Practical computer tips, with a smattering of digital philosophy
I had the great honor of becoming acquainted with yet another malicious “anti-malware” program this evening, and in the process, I discovered yet another place where these bugs can hide their files. Actually, the cloaking tactics used by this particular scourge were some of the most fiendishly clever I’ve ever seen. First off, the malware piggybacked on a system process (in typical rootkit style), making it impossible (a) to find out the name of the malicious process from the Process Manager, and (b) to directly kill the process (without shutting down Windows, of course). But this is hardly atypical malware behavior; the real kicker was where the malware had decided to deposit its files. Here’s how I found them:
The bug in question was one of the ones that hijacks IE and displays bogus “unsafe browsing” warnings at regular intervals, and after half an hour of fruitless poking around, it occurred to me that these alerts might actually supply a way for me to track them back to their source. Sure enough, when I viewed the source HTML for the warning page, I discovered that the page was linked back to a directory in the user’s Application Data directory, to be more specific, a directory named Google. The bug had even been cheeky enough to put an empty subfolder named something like “Saved search results” in the directory, along with a bunch of .dll and .exe files with random names. Tada.
After being thoroughly outraged (and, I must admit, a bit amused) by this program’s sheer audacity, the removal process was a simple matter of moving the entire Google directory somewhere else (I have no idea why this is, but while files being used by active processes cannot be moved, their parent folders can), and then deleting it when Windows was restarted. (KillBox didn’t work on these, by the way.)
At any rate, here’s the updated list of all the places I’ve found malware lurking to date:
C:\Windows (most often .dll files with random names, though some call themselves things like “sysrestore32.exe”; in case you can’t tell, that’s definitely not what the System Restore executable is called)
C:\Windows\system32 (same as above)
%USERPROFILE%\Local Settings\Temp (same as above; I’ve also seen winlogon.exe and winlogun.exe here)
*Because this link takes you directly to the file itself, and there’s no documentation on the server that’s hosting it, the best I can do to prove that this is what I claim it is (if you were skeptical, bravo) is to point you to other sites that have recommended the use of this program: here’s one from Experts Exchange (sign-in required), and here’s another from some random forum.
The point here is that you need to either:
(1) identify and kill every single process that is either actively using or was spawned by the files in question, or
(2) switch to an environment in which it’s totally impossible that any such process could be running.
The first option allows you to work within Windows, but probably won’t help you if your computer is infected with a rootkit, which cloaks itself so well that the system thinks the rootkit code is actually part of a system process. That means that as long as that system process (explorer.exe, say) is running, you’re not going to be able to delete the malicious files. Period. The second option, by contrast, is guaranteed to allow you to delete or move any file you wish, because no Windows code is running at all, but it requires a Linux boot CD. Depending on which option you choose, here’s some additional helpful information:
1. If you elect to try the first option (which, being more straightforward for most people, is probably a good first step), there are two utilities that will make your search-and-removal task a great deal easier: Process Explorer and KillBox.
I’m afraid I don’t have the time or energy at the moment to detail the various ways in which you might use these applications to your advantage, but both programs are fairly intuitive, and Process Explorer has excellent documentation, so you shouldn’t have much trouble.
2. As for the second option, I can only say that I do plan on writing a primer on how to obtain and use a Linux boot CD for a wide variety of system-rescue purposes, but not right now. So if you know exactly what I’m talking about, and just need help with mounting your system drive, go for it. Don’t forget to mount it read-write (-o rw), since you want to delete stuff, and use a driver that can actually write to NTFS: -t ntfs-3g. The older in-kernel ntfs driver will accept -t ntfs -o rw, but it can only overwrite the contents of existing files in place; it cannot create, move or delete them, which is exactly what you need to do here. Otherwise, if you really cannot find any other way to permanently delete the files in question, you’ll either have to consult an online Linux tutorial, or consider the possibility of reformatting your hard disk and reinstalling Windows.
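Here is the boot-CD route from option (2) written out as a small shell script: mount the Windows volume with ntfs-3g, list the recently modified .exe/.dll files in the hiding places from the list above, and move a file or a whole directory (as with the Application Data\Google directory described earlier) into a quarantine with a manifest so it can be put back if it turns out to be legitimate. This is an added example, not code from the original post. It assumes the Windows volume is /dev/sda1 (a guess; check `fdisk -l` first), that ntfs-3g is on the rescue CD, that the quarantine lives on a USB stick mounted at /mnt/usb, and that the mount point path contains no shell glob characters, since it is spliced into `find` patterns. The mount step is only run by hand; the other functions work on any directory tree.

```shell
#!/bin/sh
# Added example for the Linux boot-CD option; not code from the original post.
# Assumptions (not from the post): Windows volume is /dev/sda1, ntfs-3g is
# available, quarantine stick is mounted at /mnt/usb, and the mount point
# path has no glob characters (it is used inside find patterns below).

# Mount the Windows volume read-write. ntfs-3g is the driver that supports
# full writes; the legacy in-kernel "ntfs" driver mounted with -o rw can only
# overwrite existing file contents and cannot create, move or delete files.
mount_windows() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -t ntfs-3g -o rw "$dev" "$mnt"
}

# Print .exe/.dll files under the places the post lists (Windows, which
# includes system32; each profile's Local Settings\Temp and Application Data)
# modified within the last N days. Names are matched case-insensitively
# because XP may spell the directories WINDOWS, Application Data, etc.
list_suspects() {
    root="$1"; days="$2"
    find "$root" -type f \( -iname '*.exe' -o -iname '*.dll' \) -mtime "-$days" \
        \( -ipath "$root/windows/*" \
           -o -ipath "$root/documents and settings/*/local settings/temp/*" \
           -o -ipath "$root/documents and settings/*/application data/*" \) \
        | sort
}

# Move a file or a whole directory out of the Windows volume into the
# quarantine, keeping its relative path and logging it in MANIFEST.tsv.
# With Windows not running, nothing holds the files open, so mv just works.
quarantine() {
    root="$1"; qdir="$2"; path="$3"
    rel="${path#"$root"/}"
    mkdir -p "$qdir/$(dirname "$rel")"
    mv "$path" "$qdir/$rel"
    printf '%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$rel" >> "$qdir/MANIFEST.tsv"
}

# Put a quarantined entry back (relative path as recorded in MANIFEST.tsv),
# for the case where a "suspect" turns out to be something Windows needs.
restore() {
    root="$1"; qdir="$2"; rel="$3"
    mkdir -p "$root/$(dirname "$rel")"
    mv "$qdir/$rel" "$root/$rel"
}

# Interactive use on the live CD, as root (commented out so the file can be
# sourced safely):
#   mount_windows /dev/sda1 /mnt/win
#   list_suspects /mnt/win 7
#   quarantine /mnt/win /mnt/usb/quarantine \
#       "/mnt/win/Documents and Settings/bob/Application Data/Google"
#   umount /mnt/win
```

The modification-time filter is what keeps the list short: legitimate system files in C:\Windows are months or years old, while the dropped .dll and .exe files carry the infection date. Quarantining rather than deleting costs nothing and is the only way to recover from a wrong guess about a random-looking filename.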
Browser hijacking, which prevents any web browser from reaching anti-malware websites, and causes the browser to be redirected to random shopping websites whenever you click on a link from a search engine (Google, Yahoo, you name it).
Disappearance of the “Display”, “Screen Saver”, and “Advanced” tabs in the Display Control Panel.
Disappearance of the Folder Options Control Panel
Crippling of Windows Security Center
Disabled Windows-key shortcuts (Winkey-R; Winkey-D, etc.)
Disabled Command Prompt
Disabled Registry Editor
Appearance of cockroaches on the desktop, accompanied by a warning informing the user that there “are bugs on the system.” I’m not kidding.