
One man's job

by Andrew Cooper

February 4, 2005 - Part I

Situation

Overview

My computer was working OK, probably because I knew how to use it safely and keep it running in a virus-free and resource-effective state. But I couldn't say that of a friend's computer. She'd been complaining to me that her computer was giving her a hard time. I promised that I'd drop by and help her fix it, if I was up to the task.

The next weekend, I visited her for a chat, dinner, and a tête-à-tête with that PC of hers.

After dinner was finished and most topics had been discussed, I went to the room where her PC was. Having seen her lack of interest in the subject, I decided not to ask her any further questions about what she thought was wrong with her computer; I just wanted to get it up and running again without much fuss or waste of time.

Turning her Acer Aspire T130 on, I noticed that it took a longer time to boot than it normally did. That, of course, could be explained by extra programs configured to start automatically when Windows starts, plus a bunch of additional drivers and services those programs require to run smoothly. But as I later found out, that wasn't the case.

Symptoms

After Windows XP Professional SP2 finally booted, the regular Windows wallpaper was replaced by this "unwelcome" screen:

[Screenshot: hijacked desktop]

This screenshot was part of the Windows desktop. Any comments?

Yeah, I have some.

First, it was clear that the desktop wallpaper had been modified or "hijacked" by some application that was running in memory and wouldn't let me restore the original wallpaper. The "removal instructions" hyperlink was working, and my mouse cursor changed from an arrow to an index finger when I placed it over the text, meaning that Windows was displaying an interactive Web page on the desktop.

The message, written in broken English, stated that the PC was infected (at least, as I understood it) and offered me ways to "secure" it.

Clicking the proposed hyperlink, of course, would do the contrary; it would exacerbate the situation even further, because hackers had created a trap to lure an ignorant victim. This trick of inducing users to click a bogus hyperlink is part of a broader "social engineering" scheme, and our readers should know how to recognize it so they don't become victims. (In my next article, I will cover that subject in depth, so please stand by.)

Back to the story--I didn't know where the hyperlinked text would lead, and of course, I didn't wish to find out by clicking it. My best guess was that it pointed to some con site somewhere in the Eastern European domain zone.

I also spotted two more nuisances. The first was the "Protect Your Data" icon on the desktop, which was added by the unscrupulous program. This icon was a shortcut to the remote IP 213.159.117.130, and a search on a WHOIS service (http://www.networksolutions.com/en_US/whois/index.jhtml) revealed that it linked to a Web site in the Netherlands.

After I had been working for a couple of minutes, a new window popped up, asking me to select my country. What for? What was it supposed to do with this information? Note from the picture above that there was no chance of my closing the window without providing any input. My immediate guess was that it was an Internet dialer--a modified Internet connection wizard using a simple dial-up call to charge exorbitant rates per minute of Internet connection.

By that time, the logical move for me was to go to Windows Task Manager (by pressing Ctrl+Shift+Esc), kill all processes and applications I didn't recognize as legitimate, and finish them off with a sweep of an antivirus or antispyware program. But that proved to be harder than I expected, because I was unable to launch Windows Task Manager. Windows simply bashed me with this alert window:

[Screenshot: "Task Manager has been disabled" alert]

Weird. When I last installed Windows, I gave only one user account the rights of an Administrator. I didn't think my friend had gone so far as to change the system setting for the current user on her computer.
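The three symptoms above (extra programs starting with Windows, a web page sitting on the desktop in place of the wallpaper, and Task Manager refusing to open) all leave traces in the per-user and per-machine registry, so a defender can triage them without clicking anything on that desktop. The PowerShell below is an added example, not part of the original article or of PC Flank's tools; the registry paths and the DisableTaskMgr value are the standard Windows locations for these settings and are assumptions on my part, since the article does not name them. Run it in an elevated PowerShell session on the affected machine.

```powershell
# Added example (not from the article): triage the symptoms described in Part I.
# Registry locations below are the standard Windows ones; the page itself does not name them.

# Autostart locations that launch programs when Windows starts (per-user and per-machine).
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    # Lists every value under the Run/RunOnce keys so unfamiliar commands stand out.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-TaskMgrPolicy {
    # DisableTaskMgr = 1 is what produces the "Task Manager has been disabled by your
    # administrator" dialog; malware sets it to block exactly the move the author tried.
    $paths = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    )
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        [pscustomobject]@{ Path = $path; DisableTaskMgr = $v }
    }
}

function Get-WallpaperSetting {
    # The normal wallpaper value and the first Active Desktop component. A URL or an .htm/.html
    # file as the component source is the sign of an interactive web page on the desktop.
    $wall = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    $comp = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components\0'
    $src  = (Get-ItemProperty -Path $comp -Name Source -ErrorAction SilentlyContinue).Source
    [pscustomobject]@{ Wallpaper = $wall; ActiveDesktopSource = $src }
}

function Enable-TaskMgr {
    # Remediation: remove the per-user policy value so Task Manager opens again.
    # Repeat for the HKLM path (elevated) if the policy was set machine-wide.
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path $path) {
        Remove-ItemProperty -Path $path -Name DisableTaskMgr -ErrorAction SilentlyContinue
    }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-TaskMgrPolicy    | Format-Table -AutoSize
Get-WallpaperSetting | Format-List
```

Review the autostart list before deleting anything: a legitimate driver helper and a dialer can both live in the same Run key, and the command path is the only clue. Once DisableTaskMgr is gone, Task Manager works immediately; no reboot is needed, which matters when the goal is to stop the running process before it rewrites the value.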


Read next:
Continue to Part II

© 2006 PC Flank Ltd. All rights reserved.