Monday, January 07, 2008

[log] Win32:TratBHO [Trj], Win32:Agent-PCJ [Adw], Win32:Bojo-G [Trj]

Marc must have downloaded the Xmas specials malware pack. When we got the laptop, we could not even use Internet Explorer to download the anti-virus software. The browser was so jacked that the clicks would be intercepted to go elsewhere, and every few minutes a random browser window would open to "Secret Lovers".

- Changed the desktop background from a lovely picture of his daughters to straight black, and Windows Explorer and the Start menu to "classic" mode. Yes, this had to be done before I could proceed.
- Downloaded Firefox by manually typing in the download path, all the while fighting off randomly opening windows.
- Installed Firefox, and from there downloaded and installed Avast!, Ad-Aware, and CCleaner.
- Ran CCleaner, which deleted 3.6 GB of crap.
- Ran Ad-Aware, and noticed that there were still a huge number of cached files in Local Settings\Temp. No doubt downloaded by all the malware. Manually unhid the folders and files to delete them.
- Downloaded and ran the Norton Removal Tool to uninstall Norton 2005, so that Avast! could function fully.
- Ran Avast!, which found the first two pieces of malware in the boot-time scan:

"Win32:Trojan-gen {Other}" found in "C:\WINDOWS\system32\tuvtqpq.dll"
"Win32:Bojo-G [Trj]" found in "C:\WINDOWS\system32\moywh.dll"

- Avast! easily removed these two. The power adaptor on the laptop had not been working right, though, and the computer decided to hibernate in the middle of the scan.
- Woke it up from hibernate, fudged with the power cord until it seemed to be charging, and continued the scan with a blank screen and no sense of progress. Entertained myself by chatting with Jessica and watching Jose and Scruffy run around.

- The Avast! scan finally finished. The computer is behaving much better now. But clearly there was still malware left, since "Secret Lovers" was still popping up every so often, especially when I tried to use IE.
- Ran Windows Update to upgrade IE and the hotfixes to the latest version. This took a while as it had to upgrade to IE7. Entertained myself by doing work on my work laptop.
- Finally it was done, and with Avast! now running resident, it started to alert on a new piece of malware:

"Win32:Agent-PCJ [Adw]" found in "C:\DOCUME~1\Marc\LOCALS~1\Temp\wjsfldwg.exe"

- I had Avast! delete it. Only to find that after I rebooted, Avast! would then complain about the same malware but in a different file name:

"Win32:Agent-PCJ [Adw]" found in "C:\DOCUME~1\Marc\LOCALS~1\Temp\cymqdwmk.exe"

- Checked the startup list in CCleaner. Noticed a suspicious entry that loaded a DLL with the same random 8-letter file name from the system32 folder. I deleted the entry.
- After a reboot, it got worse. Now the login just hung. I brought up Task Manager and killed explorer and restarted it, in order to be able to do anything again. I checked the startup list in CCleaner again, and, voila, that entry is back, with a different DLL!
- From a command prompt, went to c:\windows\system32 and ran dir /O:D *.dll to see the DLL files ordered by create date -- saw a dozen DLLs with similar random 8-letter names, but cleverly, all with slightly different file sizes.
- I deleted them all but could not delete the latest two -- "File in use. Access denied". Meanwhile, Avast! kept alerting me of the same Win32:Agent-PCJ with the exe file in the Temp folder.
- After repeating this a couple more times, I came up with the idea of killing the explorer process from Task Manager, which finally allowed me to clear out the last of the random 8-letter DLLs. Hurray!
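The triage step above (listing system32 DLLs by date and picking out the randomly named newcomers) can be turned into a repeatable check. This is an added Python example, not the author's commands; the `dir` listing and the allowlist below are constructed, and the random-looking names are the ones from this post.

```python
import re
from datetime import datetime

# Constructed sample of `dir /O:D *.dll` output in the XP-era format.
# The odd-looking names are from the post; the others are ordinary system DLLs.
SAMPLE_DIR_OUTPUT = """\
 Directory of C:\\WINDOWS\\system32

08/04/2004  05:00 AM           577,024 user32.dll
08/04/2004  05:00 AM         1,028,096 kernel32.dll
08/04/2004  05:00 AM         8,449,024 shell32.dll
01/04/2008  06:12 PM         1,336,320 msxml6.dll
01/05/2008  11:32 PM            45,056 tuvtqpq.dll
01/05/2008  11:40 PM            45,312 moywh.dll
01/06/2008  08:03 AM            46,080 tusqo.dll
              7 File(s)     11,527,232 bytes
"""

# Hypothetical allowlist; in practice, diff against a clean machine of the same build.
BASELINE = {"user32.dll", "kernel32.dll", "shell32.dll"}

# One file row: date, time, comma-grouped size, file name.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+([\d,]+)\s+(\S+)$")

def parse_dir_listing(text):
    """Return (timestamp, size, lowercased name) tuples for the file rows of a `dir` listing."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, "Directory of", or summary line
        when = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %I:%M %p")
        rows.append((when, int(m[3].replace(",", "")), m[4].lower()))
    return rows

def looks_random(name):
    """Heuristic for names like tuvtqpq or moywh: 5-8 letters only, few vowels."""
    stem = name.rsplit(".", 1)[0]
    if not stem.isalpha() or not 5 <= len(stem) <= 8:
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) <= 0.4

def suspicious_dlls(text, baseline=BASELINE, recent_days=7):
    """Flag DLLs outside the baseline created within `recent_days` of the newest file."""
    rows = parse_dir_listing(text)
    newest = max((r[0] for r in rows), default=None)
    return [(name, size, looks_random(name))
            for when, size, name in rows
            if name not in baseline and (newest - when).days <= recent_days]
```

Each flagged tuple carries the randomness verdict separately, so a legitimately named update such as msxml6.dll is still listed for review but not mislabelled as random.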

- I rebooted the computer, and what do I see? Another trojan horse alert from Avast!

"Win32:TratBHO [Trj]" found in "C:\WINDOWS\SYSTEM32\TUSQO.DLL"

- I asked Avast! to delete it. I rebooted. Same problem.
- Did it again, and manually checked it in the command prompt. I noticed that Avast! did not actually delete the file. I tried to delete it myself, and of course, the good old "File in use. Access denied" message showed up.
- I immediately tried the same "kill explorer then kill dll" trick. This time, no luck. I proceeded to try to kill a bunch more processes, still no luck. I tried regsvr32 /u tusqo.dll. Nope.
- Tried Avast! a few more times with Delete and Chest on the file, with "delete file on next boot as necessary". Reboot. Still nope.
- Finally, I got Avast! to Rename/Move, with "move file on next boot as necessary". Reboot.
- Voila -- Victory!
- (Who knows why the same did not work for delete, but I guess that's part of the challenge)

After ridding it of not 1, not 2, not 3, but 4 different pieces of malware, all freshies (TratBHO only made it into the virus definition file on 2008 Jan 4), this poor little Pentium III with 256MB RAM is one clean mean machine. IE actually loads faster on it than on my dual core laptop.

Now if only all that work had earned me some achievement points ...