the Junkyard: Killing a Trojan Horse: Part II

Posted by: IVIaedhros on Sat Dec 10th, 2005 at 4:31 PM

Scrape this stuff off my shoe!
Written by Rock, former SS:2845 dev and StarSiege guru.


As I said earlier, when I clicked on the trojan-link, I immediately knew that I got hammered. So I shut down the browser, exited my emailer, and disabled the network connection to prevent further contamination while I performed damage control. I went through all of the typical steps to find the annoying little tick, and get rid of it.

First, I opened the Task Manager to kill any suspect processes, i.e., those that I didn't recognize. Then I just watched the Task Manager for a couple of minutes to see if anything automatically restarted itself. If something does, then I've got a bigger problem. In this case, everything remained cool.

I did the same thing with Services in the Computer Management Control Panel. I terminated and disabled any services that I didn't recognize. To actually get them out of the Services list, I would have to edit the Registry to remove them, but first I wanted to run all the other tools because they might do the work for me.

I checked the Add/Remove Programs and found a couple of things that were new. They were signature CWS-like installations. That's when I first knew that this was either a CWS variant, or something very close to it. I removed them using Add/Remove Programs and then deleted their installation directories in the Program Files folder. You have to do the "remove-and-delete" in that order. For one of them, it wanted me to go online to download the Uninstall Program. Yeah, right! I might be a fool, but I wasn't born yesterday, so I removed that one the old-fashioned way... DELETE!

Since I now knew that it was a CWS variant, I ran the CWShredder utility, which found, and cleaned up, a couple more nasty little thingies.

Then I ran Spybot Search & Destroy, followed by AdAware. Spybot nailed a few more items related to CWS. AdAware, however, only found a few tracking-cookies, the heavy work already being completed by the other tools.

I've got a Startup Control Panel utility that lets me enable/disable/delete any startup entry at any of the machine boot locations, like the Startup folder, or the Registry Run, and Runonce keys. I found a couple of things there and got rid of them.

I opened Windows Explorer, highlighted the C drive, and then did a Search for all files on the drive that were "Created" in the last 30 minutes or so, about the time of the trojan-infection. This revealed a very small number of files, only a dozen or so, all of which were safe to delete outright. This is typical when looking for created files within a few minutes of an event... there aren't very many of them. Of course, you still need to scrutinize each of them before you delete them, but they're not usually "Windows-Official" files.

Finally, with all of that up-front effort accomplished, I then ran a freshly updated virus scanner, and it found nothing. But I really didn't expect a virus scanner to find anything because most spyware are actually legitimate programs that work on their own, whereas a virus is something that kludges onto other programs, but you never know.

Just before rebooting, I performed all of those steps one more time just to make sure something didn't get infected again. When I Searched the drive again for created files, I found a single small file called "pcv23" or something or other. I deleted it and it magically reappeared a few seconds later. Its creation date and time remained as the exact moment of infection, even though I would delete it and it would recreate itself. It wouldn't STAY DEAD! Something somewhere was still running and creating the file. This was NOT a good sign! All I could do at this point was reboot and hope that the cleanup took care of everything.
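The manual sweep above (created-file search around the infection time, the Run and RunOnce keys, the Startup folders, and the check for services you don't recognize) can be scripted so it is repeatable before and after the reboot. This is an added example, not part of Rock's article; the -InfectionTime value and the 30-minute window are assumptions you set from your own incident.

```powershell
# Added example, not from Rock's article: scripted version of the manual sweep.
# Assumptions: -InfectionTime is the moment the link was clicked (you supply it)
# and the script runs from an elevated PowerShell prompt on the affected machine.
param(
    [datetime]$InfectionTime = (Get-Date).AddMinutes(-30),  # assumed default
    [int]$WindowMinutes = 30,
    [string]$Root = 'C:\'
)
$start = $InfectionTime
$end   = $InfectionTime.AddMinutes($WindowMinutes)

# 1. Files whose CreationTime falls inside the window (the Explorer "Created" search).
Write-Host "== Files created between $start and $end under $Root"
Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end } |
    ForEach-Object { Write-Host ('   {0}  {1}  ({2} bytes)' -f $_.CreationTime, $_.FullName, $_.Length) }

# 2. Run / RunOnce keys for the machine and the current user.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($name in 'Run', 'RunOnce') {
        $key = "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path $key)) { continue }
        Write-Host "== $key"
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $metaProps } |
            ForEach-Object { Write-Host ('   {0} = {1}' -f $_.Name, $_.Value) }
    }
}

# 3. Startup folders for the current user and for all users.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    Write-Host "== $path"
    Get-ChildItem -Path $path -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host ('   {0}  (created {1})' -f $_.Name, $_.CreationTime) }
}

# 4. Services whose binary was created inside the window (the unrecognised-service check).
Write-Host "== Services with a binary created in the window"
Get-CimInstance Win32_Service | ForEach-Object {
    $p = [string]$_.PathName
    $exe = if ($p -match '^"([^"]+)"') { $Matches[1] } else { ($p -split ' ')[0] }
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $created = (Get-Item -LiteralPath $exe).CreationTime
        if ($created -ge $start -and $created -le $end) {
            Write-Host ('   {0} [{1}, {2}] {3}' -f $_.Name, $_.State, $_.StartMode, $exe)
        }
    }
}
```

Like the manual checks, this relies on the running system reporting honestly; a file that keeps recreating itself with the original creation timestamp, as "pcv23" does above, points at something still resident, so a second pass after the reboot (or from offline media) is the real confirmation.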

Continue to part 3: "What's that smell?"
