Friday, July 3, 2015

Profiles in PC Poisoning, Part 1

About a month and a half ago, my father walked into my room and asked me to take a look at his computer: "I can't do anything with it." Sure enough, something was slowing his computer down to the point that it took several minutes to process a mouse click - if it responded at all (i.e., if the system didn't hang). With some major-league perseverance I have been able to largely nurse his computer back to health: believe me when I tell you that this is the most exasperating thing I have had to deal with in my entire life.

My father's computer has a 1.39-GHz processor and 736 MB of RAM, which is not so different than the 2.4-GHz processor and 1 GB of RAM that my own computer has. But that's where the similarities end. I have an Intel iMac that runs OS X 10.6.8 whereas he has a Compaq 5017m that runs Windows XP Home Edition Service Pack 3. At this point you are thinking, "Windows XP? Dude, just get a new computer already." Yeah, yeah, we'll get to that: I am acutely aware that Microsoft pulled the plug on its XP support a little over a year ago. Be that as it may, a Compaq running XP is what I had to work with; moreover, there was an 'archival' aspect to its cleanup that appealed to me.

Low-hanging fruit

So, I trudge over to Google, run a windows xp troubleshooting slow search, and decide to try some of the things recommended by a "How to Speed Up a Windows XP Computer" wikiHow article.

I go to the computer's Add or Remove Programs Control Panel and throw out all of the Apple stuff - iTunes, QuickTime, a Bonjour program I am unfamiliar with, a Software Update application - and then get rid of RealPlayer. I reason, "If he wants to listen to music or watch a movie, he can do that with the Windows Media Player that is built into XP." I access the Add or Remove Programs panel via the My Computer pointer in the upper-left-hand corner of the desktop - this is a lot easier than getting to it via the Start menu.

I use the Disk Cleanup utility to
(a) delete temporary files,
(b) empty the Recycle Bin, and
(c) compress what can be compressed
for the C: volume. The Disk Cleanup utility can be launched by opening cleanmgr.exe with the Run command, which I access via a Run... pointer on the desktop.

I defragment the C: and D: volumes via the Disk Defragmenter utility, which can be launched by opening dfrg.msc with the Run command.

I disable all of the system's Startup Items via the Startup pane of the System Configuration Utility, which can be launched by opening msconfig with the Run command.

None of this has any noticeable effect on the computer's performance.

Hitting the iceberg

The wikiHow article recommends
(1) a CCleaner program for the removal of unnecessary files and
(2-4) Spyware Blaster, AVG, and Avira programs for the removal of spyware and/or viruses.
An initial attempt to download CCleaner causes the browser (Firefox) to crash. AVG 2015 is installed already on the computer: a "Scan now" operation turns up nothing.

I wonder, "If worse comes to worse, can I copy programs onto the hard disk via a CD?" In the course of trying to mount one of my old CDs via the F: drive I am suddenly confronted with a screen very similar to the one shown in the image below:



Uh-oh. My father's computer is infected with a ransomware program - specifically, a trojan named CTB-Locker - that has encrypted various files on the computer and will leave them encrypted unless a ransom payment is tendered within 96 hours. Clicking the button does display a list of encrypted files, most of which are in the computer's My Documents folder(s). I do not proceed to the 'payment page': whatever the payment is, I'm not going to pay it.

What doesn't work (for me at least)

I go to my iMac to research CTB-Locker on the Web, and come across a "How do I REMOVE CTB-Locker ransomware (Free removal guide!)" YouTube video. The video gives the following procedure for getting rid of CTB-Locker:
(1) Reboot the computer into its safe mode.
(2) Go to the Temp folder, show its hidden files, and then delete everything in it.
(3) Go to the My Documents folder and delete the "Decrypt All Files" .bmp image that should be residing there.

• I put my father's computer into its safe mode by launching the System Configuration Utility, checking the /SAFEBOOT checkbox in the Boot Option menu on the BOOT.INI tab, clicking , clicking , and restarting the computer.

• In this case, the Temp folder refers to the C:\Documents and Settings\Owner\Local Settings\Temp\ folder (as opposed to the C:\WINDOWS\Temp\ folder), which can be opened by opening %temp% with the Run command.

I clear out the Temp folder. There are two "Decrypt All Files" .bmp images in the My Documents folder and I delete both of them. I go back to the System Configuration Utility, check the "Normal Startup - load all device drivers and services" radio button in the Startup Selection menu on the General tab, and restart the computer. After the boot the ransom screen is gone but the computer still runs excruciatingly slowly. Without getting into the details, another ransom screen emerges with a vengeance a few hours later - if I recall correctly, this is triggered by an attempt to surf the Web.
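For the record, the two System Configuration Utility steps above (checking /SAFEBOOT, then going back to Normal Startup) amount to adding and then removing a /safeboot switch on the default entry in C:\boot.ini. The Python below is an added example, not code from the original post: it performs that same edit on the text of a boot.ini, the sample file it works on is constructed (a typical single-partition XP install, not values from the post), and /safeboot:minimal is the switch the utility's default MINIMAL option writes.

```python
"""Toggle the /safeboot switch on the default entry of a Windows XP boot.ini.

Added example (not from the original post). It mirrors what msconfig's
/SAFEBOOT checkbox and "Normal Startup" radio button do to boot.ini, but
only on the file's text. SAMPLE_BOOT_INI is constructed for the demo.
"""
import re

SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
"""

# Matches " /safeboot:<mode>" anywhere on a line; the mode is captured.
SAFEBOOT_RE = re.compile(r"\s*/safeboot:(\S+)", re.IGNORECASE)


def _default_line_index(lines):
    """Index of the [operating systems] line whose ARC path matches default=."""
    target = None
    for line in lines:
        if line.strip().lower().startswith("default="):
            target = line.split("=", 1)[1].strip().lower()
            break
    if target is None:
        raise ValueError("boot.ini has no default= line")
    in_os = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("["):
            in_os = stripped.lower() == "[operating systems]"
        elif in_os and stripped.lower().startswith(target + "="):
            return i
    raise ValueError("default entry not found under [operating systems]")


def set_safeboot(boot_ini_text, enable, mode="minimal"):
    """Return boot.ini text with /safeboot:<mode> added (enable=True) or
    removed (enable=False) on the default entry. Other switches and other
    entries are left exactly as they were; the call is idempotent."""
    lines = boot_ini_text.splitlines()
    i = _default_line_index(lines)
    line = SAFEBOOT_RE.sub("", lines[i]).rstrip()  # strip any existing switch first
    if enable:
        line += " /safeboot:" + mode
    lines[i] = line
    return "\n".join(lines) + "\n"


def safeboot_mode(boot_ini_text):
    """Return the /safeboot mode on the default entry, or None if there is none."""
    lines = boot_ini_text.splitlines()
    m = SAFEBOOT_RE.search(lines[_default_line_index(lines)])
    return m.group(1).lower() if m else None
```

Running set_safeboot with enable=False on the safe-mode version gives back the original text byte for byte, which is all that "Normal Startup" does here.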

It would seem that the video procedure cures symptoms of the CTB-Locker infection and not the infection itself, but I don't know for sure; in any case, stronger medicine is clearly required. So, what do I use to clean up my father's computer, and how exactly do I do it? All will be revealed in our next episode.
