Friday, September 02, 2005

I went down and saw my mate over the weekend; he had stacks of spyware on his machine.

I ran Ad-Aware across the machine, but it didn't really find much; there were still pop-up ads going on.

I also tried running Spybot S&D across the machine. It found a few bits of spyware, but still didn't stop the pop-up ads.

I found some other bit of software, whose name I can't remember; it identified a few more, but it was only a demo and wouldn't remove them.

I found another one, whose name I don't remember either, and it installed as a "helper" application to protect the browser from getting crappy search pages and toolbars installed. It didn't do much to fix up existing problems though.

I also found references to "Crap Cleaner", so I installed and ran that; it found 2.5GB worth of crap to delete. It still didn't get rid of the pop-ups though.

I poked around the machine a bit, and found a directory called "bind frag close bows"; in it were a bunch of randomly named exe files.

That looked really suspect. I couldn't delete them either.

There were a couple of Internet Explorer processes running, and when I killed one of them, the other would respawn.

There was also a dodgy-named exe file running, along the lines of "gnbueikm.exe", and when I killed that and killed one of the iexplore.exe processes, the dodgy exe would pop up again with a different filename.

I decided that I needed to kill both iexplore processes at the same time, and the process list doesn't let you do that.

I googled around for a command line process control thing for windows, and I found this page, and downloaded "process.exe".

I dumped it in the temp directory. I ran process.exe, and got a listing of the stuff that was running, including the following:

gnbueikm.exe 2588 1 8 0 [computername]\[username]
iexplore.exe 1468 3 8 0 [computername]\[username]
iexplore.exe 1796 8 8 0 [computername]\[username]

I used it to kill both Internet Explorer processes ("process -k iexplore.exe"), which worked, but when I killed off the dodgy file, both IE processes came back, along with the dodgy file under a different filename.

While looking in the temp directory, where I'd dumped the process.exe file, I noticed the dodgy file was respawning when I killed it.

I tried being a smartarse and making the temp directory read-only, so that it couldn't drop a new file, but it was one step ahead of me and changed the read-only setting on the temp directory. Bugger.

I wondered if trashing the iexplore.exe file off the hard drive would stop it from respawning, so I could clean it.

I ended up writing a batch file that would rename the iexplore.exe file; it didn't work, since the dodgy exe would run the file after it had been renamed.

I tried deleting it, but realised that Windows would just repair it automatically. I deleted iexplore.exe out of the dllcache directory, but it was still coming back from god knows where.

Hmm, now I wondered if I had to kill both Internet Explorer and the dodgy file at the same time. I wrote a batch file to do it, and after trying it a few times and making some modifications, I ended up with the following:

REM Mark the temp dir read-only so the dropper can't (hopefully) write a new copy
attrib +r "C:\Documents and Settings\[username]\Local Settings\Temp"
REM Remove whatever randomly named exes are currently sitting in temp
del "C:\Documents and Settings\[username]\Local Settings\Temp\*.exe"
REM Kill the dodgy exe by PID, then every iexplore.exe, back to back
process -k 2960
process -k iexplore.exe
REM Take iexplore.exe itself away so nothing can relaunch it
del "C:\Program Files\Internet Explorer\iexplore.exe"
REM Sweep temp again in case something was dropped in the meantime
del "C:\Documents and Settings\[username]\Local Settings\Temp\*.exe"
attrib +r "C:\Program Files\Internet Explorer"
attrib +r "C:\Documents and Settings\[username]\Local Settings\Temp"

where 2960 was the current id of the dodgy exe.
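The thing being fought here is a mutual watchdog: the iexplore.exe instances and the randomly named exe each relaunch the other, so killing one at a time never wins, and the batch file above has to be re-edited with a fresh PID every run. The script below is an added example (mine, not from the original post) of the same idea done in PowerShell on a current Windows: enumerate every process that is either an iexplore.exe or runs out of the user's Temp directory (and the "meta hide shim" folder mentioned above, both assumed as the dropper locations), kill the whole set in one Stop-Process call, delete the dropped binaries, and repeat for a few rounds until nothing respawns. The suspect names and directories are assumptions taken from the narrative; `Stop-WatchdogPair` and `Get-SuspectProcesses` are hypothetical helper names.

```powershell
# Added example, not code from the original post. Assumes:
#  - a watchdog pair of iexplore.exe plus a randomly named .exe living under
#    the user's Temp directory (locations taken from the narrative above)
#  - a current Windows with PowerShell 5+, run from an elevated prompt
$SuspectNames = @('iexplore')   # process names to kill wherever they run
$SuspectDirs  = @(              # directories the droppers were found in
    $env:TEMP,
    (Join-Path $env:APPDATA 'meta hide shim')
)

function Get-SuspectProcesses {
    # Win32_Process gives us ExecutablePath for every process, including
    # ones Get-Process cannot open a handle to.
    Get-CimInstance Win32_Process | Where-Object {
        $name = [IO.Path]::GetFileNameWithoutExtension($_.Name)
        $path = $_.ExecutablePath
        ($SuspectNames -contains $name) -or
        ($path -and ($SuspectDirs | Where-Object { $path -like "$_\*" }))
    }
}

function Stop-WatchdogPair {
    param([int]$MaxRounds = 5)
    for ($round = 1; $round -le $MaxRounds; $round++) {
        $procs = @(Get-SuspectProcesses)
        if ($procs.Count -eq 0) {
            Write-Host "Round ${round}: nothing left running"
            return $true
        }
        $labels = $procs | ForEach-Object { "$($_.Name)[$($_.ProcessId)]" }
        Write-Host ("Round {0}: killing {1}" -f $round, ($labels -join ', '))

        # One Stop-Process call with every PID, so neither half of the pair
        # gets a window in which to notice the other dying and restart it.
        $ids = $procs | ForEach-Object { $_.ProcessId }
        Stop-Process -Id $ids -Force -ErrorAction SilentlyContinue

        # Remove the dropped binaries before anything can relaunch them.
        foreach ($p in $procs) {
            $inDropDir = $p.ExecutablePath -and
                ($SuspectDirs | Where-Object { $p.ExecutablePath -like "$_\*" })
            if ($inDropDir) {
                Remove-Item -LiteralPath $p.ExecutablePath -Force -ErrorAction SilentlyContinue
            }
        }
        Start-Sleep -Milliseconds 500
    }
    Write-Warning ("Still respawning after {0} rounds; something outside this set " +
                   "is relaunching it (a service, scheduled task, Run key or BHO)." -f $MaxRounds)
    return $false
}

Stop-WatchdogPair
```

Two practitioner notes. First, the `attrib +r` trick on a directory does not block file creation on NTFS regardless of whether the malware resets it; the read-only attribute on a folder is ignored by Windows for that purpose, so the script above relies on deleting the dropped binaries in the same pass as the kill rather than on the attribute. Second, if the pair keeps coming back after the loop gives up, the relauncher is something the script is not looking at, which is exactly the situation the boot-time scan later in this post deals with.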

This seemed to work; after that they were all gone, and I was able to delete another of the dodgy files I found, something along the lines of "C:\Documents and Settings\[username]\Application Data\meta hide shim\Dashmapi.exe".

There was still another one I couldn't kill off. I also couldn't look at its details; Windows kept coming up and saying it wasn't a valid Win32 executable or something.

I wondered if it was just corrupt, and tried scanning the disk for errors, but it didn't find any.

My mate didn't have a virus scanner on his machine either. I downloaded the Avast scanner and ran that through; it didn't find any viruses.

I downloaded their proper installer, scheduled a boot-time scan, and rebooted the machine. It took about 45 minutes to scan the hard drive, and found a couple of infected files, "payload.dat" and some exe file whose name I don't remember, identifying both of them as trojans.

I didn't look at the machine after that, but the popups had stopped, so I was happy that I'd fixed it.

It took me a good couple of hours to clean all the shit off. Windows and IE are pathetic.
