Wednesday, May 20, 2009

Spyware Protect 2009 hit my brother

I was telling my brother about torrent site mininova.org, so he went there (on his work system, no less) in IE, and immediately after typing in his search criteria ("Johnny Cash"), he got the big Spyware Protect 2009 window. I knew at once we were in trouble, and sure enough, pretty soon his system stopped responding. He had been able to close windows for a few minutes, but they would always relaunch, and eventually, he was unable to do anything.

He rebooted (bad idea), but his system would never reach a point where he could use the mouse or keyboard once the OS loaded. I did some research to see how to remove it, and while we downloaded "Malwarebytes" tool to remove it, it wouldn't install in safe mode. So basically we were left to do it manually.

In a nutshell, here is what we had to do:

DO NOT LAUNCH INTERNET EXPLORER WHILE DOING THIS!!!
Boot INTO SAFE MODE WITH NETWORKING.

1. TASK MANAGER (right click task bar, select Task Manager)
KILL SYSGUARD.EXE

2. Regedit
DELETE FOLDER HKEY_CURRENT_USER\SOFTWARE\AvScan
DELETE FOLDER HKEY_CURRENT_USER\SOFTWARE\SYSTEM PROTECT 2009
(didn't exist)
DELETE ENTRY HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "system tool" C:\WINDOWS\sysguard.exe
DELETE FOLDER HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bbd4551A-9b23-41cd-9bcd-818aa2da7b63}
DELETE FOLDER HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bbd4551A-9b23-41cd-9bcd-818aa2da7b63}
DELETE FOLDER HKEY_CLASSES_ROOT\CLSID\{bbd4551A-9b23-41cd-9bcd-818aa2da7b63}

3. Windows Explorer
DELETE C:\WINDOWS\sysguard.exe
DELETE C:\WINDOWS\system32\mcenspc.dll (didn't exist)
DELETE C:\WINDOWS\system32\iehelper.dll
DELETE C:\WINDOWS\Prefetch\[all files]
SEARCH ALL FILES in the WINDOWS folder:
- CREATE DATE of yesterday through today (looking for .exe and .dll files)
- MODIFIED DATE of yesterday through today (looking for .exe and .dll files)
.exe and .dll files are program files, so they should ONLY be created or modified when something is installed... normal use does NOT modify or create executables! There will be lots of files and folders listed in this search, but we are specifically interested in .exe and .dll files. You can sort the list by clicking on the column header "Type". The types we are interested in are "Application" (.exe) and "Application Extension" (.dll).

DELETE C:\Documents and Settings\[UserName]\Local Settings\Temp\[all files]

DELETE C:\PROGRAM FILES\AVSCAN (did not exist)
DELETE c:\PROGRAM FILES\SYSTEM PROTECT (did not exist)

modify C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS to remove all but 1st line
The latest variants of this thing modify the hosts file to redirect you to their
sites (94.232.248.66), so you keep getting infected....pretty clever really.
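The two steps above that involve judgement rather than a fixed path (the search of the WINDOWS folder for recently created or modified .exe/.dll files, and the cleanup of the HOSTS file) can be checked with a small script before anything is deleted. The following is an added example written for this page, not code from the original post or from any removal tool; it assumes the standard Windows hosts-file layout, uses only the Python standard library, and the sample hosts entries and the temp-folder files it scans are constructed here (the redirect address 94.232.248.66 is the one named in the post; the hostnames are made up). Instead of wiping the hosts file down to its first line, it keeps comments and loopback entries and reports every other mapping for review.

```python
import os
import time
from pathlib import Path

# Loopback addresses are the only ones a stock hosts file should map names to.
LOOPBACK_IPS = {"127.0.0.1", "::1"}

# Constructed sample hosts file: the hostnames are made up for this example;
# the address is the redirect target named in the post.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file (constructed for this example).
127.0.0.1       localhost
94.232.248.66   www.example-search.test
94.232.248.66   download.example-av.test   # constructed redirect entries
"""


def audit_hosts(text):
    """Split hosts-file content into lines to keep and entries to flag.

    Comments, blank lines and loopback mappings are kept; every other
    name-to-address mapping is returned as (ip, [names]) so it can be
    reviewed before the file is rewritten.
    """
    clean, suspicious = [], []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            clean.append(line)
            continue
        ip, *names = body.split()
        if ip in LOOPBACK_IPS:
            clean.append(line)
        else:
            suspicious.append((ip, names))
    return clean, suspicious


def recent_executables(root, days=2, now=None, use_creation_time=False):
    """Return sorted paths of .exe/.dll files under `root` touched within `days` days.

    By default the modification time is checked. With use_creation_time=True the
    creation timestamp is used where the platform exposes it (st_birthtime on
    Windows with Python 3.12+, st_ctime on older Windows builds), which matches
    Explorer's "Date Created" search.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".exe", ".dll") or not path.is_file():
            continue
        st = path.stat()
        stamp = st.st_mtime
        if use_creation_time:
            stamp = getattr(st, "st_birthtime", st.st_ctime)
        if stamp >= cutoff:
            hits.append(str(path))
    return sorted(hits)


def demo_recent_scan(days=2):
    """Build a constructed directory tree in a temp folder and scan it.

    Returns the basenames the scan flags. The files are empty stand-ins created
    here for the example; nothing on the real system is touched.
    """
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="scan_demo_"))
    (root / "system32").mkdir()
    (root / "sysguard.exe").write_bytes(b"MZ")               # fresh -> flagged
    (root / "system32" / "iehelper.dll").write_bytes(b"MZ")  # fresh -> flagged
    (root / "readme.txt").write_text("not an executable")    # wrong type -> ignored
    old = root / "system32" / "legit_old.dll"
    old.write_bytes(b"MZ")
    old_stamp = time.time() - 10 * 86400
    os.utime(old, (old_stamp, old_stamp))                    # modified 10 days ago -> ignored
    return sorted(Path(p).name for p in recent_executables(root, days=days))


if __name__ == "__main__":
    keep, flagged = audit_hosts(SAMPLE_HOSTS)
    for ip, names in flagged:
        print(f"hosts redirect: {ip} -> {', '.join(names)}")
    print("lines to keep:", len(keep))
    print("recently touched executables:", demo_recent_scan())
```

To use it against a real machine, call `audit_hosts(Path(r"C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS").read_text())` and `recent_executables(r"C:\WINDOWS", days=2, use_creation_time=True)`; both only read, so the output is a review list, and each flagged file still needs the same manual lookup the post describes before it is removed.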

In doing the SEARCH of WINDOWS for any .exe or .dll files that had been created in the last 2 days, we found 3 additional files. I thought I wrote them down, but apparently I didn't (I just typed them into the Google search as he read them off, and I've since closed the tabs and cleared private data). Anyway, all 3 of them (2 dll's and 1 exe) pulled up via Google as being bad guys, so we deleted them as well.

Once all of this had been done, we rebooted into normal mode, and his system came up normally. If we had been able to install the Malwarebytes removal tool, it would have made things so much easier. Oh well. In any case, I suggested he move to Firefox with the add-on NoScript, to disable java unless specifically allowed.
