Friday, September 01, 2006

To catch a virus

Uggh! My computer got a virus the other day and it took me a day and a half to bring order back to my computer. After going through this experience I feel sorry for the non tech-savvy people out there. You really don't have a chance.

This particular virus did several things:
- Launched ads through IE. Surfside Kick was the package
- Installed a Toolbar 888
- installed a series of DLLs with random names, some in the windows/system32 directory, some in temp folders, some in hidden system folders, on and on. It was a pain to find them all
- set up auto-run registry values so every time you would restart the computer it would be the first application to run
- set up apps to be extensions of the Windows shell, so every time explorer ran these DLLs were running in memory
- would create files like win???.tmp.exe and would launch them
- upon reboot it would set up pending install commands to copy files around on reboot. So every time I rebooted the files had different names
- would randomly launch a dialer
- etc...
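
The persistence points in the list above (Run keys, Explorer shell hooks, IE toolbars/BHOs, Winlogon notify DLLs, pending file renames applied at reboot) can be enumerated from one script. The PowerShell below is an added example, not code from the original post or from the tools it mentions; it assumes a modern Windows with PowerShell run from an elevated prompt, and the `$suspect` pattern and function names are my own choices, flagging entries that point into temp folders or are named like the win???.tmp.exe files described.

```powershell
# Added example: enumerate the persistence points the post describes and flag
# entries that point into temp folders or match the win???.tmp.exe naming.
# Assumes an elevated PowerShell session so HKLM can be read completely.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Explorer shell hooks, IE toolbars/BHOs (CLSID subkeys) and Winlogon notify DLLs
$shellKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
)
# Assumed heuristic: temp-folder paths or win???.tmp.exe names are worth a look
$suspect = '(?i)\\win...\.tmp\.exe$|\\temp\\|\\local settings\\'

function Get-RunEntries {
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            [pscustomobject]@{ Key = $k; Name = $p.Name; Value = $p.Value
                               Suspicious = [bool]($p.Value -match $suspect) }
        }
    }
}

function Get-ShellHooks {
    foreach ($k in $shellKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem -Path $k) {
            # Winlogon\Notify names its DLL directly; the others are CLSIDs
            # whose DLL is registered under HKCR\CLSID\<id>\InprocServer32
            $dll = if ($k -like '*Winlogon*') { (Get-ItemProperty $sub.PSPath).DLLName }
                   else {
                       $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32"
                       if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' }
                   }
            [pscustomobject]@{ Key = $k; Entry = $sub.PSChildName; Dll = $dll
                               Suspicious = [bool]($dll -match $suspect) }
        }
    }
}

# File moves/copies queued for the next reboot (the "pending install commands")
function Get-PendingRenames {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

Get-RunEntries  | Where-Object Suspicious | Format-Table -AutoSize
Get-ShellHooks  | Where-Object Suspicious | Format-Table -AutoSize
Get-PendingRenames
```

Drop the `Where-Object Suspicious` filters to see every entry rather than only the flagged ones; a legitimate program can also live in a temp path, so treat a flag as a lead to verify, not a verdict.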

Oh, and did I mention Norton Antivirus only resolved a handful of the issues above? Everything else I had to perform manually.

Over the course of a lot of Google searches I was able to find a website that pointed me in the right direction.
http://www.merijn.org/index.php
The apps I used to diagnose the problem included:

StartupList - this file would generate a log indicating all of the programs that will run when your computer boots

IBProcMan - similar to the HijackThis utility, this allowed me to see what programs were running and what DLLs each program had running in memory.

L2mfix - hard to explain what this program fully does. There were a lot of warnings about use at your own risk. I ended up using just the logging function. When it runs it prompts you to run a report. This report identifies things that may not look correct that have been configured in the registry or might be files that are in directories they shouldn't be in.

By using these three programs I was able to isolate the problem programs and registry settings. I wasted too much time trying to get Norton to clean up the system when ultimately I should have just done this myself. When the last program I was trying to delete was tied to the Windows shell I had to boot up outside of Windows and manually delete the file. It was configured in the registry but every time I edited the registry it would re-edit on top of my changes so my changes wouldn't stick. Another interesting thing about this DLL is if a program like Norton or Ad-aware would scan it looking for a virus it would automatically issue a system shutdown command. So as soon as I was about to find something I'd be racing the clock of the computer shutting down. In some ways it was pretty clever on the part of the virus/trojan writer but at 2am in the morning it was just pissing me off.

Needless to say one day later everything looks good now and I've been running for a good 12 hours with zero signs of any issues.

Here's hoping that if this happens to you, then you will be able to find this blog post to point you to some useful tools.

Good luck.

(C) 2003- 2008 ytsanyd | http://www.thedaveblog.com/ | david@jedi.net