On Fri, 2 May 2008 11:17:35 -0400, smlunatick wrote:
I am helping someone with a persistent trojan that causes Internet Explorer
(v. 7) to issue a "pop-up" even when the pop-up block is active. This "pops
up" another IE window and re-directs his Internet to other sites. I have
successfully cleaned up his XP Home with Spyware Terminator and Spybot but
the infestation returns. I have not noticed any "suspect" activity.
Aside from a re-install, what can I do?
Rootkit or a buddy-kit trojan?
Manual Crap Handling Guide
My toolkit of choice: download from sysinternals.com
Autoruns + Process Explorer + Process Monitor + Rootkit Revealer
Using Autoruns (check the options menu choices: Verify Code Signatures and
Hide Signed MS Entries) - then refresh - will locate the subject. Or at
least multiple suspects. Some dll and some sys file I presume - when in
doubt google their names (but NOT with IE) - after checking the intel on
them it is the BEST time for DC'ing the net. Launch Process Explorer, find
and SUSPEND all the suspects you can (RMB on the process, context menu) -
do not kill. Yet. When it comes to drivers, sometimes you have to use the
option "Find handle or DLL" to locate which process is using
"malware.sys". Check that all IE instances are closed, locate the suspects'
image paths (both Autoruns and Procexp will show you the path) - like:
C:\WINDOWS\System32\Iamaverycunninglydisguisedpieceofmalware.dll and RENAME
- changing the extension to *.crap for example. You will not be able to
delete them. Yet.
Kill the scum in Process Explorer without unsuspending. If another,
similar process pops up as soon as you kill the suspect there is yet
another buddy process covering their back. Find it, suspend, rinse,
shower, repeat. After all names are changed and all suspects are dead,
delete their startup entries in Autoruns. Reboot and delete the *.crap.
The rootkits/ADSes are extensively more fun to cope with, as the safest way
is by running a scan with Rootkit Revealer, writing them down on an
old-fashioned sheet of paper and then deleting the suspects using a boot CD
similar to UBCD4WIN. On a sad note: the Windows reg Security keys, many
virtual/emulated device drivers and a bunch of security software suites
use rootkit mechanisms in a completely legitimate way themselves.
Again, when in doubt, google.
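As an added illustration (not from the thread, and not Sysinternals code), here is a PowerShell triage script that does by hand what the reply's two Autoruns options do: enumerate the classic autostart locations, verify each image's Authenticode signature, and hide entries with a valid Microsoft signature so only the leads remain. It assumes an elevated Windows PowerShell 5.1+ session; the registry keys and WMI classes it reads are standard, but choosing them is my assumption, not the poster's.

```powershell
# Added triage script, not from the thread: enumerate classic autostart
# locations (Run/RunOnce keys, services, kernel drivers), verify each image's
# Authenticode signature, and hide entries validly signed by Microsoft, which
# is what the reply's two Autoruns options do. Assumes an elevated Windows
# PowerShell 5.1+ session. Everything left in the output is a lead to research.

$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-ImagePath {
    # Turn a command line into an on-disk path. Handles the usual shapes:
    # "C:\x\a.exe" /s | C:\x\a.exe /s | \SystemRoot\system32\drivers\a.sys | system32\drivers\a.sys
    param([string]$CommandLine)
    if ($CommandLine -match '^"([^"]+)"') { $p = $matches[1] }
    elseif ($CommandLine -match '^(\S+?\.(exe|dll|sys))') { $p = $matches[1] }
    else { $p = ($CommandLine -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p) -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # relative driver paths
    return $p
}

$entries = @()
foreach ($key in $runKeys | Where-Object { Test-Path $_ }) {
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties | Where-Object { $_.Name -notin $psNoise -and $_.Value }) {
        $entries += [pscustomobject]@{ Source = $key; Name = $prop.Name; Image = Resolve-ImagePath $prop.Value }
    }
}
foreach ($class in 'Win32_Service', 'Win32_SystemDriver') {
    $entries += @(Get-CimInstance $class | Where-Object PathName | ForEach-Object {
        [pscustomobject]@{ Source = $class; Name = $_.Name; Image = Resolve-ImagePath $_.PathName }
    })
}

$report = foreach ($e in $entries) {
    if (-not (Test-Path -LiteralPath $e.Image)) {
        $status = 'FILE MISSING'; $signer = ''         # dangling entry: worth a look on its own
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $e.Image
        $status = [string]$sig.Status; $signer = $sig.SignerCertificate.Subject
        # "Hide Signed Microsoft Entries": drop images carrying a valid Microsoft signature
        if ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }
    }
    [pscustomobject]@{ Status = $status; Signer = $signer; Image = $e.Image; Source = $e.Source; Name = $e.Name }
}
$report | Sort-Object Status, Image | Format-Table -AutoSize -Wrap
```

Catalog-signed Windows files only show as Valid where Get-AuthenticodeSignature checks catalogs (newer Windows and PowerShell versions), so on an older box a NotSigned result is a lead to research, not a verdict.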