Wrangling Another Gremlin (WAG)
Posted by Gruntled
Being someone who “works with computers,” I find that family and friends quite often fling random personal hardware into my lap to “fix when you have some spare time.”
This is one of those spare times.
I’ve seen the patient (a late model Dell Inspiron, well appointed with several hardware options, no signs of abuse or even heavy use) several times now for system issues.
First it wasn’t showing local drives and had some permissions issues installing any new software, even if you logged in as an admin. There was a small trojan that had dropped a reg key to keep itself from getting uninstalled. I corrected the reg key, put some basic adware/junk filters in place, installed the software in question and returned it, advising a full backup of personal data and a dirty install of Windows.
When the patient returned with complaints involving spyware blocking prompts, I thought that the basic crap filter had been left a bit sensitive. Signing on, I found a huge mess.
Starting with the usual review of startup processes and killing off the regular user clutter, I found the gremlin…
The now-famous trojan, Antivirus Home 2009 has been updated, and the patient is singing the Fake AV Blues. Loudly. From the back fence.
Our botnet buddies have included some familiar features, but have ramped things up. The install has become very worm-like. It has the usual home base, but any CPL “uninstall” or use of any of the usual removal tools in your tool belt will make it very defensive.
Even after killing off all of its processes, renaming its executables, and cleaning the tempspace, it sees mbam, spybot, and the stinger, kills them off, puts its OWN fly-by installer in place of the exe of the tool, and hides another install of itself using what looks like randomized names.
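Since the trojan swaps its own installer in for the removal tool’s exe, the check I would want before running any tool on a box like this is a hash comparison against the vendor’s published value, plus a sweep for freshly written files with short random-looking names. This is an added PowerShell example, not code from the post; the tool paths, the hash values and the folder list are placeholders to fill in from the vendor download pages and the locations being cleaned (Get-FileHash needs PowerShell 4.0 or later).

```powershell
# Added example, not from the original post. Verifies removal-tool binaries
# against vendor-published SHA-256 hashes before they are run, then lists
# recently changed files with short random-looking names in the folders
# being cleaned. All paths, hashes and folder names below are placeholders.

$KnownGood = @{
    # placeholder paths and hashes; take the real values from each vendor
    'C:\Tools\mbam.exe'     = 'REPLACE_WITH_VENDOR_SHA256'
    'C:\Tools\SpybotSD.exe' = 'REPLACE_WITH_VENDOR_SHA256'
    'C:\Tools\stinger.exe'  = 'REPLACE_WITH_VENDOR_SHA256'
}

function Test-ToolIntegrity {
    param([hashtable]$Manifest)
    foreach ($path in $Manifest.Keys) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'MISSING'; Actual = $null }
            continue
        }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $status = if ($actual -eq $Manifest[$path]) { 'OK' } else { 'MISMATCH' }
        [pscustomobject]@{ Path = $path; Status = $status; Actual = $actual }
    }
}

function Get-RecentRandomNamedFiles {
    param([string[]]$Folder, [int]$Hours = 24)
    $cutoff = (Get-Date).AddHours(-$Hours)
    # Lower-case names of 5-12 letters with the extensions seen on this machine
    Get-ChildItem -Path $Folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff -and
                       $_.Name -cmatch '^[a-z]{5,12}\.(dat|inf|reg|bat|exe|cpl)$' } |
        Select-Object FullName, Length, LastWriteTime
}

# Run the tools only if every entry comes back OK.
$report = Test-ToolIntegrity -Manifest $KnownGood
$report | Format-Table -AutoSize
if ($report | Where-Object { $_.Status -ne 'OK' }) {
    Write-Warning 'Do not run the tools: at least one binary is missing or altered.'
}

# Folder list is a placeholder for the locations being cleaned.
Get-RecentRandomNamedFiles -Folder @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) -Hours 48 |
    Format-Table -AutoSize
```

Hashes should be compared only against values fetched from a clean machine, since anything read off the infected box (including the browser) is suspect.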
I ended up doing a manual kill, very similar to the list found at syschat, but with several new ones added to the list, including:
A load of registry entries that I should have logged, as they were all serial based.
_scui.cpl in a secondary location
lots of copies of a binary batch file, with names like asox, avaxo, tufija
reg files named ylifat, etc.
inf files named like xehiger
and lots of copies of the same .dat file in all of the locations mentioned at syschat, but with names like jabocixevu, jihomuri, sevotif
After getting the polyps knocked down, I did a restart, then removed the installs and stubs of all the detect and protect tools because they are all suspect at this point.
Rebooting again, things look much better. For the first couple of minutes. Then a notifier bubble shows up from the task tray with a fake “malware detection” notification. Downloading and installing a fresh mbam install and running it kicks off a new install of antivirus 2010.
Back to square one.