I’ve written here a few times about removing malware from various computers. Generally you don’t hear about me actually having it on my own system, because I have a ton of safeguards in place. Today, that changed, not because of anything I did but because of what a co-worker did to my laptop (which is supposed to be off limits). Said co-worker just wanted to play a practical joke; he thought it was harmless fun, I guess. Actually, I don’t know what he was thinking, but if I were him, I’d be thinking he won’t have a job soon.
I’ve spent a total of 5.5 hours today eradicating whatever the hell it was (there were several infections that got picked up by AVG). It required this post (and the thread attached to it) to get rid of the more annoying one; most of that time was spent trying to find that thread, as the file names were all different, but the unique key was the same. AVG managed to kill the majority of what popped up (which included Trojan horse Dialer.BZB, Trojan horse Downloader.Generic2.CWC, Trojan horse Generic WUE, Trojan horse PSW.Ldpinch.XL, Trojan horse Downloader.Istbar.4.P, and Trojan horse Dropper.Generic.FRP), though a couple of them were spawned from other processes that had to be manually scrubbed and scanned.
And the thing is, after thinking I have it all clean, something still pops up: Trojan horse Dialer.BZB. AVG is stopping it from doing anything, but I guess I get to go find out what’s causing it.
Meanwhile, co-worker’s going to get a serious beating and I’m going to be locking my desktop if I’m away from my desk for more than a few minutes. Meanwhile, I want to find the script-kiddie who wrote these stupid things and shoot them. All of them. Seriously. I know I’ll sleep better.
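Locking the desktop when stepping away is the one mitigation this post names, and the habit is easier to keep when the machine enforces it. The following PowerShell is an added example, not part of the original post; it reads and sets the per-user screen-saver lock values under HKCU:\Control Panel\Desktop, with the weak state (no screen saver, or a screen saver that does not require a password) beside the hardened one. The 300-second timeout and the use of the blank scrnsave.scr are assumptions for the example.

```powershell
# Added example: check and enforce an idle lock for the current user.
# The three values below are what the Screen Saver dialog writes; the
# weak state is ScreenSaveActive=0 or ScreenSaverIsSecure=0, which leaves
# an unattended session open indefinitely.
$desktopKey = 'HKCU:\Control Panel\Desktop'

function Get-IdleLockState {
    $d = Get-ItemProperty -Path $desktopKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScreenSaverActive = ($d.ScreenSaveActive -eq '1')      # a saver is enabled
        LockOnResume      = ($d.ScreenSaverIsSecure -eq '1')   # password required to resume
        TimeoutSeconds    = [int]$d.ScreenSaveTimeOut          # null becomes 0
        ScreenSaver       = $d.'SCRNSAVE.EXE'
    }
}

function Set-IdleLock {
    param([int]$TimeoutSeconds = 300)   # assumed value; pick what your policy says
    # Hardened state: saver on, password on resume, short timeout.
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $desktopKey -Name ScreenSaveTimeOut   -Value "$TimeoutSeconds"
    # Windows ignores the timeout unless a screen saver is named; the blank
    # scrnsave.scr that ships with Windows is enough.
    Set-ItemProperty -Path $desktopKey -Name 'SCRNSAVE.EXE' `
        -Value (Join-Path $env:SystemRoot 'System32\scrnsave.scr')
}

# Only change anything when the current state is weak: saver off, no lock,
# no timeout, or a timeout longer than 15 minutes.
$state = Get-IdleLockState
$isWeak = -not ($state.ScreenSaverActive -and $state.LockOnResume -and
                $state.TimeoutSeconds -gt 0 -and $state.TimeoutSeconds -le 900)
if ($isWeak) {
    Set-IdleLock -TimeoutSeconds 300
}
Get-IdleLockState
```

The values take effect for new sessions (log off and back on to be sure). On a managed network the same settings are normally pushed centrally through Group Policy rather than edited per user, which also stops the user from turning them back off.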
Update at 4:15: OK, I think Trojan horse Dialer.BZB is dead. There was a strange DLL tying itself into the winlogin.exe process on startup. Looking at the properties of the DLL, they were totally blank, and a Google search for the DLL’s name didn’t turn up anything. I unbound it from the process, ran killbot to get rid of it on next boot, and it hasn’t appeared yet.
However… now Trojan horse Generic WUE is popping up again in the cache files for MSIE (I’m getting an AVG popup), and I haven’t even used MSIE during this whole process, and it’s not running in the background. Cripes…
Update at 10:20: I think the thing is finally cleaned off. I ran Trend Micro’s online scan and it found some stuff that none of the tools on my hard drive found, and I think it eradicated the last of it.
My co-worker apologized profusely, and said he got the idea from a geek friend of his who gave him the file to download (he obviously had no idea what it was). I was the one who actually (unintentionally) did the most damage, thinking it was a file I had downloaded.
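The symptom in this update, a DLL with blank properties hooking the logon process at startup, is one a defender can look for systematically: enumerate the logon-time autostart locations and flag any module that carries no version information and no valid signature. The PowerShell below is an added example, not from the original post or any tool it names. It assumes an administrator session on the affected machine, and it checks the Winlogon values, the legacy Winlogon\Notify subkeys (XP-era, the kind of hook this post describes) and AppInit_DLLs; "no company name, no description, unsigned" is treated as a triage flag, not proof of malware.

```powershell
# Added example: list logon-time autostart modules and flag ones with
# blank version info, the symptom described in the post above.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$windowsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AutostartCandidates {
    $found = @()
    # Winlogon values that name programs or DLLs loaded at logon.
    $wl = Get-ItemProperty -Path $winlogonKey -ErrorAction SilentlyContinue
    foreach ($name in 'Shell', 'Userinit', 'UIHost', 'GinaDLL') {
        if ($wl.$name) {
            $found += [pscustomobject]@{ Source = "Winlogon\$name"; Value = $wl.$name }
        }
    }
    # Legacy Winlogon\Notify subkeys (pre-Vista): each names a DLL via DllName.
    $notifyKey = Join-Path $winlogonKey 'Notify'
    if (Test-Path -LiteralPath $notifyKey) {
        foreach ($sub in Get-ChildItem -Path $notifyKey) {
            $dll = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DllName
            if ($dll) {
                $found += [pscustomobject]@{ Source = "Winlogon\Notify\$($sub.PSChildName)"; Value = $dll }
            }
        }
    }
    # AppInit_DLLs: injected into every process that loads user32.dll.
    $appInit = (Get-ItemProperty -Path $windowsKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        $found += [pscustomobject]@{ Source = 'Windows\AppInit_DLLs'; Value = $appInit }
    }
    return $found
}

function Resolve-ModulePath {
    param([string]$Entry)
    # A value may hold several comma/space separated, possibly quoted, names
    # (Userinit normally ends in a trailing comma). Paths containing spaces
    # are not handled by this simple split; that is a limitation of the example.
    foreach ($token in ($Entry -split '[,;\s]+' | Where-Object { $_ })) {
        $t = $token.Trim('"')
        if ([System.IO.Path]::IsPathRooted($t)) { $t; continue }
        # Bare names are resolved the way Windows does: System32, then the Windows dir.
        $sys32 = Join-Path $env:SystemRoot "System32\$t"
        if (Test-Path -LiteralPath $sys32) { $sys32 } else { Join-Path $env:SystemRoot $t }
    }
}

function Test-AutostartModule {
    param([string]$Path)
    $file = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $file) {
        return [pscustomobject]@{ Path = $Path; Company = ''; Status = 'MISSING'; Modified = $null }
    }
    $vi    = $file.VersionInfo                     # FileVersionInfo attached by PowerShell
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $blank = [string]::IsNullOrWhiteSpace($vi.CompanyName) -and
             [string]::IsNullOrWhiteSpace($vi.FileDescription)
    $status = if ($sig.Status -eq 'Valid') { 'SIGNED' }
              elseif ($blank) { 'SUSPECT: blank version info, unsigned' }
              else { 'UNSIGNED' }
    [pscustomobject]@{
        Path     = $Path
        Company  = $vi.CompanyName
        Status   = $status
        Modified = $file.LastWriteTime
    }
}

foreach ($c in Get-AutostartCandidates) {
    foreach ($p in Resolve-ModulePath $c.Value) {
        $r = Test-AutostartModule $p
        '{0,-30} {1,-50} {2,-38} {3}' -f $c.Source, $r.Path, $r.Status, $r.Modified
    }
}
```

Blank version info is only a hint (plenty of legitimate third-party DLLs omit it), so the output is a list to inspect, not a list to delete; the Modified column lined up against the date the machine was touched is usually the more telling one. Removing an entry means deleting the registry value and then the file, which is the same two-step this post describes doing by hand.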
So as long as there’s no long-term damage (which there isn’t, so far), he won’t be getting an a$$ kicking — he just knows better than to get near my laptop now.
And as much as I’d like to retaliate, I can’t. I’m the only one in the office who has my own separate system. We have a Citrix Metaframe setup at the office that powers every desktop (they’re all thin terminals). It’s a stupid system, yes, but basically anything I do to him also (for the most part) gets done to everybody else. Obviously I can change that, but I’ve got better things to do with my time than set him up in a separate permission profile just so I can screw with him.
Update on 7/5: Forgot to mention, these are the ones that Trend Micro’s scan came up with, in addition to what I found before (I think the HTTPSNIFF one is a false positive, as I do indeed have an HTTP sniffer installed on here for troubleshooting):
SPYWARE_TRAK_ACEPSTL.12
SPYWARE_TRAK_HTTPSNIFF.A
SPYWARE_KEYL_BOSSEVERYWARE
Aliasnames: PAK:PEData (BitDefendr); Trojan-Spy.Win32.BewLoader.b (Kaspersky)
SPYWARE_KEYL_ASTLOG
Aliasnames: Tools.Nirsoft (PestPatrol)
ADWARE_ABETTERINTERNET
Subsequent scans have come up clean, so I’m assuming this got all cleared up.
Comments
Man, that’s gotta suck. You don’t mess with people’s laptops like that. Sheesh!
You know, they have USB dongle thingies that will lock your computer whenever you step away from it. Maybe you should get one and charge it to your coworker.
What kind of twisted practical joke is that? Burn down his house and see how funny he thinks that is!
My neighbour popped in a few days ago with some malware. It was a Trojan Horse and adware telling him to go buy some anti-virus program. (Ironic, don’t you think?) I removed it using some program called antispyware or something of the like, but I can’t recall — or find it on the net anywhere.
Sounds cheesy, but typically I use Spybot S&D or something of the like. When that does nothing, I piddle my way through the system until I remove anything and everything that I think shouldn’t be there.
AVG is a lifesaver, by the way… The first thing I put on new systems, whether it’s my own or somebody else’s.
Well, fight back. Load up their computer with child porn and call the police. That would be SOOOOOOO funny.
Geez. Some people.
One fun thing you can do is put an icon on his desktop. Rename it, “I am the world’s dumbest asshole.” Then go into the security tab and take away all his security rights so he cannot delete this icon. Then he has to ask for help to get the “I am the world’s dumbest asshole.” icon off his desktop.
Great suggestions, guys! If I could only get away with it on a corporate network…
Maybe you will just have to think outside the box. Example – next time he needs a password reset, change it to, “iforgotmypasswordagain” or “icantremembermypassword” or something like that.
Where I work we always lock our computers, if any tech leaves his unlocked, we get them, but usually something harmless.
Downloaded a Gay Windows Theme for the guy next to me this spring. Then added a ton of Gay Favorites to his IE, and set his search engine to a Gay one.
It was damn funny. But we’re all techs and should know better than to leave our systems unlocked.
You could always set his screensaver to point to shutdown commands instead… or stick that in the startup folder.
FYI:
SPYWARE_KEYL_BOSSEVERYWARE kicks out on .dsv file extension (SQL Server / Visual Studio related).