Epic Virus Battle

First time (in a long time) coming across a machine infected so badly that it took several hours to repair. The usual routine is download your favourite antivirus, update, scan, done. Then windows update, done.

It wasn’t so easy in this case. All antivirus websites were blocked. I checked the obvious: hosts file, proxy, TCP/IP DNS settings, network protocols, nothing. Still could not get to any antivirus website. Every one of them blocked, no man left behind.

To add to the fun, the computer was randomly locking up. Windows would freeze, but the mouse and keyboard would continue to function. At first I thought it was the CPU overheating. The CPU heatsink was clogged with crap from here to China, and the owner was obviously a very heavy smoker. Cleaned the heatsink, slapped on some Arctic MX-2, reinstalled it, and now I was ready to continue the battle.

After I don’t know how many hours I decided maybe I should stop trying to get past the DNS issue and focus on the real issue. Then I got the idea to test for rootkits. Downloaded Rootkit Revealer, it showed a few things, among which was UACd.sys. From the name it sounded fishy, and when I looked it up, it was none other than a rootkit.

After a bit of googling, Combofix to the rescue. Detected the rootkit, and it claimed to have cleaned it after several reboots. Opened Firefox, same thing. Cannot hit any of the antivirus websites. Checked with Rootkit Revealer, at least the UACd trojan was gone.

I decided I needed to get around this DNS issue, and I recalled the name of McAfee’s standalone scanner: McAfee Stinger. Googled it, found the file on a mirror not blocked by the virus, download, run. Within a few seconds, this pops up: Conficker.c!mem detected. It didn’t take much googling after that to find out this PC had all the symptoms mentioned in the Conficker advisory articles. Now I needed to get rid of it. Remember I couldn’t access any AV sites or Microsoft’s website among others, so this wasn’t going to be easy.

I found a few Conficker removal tools, all were useless. My guess is because of all the versions that exist of this virus: Conficker.A, Conficker.B, Conficker.C, and Conficker.D. Finally I found one on Symantec’s website, Symantec Conficker Removal ToolD.exe (for some reason, they refer to it as W32.Downadup). Except I was viewing the article using Google’s cache, and the download link still resided on Symantec’s website.

I found a website called Megashare which actually let me upload from a URL. I gave it the URL to Symantec’s tool and uploaded it to their servers. Had to wait 10 seconds for “free” access, finally was able to download the file. When it ran, it had a simple interface with no information at all. I clicked scan and it began scanning every file on the PC.

As the tool was running, I kept clicking through some of the search results and came across one genius who had suggested that there is a way around the blocked DNS requests. The command was net stop dnscache. Conficker infected the dnscache service; by shutting it down you force every request to go directly to the DNS server, bypassing the dnscache layer. Lo and behold, sophos.com was accessible, as were microsoft.com and every other antivirus website.
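The trick above works because a tampered local resolver layer only sees queries that pass through it. A quick way to confirm that kind of tampering during triage is to resolve the same security-vendor names twice: once through the operating system resolver (hosts file, cache, configured servers) and once with a raw UDP query sent straight to an upstream server. The script below is an added example written for this post, not something from the original entry or from any vendor tool. It builds and parses DNS A queries with only the standard library so it can run on a machine whose package sources are unreachable. The upstream server 8.8.8.8 is an assumption; substitute whatever resolver you trust. The sample response packets it constructs for self-testing use addresses from the 192.0.2.0/24 documentation range and are not captured traffic.

```python
"""Spot a hijacked local DNS layer by comparing OS resolution with a direct query."""
import random
import socket
import struct

# Hypothetical watch list: names a blocked machine in the story could not reach.
WATCH_LIST = ["sophos.com", "microsoft.com", "symantec.com", "mcafee.com"]
UPSTREAM = "8.8.8.8"  # assumption: any resolver you trust, reached directly on UDP/53


def build_query(name, txid=None):
    """Build a minimal DNS A/IN query with the RD bit set. Returns (txid, packet)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return txid, header + question


def _skip_name(data, offset):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid):
    """Return (rcode, [IPv4 strings]) from a raw DNS response packet."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        offset = _skip_name(data, offset) + 4
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return rcode, addrs


def make_sample_response(txid, name, rcode, addrs, ttl=300):
    """Construct a response packet for offline testing (constructed, not captured)."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | (rcode & 0xF), 1, len(addrs), 0, 0)
    question = build_query(name, txid)[1][12:]
    answers = b"".join(
        b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
        for ip in addrs
    )
    return header + question + answers


def direct_lookup(name, server=UPSTREAM, timeout=3.0):
    """Ask `server` directly, bypassing the OS resolver and its cache entirely."""
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def local_lookup(name):
    """Resolve through the OS path: hosts file, DNS client cache, configured servers."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def compare(names=WATCH_LIST, server=UPSTREAM):
    """Flag names the local path cannot resolve although the upstream server can."""
    report = {}
    for name in names:
        local = local_lookup(name)
        rcode, direct = direct_lookup(name, server)
        report[name] = {"local": local, "direct": direct, "rcode": rcode,
                        "suspicious": bool(direct) and not local}
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        flag = "SUSPICIOUS" if row["suspicious"] else "ok"
        print(f"{name:20} local={row['local']} direct={row['direct']} {flag}")
```

A name that the upstream server answers but the local path returns nothing for is the signature this post describes; hosts-file entries pointing vendor names at loopback show up the same way, as a local answer that differs from the direct one.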

Finally, when Symantec’s Conficker Removal Tool completed, it happily reported 11 infections cleaned successfully. Rebooted, and everything appeared to be working. I started doing the routine things, downloading/updating AV, and installing Windows Updates. And by the way, it wasn’t the CPU overheating causing Windows to hang, it was the Conficker virus.

Many lessons learned. Including the fact that I can survive a 48 hour period with less than 4 hours of sleep.

One might ask the following obvious questions:
1. You freaking n00b. Why didn’t you just format?
- I wanted a challenge, I hadn’t had one in a while.
2. How much time did this consume?
- You don’t want to know.
3. Why didn’t you download the av files on a different PC, put them on a flash drive and run them on the infected PC?
- General rule is, when a PC is infected you don’t put rewritable storage on it because it can get infected too.
4. CD/DVD then?
- Too lazy to get up and grab my laptop.
5. Network share with readonly access?
- See response above.
6. Why not use a website like proxybrowsing.com?
- Similar to google cache. Usually they don’t let you download files through the proxy.
7. Is Conficker real?
- Some people say he hides in the shadows, others say he has eyes like Jay Leno. All we know is: he doesn’t like pandas.

First GUI Linux Experience

Finally had a chance to install Linux (Ubuntu 9.10) on a personal computer. After 15 years of the Windows GUI (Graphical User Interface), I can say I am not as disappointed as I thought I would be. That means it left a not unpleasant taste, which is a good thing.

The GUI is much snappier, and you don’t waste time waiting for the silly effects plaguing today’s top Operating Systems (OSes). When you run, it runs. When you stop, it stops. I love that! Package management is sweet, I don’t need to spend time googling my software when most of it can be had from the OS. Nobody beats Linux in customizability, something everyone should know by now. I can even say they went over the top with the features, checkboxes, and textbox fields. This needs to improve for Linux to receive widespread support from the uneducated portion of users.

When you have been using Windows exclusively (mostly) for the majority of your IT life, you “feel” the OS and it becomes very predictable. With linux, I find this predictability instinct to be useless because I just can’t feel it. I don’t know what to expect or when to expect it. I don’t know where things will appear and what the most suitable response is. This is not a bad thing, it is just different.

The one thing I can feel is that the hardware has the opportunity to breathe. With Windows you feel like your laptop is a stressed out over-the-hill single mom. With Ubuntu it’s like an athlete ready to run the telethon. Your hard drive isn’t forever reading/writing, your memory isn’t consumed by things you don’t understand, and your CPU fan isn’t running at max speed because your CPU patiently awaits the next gentle request.

Am I ready to ditch Windows? Not by a long shot. You have nice, and you have usability and convenience. Linux is “nice”, but hugely impractical for someone that has many dependencies on silly programs. It’s not a great surprise that many corporations choose Linux as their primary server OS. It is also not a great surprise that Windows is the #1 preferred end-user platform in the world.

Thank you Linux for the alternate experience.

First blog entry. Ever.

Welcome to my blog.

My name is Ahmad Hammado and I am a Computer Science graduate. I love being passionate and motivated about a lot of things, but rarely find the perfect challenge.

List of passions:

  • programming
  • electronics
  • computer hardware
  • problem solving
  • design and analysis
  • football (soccer in some countries)
  • nature
  • photography

List of accomplishments:

  • Starting this blog
  • to be continued…

I’ll do my best to keep this updated with things I find interesting and keep it original. The internet is full of duplicated information, a good example is the first part of this sentence.