Monday, August 25, 2008

buritos.exe, karina.dat, and mljduutl.dll

So I received a PC the other day on which a popup kept showing up in the taskbar at startup: a big red circle with a white "x" in the middle, and if you hovered over it, the message would say...


Your computer is infected!
Windows has detected spyware infection!
It is recomended to use special antispyware tools to pervent data loss. Windows will now download and install the most up-to-date anti spyware for you.
Click here to protect your computer from spyware.


The tools I used to help me find the files were:


1-WinSpector, which is like a free version of MS Spy++, used to see the messages sent to the Windows message queue and to find the executable that is tied to a window.


2-RegMon, used to find out which app was writing the bad values back to the registry right after I deleted them.


3-Unlocker, used to unlock files that a process is holding so they can be deleted, for example viruses that are DLLs tied to rundll32.exe.


I googled all the apps in the Task Manager. I found braviax.exe running, which is a bad thing (some sort of trojan).
I also found mljduutl.dll in the C:\windows\system32\ path.
The user had received a virus a few days earlier, so I found a lot more garbage when I sorted C:\windows\system32\ by create date.
I found a file called buritos.exe.


I found a file called Karina.dat.

Every time I tried to delete this file, it would be written right back.


I also had trouble removing this registry value:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "Appinit_dlls"="C:\\WINDOWS\\karina.dat"


To make things worse, buritos.exe was not only tying itself to explorer.exe but also to winlogon.exe. It had an entry in this location of the registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Every time I tried to use Unlocker to untie buritos.exe from anything, it would reboot the PC.


I was able to decapitate everybody but buritos.exe and the creation of karina.dat, which I think buritos was doing. I checked C:\windows\system32\drivers\ and found that beep.sys had been recently modified, while the other files had not been touched in years.
I opened up beep.sys and found a reference to buritos.exe.
I decided that I would delete this file in safe mode and then get a copy from another PC.
I went ahead and started the PC in safe mode (holding down the F8 key); I started Windows in safe mode with command prompt. I changed to the directory using chdir c:\windows\system32\drivers and then typed "del beep.sys".
After rebooting, Windows created a new clean version of beep.sys.
I was able to untie buritos.exe from explorer and delete it and karina.dat.
After a reboot, the virus was gone. What a mission. I did not know that .sys files could launch exes. Also, buritos.exe was not visible in the Task Manager. I discovered it thanks to
the process viewer of WinSpector.
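The checks above (the AppInit_DLLs value, the Winlogon key, and the lone recently-modified driver in the drivers folder) can be done from one read-only script instead of by hand. The following PowerShell is an added example for this post, not something the original author ran; it assumes an elevated PowerShell on an XP-era 32-bit box like the one described, it uses the file names the post mentions purely as strings to flag, and the Winlogon values it compares against (Shell, Userinit, Notify) are the usual spots for that kind of entry, not a claim about which one buritos.exe used. It changes nothing; it only reports.

```powershell
# Added example (not from the original post): read-only triage of the persistence
# spots the post hit, plus the recently-modified-driver check that exposed beep.sys.

# File names taken from the post; which names to flag is an assumption, not a full signature set.
$SuspectNames = @('buritos.exe', 'karina.dat', 'braviax.exe', 'mljduutl.dll')

$WinKey      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$DriverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# 1. AppInit_DLLs: every DLL listed here gets loaded into every process that loads user32.dll.
#    On a clean box this value is empty, so anything at all is worth a look.
$appInit = (Get-ItemProperty -Path $WinKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    Write-Output 'AppInit_DLLs: empty (expected)'
} else {
    Write-Warning "AppInit_DLLs is set: $appInit"
}

# 2. Winlogon: Shell and Userinit should be the stock values; an appended path is a persistence entry.
$wl = Get-ItemProperty -Path $WinlogonKey
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
}
foreach ($name in $expected.Keys) {
    $actual = $wl.$name
    if ($actual -and ($actual.Trim() -ine $expected[$name])) {
        Write-Warning "Winlogon\$name = '$actual' (expected '$($expected[$name])')"
    } else {
        Write-Output "Winlogon\$name looks stock"
    }
}
# Notify subkeys name DLLs that winlogon.exe itself loads (present on XP, gone on later versions).
$notify = Join-Path $WinlogonKey 'Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        Write-Output ("Winlogon\Notify\{0} -> {1}" -f $_.PSChildName, $dll)
    }
}

# 3. Drivers sorted by last write time. Outside of a patch day, one fresh .sys among
#    years-old files (beep.sys in the post) is the thing to open up.
$newest = Get-ChildItem -Path $DriverDir -Filter '*.sys' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 10
$newest | Select-Object Name, LastWriteTime, Length | Format-Table -AutoSize

# 4. Look inside the newest drivers for printable references to the suspect names,
#    checking both ASCII and UTF-16 strings since Windows binaries embed either.
foreach ($file in $newest) {
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
    $wide  = [System.Text.Encoding]::Unicode.GetString($bytes)
    foreach ($s in $SuspectNames) {
        $pattern = [regex]::Escape($s)
        if ($ascii -imatch $pattern -or $wide -imatch $pattern) {
            Write-Warning ("{0} references {1}" -f $file.Name, $s)
        }
    }
}
```

Run it before touching anything so you have a record of what was set, and run it again after the reboot: if AppInit_DLLs or the Winlogon values come back, something still running is rewriting them, which is exactly the situation RegMon was used for above.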


Probably easier (no safe mode required) would have been to try to open up beep.sys in Notepad and erase its contents.