AKA the great cleanup of 2006.
I’ve always said that I wasn’t a good test subject to measure how effective any anti-trojan or spyware application is, so while I’ve kept a professional interest in the latest and greatest tools, I hadn’t been given a really good opportunity to try them out, until last week.
A friend of Angela had a laptop that suddenly had this program called Brave Sentry popping up, telling her she was infected, and promising to fix it once she purchased the software, naturally. It wouldn’t shut down, and it had taken over her desktop wallpaper, blocking her from changing it. I suspected that wasn’t the only thing causing problems on this machine, but I wouldn’t know for sure until I got my hands on it. I agreed to take a look at it, and try to get it back to being usable.
When I got the laptop the next night, I confirmed that very quickly. I powered it up, disconnected from any Internet connection, and was greeted by the Brave Sentry warning, by an attempt to connect to iesettings.com, and by a handful of other programs complaining that they couldn’t get connected to the Internet. This whole startup process took a good 5 minutes, so my first stop was msconfig to disable startup items. I found a good 20 to disable, turned off System Restore and restarted.
It was still a slow boot, and there were still a couple of complaints about not being able to connect, but it was better. At this point, I went looking for the low-hanging fruit. By that I mean the stuff that’s easy to uninstall: the junk that actually gives you an entry in Add/Remove Programs, the obvious spyware exe’s not currently running in the Windows directory, etc. That got rid of some stuff. Next was to check out her Norton A/V install. It was being disabled by another program, but the definitions subscription had expired a couple of years ago, so I just went ahead and uninstalled the whole thing. It wasn’t doing me any good at this point, and it was just slowing down the machine.
Then I grabbed my thumb drive. First I installed the free version of AVG and ran a scan. (Let’s see how trojaned this sucker is before we get into other stuff!) That found some stuff, some it could clean, some it could not, telling me there were definitely some processes running in memory that didn’t show up as a startup item. That’s important to know going forward. I also installed Grisoft’s new anti-spyware offering, Ewido, AdAware and Spybot S&D. I ran Spybot first, and was somewhat disappointed in that it didn’t find as many spyware apps as I knew there to be on this machine. It cleaned a bunch and identified some more that it couldn’t clean, but overall, I’m beginning to wonder if Spybot’s usefulness is being surpassed. I got Ewido installed next, and was very impressed with the amount of tools and information available in this program compared to Spybot. It even gave me access to a list of running processes, which was the first time I’d been able to do that on this machine. (Task Manager had been blocked from running.) It even has a tool to identify BHO’s and open ports. (I don’t know which of these options is still available after the trial period in the free version, so take this all with that grain of salt.) The one thing that really disappointed me about Ewido, though, was the registry scan. I ran it, and it came up with nothing. Now, keep in mind that while I disabled all those startup items, I had not messed with HKLM\Software\Microsoft\Windows\CurrentVersion\Run in the registry yet, so there were a number of spyware apps listed there, and this anti-spyware tool didn’t identify any of the keys. AdAware, on the other hand, did its usual fine job of scanning and cleaning the registry and a number of other files/folders. After all these scans, I knew we weren’t clean yet, but I had to take a chance on connecting to the Internet just long enough to update def files for all of these tools.
In those 15 minutes, I got smashed with pop-up ads, and I could see something grabbing information and connecting out to the Internet to get new advertising information, so I hurriedly got my updates and disconnected again.
After updating, all the scans found some more things and cleaned them up. Ewido, however, kept identifying some randomly named dll’s as spyware. They wouldn’t get cleaned up, and I couldn’t find any processes running that would keep me from being able to delete those dll’s. I tried to use Killbox to delete them, but as much as I like the ease of that tool, it didn’t clean them up either. At this point, I figured I better figure out what process was using these dll’s, so I installed Process Explorer. It confirmed my fears about those couple of dll’s. They were running as part of explorer.exe. It also confirmed that in safe mode without explorer.exe running, those dll’s would gladly attach themselves to winlogon.exe or lsass.exe, basically whatever was available.
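The two checks that ended up mattering most in this story, the Run key entries the anti-spyware registry scan missed and the DLLs riding inside explorer.exe, can be scripted for triage. The following is an added example, not part of the original post and not the output of any of the tools named above; it assumes a Windows box with PowerShell available and an elevated prompt, and it only lists suspects for a human to review, it deletes nothing.

```powershell
# Added triage script (not from the original post). Part 1 lists autostart
# entries from the Run/RunOnce keys; part 2 lists modules loaded into
# explorer.exe that live outside %SystemRoot% or lack a valid Authenticode
# signature. Shell extensions under Program Files will show up too; that is
# intended, since the point is to produce a short list worth eyeballing.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Autostart (Run/RunOnce) entries =="
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... properties PowerShell adds itself
            if ($p.Name -notmatch '^PS') {
                [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

Write-Host "`n== Modules in explorer.exe outside SystemRoot or not validly signed =="
$sysRoot = $env:SystemRoot
Get-Process -Name explorer -ErrorAction SilentlyContinue | ForEach-Object {
    $_.Modules | ForEach-Object {
        $path = $_.FileName
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $outsideSysRoot = -not $path.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)
        if ($outsideSysRoot -or $sig.Status -ne 'Valid') {
            [PSCustomObject]@{
                Module            = $path
                Signature         = $sig.Status
                OutsideSystemRoot = $outsideSysRoot
            }
        }
    }
}
```

If a flagged DLL cannot be deleted, the Modules listing tells you which process to stop first; when explorer.exe is not running, repeat the second part against winlogon.exe or lsass.exe, since the post saw the same DLLs move there.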
At this point, it was time to do some research about this spyware, which was being identified as Adware.Virtumonde, and it was time to assess where I was in this process. Brave Sentry was gone. Almost all of the spyware and trojan files had been removed. I had a couple of dll’s still connecting to the Internet and displaying popups that continually regenerated themselves and their registry entries whenever I tried to delete them, and I still couldn’t change the desktop wallpaper, though I could get to Task Manager. Definitely time to set this aside and do some more reading about these specific problems. Tomorrow, I’ll talk about what I found out, and how this ends.