Wednesday, May 21, 2008
Usual oatmeal breakfast. Printer ordering follow-up; switched to HP because I wasn't getting the answers I needed from Paul C at CDWG. Requested hostname change from ServInt. Assigned Eric V project to update Flickr group descriptions. Student SL reported laptop problems: pop-up windows appear unexpectedly. Computer is a Dell Inspiron 1200, Celeron 1.3 GHz, 768 MB RAM. Steps taken:
- Uninstalled Webshots Toolbar and Webshots Desktop.
- Turned ClearType on.
- Uninstalled Windows Live Toolbar and Windows Live Bookmarks for Windows Live Toolbar.
- Installed Startup Manager, which enables you to control what items start automatically when your computer starts up.
- Uninstalled Image Transfer.
- Attempted to uninstall Google Toolbar. Computer hung during uninstallation process.
- Restarted the computer normally.
- Opened Startup Manager. Disabled a bunch of startup items.
- Uninstalled AIM Toolbar 5.0 and AIM 6.
- Uninstalled Java SE Runtime Environment 6 Update 1.
- Restarted the computer normally.
- Uninstalled AOL Safety and Security Center.
- Restarted the computer normally.
- Installed Sophos Anti-Virus and Sygate Firewall.
- Restarted the computer normally.
- Set Control Panel > System > Advanced > Performance to best performance—this makes the computer faster at the expense of being less pretty.
- Installed Windows Defender anti-spyware and let it run its initial quick scan. Error: Windows Defender: The program can't check for definition updates. Error code 0x80070422.
- Opened services.msc. Disabled Smart Card, Indexing Service, Google Updater Service.
- Attempted to start Automatic Updates—Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (OK).
- Opened a command prompt and ran sfc /scannow, which ran completely with no errors or warnings.
- Opened Startup Manager and wrote down the names of suspicious files: fcc3267a, BMfff015e6, jqifqkaa.dll, uhycfdmv.dll, C:\Documents and Settings\[username]\lsass.exe.
- Restarted the computer in Safe Mode, logged in as Administrator.
- Successfully deleted or renamed all suspicious files.
- Opened regedit, searched for keys with the suspicious names. Found a key called IProxyProvider which was linked to jqifqkaa.dll—deleted it.
- Opened Startup Manager, deleted disabled suspicious items.
- Closed Startup Manager.
- Opened Startup Manager—deleted items stayed deleted.
- Restarted the computer normally.
- Ran a scan in Windows Defender even though it did not have the latest definitions.
- Attempted to open Sophos Anti-Virus. Error: You do not have sufficient privileges to run the Sophos Anti-Virus main application. You are not a member of any of the Sophos groups. [...] (Close)
- Opened a command prompt, ran regsvr32 wuaueng.dll.
- Opened services.msc, successfully set Automatic Updates to Automatic, but it was stuck on "Stopping."
- Restarted the computer normally.
- Opened services.msc. Automatic Updates is back to Disabled.
- Searched Google on IProxyProvider—found a blog that described the same symptoms but I had already tried all the things it suggested as a fix. This blog mentioned that the virus was called Vundo. Searching on Vundo pointed me to a description of the threat on the Sophos website.
- The virus copied itself to my USB drive after I had inserted it to copy troubleshooting software to the computer. When I inserted my USB drive into my own computer, Sophos on my computer alerted me to Mal/Generic-A and W32/AutoRun-CW viruses on the USB drive. These were resolved by removing autorun.ini and start.exe which had been copied to my USB drive.
- Restarted the computer normally.
- Opened Internet Explorer, deleted the browsing history, changed disk space to use from 801 MB to 50 MB and set IE to empty temporary items folder upon exiting.
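The checks from the cleanup above, written out as an added example that is not part of the original entry: flag a startup item whose file has a system-process name (lsass.exe) but lives outside system32, flag the eight-random-letter DLL names Vundo generates, flag anything launched from a user-writable directory, and parse the autorun file a USB worm drops to see what it would launch on insertion. The startup entries and the autorun.inf text are constructed for illustration; the file names come from the diary, the command lines, the student profile path and the benign ctfmon entry do not.

```python
"""Startup-entry and autorun.inf triage for a Vundo-style cleanup.

Added example, not part of the original diary entry. Every startup entry
and the autorun.inf text below are constructed for illustration: the
names jqifqkaa.dll, uhycfdmv.dll, BMfff015e6, start.exe and the lsass.exe
in the user profile come from the diary, their command lines and the
student's profile directory do not.
"""
import re
from configparser import ConfigParser
from pathlib import PureWindowsPath

# Binaries that belong only in the system directory; a copy elsewhere is a masquerade.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "csrss.exe", "svchost.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIR = r"c:\windows\system32"
# Host processes that load the real payload, so they are not themselves scored.
LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Locations an ordinary user can write to; startup items rarely belong there.
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\")

PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll)|\b[\w-]+\.(?:exe|dll)\b', re.I)
EIGHT_LOWER = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}")
Q_WITHOUT_U = re.compile(r"q(?!u)")


def looks_random(basename: str) -> bool:
    """Vundo-style generated names: eight lowercase letters that fail a pronounceability check."""
    if not EIGHT_LOWER.match(basename):
        return False
    stem = basename.split(".")[0]
    return bool(CONSONANT_RUN.search(stem) or Q_WITHOUT_U.search(stem))


def assess_command(command: str) -> list:
    """Reasons a startup command line looks suspicious; an empty list means nothing was flagged."""
    reasons = []
    for match in PATH_RE.findall(command):
        path = PureWindowsPath(match)
        base = path.name.lower()
        if base in LOADERS:
            continue
        if base in SYSTEM_PROCESS_NAMES and str(path.parent).lower() != SYSTEM_DIR:
            reasons.append(f"system process name outside system32: {path}")
        if looks_random(base):
            reasons.append(f"random-looking filename: {base}")
        if any(marker in str(path).lower() for marker in USER_WRITABLE_MARKERS):
            reasons.append(f"runs from a user-writable directory: {path}")
    return reasons


def triage(entries) -> dict:
    """Map each flagged startup entry name to its reasons; clean entries are omitted."""
    flagged = {}
    for name, command in entries:
        reasons = assess_command(command)
        if reasons:
            flagged[name] = reasons
    return flagged


def autorun_targets(inf_text: str) -> list:
    """Programs an autorun.inf would launch on insertion (open=, shellexecute=, shell\\...\\command=)."""
    parser = ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.read_string(inf_text)
    section = next((s for s in parser.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    targets = []
    for key, value in parser.items(section):  # ConfigParser lower-cases the keys
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value.strip())
    return list(dict.fromkeys(targets))  # de-duplicate, keep order


# Constructed sample data (not taken from the infected laptop).
STARTUP_ENTRIES = [
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("jqifqkaa", r'rundll32.exe "C:\WINDOWS\system32\jqifqkaa.dll",a'),
    ("BMfff015e6", r'rundll32.exe "C:\WINDOWS\system32\uhycfdmv.dll",b'),
    ("lsass", r"C:\Documents and Settings\student\lsass.exe"),
]

USB_AUTORUN_INF = r"""[AutoRun]
open=start.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open\command=start.exe
shellexecute=start.exe
"""

if __name__ == "__main__":
    for name, reasons in triage(STARTUP_ENTRIES).items():
        print(name, "->", "; ".join(reasons))
    print("autorun.inf launches:", autorun_targets(USB_AUTORUN_INF))
```

The name heuristic is deliberately narrow (eight lowercase letters plus a consonant run or a q without u) so it does not fire on ordinary Windows binaries; the lsass.exe rule needs no heuristic at all, because that name is only ever legitimate in system32. For the USB drive, the point is that the launch targets sit in the autorun file, so reading it tells you what was planted even before scanning the executable.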
At this point the student took the computer back to run a Maxtor backup one last time just in case we had to wipe it and start over. ServInt hostname change complete. I had to go into WHM and update the hostname again in "Basic cPanel/WHM Setup" on my own. Listserv administration. Helped Joel resolve mailbox-too-full problems. Small web update for Joel. Began work on a poster project for Cindy. Sold some old computer equipment. Dinner at home with Patrick: dim sum from Simmone. Uploaded photos to Flickr. Tailoring: edited a white dress shirt to fit better, made my first properly finished hems. I made a small error in the left armpit, and my hems were not perfect, but no one will notice. Shirt fits great now. Unfortunately it took me about 3 hours. The finished hems took the longest time.