the Junkyard: Killing a Trojan Horse: Part III

Posted by: IVIaedhros on Sat Dec 10th, 2005 at 4:29 PM

What's that smell?
Written by Rock, former SS:2845 dev and StarSiege guru.
After the reboot, I rechecked for the mystery file and "pcv23" was still there, and still recreating itself out of thin air after I would delete it. Task Manager and Services did not reveal anything out of the ordinary, so I performed the entire cleanup again and reran all the scanners. Nothing was found. Nothing, except for that crappy little file, and it was just a one-line text file at that, containing the current date and time. Hmmmm, this is interesting. Maybe Windows uses it for something and I never noticed it before. It still smelled like dogdoo to me though.

Then I opened the web-browser and WHAMMO! That's when the "dogdoo" hit the fan! My Desktop had crap all over it. Pop-ups, 2, no wait 3... oops there's a 4th, Holy Mother of God! I could still browse the internet, but I had to deal with a pop-up every two or three minutes.

I noticed that when I opened the browser, it still went to Google as my normal home page. Ahhh, but Google doesn't have pop-ups on their web site. They're adamant about that. No pop-ups at Google. So where the hell were these coming from?

I shut down the browser, killed all the pop-ups until I was back to a clean Desktop, and then I did all the cleanup work yet again. Nothing! So this little devil wants to play huh? Been there, done that. I decided to dive into the Registry.

When you get into the Registry, you have to know what you're looking for. Screw up while you're in there and you can kiss your machine's operability or hard drive data goodbye. You could do a Restore, but Restore only works if you HAVEN'T TURNED OFF YOUR SYSTEM RESTORE SERVICE, which I did years ago. I always figured, real men don't do restores, and I didn't need no stinking directions either. Besides, I was feeling pretty manly. Anyways, I didn't have the Restore option, and I certainly didn't have any directions for tracking this thing down, but I digress.

By this time, I had 3 clues: the magical "pcv23" file, a single appearance of a program error dialog from "c:\program files\ubeasus\6topdsvc.exe" when I first rebooted, and the browser itself (IE6). Searching the Registry (or the drive) revealed nothing. Everything was normal. There was no "ubeasus" directory either. Then how can "6topdsvc.exe" load and run if it doesn't exist?

It must be embedded in a dll file somewhere, I thought. As a software developer, I have Windows tools that let me hook into a crashed program, enter debug mode, and look around at what the crashed program has bound itself to. I needed to get that program to generate its error again. I rebooted, one, two, three times and I got it to fire, so I pulled out my big debugger guns, hooked into the crashed process, and did a Dependency Walk on it.

Well, what have we here? There were several files listed, but two of them were listed as also being sourced in the "ubeasus" directory, and one of them was wingenerics.dll. I Googled for the three filenames and only wingenerics.dll hit, but it was a BIG HIT! Wingenerics.dll is part of several different NASTY trojans.
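The static half of that Dependency Walk, as an added example that is not part of Rock's article: a small Python reader for a PE file's import directory, which lists the DLLs an executable binds to on disk. It only sees import-table dependencies, not DLLs pulled in at runtime with LoadLibrary, which is why a live debugger view of a crashed process catches more; the sample PE and the DLL names it carries are constructed here for the demonstration.

```python
import struct

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset via (VirtualSize, VirtualAddress, RawSize, RawPtr) tuples."""
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA 0x%x lies outside every section" % rva)

def imported_dlls(data):
    """Return the DLL names listed in a PE file's import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew -> "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    magic = struct.unpack_from("<H", data, pe + 24)[0]       # 0x10B PE32, 0x20B PE32+
    # Data directories start 96 (PE32) / 112 (PE32+) bytes into the optional header; entry 1 = imports
    imp_rva = struct.unpack_from("<I", data, pe + 24 + (112 if magic == 0x20B else 96) + 8)[0]
    if imp_rva == 0:
        return []
    sec_off = pe + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = [struct.unpack_from("<IIII", data, sec_off + 40 * i + 8) for i in range(nsec)]
    off, names = _rva_to_off(imp_rva, sections), []
    while True:
        desc = struct.unpack_from("<IIIII", data, off)       # IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                    # all-zero entry ends the table
            return names
        name_off = _rva_to_off(desc[3], sections)            # desc[3] is the Name RVA
        names.append(data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace"))
        off += 20

def build_sample_pe(dlls):
    """Constructed minimal PE32 (headers + one section, not loadable) whose import table names `dlls`."""
    names_rva, body = 0x1000 + 20 * (len(dlls) + 1), bytearray()
    for d in dlls:
        body += struct.pack("<IIIII", 0, 0, 0, names_rva, 0)
        names_rva += len(d) + 1
    body += bytes(20) + b"".join(d.encode() + b"\0" for d in dlls)
    hdr = bytearray(0x200)                                   # headers; section data begins at 0x200
    hdr[:2], hdr[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 64)                    # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 68, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF file header
    struct.pack_into("<H", hdr, 88, 0x10B)                   # PE32 optional-header magic
    struct.pack_into("<II", hdr, 88 + 96 + 8, 0x1000, 20 * (len(dlls) + 1))  # import directory
    hdr[312:320] = b".idata\0\0"
    struct.pack_into("<IIII", hdr, 320, len(body), 0x1000, len(body), 0x200)
    return bytes(hdr) + bytes(body)
```

Run it on a real binary with `imported_dlls(open(path, "rb").read())`; an unexpected name in that list, like the wingenerics.dll above, is the cue to go look at where the file came from.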

Now I was certain that I still had the trojan, or part of it at least. Even raising the pop-up blocker to full-block mode didn't prevent them. I had never seen anything like this before. It was eluding all of the typical detection methods. I needed more clues. This was developing into a whole new smell, so I figured I had better check my other shoe!

Continue on to part 4: "Dusting for fingerprints"
