Seven with one blow!

Last week my work computer got infected with a few unwanted programs. These were all related to improving your search and stuff. What they mostly did was cause annoying popups or redirections.

How did this happen? While blog hopping on blogger using their "next blog" feature, I came across a blog that did these nasty things.

Most of the infections I was able to clean up using Spybot Search & Destroy and Hijaack This, but there was one I couldn't. I suppose I should have called IT, but their general solution is to reformat, notwithstanding I would be at least a day without the computer - and, as a programmer, not having a computer puts a serious crimp in my productivity.

I ran various antivirus and spyware programs, but they could not pick up the offending application. It was very well cloaked (the files did not show up on the hard disk, nor did the application show up in task manager).

I downloaded PsTools which allowed me to see the running applications. I then downloaded the Microsoft Server 2003 debug tools - which could not see the processes, but I could attach to them by using the Process ID (PID) obtained from PsList. This allowed me to track down where they were hiding on the hard drive.

Nothing I did under Windows was letting me kill these files. There were 3 instances of one and a single instance of another. If you tried to kill a process (which I did), they would come back. Obviously, they were monitoring each other and ensuring there were multiple copies running all the time - if one copy was killed, the others would relaunch it.

Eventually, I decided the only way I was going to be able to solve this was to boot a non-Windows OS - in this case Linux. The particular flavour I used was Damn Small Linux (DSL). At 50Mb it is a small download, easy to burn and quick to boot from the CD drive (fortunately, IT left me the option to boot from alternative sources - likely and oversight on their part, since they lock up general access to the computers with admin passwords. Normally, I would have simply booted into "Safe" mode and deleted the files, but I was locked out from doing that).

Now, I was lucky that my machine’s hard drive is FAT formatted instead of NTFS (while Linux can read NTFS, it cannot write to it - hence deleting files from an NTFS formatted drive would not be possible).

I suspect I may have been able to do it using just Hijack This, but when I initially tried, I was not aware of one file - which showed up nowhere (I only became aware of it because after removing the files I new were running, it showed up. Using Microsoft’s debug tools, I was able to determine its location). Hijack This has a feature which allows you to specify a file to delete on reboot - had I known of the file earlier, I would have targeted it for deletion.

The files I got rid of:

\winnt\system32\cniywg.exe
\winnt\system32\swydw.exe
\winnt\system32\iuhynoj.dll
\winnt\system32\esfhhlx.exe
\documents and settings\all users\start menu\programs\startup\uutad.exe


The files in the system32 directory were the ones I was able to delete, but they would come back after reboot. I believe this occurred because uutad.exe would be launched on start up and recreate them.

Certainly, I have not observed them since I removed all those files.

Another possibly useful tool is Unlocker, which allows you to unlock a file that is in use, so you can delete it.

I tried seeing if I could submit the files someplace, but none of the antivirus / spyware companies seem to have a mailbox to permit dropping off suspected viruses.

After quarantining the files, I ran a number of free online scanners on them as well, but they claim that there is nothing wrong.

These files would cause periodic windows to popup for either "My Media Buyer" or "Direct Media".

Image nabbed from here.

Comments

ghee said…
I admit that I still cant understand computers.

four months ago, a TROJAN HORSE got in my computer and I panicked a little coz it was in my screen and couldnt delete it by my security system.

I called my internet provider and they adviced me to buy a software for vaccination.Now,its ok..maybe next time,I could get some advice from you :)
Richard said…
It is hard to debug a machine remotely.

I would suggest a good antivirus program (I use the free version of AVG).

We use Symantec Security at work (but clearly, it didn't catch it).

I also recommend Lavasoft's AdAware. As well as the other products mentioned in the post - especially Hijack This.
ghee said…
some says that it isnt advisable to use a lot of spywares coz they might not fit with each other.

I have norton sec,yeah,symantec,so do i need to download those stuffs still?

happy weekend,Richard! :)
Richard said…
Yes, some programs to conflict with one another (typically they report each other as viruses).

You should always have multiple checking options.

I run AVG continuously in the background. AdAware and Spybot Search and Destroy, I only run periodically. I only use Hijaack this when I need to.
Mum2One said…
It's scary these viruses. Did you have to open up the programs or files before you got infected with them or did you just have to browse the site? And, which site was that? I'll make sure I won't go there!!
Richard said…
It downloaded itself onto my computer automatically - I thought I had secured my computer against it doing that sort of stuff (I have IE warn about any content it is being asked to download - java scripts, java applets, activex controls - when it is navigating across different domains, whjen page security is changing, etc), so I was surprised it happened.

I don't know what the site was, I was clicking the next button on Blogger to hop from blog to blog when it happened. If I knew the page, I would have reported it to Blogger.
Sassy Lady said…
I'm also using the AVG free version plus other antispy ware...
It seems to work wonders on my computer and against viruses..

Like ghee, I had the same thing (Trojan) virus, but with the help of AVG, it managed to terminate the 'germs and bacteria'
Richard said…
sassy: AVG is quite good and I highly recommend it.
Blogger said…
BlueHost is ultimately the best web-hosting provider for any hosting plans you might require.

Popular Posts