Saturday, July 11, 2015

Profiles in PC Poisoning, Part 2

Let's get back now to our ongoing discussion of my father's computer and its CTB-Locker ransomware infection. As noted in the previous post, the protocol provided by this "REMOVE CTB-Locker" YouTube video didn't pan out very well. What next?

Go to the root

It occurs to me that I may be able to return the computer to a pre-infection state via Windows' System Restore feature. I go to the System Configuration Utility and click the button on the General tab (see the first screenshot in the next section). An alert( ) message pops up:
System Restore has been turned off by group policy. To turn on System Restore, contact your domain Administrator.
When it rains, it pours, huh? I go to my iMac to research the message, and come across a helpful Microsoft Community page on which "A. User" states:
Unless you disabled [System Restore] on purpose, the chances are good that your system has a malicious software infection. ... You need to fix the immediate problem of [System Restore] not working [vis-à-vis running System Restore itself], then scan your system for malicious software when you are done.
A. User goes on to recommend Malwarebytes and SUPERAntiSpyware programs for the removal of malicious software.

We'll get back to System Restore later in the post, but for now let's see where this gets us, shall we?

Under the knife

I download installers for CCleaner (go here to download the ccsetup*.exe executable on a Macintosh) and Malwarebytes Anti-Malware and write them to a CD on my computer. My attempts to copy the installers to my father's computer either generate a fusillade of errors or cause the system to hang, depending on the computer's boot state.

On my father's computer and in Selective Startup mode per the settings shown below - the
Load Startup Items
checkbox is unchecked because all of those items have been disabled via the Startup tab -

a second attempt to download the CCleaner installer is successful (I'm pretty sure that first download attempt was in Normal Startup mode, but I can't remember); installing and running CCleaner subsequently proceed without incident.

An attempt to download the Malwarebytes Anti-Malware installer from Malwarebytes itself in Selective Startup mode throws a "Secure Connection Failed" error; fortunately, I am able to download the installer from c|net. I am unable to install Malwarebytes Anti-Malware in Selective Startup mode; a malwarebytes anti-malware won't install Google search leads me to a "Cleanup Malware Using Malwarebytes" .pdf whose What To Do If Malwarebytes Won’t Install Or Won’t Run section instructs the user to install Malwarebytes Anti-Malware in SAFE MODE (not SAFE MODE WITH NETWORKING), i.e.:

I boot the computer into its /SAFEBOOT-MINIMAL mode. Installation of Malwarebytes Anti-Malware is successful and I scan the computer with it: 6 threats are detected, and I remove them. I boot the computer into its /SAFEBOOT-NETWORK* mode and then update the program's database(s) and run a custom scan per the Running Malwarebytes section of the .pdf: this time 62 threats are found and I get rid of them too. Gratifyingly, the latter scan serves to return the computer to operational normalcy, the encrypted files notwithstanding.

*The What To Do If Malwarebytes Won’t Install Or Won’t Run section says that after the /SAFEBOOT-MINIMAL scan you can go directly to Normal Startup mode and should then do a second, custom scan; I strongly recommend that the second scan be carried out in /SAFEBOOT-NETWORK mode in order to keep any remnants of your infection(s) at bay while you are cleaning up your computer. Upon subsequently returning your computer to Normal Startup mode or a Selective Startup variant thereof, however, you should indeed scan it again to make sure everything's OK. If I recall correctly, a third, Selective Startup scan of my father's computer did detect one last threat.

A word on screenshots

The screenshots in this post were taken via the procedure outlined on this page, with one important detour: on my father's computer I launched the Paint program by opening mspaint.exe with the Run command as the computer's Start → Programs → Accessories menu does not have a Paint selection.

System Restore, revisited

Once the computer is clean, I re-enable System Restore via the Registry Editor-based "Method 2" detailed on this page ("Method 1" is not applicable because, contra a note near the bottom of the page, the Home Edition of Windows XP does not have a Group Policy Editor).

I go to Start → Programs → Accessories → System Tools → System Restore and am hit with a confirm( ) box whose message reads, System Restore has been turned off. Do you want to turn on System Restore now? I click the box's button and am taken to the System Restore tab of the System Properties tool:

I uncheck the
Turn off System Restore on all drives
checkbox: this enables the button, which I click, and then I click . I return to System Restore and am greeted by a "Welcome to System Restore" window; I click the button at the bottom of the window in order to
Restore my computer to an earlier time.
System Restore then displays a "Select a Restore Point" window showing a single restore point that is a year into the future and a related July 2016 calendar that cannot be moved forward or backward.

As it happens, turning System Restore off deletes its restore points, so System Restore wouldn't have been able to help me in the first place. Was this disabling action part of the CTB-Locker 'payload'? I don't know.

Now, what about those encrypted files? We'll take stock of what we've got in the following entry.

1 comment:

  1. Good luck! I always figured system restore was kind of the last throw of the dice.