Cleaning up viruses remotely
?: Tarnasa, I tried to download this game but it didn't work
Tarnasa: Hmm, Where did you download it from?
Tarnasa: Yeah that doesn't look legitimate at all :(
?: I think someone is hacking the computer.
And thus began a week-long endeavor to return the computer to a usable state. Normally this would be an easy task; however, I was hours away from the computer that needed repair, so everything would have to be done remotely. Ugh, tech support.
Not wanting to lose any data to possible ransomware, first I made sure that the computer was shut off. Then I had them burn a live image of Debian to a USB so that they could boot into it and transfer files off the computer without giving the viruses a chance to interfere.
Unfortunately, even after multiple attempts we were unable to boot the computer off of the USB, no matter what combination of boot options and F-keys. Thankfully there are other ways of booting off of external media, so I had them burn the live Debian image to a DVD. This worked like a charm; however, instructing them to do everything was simply too slow and error-prone, so I had them configure the ssh server to allow connections through the Minecraft port which I had opened in the firewall many years prior.
So now I was able to ssh in, but something was wrong: the OS seemed to run out of disk space almost immediately after booting. Was this some side effect of running a live OS off of a DVD? No, but a few du -sh * around the filesystem led me to the /etc/log directory, which contained multiple log files with sizes of around 1G each! Apparently the wireless daemon kept erroring out because the desktop computer didn't have a wireless card (but did have a wired connection). So after defeating that daemon and its logs, the system was usable again.
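Here is an added shell example (not the author's commands) of the triage described above: find the files that are eating the disk, stop the offending service, and truncate its logs in place rather than deleting them. On a live image the writable layer is usually an overlay held in RAM, so a runaway log exhausts it quickly. The page does not name the daemon, so the unit name is a parameter; the log path in the usage block is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Works on any POSIX sh.

# largest_files DIR [N]: print "KiB path" for the N largest regular files
# under DIR, biggest first. du -k per file instead of du -sh * so that the
# culprit is found even when it sits several directories down.
largest_files() {
    dir=$1
    n=${2:-10}
    find "$dir" -type f -exec du -k {} + | sort -rn | head -n "$n"
}

# stop_unit UNIT: stop and mask a misbehaving systemd service so it cannot
# come back on the next boot of the live image. UNIT is whatever the
# failing daemon is called on the system at hand (assumption: systemd init).
stop_unit() {
    command -v systemctl >/dev/null 2>&1 || { echo "no systemctl" >&2; return 1; }
    systemctl stop "$1" && systemctl mask "$1"
}

# reclaim_log FILE: truncate the log in place. rm would NOT free the space
# while the daemon still holds the file open, because the unlinked inode
# keeps its blocks until the last descriptor closes; ':>' shrinks the file
# the daemon is actually writing to, so the space comes back immediately.
reclaim_log() {
    f=$1
    [ -f "$f" ] || return 1
    : > "$f"
}

# Usage when run directly on the live system (paths are assumptions):
#   largest_files /var/log 5
#   stop_unit <name-of-the-wireless-daemon>.service
#   reclaim_log /var/log/<that-daemon>.log
if [ "$#" -ge 1 ]; then
    largest_files "$@"
fi
```

Truncating first and masking the unit second would let the daemon refill the file in between, so stop the service before reclaiming its logs.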
Now it was time to actually start copying files off of the old Windows partition and onto an external hard drive I had them connect to the computer. But before that I wanted to know what kind of viruses I was dealing with. Translating some of the Chinese-character filenames yielded fairly benign Chinese software such as Tencent computer manager and MTView. I also found the original trojan file pretending to be a free version of a game.
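As an added example (not the author's script), here is one way to make the copy-off step safer than a plain cp: mount the old Windows partition read-only and noexec so nothing on it can run or be modified, refuse to carry over anything Windows would execute (the trojan on this machine posed as a game installer), and write a sha256 manifest of what was rescued so the files can be checked against a scanner later. The device name, mount point and the extension deny-list are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. POSIX sh plus sha256sum/shasum.

# mount_suspect DEV MNT: mount the suspect partition read-only. noexec,
# nosuid and nodev are belt-and-braces on a data rescue; ro guarantees the
# copy cannot disturb evidence or trigger anything. (Needs root; DEV such as
# /dev/sda2 is an assumption.)
mount_suspect() {
    mkdir -p "$2" && mount -o ro,noexec,nosuid,nodev "$1" "$2"
}

# Extensions we refuse to copy: anything Windows executes directly or that
# can launch something else. Deny-list contents are an assumption.
DENY_EXT='exe|dll|scr|com|pif|msi|bat|cmd|ps1|vbs|js|jse|wsf|lnk|hta|jar'

# is_denied BASENAME: true when the file's extension is on the deny-list
# (case-insensitive, so Game_Setup.EXE is caught too).
is_denied() {
    case "$1" in
        *.*) ;;            # has an extension, check it below
        *) return 1 ;;     # no extension: not on the list
    esac
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    printf '%s\n' "$ext" | grep -Eqx "$DENY_EXT"
}

# hash_file FILE: GNU coreutils has sha256sum; macOS/BSD ship shasum instead.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# rescue_copy SRC DST MANIFEST: copy every non-denied regular file under SRC
# to the same relative path under DST, preserving timestamps, and append the
# sha256 of each copied file (relative path) to MANIFEST. Skipped files are
# reported on stderr so the user can see what was left behind.
rescue_copy() {
    src=$1; dst=$2; manifest=$3
    : > "$manifest"
    # Note: a filename containing a newline would confuse this loop; such
    # names are themselves suspicious on a user data partition.
    find "$src" -type f | while IFS= read -r f; do
        rel=${f#"$src"/}
        if is_denied "$(basename "$f")"; then
            printf 'SKIP %s\n' "$rel" >&2
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$f" "$dst/$rel"
        (cd "$dst" && hash_file "$rel") >> "$manifest"
    done
}

# Usage on the live system (all paths are assumptions):
#   mount_suspect /dev/sda2 /mnt/win
#   rescue_copy /mnt/win/Users /media/external/rescue /media/external/rescue.sha256
if [ "$#" -eq 3 ]; then
    rescue_copy "$@"
fi
```

The manifest is what makes the later clean-up auditable: once the machine is rebuilt, the hashes can be checked against a scanner before any of the rescued files are opened again.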
After copying over what I thought was safe, I had them burn a Windows ISO to another DVD and reinstall over the old OS. And the day was saved.