Storage? I am Storage!
I remember when my computers never ever got infected. Ah, that was before I had kids ...
As near as I can tell, the victim received an MSN message that encouraged her to download some software; I'm told it appeared to come from one of her friends. :-?
After opening it, the antivirus software had a fit, so she figured the problem would go away if she restarted the PC.
NOD32 reported an active Win32/Rbot trojan, so I cleaned it. All okay, or was it?
The following day, I found that someone had been using IE and it had prompted to download a supposed antivirus tool. I ran Security Task Manager and found a bunch of scumware based in the System32 directory. I soon found that some of it was using the System attribute to avoid detection. A search by date found backup copies masquerading as ini files, etc. I removed them all, except for a file named ssqrp.dll, which was in use.
This last file proved surprisingly stubborn; in fact, I had to repeatedly escalate my approach in futile efforts to remove it. It appeared to be registered as both a BHO *and* as a DLL for WinLogon.exe. So yeah, it ran all the time, including in Safe Mode. Killing it with Process Manager, etc., was impossible because that killed WinLogon, which resulted in an instant BSOD.
The latest version of HijackThis couldn't see it at all. Neither could NOD32. Merijn's StartupList did see it but lacks removal capability. Security Task Manager clearly identified it as a threat but removal failed.
Just in case I doubted whether the infection was active, it popped up an Internet Explorer window exhorting me to download some sort of antivirus/antispyware while I was using Windows Explorer to look through my list of tools. :x
I believe the infection was a variant of Vundo. There are quite elaborate manual removal instructions on the Net (which vary according to the variant), but I tried a couple of removal utilities such as VundoFix (which didn't work), and finally VirtumundoBeGone (which did).
It's possible that I could have just deleted the registry entries, but that seems an obvious thing for such a sophisticated nasty to overlook. I'm still not 100% convinced that it's all gone.
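The post describes three places the DLL was hiding: a Browser Helper Object registration, a Winlogon Notify DLL entry (which is why it loaded even in Safe Mode and could not be killed without taking Winlogon down), and files in System32 carrying the System attribute with misleading extensions. The script below is an added example, not code from the original post or from any of the tools it names; it only reports, so it can be run before deciding what to remove. It assumes an elevated PowerShell session and an XP-era system where the Winlogon\Notify key exists (Vista and later dropped that key), and the `$Days` look-back window is an arbitrary choice.

```powershell
# Added example (not from the original post): enumerate the persistence
# locations the post describes and flag suspicious files in System32.
# Read-only: nothing here deletes or modifies anything.
param(
    [int]$Days = 7   # assumption: look back one week for freshly written files
)

$sys32 = Join-Path $env:SystemRoot 'System32'

# Helper: expand %vars%, check the file exists, and report its Authenticode status.
function Get-DllReport([string]$RawPath, [string]$Source) {
    $path = if ($RawPath) { [Environment]::ExpandEnvironmentVariables($RawPath) } else { $null }
    # A bare file name (no directory) is resolved from System32, as the loader would.
    if ($path -and -not [IO.Path]::IsPathRooted($path)) { $path = Join-Path $sys32 $path }
    $exists = $path -and (Test-Path -LiteralPath $path)
    [pscustomobject]@{
        Source    = $Source
        DLL       = $path
        Exists    = [bool]$exists
        Signature = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
        Attribs   = if ($exists) { (Get-Item -LiteralPath $path -Force).Attributes } else { 'n/a' }
    }
}

Write-Host '== Browser Helper Objects (HKLM) =='
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        Get-DllReport $dll "BHO $clsid"
    } | Format-Table -AutoSize
}

Write-Host '== Winlogon Notify DLLs (XP-era key; absent on Vista and later) =='
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        Get-DllReport $dll "Notify\$($_.PSChildName)"
    } | Format-Table -AutoSize
}

Write-Host "== System32 files with the System attribute written in the last $Days days =="
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem -LiteralPath $sys32 -File -Force |
    Where-Object {
        ($_.Attributes -band [IO.FileAttributes]::System) -and $_.LastWriteTime -gt $cutoff
    } |
    ForEach-Object {
        # A PE file starts with "MZ"; an .ini or similar that does is a DLL in disguise,
        # which matches the "backup copies masquerading as ini files" in the post.
        $magic = New-Object byte[] 2
        $fs = [IO.File]::OpenRead($_.FullName)
        try { [void]$fs.Read($magic, 0, 2) } finally { $fs.Close() }
        $isPE = ($magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
        [pscustomobject]@{
            File       = $_.Name
            Written    = $_.LastWriteTime
            LooksLikePE = $isPE
            Mismatch   = $isPE -and ($_.Extension -notin '.dll', '.exe', '.sys', '.ocx', '.cpl')
            Signature  = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    } | Sort-Object Mismatch -Descending | Format-Table -AutoSize
```

Unsigned or non-existent DLLs in the first two tables, and rows with `Mismatch` set to True in the third, are the entries worth examining by hand; a file that both appears in Winlogon\Notify and has a suspicious signature status is the same shape of problem the post ran into with ssqrp.dll, and the table gives the exact path and CLSID to feed into whichever removal tool is used, without the script itself touching the system.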