I’m supposed to know better.
All the classic signs were there. PC slowness. Programs acting strange. Pop-ups galore for great security programs! What a coincidence. "Just click me and I will save you," they promise. Yeah, right, I thought. I trust a popup about as much as a car salesman. At first McAfee seemed to have everything under control, but it only saw innocuous tmp files, and every reboot they would reappear. After I checked that my DAT files were up to date I did a McAfee scan that found nothing but took forever. Then I noticed Windows Defender was missing from the system tray and Ad-Aware would not start. Hmmm…..
No problem, I can handle this. I’m an IT professional! McAfee put me on the trail, but that is about it. Vundo!grb. What is Vundo? The next day, NQ-Host84 appeared, then another Vundo variant. Things were starting to snowball. I had Spybot installed, so I tried that to clean things. It found some stuff, but I still had popups and the PC was still slow. I downloaded HijackThis, looked at the logs and tried to fix any problems. No change, but the logs showed an unusual dll file named wenijalu.dll. I didn’t want to go delete files without knowing what they are first, so I kept digging. I had Process Explorer installed, so using that I checked the properties of Winlogon.exe under the Threads tab, and I saw that strange dll file listed along with two other dll files, tikiwki.dll and bowiki.dll. I checked the McAfee process McShield.exe and sure enough they were there. I checked the rest of my running processes and all of them had these strange dll files.
I searched Google and sure enough these dlls were linked to adware and Trojans. I was really concerned at this point. Every running process seemed to be infected, and my anti-virus and anti-spyware were either crippled or disabled. I killed all strange dlls that were attached to a process. I then checked my Automatic Updates and it was disabled! No way I would have done that! I was fully patched, though. I checked my firewall and it seemed ok. These dlls had to go. I made backups of all my important files and put them on a USB drive. I found the creepy dll files in the Windows\system32 directory, and they were set to be hidden (unusual compared to normal dlls). I renamed the dlls by changing the extension to .bad, and it let me do that, surprisingly. I rebooted and things seemed better. The popups went away and the PC was a little faster... but not much.
The problem with cleaning things manually is that you are never 100% sure you got everything. My mind wandered: could there still be a rootkit on there? Did I get everything? If my security programs missed it, so could I. What did I miss in the registry? I checked my running processes in Process Explorer and saw no sign of the dlls, but I worried about the registry. I ran Spybot again and it found some registry items related to Vundo. I ran a scan with McAfee, HijackThis, and Spybot again to find anything, and things seemed clean. Still, my paranoia, which had saved me before, was screaming at me now. Wipe it, wipe it clean and start all over. So that is what I did.
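The two manual steps above (walking every process in Process Explorer for the same hidden DLLs, then hunting the registry for whatever still references them) can be scripted. The script below is an added example and not part of the original post; it assumes an elevated PowerShell 5.1 or later session on the infected machine, and it flags the same two things the post noticed by hand: a loaded DLL whose file is hidden, or one sitting in System32 without a valid Authenticode signature. The three DLL names are the ones from the post; on older Windows, catalog-signed OS files can report NotSigned, so treat the Signature column as a hint and the Hidden/Processes columns as the stronger evidence. The registry locations searched are common DLL-loading points (AppInit_DLLs, Winlogon, ShellServiceObjectDelayLoad, the Run keys), chosen as an assumption about where such references live, not taken from the post.

```powershell
# Added example (not from the original post). Assumes an elevated PowerShell
# 5.1+ session on the infected host. Modules of protected processes may be
# unreadable; those errors are skipped rather than fatal.

$System32 = Join-Path $env:SystemRoot 'System32'

function Get-SuspectModules {
    # Map each loaded module path to the list of process names that loaded it.
    $seen = @{}
    foreach ($proc in Get-Process) {
        try { $mods = $proc.Modules } catch { continue }   # access denied etc.
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $path) { continue }
            if (-not $seen.ContainsKey($path)) { $seen[$path] = @() }
            $seen[$path] += $proc.ProcessName
        }
    }

    foreach ($path in $seen.Keys) {
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        $hidden  = ($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
        $sig     = Get-AuthenticodeSignature -LiteralPath $path
        $inSys32 = $file.DirectoryName -ieq $System32

        # The post's two tells: hidden DLLs in System32, injected everywhere.
        if ($hidden -or ($inSys32 -and $sig.Status -ne 'Valid')) {
            $procs = $seen[$path] | Sort-Object -Unique
            [pscustomobject]@{
                Path      = $path
                Hidden    = $hidden
                Signature = $sig.Status
                Count     = $procs.Count
                Processes = $procs -join ','
            }
        }
    }
}

function Find-RegistryReferences {
    param([Parameter(Mandatory)][string[]]$Names)
    # Assumed DLL-loading persistence points to search for the suspect names.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',   # AppInit_DLLs
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # Notify, Shell, Userinit
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($root in $roots) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            if (-not $key) { continue }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                foreach ($n in $Names) {
                    if ($data -match [regex]::Escape($n)) {
                        [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data }
                    }
                }
            }
        }
    }
}

function Disable-SuspectModule {
    param([Parameter(Mandatory)][string]$Path)
    # Rename rather than delete, as the post did, so the file survives for
    # analysis. A loaded DLL can be renamed but not deleted; clear Hidden/System
    # first so the attributes do not block the rename.
    $file = Get-Item -LiteralPath $Path -Force
    $file.Attributes = 'Normal'
    Rename-Item -LiteralPath $Path -NewName ($file.Name + '.bad') -Force
}

# Review first; the names below are the ones named in the post.
Get-SuspectModules | Sort-Object Count -Descending | Format-Table -AutoSize
Find-RegistryReferences -Names 'wenijalu.dll', 'tikiwki.dll', 'bowiki.dll' | Format-Table -AutoSize
# Only after confirming each hit:
# Get-SuspectModules | Where-Object Hidden | ForEach-Object { Disable-SuspectModule $_.Path }
```

The rename line is commented out on purpose: a DLL that appears in nearly every process and is hidden is a strong signal, but an unsigned file in System32 on its own is not, so confirm each hit before disabling it, and expect the registry references to be recreated on reboot if a component you have not found is still running.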
During my research I saw some tools that claim to get rid of certain Trojans like Vundo, such as VundoFix, ComboFix, and Malwarebytes. I have mixed feelings about these types of programs. I don’t trust them. They may work or they may not. They all claim they just want to help you, but most just want to sell you their software. And no one can guarantee they cleaned your PC 100% unless they completely format it, which defeats the purpose of their use.
The lesson here: even if you think you can handle a Trojan or virus, think again. The bad guys are ahead of the security companies, so we are always one step behind as well. Do yourself a favor and prepare for your own personal PC disaster.