I’ve written here a few times about the various times I’ve removed malware from various computers. Generally you don’t hear about me actually having it on my system because I have a ton of safeguards in place. Today, that changed not because of what I did but because of what a co-worker did to my laptop (which is supposed to be off limits). Said co-worker just wanted to play a practical joke, as he thought he was just doing some harmless fun, I guess, or something. Actually, I don’t know what he was thinking, but if I were him, I’d be thinking he won’t have a job soon.
I’ve spent a total of 5.5 hours today eradicating whatever the hell it was (there were several that got picked up by AVG). It required this post (and the thread attached to it) to get rid of the more annoying one (most of that was spent trying to find that thread, as the file names were all different, but the unique key was the same). AVG managed to kill the bulk majority that popped up (which included Trojan horse Dailer.BZB, Trojan horse Downloader.Generic2.CWC, Trojan horse Generic WUE, Trojan horse PSW.Ldpinch.XL, Trojan horse Downloader.Istbar.4.P, and Trojan horse Dropper.Generic.FRP), though a couple of them were spawned from other processes that had to be manually scrubbed and scanned.
And the thing is, after thinking I have it all clean, something still pops up: Trojan horse Dialer.BZB. AVG is killing it from doing anything, but I guess I get to go find out what’s causing that.
Meanwhile, co-worker’s going to get a serious beating and I’m going to be locking my desktop if I’m away from my desk for more than a few minutes. Meanwhile, I want to find the script-kiddie who wrote these stupid things and shoot them. All of them. Seriously. I know I’ll sleep better.
Update at 4:15: OK, I think the Trojan horse Dialer.BZB is dead. There was a strange DLL tying itself into the winlogin.exe process upon start up. Looking at the properties for the DLL, it was totally blank, and a google search for the DLL’s name didn’t turn up anything. I unbound it from the process, ran killbot to get rid of it on next boot, and it hasn’t appeared yed.
However…. now Trojan horse generic.WUE is popping up again in the cache files for MSIE (getting an AVG popup), and I haven’t even used MSIE during this whole process and it’s not running in the background. Cripes….
Update at 10:20: I think the thing is finally cleaned off. I ran Trend Micro’s online scan and it found some stuff that none of my stuff on my hard drive found, and I think it irradicated the last of it.
My co-worker apologized profusely, and said he got the idea from a geek friend of his who gave him the file to download (he obviously have no idea what it was). I was the one that actually (unintenntionally) did the most damage, thinking it was a file I downloaded.
So as long as there’s no long-term damage (which there isn’t, so far), he won’t be getting an a$$ kicking — he just knows better than to get near my laptop now.
And as much as I’d like to retaliate, I can’t. I’m the only one in the office that has my own seperate system. We have a Citrix Metaframe setup at the office that powers every desktop in the office (they’re all thin terminals). It’s a stupid system, yes, but basically anything I do to him also (for the most part) gets done to everybody else. Obviously I can change that, but I’ve got better things to do with my time than to set him up in a seperate permission profile just so I can screw with him.
Update on 7/5: Forgot to mention, these are the ones that Trend Micro’s scan came up with, in addition to what I found before (I think the httpsniff is a false positive as I do indeed have an HTTP sniffer installed on here for troubleshooting):
SPYWARE_TRAK_ACEPSTL.12
SPYWARE_TRAK_HTTPSNIFF.A
SPYWARE_KEYL_BOSSEVERYWARE
Aliasnames: PAK:PEData (BitDefendr); Trojan-Spy.Win32.BewLoader.b (Kaspersky)
SPYWARE_KEYL_ASTLOG
Aliasnames: Tools.Nirsoft (PestPatrol)
ADWARE_ABETTERINTERNET
Subsequent scan have come up clean, so I’m assuming this got all cleared up.