the Junkyard: Killing a Trojan Horse: Part VI
Killing a Trojan Horse: Part VI

Posted by: IVIaedhros on Sat Dec 10th, 2005 at 4:26 PM

Mop the floor with the little cretin!
Written by Rock, former SS:2845 dev and StarSiege guru.
Well, the files are really there. There really is a folder called "ubeasus", and there really are several Registry keys that support it. The article clued me in to the best approach to take for the final step. Reboot into Safe Mode.

In Safe Mode, most device drivers don't load. Windows runs in a minimal mode. That means that the cloaking device driver probably wouldn't load either, and I could really see everything. So reboot, hit F8, and I'm in Safe Mode.

Fire up Explorer and, lo and behold, there it is in all its stinky, nasty little glory. With something as extensive as this, it's best to just move the culprits to a different, safe location. So I renamed the "ubeasus" folder to "dogdoo". How fitting, I grinned, while typing in the command! This was SWEET!

I moved the other few files that were located outside of the "ubeasus" folder into their rightful deposit in the "dogdoo" folder. Then I fired up RegEdit and, sure enough, all the keys showed up in there too. I had to track each one down manually, then study any linking key that they referenced, and track those down too. THAT'S what put me onto the device driver. A little beastie named "ipiroxy".

So I opened Device Manager, enabled "View Hidden Devices" and there it was. It wasn't there before, but now, in Safe Mode, I could see it. I disabled it, and then I uninstalled it. Then I manually deleted all of its keys in the Registry. It's sort of like using a shotgun to kill a gnat, but I was kicking this dead dog while it was down, and I was enjoying myself.

I went back to the top of the Registry, and did a "Find" for each item, object, folder, or key that was related to the trojan. I deleted them until none remained. Again, you can't just go willy-nilly and hit delete for everything. You have to scrutinize what you're about to do because a mistake in the Registry can be catastrophic.
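Rock did that Find pass by hand in RegEdit. Here is an added example, not from his article, that does the same sweep as a read-only audit in PowerShell: it lists every key name or value that mentions one of the indicator names, and for any file path found in a value's data it reports whether the file still exists on disk, so the linking keys he chased manually show up in one list. The indicator names and hive list are taken from the article and are assumptions you would replace with whatever your own scanners flagged; it deletes nothing.

```powershell
# Added example, not part of Rock's article: a read-only version of his RegEdit "Find" pass.
# Run it from Safe Mode (as he did) so a cloaking driver cannot hide the keys from you.
# It REPORTS every key name or value data that mentions an indicator; it deletes nothing.
param(
    # Names taken from the article (assumed); replace them with what your own scanners flagged.
    [string[]]$Indicators = @('ubeasus', 'ipiroxy', '6topdsvc'),
    [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software')
)

$hits = New-Object System.Collections.Generic.List[object]

function Add-Hit([string]$Indicator, [string]$Key, [string]$ValueName, [string]$Data) {
    # Pull any drive-letter paths out of the data so "linking" entries that point at
    # files outside the main folder (the ones Rock had to chase by hand) are visible.
    $paths = [regex]::Matches($Data, '[A-Za-z]:\\[^";,]+') | ForEach-Object { $_.Value.Trim() }
    $onDisk = ($paths | ForEach-Object { "$_ exists=$(Test-Path -LiteralPath $_)" }) -join '; '
    $hits.Add([pscustomobject]@{
        Indicator = $Indicator; Key = $Key; ValueName = $ValueName; Data = $Data; ReferencedFiles = $onDisk
    })
}

foreach ($hive in $Hives) {
    # SilentlyContinue skips keys this account cannot read instead of aborting the sweep.
    Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($ind in $Indicators) {
            if ($key.PSChildName -like "*$ind*") { Add-Hit $ind $key.Name '(key name)' '' }
        }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            foreach ($ind in $Indicators) {
                if ($data -like "*$ind*") { Add-Hit $ind $key.Name $name $data }
            }
        }
    }
}

# Review the list, then remove entries one at a time in RegEdit once you are sure of each.
$hits | Sort-Object Key | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt; keys the account cannot read are skipped rather than reported, so an empty list is not proof that nothing is left.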

I covered all my bases, and I nailed everything I could think of while in Safe Mode. I rebooted back into normal Windows and I ran my tests. Pull up the browser... no popups. Explorer still worked fine. Pull up the Security Task Manager and there was no 6topdsvc running. Watching the STM, I ran many applications, especially anything related to the internet. Everything was fine. I reran the RootKitRevealer, and all the other tools, and it all came up clean. I jumped from my chair, raised my fists into the air, and like Rocky Balboa, I danced for joy! "Yo Adrian! I did it!"

The tools I used to do all the work:
Spybot Search & Destroy
CWShredder
AdAware
Startup Control Panel
RootKitRevealer
Security Task Manager
The background task that I have now put in place:
Microsoft AntiSpyware
AVG Free Edition AntiVirus Scanner
Finally... open your browser and go to Tools, Internet Options, Security, Custom Level, scroll down to "Download signed ActiveX Controls" and set it to Prompt. Then "Download unsigned ActiveX controls" and set it to Disable. When you visit a webpage and you get a prompt to permit it to load an ActiveX control, unless you're at a reputable website, you should DENY it.

Beware the pale horse!

This article along with other technical write-ups and downloads are available at Rock's Place. Contact Rock at rock@rockshq.com