. I hate it when I have to do a cleaning like this on a 6 year old PC with 512MB of RAM - it takes twice as long.
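The cleanup above (find the hijacked proxy, find the autostart entries, undo the proxy) can be scripted for triage. The following is an added example, not the poster's own tooling; it assumes Windows PowerShell run as the affected user, reads only the standard WinINET proxy values and the Run/RunOnce keys, and changes nothing unless `-Fix` is passed. Startup entries are listed for review rather than deleted automatically.

```powershell
# Added triage example (not from the original post). Assumes Windows PowerShell
# running as the affected user. Registry paths are the standard WinINET proxy
# settings and the per-user / per-machine Run and RunOnce autostart keys.
param([switch]$Fix)

$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Report the WinINET proxy that the rogue uses to fence the browser in.
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
"ProxyEnable = $($p.ProxyEnable)  ProxyServer = $($p.ProxyServer)"
if ($p.ProxyEnable -eq 1 -and $p.ProxyServer -match '^(127\.0\.0\.1|localhost)') {
    Write-Warning 'Proxy points at the local machine, consistent with a local interception proxy'
}

# 2. List every autostart entry; flag ones launched from user-writable folders,
#    which is where this kind of rogueware typically drops its executable.
$suspectDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ }
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
             Select-Object -ExpandProperty Name
    foreach ($name in $names) {
        $cmd  = [string]$props.$name
        $flag = ''
        foreach ($d in $suspectDirs) {
            if ($cmd -like "*$d*") { $flag = '   <-- runs from a user-writable path' }
        }
        "$key\$name = $cmd$flag"
    }
}

# 3. Optionally undo the proxy hijack. Only the proxy is touched; startup
#    entries and files are removed by hand after the listing above is reviewed.
if ($Fix) {
    Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
    Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue
    'Proxy disabled; restart the browser so WinINET picks up the change.'
}
```

Run it first without `-Fix` to get the report, then with `-Fix` once the listed entries have been reviewed; HKLM values need an elevated session to change.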

Posted: Fri Sep 03, 2010 7:28 pm
by DaMaN
Wow, nice work. Is "logmein" free or trialware?

Posted: Wed Sep 08, 2010 9:38 pm
by normalicy
LogMeIn is free. But it's only supposed to be used for personal use when free. You still need to set up remote desktop or an equivalent though. I love the program for keeping my files handy.

Posted: Wed Sep 08, 2010 10:27 pm
by FlyingPenguin
I use the Logmein free for the most part. It does everything I need. Lately I've also been using Team Viewer.

Posted: Mon Sep 13, 2010 2:21 pm
by revo1059
I remotely clean systems with a decent success rate fairly regularly. I use PCDuo remote control. It's a paid app, we sell it with our software suite.