Fighting spyware – let's hunt the bug

I had an issue with spyware last weekend. OK – it's also my fault: this machine was infected while my girlfriend's sister was using it, and she had access to the admin account. The machine was infected with a bunch of spyware and malware. I just want to share a few thoughts about it with you.

I spent more than 6 hours trying to get rid of the different spyware installed on this machine – man, this is madness. Simple adware was protected by a rootkit-like driver (i386p) and a few other things. I used MS AntiSpyware and another tool (Spybot Search & Destroy). After running all the automatic tools and removing a few different things, I was still at the point where something was not OK in this system: I noticed unusual resource consumption and strange network connection attempts (I was offline the whole time to protect the system from being infected again over the internet). So I had to investigate it with my own hands.

Some specific details I discovered: this machine was infected with the Look2me\VX2 malware, which is a real pain in the a$$ when it comes to removing it. It drops DLL files with random names in the %systemroot%\system32 directory, then hooks them under the Winlogon\Notify registry key and protects this key from deletion or modification. On shutdown it drops another file called quard.tmp in %systemroot%\system32, which helps it get up and running on the next system boot. It hides itself from the user using the i386p rootkit driver. So first you have to get rid of any other spyware dropped on your machine, which is relatively easy. Then you have to disable this i386p driver and only then get rid of the spyware. It takes some time and effort – or maybe it was just me, tired after a week spent at the customer site.
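The persistence path described above (Winlogon\Notify subkeys pointing at random-named DLLs in system32, a quard.tmp dropper and the i386p driver) is exactly what you want to enumerate by hand before deleting anything. The script below is an added example, not code from the original post: it lists every Notify package, resolves the DLL winlogon would load for it, and flags the ones worth looking at. It assumes an elevated PowerShell session on the infected machine (Windows XP/2003; the Notify key was removed in Vista). The $knownGood list is an assumption for illustration, not an authoritative allowlist: compare against a clean machine of the same build.

```powershell
# Added example, not code from the original post. Enumerate Winlogon\Notify
# packages (the hook Look2me/VX2 abuses), resolve each DLL and flag suspects.
# Assumes an elevated session on Windows XP/2003.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

# Assumed XP-era defaults; verify against a clean box of the same build.
$knownGood = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
               'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

if (-not (Test-Path $notifyKey)) {
    Write-Warning "No Winlogon\Notify key on this build; nothing to enumerate."
} else {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $name = $sub.PSChildName
        $dll  = (Get-ItemProperty $sub.PSPath).DLLName
        if (-not $dll) { continue }

        # winlogon loads a bare file name from System32; keep absolute paths as-is.
        $path = if ([System.IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }

        $flags = @()
        if ($knownGood -notcontains $name) { $flags += 'unknown package name' }
        if (-not (Test-Path $path)) {
            # A registered DLL you cannot see is the rootkit signature from the post.
            $flags += 'DLL not visible on disk (hidden by a rootkit, or already removed)'
        } else {
            $file = Get-Item $path -Force
            $sig  = Get-AuthenticodeSignature $path
            if ($sig.Status -ne 'Valid')            { $flags += "signature: $($sig.Status)" }
            if (-not $file.VersionInfo.CompanyName) { $flags += 'no version resource' }
            if ($file.CreationTime -gt (Get-Date).AddDays(-30)) { $flags += "created $($file.CreationTime)" }
        }

        $verdict = if ($flags) { 'SUSPECT' } else { 'ok' }
        "{0,-8} {1,-16} {2,-50} {3}" -f $verdict, $name, $path, ($flags -join '; ')
    }
}

# The dropper file and the driver service the post describes.
$drop = Join-Path $system32 'quard.tmp'
if (Test-Path $drop -PathType Leaf) {
    Write-Warning "Found $drop; remove it before the next reboot"
}
if (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\i386p') {
    Write-Warning 'Driver service i386p is registered; disable it (Start=4) before deleting the DLLs'
}
```

Treat a "not visible on disk" result as the most interesting one: the registry says winlogon will load the DLL, yet the file system API cannot see it, which is what a file-hiding driver looks like from user mode. Note the flagged DLL names now; you will need them again once the driver is disabled and the files become visible.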

A number of useful tools for tracking and removing spyware:

  • Process Explorer, Filemon, Regmon: a set of very useful tools from Sysinternals.
  • Sysinternals Autoruns: lets you see everything that is configured to run at system startup or logon, and the DLLs loaded into Explorer and other processes; very useful.
  • Sysinternals RootkitRevealer: compares a high-level Windows API scan of the file system and registry with the raw on-disk data and reports the discrepancies, which is how hidden files and keys show up.
  • Kill Box: a very useful utility for dealing with files protected by some process; it lets you remove a selected file on reboot and replace it with a stub file, which may prevent the malware from writing it again.
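The delete-on-reboot and replace-with-stub behaviour attributed to Kill Box above maps onto one documented Win32 call: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends to the PendingFileRenameOperations queue that the Session Manager works through early in the next boot, before Winlogon loads any Notify DLL. The script below is an added example, not Kill Box's code or code from the original post (how Kill Box implements this internally is an assumption); it assumes an elevated session and the file names in the usage comment are placeholders.

```powershell
# Added example, not code from the original post. Queue a locked or
# rootkit-protected file for deletion at the next boot, optionally leaving a
# zero-byte stub in its place, via MoveFileEx/MOVEFILE_DELAY_UNTIL_REBOOT.
# Assumes an elevated session (the queue lives under HKLM).

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

function Remove-FileOnReboot {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [switch] $ReplaceWithStub
    )
    $full = [System.IO.Path]::GetFullPath($Path)

    # A null destination plus MOVEFILE_DELAY_UNTIL_REBOOT queues a delete;
    # smss.exe carries it out at the next boot, before Winlogon starts.
    $ok = [Win32.Kernel32]::MoveFileEx($full, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx(delete) failed for ${full}: $((New-Object System.ComponentModel.Win32Exception $err).Message)"
    }

    if ($ReplaceWithStub) {
        # Delayed moves must stay on one volume, so the stub is created next to
        # the target. The queue runs in order: delete first, then rename stub -> target.
        $stub = Join-Path (Split-Path -Parent $full) ([System.IO.Path]::GetRandomFileName())
        [System.IO.File]::WriteAllBytes($stub, [byte[]]@())
        $ok = [Win32.Kernel32]::MoveFileEx($stub, $full, ($MOVEFILE_DELAY_UNTIL_REBOOT -bor $MOVEFILE_REPLACE_EXISTING))
        if (-not $ok) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "MoveFileEx(replace) failed for ${full}: $((New-Object System.ComponentModel.Win32Exception $err).Message)"
        }
    }
}

function Get-PendingFileRenames {
    # The queue the calls above append to: pairs of strings, source prefixed
    # with \??\, and an empty destination meaning "delete".
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

# Usage (placeholder names; take the real DLL name from your Winlogon\Notify check):
# Remove-FileOnReboot -Path "$env:SystemRoot\System32\quard.tmp"
# Remove-FileOnReboot -Path "$env:SystemRoot\System32\<random>.dll" -ReplaceWithStub
# Get-PendingFileRenames
```

Check Get-PendingFileRenames before rebooting: if the malware, or anything else, has already queued its own operations there, they will run in the same pass, and an entry you did not add is itself worth investigating.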

That's only a few of the available tools I used when fighting back this infection. I can tell you that these few were very helpful.

After you get the system back to a healthy state, the question always comes up: is it 100% healthy? Should I rebuild the box, or can I let it run in this state? I'm sure I've checked everything I can to be sure that it is not running any malicious software; right now I'm reviewing Port Reporter logs from this machine after some time and it looks OK, but after an infection there is always a question about safety. How can ordinary people deal with it in a safe manner? I'm not sure that they can …