Malware/Spyware - cleaning up the mess

Discussion in 'PC Help Desk' started by appcomm, Jul 18, 2006.

  1. appcomm

    appcomm Well-Known Member

    Recently spent a CONSIDERABLE amount of time working on a PC that had picked up a malware/spyware install. The initial symptoms were pretty much the norm - a "spyware cleaning program" suddenly showed up on the desktop of the PC, followed by browser redirects and pop-ups. However, all the "normal" actions were falling flat. (BTW, this PC was running an up-to-date version of Symantec Antivirus and ZoneAlarm firewall.)

    Tried to run AdAware - hung up every time while scanning
    Tried to run Spybot - hung up every time while scanning
    Tried using HouseCall at TrendMicro - would shut down immediately when the scan started. (http://housecall.trendmicro.com/)

    Installed Webroot Spysweeper (http://www.webroot.com/) - it identified the malware (trojan-downloader-ruin, http://research.spysweeper.com/search.php?serialnumber=4D8X8VCA). However, it was not properly cleaning it due to the fact that the trojan was inserting itself and running on top of explorer.exe. Because explorer is running, Webroot couldn't kill the process and clean it (and it was being reloaded with a registry entry each time on reboot). Finally solved this by starting the PC, opening a command prompt window, and then opening and running Webroot. Once it finished the scan and had identified again that the infected process was explorer.exe, I opened the Task Manager and killed the explorer.exe in the process list.

    Now, at that point the desktop and all ability to navigate on the PC goes away, but I still had access to any open and running programs. With explorer.exe out of the way, Webroot was then able to quarantine it successfully. Then, with the open command prompt window, I renamed explorer.exe in the /WINNT folder and copied in a fresh version, and changed the attributes to Read Only. Restarted the PC, ran Webroot again and all was clean. For a second opinion, I decided to run the Trend Micro HouseCall again - which bombed out just as it had earlier!

    Ran Webroot again and guess who is back....trojan-downloader-ruin! (Replacing explorer.exe had not worked as the file itself wasn't infected. The trojan was hitching a ride on the process as it was loading into memory.)

    Obviously there was even more going on in the background, so next ran the online scan at Ewido (http://www.ewido.net). They've recently merged with Grisoft, the AVG folks. More alarm bells go off!! The Ewido scan of memory showed almost EVERY running service as being infected with downloader.agent.uj....which Ewido could not clean since, again, they were running processes.

    Side note - besides catching this infection which Webroot and the other tools were missing, the Ewido memory scan provides the PID of the infected program. It's a simple matter of popping up Task Manager and looking at the processes and matching up the PIDs to see where the problem child is. In this case, it was SERVICES, WINLOGON, etc. Just about all major running processes were showing up as infected.

    So, thank you Ewido for pointing out the problem, but how to get rid of? Some searching through tech forums produced a link to F-Secure (I used to use their antivirus F-Prot many moons ago) and a Beta tool called Blacklight that is used to get rid of rootkits. http://www.f-secure.com/blacklight

    Downloaded Blacklight and ran it and it dug deep and found FOUR hidden files that were the root cause of the problems. I allowed Blacklight to rename them, restarted the PC and ran Ewido again and got a clean scan. Ran Webroot again and this time it identified the Blacklight renamed rootkit file that was loading the original trojan (ruin) and removed it. Further scans by Webroot and Ewido are still coming up clean.

    Sorry for the long description but just passing along to emphasize that malware infections are getting much more sophisticated and harder to get rid of and a "clean" machine might not be! These types of trojans are especially bad as they open the possibility of identity theft by capturing sensitive data on your PC.

    Many people have been treating malware/spyware problems with the free versions of programs (like AdAware and Spybot) to clean up their computer AFTER it becomes infected. I would suggest that the time has come that proactive protection against these threats is very important - reacting to them after the fact is becoming more costly than the purchase of the programs that could prevent the infection from occurring in the first place.

    (Note to other computer guyz - the Blacklight rootkit tool is a beta and is available as a limited time release, which will operate until September 1, 2006. Anybody using it should take note of the warning that allowing Blacklight to alter files it considers to be infected could affect the operation of the computer, depending on what files may be involved.)

    Always scan your PC with more than one product! There is no single Malware/Spyware protection software on the market that catches everything!
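The post's manual step of matching a scanner's reported PIDs against Task Manager, checking which image a core process is actually running from, and hunting for the registry entry that reloads it at every boot can be scripted. The following is an added example written for this thread; it is not code from the original post or from any of the tools it names. It assumes a Windows host with PowerShell 3.0 or later, an elevated prompt (so every process's image path is readable), and that `$SuspectPids` is replaced with the PIDs your memory scanner reports (the values below are constructed placeholders).

```powershell
# Added example, not code from the original post or from any of the tools it names.
# Assumes Windows with PowerShell 3.0 or later, run from an elevated prompt so the image
# path of every process is readable. $SuspectPids holds constructed placeholder values;
# replace them with the PIDs your memory scanner reports.

$SuspectPids   = @(1234, 5678)                                   # constructed placeholders
$CoreProcesses = @('explorer', 'services', 'winlogon', 'lsass', 'csrss', 'svchost')
$SystemRoot    = $env:SystemRoot                                  # C:\Windows, or C:\WINNT on NT/2000

function Get-ProcessTrust {
    # One record per running process: PID, name, image path, Authenticode status,
    # whether the image lives under %SystemRoot%, and whether a scanner flagged the PID.
    param([int[]]$FlaggedPids = @())
    foreach ($proc in Get-Process) {
        $path   = $proc.Path                      # $null if the image cannot be opened
        $status = 'Unknown'
        $signer = ''
        if ($path) {
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $inRoot = $false
        if ($path) {
            $inRoot = $path.StartsWith($SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
        }
        [pscustomobject]@{
            PID          = $proc.Id
            Name         = $proc.ProcessName
            Path         = $path
            Signature    = $status
            Signer       = $signer
            InSystemRoot = $inRoot
            Flagged      = ($FlaggedPids -contains $proc.Id)
        }
    }
}

function Find-SuspiciousProcesses {
    # Scanner-flagged PIDs, plus core Windows processes that are unsigned, fail
    # signature validation, or run from an image outside %SystemRoot%.
    param([int[]]$FlaggedPids = @())
    Get-ProcessTrust -FlaggedPids $FlaggedPids | Where-Object {
        $_.Flagged -or
        (($CoreProcesses -contains $_.Name) -and
         (-not $_.InSystemRoot -or $_.Signature -ne 'Valid'))
    }
}

function Get-AutorunEntries {
    # The Run/RunOnce keys re-launch whatever they list at each logon, which is the
    # "registry entry" mechanism the post describes bringing the downloader back.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
            [pscustomobject]@{ Key = $key; Name = $name; Command = $props.$name }
        }
    }
}

'== Processes to examine: scanner-flagged PIDs, or core processes unsigned / outside SystemRoot =='
Find-SuspiciousProcesses -FlaggedPids $SuspectPids |
    Format-Table PID, Name, Path, Signature, Signer, Flagged -AutoSize

'== Autorun entries: compare each Command against the paths flagged above =='
Get-AutorunEntries | Format-Table Key, Name, Command -AutoSize
```

Two caveats match the post's own experience. A `Valid` signature only says the file on disk is intact, which is exactly why replacing explorer.exe did nothing here: the injected code lived in the running process, not in the image. And on Windows versions before 8, `Get-AuthenticodeSignature` does not consult the system catalog, so catalog-signed OS binaries report `NotSigned` there; treat that result as "check another way", not as proof of tampering. Finally, a rootkit that hides processes or registry values hides them from this script too, so a clean listing is not a clean machine; a dedicated rootkit scanner, as the post found, is still needed for that.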
     
  2. kdc1970

    kdc1970 Guest

    Ken, I'm going to pick on you for a minute...........Does Linux give you a kickback every time you mention them?


    Just Kidding! I'm in a mood this morning and couldn't resist!
     
  3. Romworks

    Romworks Well-Known Member

    Have you tried running those spyware removal tools in safe mode? That might help. It might not remove them all in safe mode as some might be activated with Windows, but it should remove a fair amount and maybe that will give your PC the boost it needs to run the spyware removal programs in normal mode.

    Randy
     
  4. ddrdan

    ddrdan Well-Known Member

    APPCOMM,
    It's getting bad, isn't it? I no longer give a flat rate on spyware removal as of 1 month ago. Some of these rootkits go deep with a coordinated attack on the registry. I would suggest you try a good registry-only tool in conjunction with the spyware removers. I use a freeware called REGSEEKER. Works great and it has some great utilities for program removal when Windows won't.

    I recently used SPYWARE KILLER PRO from Cosmi. It's often on sale at Staples or Office Max for $10. It worked where others did not in combating the rootkits. I also install a stealth surfer by Cosmi. It prevents many of these problems from starting.

    When we make it illegal to purchase the data collected by these hijackers, and paying hijackers for linking, the problem will go away. But the big problem is that the US Government is the largest seller of data and it would stop them. So this is not going away and will only get worse.

    Ken, your Linux has seen its day. There's a man writing code that will infiltrate all OS's now. Linux and Mac included. Go to NPR.org for the story.
     
  5. ddrdan

    ddrdan Well-Known Member

    I forgot to mention. Blacklight will continue to work by just backdating your PC. For a beta program it works great and I use it often.
     
  6. ddrdan

    ddrdan Well-Known Member

    I'm sorry Ken, it was not NPR where I saw it. I was investigating EXE files and ran into it. I'm still trying to backtrack to find it but it's related to the Virus.Linux.Bi.a/Virus.Win32.Bi.a virus code. Which is actually only a PoC. But Linus Torvalds took it seriously enough to make a patch for that kernel version and then blew off the severity.

    But the page I saw showed someone implementing the code. I'll keep looking.

    Also a test was run last weekend to infect handheld PCs and mobile phones. http://www.f-secure.com/v-descs/dtus.shtml
     
  7. Animal lover

    Animal lover Well-Known Member

    I run AVG always, and AdAware, Spybot periodically. What proactive programs do you recommend for us non-technicals?

    ddrdan, you were addressing appcomm but are your suggestions for everyone?
     
  8. ddrdan

    ddrdan Well-Known Member

    A-L,

    I find AVG & Adaware OK, but they lack in stopping the newer methods for hacking into your system. I like the E Trust firewall the best. Running just one spyware program like Spybot won't catch everything. You must run multiple programs to catch all the trash out there.

    Registry cleaners are not something you want to play with if you're not at least "above average" PC literate. Changes to the registry can do more damage than good if done wrong. So I don't suggest Regseeker to everyone.

    I do suggest running the following in the order given to combat the most common spy and hackware.

    1. Windows Disk Clean-up
    2. Spybot (make sure you click the "update" before running it.)
    3. HijackThis : This program creates a list of things running on and in the background. It generates a text file that you can copy & paste so others more knowledgeable can assist you in removing the proper entries causing the problems. There are many sites that assist. Also, you can post your results here or PM me and I will assist.
    4. Consider buying something like Spyware Killer Pro and run it. The good thing about SKP is that it comes with a Spyware Monitor that warns you as the process is initiated.

    Blacklight & Regseeker can be run if you think you know what you're doing after that.
     