Seven with one blow!

Last week my work computer got infected with a few unwanted programs. These were all related to improving your search and stuff. What they mostly did was cause annoying popups or redirections.

How did this happen? While blog hopping on blogger using their "next blog" feature, I came across a blog that did these nasty things.

Most of the infections I was able to clean up using Spybot Search & Destroy and Hijaack This, but there was one I couldn't. I suppose I should have called IT, but their general solution is to reformat, notwithstanding I would be at least a day without the computer - and, as a programmer, not having a computer puts a serious crimp in my productivity.

I ran various antivirus and spyware programs, but they could not pick up the offending application. It was very well cloaked (the files did not show up on the hard disk, nor did the application show up in task manager).

I downloaded PsTools which allowed me to see the running applications. I then downloaded the Microsoft Server 2003 debug tools - which could not see the processes, but I could attach to them by using the Process ID (PID) obtained from PsList. This allowed me to track down where they were hiding on the hard drive.

Nothing I did under Windows was letting me kill these files. There were 3 instances of one and a single instance of another. If you tried to kill a process (which I did), they would come back. Obviously, they were monitoring each other and ensuring there were multiple copies running all the time - if one copy was killed, the others would relaunch it.

Eventually, I decided the only way I was going to be able to solve this was to boot a non-Windows OS - in this case Linux. The particular flavour I used was Damn Small Linux (DSL). At 50Mb it is a small download, easy to burn and quick to boot from the CD drive (fortunately, IT left me the option to boot from alternative sources - likely and oversight on their part, since they lock up general access to the computers with admin passwords. Normally, I would have simply booted into "Safe" mode and deleted the files, but I was locked out from doing that).

Now, I was lucky that my machine’s hard drive is FAT formatted instead of NTFS (while Linux can read NTFS, it cannot write to it - hence deleting files from an NTFS formatted drive would not be possible).

I suspect I may have been able to do it using just Hijack This, but when I initially tried, I was not aware of one file - which showed up nowhere (I only became aware of it because after removing the files I new were running, it showed up. Using Microsoft’s debug tools, I was able to determine its location). Hijack This has a feature which allows you to specify a file to delete on reboot - had I known of the file earlier, I would have targeted it for deletion.

The files I got rid of:

\winnt\system32\cniywg.exe
\winnt\system32\swydw.exe
\winnt\system32\iuhynoj.dll
\winnt\system32\esfhhlx.exe
\documents and settings\all users\start menu\programs\startup\uutad.exe

The files in the system32 directory were the ones I was able to delete, but they would come back after reboot. I believe this occurred because uutad.exe would be launched on start up and recreate them.

Certainly, I have not observed them since I removed all those files.

Another possibly useful tool is Unlocker, which allows you to unlock a file that is in use, so you can delete it.

I tried seeing if I could submit the files someplace, but none of the antivirus / spyware companies seem to have a mailbox to permit dropping off suspected viruses.

After quarantining the files, I ran a number of free online scanners on them as well, but they claim that there is nothing wrong.

These files would cause periodic windows to popup for either "My Media Buyer" or "Direct Media".

Image nabbed from here.