One man's job
by Andrew Cooper
February 4, 2005 - Part II
Summary of problems
Here's a roundup of the problems I found:
Facts: Task Manager down, wallpaper hijacked, suspicious desktop icon, active program requesting user input (possible dialer).
Suspicions: Malicious processes in memory, attempts by offensive program(s) to divulge user data to third-party locations, other destructive activity.
What was really discouraging was that my friend didn't know about the need to use a firewall and an antivirus program; therefore, those programs weren't installed on her system. They would've been a big help in that situation. I didn't have the necessary tools to tackle the problem, so I had to get them online.
The next section focuses on how I returned my friend's stricken machine to a normal workable state.
Actions taken to resolve the crisis
Spyware removal tools
The best way to cure a compromised (infected) computer is to disable any Internet access and make further remedial actions on the isolated system. Simply unplugging the network cable from the socket will do the trick, but in my case this option was not available, because I had to download all necessary programs from the Net.
First, I downloaded Microsoft AntiSpyware. It is the first product by the software giant to combat malicious programs such as viruses and spy/adware, and I wanted to see how it worked. The program has been made available only recently and is free to anyone in its beta 1 (not final) version.
The program is sleek, with a rigorous user interface and all the traits of a solid Microsoft product. The program, which appears in Windows' system tray, constantly monitors various executable programs for the presence of malicious code. Every time it suspects some illegal activity or changes to key Windows components, the program displays an alert window. The alerts are lively and encouraging, but the program is quite weak when it encounters serious resistance: after I checked my friend's entire system and eradicated a score of pests, the computer was still not free of malware.
In the following picture, you can see Microsoft AntiSpyware catching TIB Porn Dialer, which was persistently bugging me with its requests to select a country. Also note an interesting detail: The process initiated by a Microsoft AntiSpyware scan is called GiantAntispywareMain.exe, after the Giant company, which developed the program and was later acquired by Microsoft.
Registry tuneup
Next, I decided to go to the System Configuration utility, a program that helps configure the programs and components that start automatically when Windows starts up. To do that, I typed "msconfig" in Windows' Run dialog box. The program actually mirrors Windows' basic startup registry values viewable by typing regedit.exe in the "Run" window.
In the msconfig window, I discovered an unknown entry: kernels32.exe. I knew the file kernel32.dll, the core component of any Windows NT-compatible system, but kernels32.exe looked odd to me. I located the file in the folder c:\windows\system32 (right where the msconfig settings referred to) and right-clicked it to learn additional information, but the strings that interested me most, namely the "product name" and "company" entries, were blank. That reinforced my suspicions that the file was unauthorized and should be disabled.
To do that, I renamed the original file to kernels32.odd.exe and removed the link to it from the msconfig settings.
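As an added example that is not part of the article: the manual check described above (a startup entry pointing at an executable whose "product name" and "company" fields are blank) can be automated on a current Windows system with PowerShell by walking the Run keys that msconfig displays and reading each file's version resource and Authenticode signature. The key list and the "looks like a system file name" heuristic are my choices, not the author's, and the script only reports; it changes nothing.

```powershell
# Added example (not the article's own procedure): list the Run entries that
# msconfig shows and flag executables whose version resource has blank
# CompanyName/ProductName fields, as kernels32.exe did in the article.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupExePath {
    param([string]$Command)
    # Pull the executable path out of a Run value such as
    #   "C:\Program Files\app\app.exe" /silent   or   C:\windows\system32\foo.exe /x
    if ($Command -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $Command.Trim()
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $exe   = [Environment]::ExpandEnvironmentVariables((Get-StartupExePath $v.Value))
        $flags = @()
        if (-not (Test-Path -LiteralPath $exe)) {
            $flags += 'file missing'            # dangling entry: already removed or hidden
        } else {
            $vi = (Get-Item -LiteralPath $exe).VersionInfo
            if ([string]::IsNullOrWhiteSpace($vi.CompanyName)) { $flags += 'blank CompanyName' }
            if ([string]::IsNullOrWhiteSpace($vi.ProductName)) { $flags += 'blank ProductName' }
            $sig = Get-AuthenticodeSignature -LiteralPath $exe
            if ($sig.Status -ne 'Valid') { $flags += "signature $($sig.Status)" }
        }
        # Heuristic (my addition): a startup .exe named after a core system DLL,
        # such as kernels32.exe beside the real kernel32.dll, deserves a closer look.
        if ([IO.Path]::GetFileName($exe) -match '^kernel') { $flags += 'mimics system file name' }
        [pscustomobject]@{
            Key   = $key
            Name  = $v.Name
            Path  = $exe
            Flags = ($flags -join '; ')
        }
    }
}
```

Entries with an empty Flags column are ordinary; anything flagged is a candidate for the same manual inspection the article describes, not an automatic verdict.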
While Task Manager was disabled, I had to get a tool that would show me the active programs and processes on the computer. I downloaded a small shareware program called Far File Manager (available at http://www.rarlab.com/far/Far165.exe). You can press Alt+F1 in an active program to view the processes that are running, and you can highlight a particular process and press F3 to view additional information that may be very helpful.
You can also download the WinTasks program, which gives essential information about the processes resident in your computer's memory. Furthermore, on the WinTasks Web site, you can get a list of the 100 most typical processes run on Windows machines and compare them against the ones activated on your computer.
Other helpful programs
Although I had done a great deal to clean my friend's computer, I wasn't sure that I'd rooted out all the destructive pieces, so it was natural to get more software that would help with the situation.
I downloaded two more programs that are known as leaders among spyware neutralizers. These programs are Webroot's Spy Sweeper and Spybot: Search and Destroy. I gave each program the task of removing any poisonous elements it was capable of finding, with Spybot scheduled to go first. Below is the result of its first run:
Spybot reported that it had successfully removed all found elements. Yet after I restarted the program, the same DSO Exploit listing showed up again.
Then it was Spy Sweeper's turn. That program did much better. Even after numerous runs by Spybot, Spy Sweeper still detected the following spyware instances:
Note that the most destructive of the threats Spy Sweeper found was the Desktop Hijacker program, probably the one responsible for that black window I told you about at the start of this article. However, when I restarted Windows after the program reportedly cleaned the system, the black window was still there. Even if the program had removed Hijacker itself, it was unable to remedy its ramifications.
But I could do that manually. I chose Control Panel -> Display -> Desktop -> Customize Desktop -> Web; then I deselected or removed everything that wasn't needed.