Monday, June 25, 2007

Hacked!

Just yesterday, my laptop got infected with some malware and trojans. Serves me right. That's what you get for downloading cracked S60v3 applications for your E65. Who would've thought that a self-extracting archive would also come with a batch file that auto-runs, executing all the trojans inside? The trojans are pretty sneaky, too. My PC started slowing down and disk activity started picking up. The first thing I thought of was to disconnect from the Internet. Not easy when you're using Wi-Fi. I pressed the key combination to disable Wi-Fi. Nothing happened. Sneaky malware - I'm sure it's their doing. I had to manually walk over to the cable modem to turn it off. Hopefully, the spyware agent didn't have enough time to extract my passwords and bank details and send them off to its master.

Now, this is the first time I have personally encountered trojans in my many years on the Internet. A quick look at the Task Manager showed some unfamiliar processes. Not surprising. Spybot - Search & Destroy came up with a few minor culprits, but not the ones I'm sure are slowing down my system. Symantec's real-time scanner popped up a few warnings, but wasn't able to do anything. At the risk of the trojan sending off more data, I re-connected to the Internet to get Kaspersky to scan my system. After downloading an ActiveX control, plus a 7MB signature database, the scan found 5 infected executables. (Kaspersky scans, but does not remove.) I immediately deleted them all after killing them via Task Manager. Of course, I cleaned up their entries in the registry, too. HijackThis identified a few rogue DLLs that are registered as BHOs (browser helper objects) and associated with critical services like explorer.exe and winlogon.exe. You can't simply delete those DLLs because they're in use. Deleting their registry entries and deleting them with FileASSASSIN and HijackThis' "delete on reboot" function didn't work. They just kept on coming back. Killing explorer and winlogon in order to delete the DLLs also didn't work because Windows would've frozen up by then. I also tried booting from a Linux live CD, hoping to delete the rogue DLLs while they're dormant. No such luck. Pointsec encryption is so good, my Linux can't find any NTFS partitions.

So finally, this is how I licked the problem. I figured that since the bad registry entries keep being re-generated after every reboot, they must be getting injected during logoff. Using FileASSASSIN, I flagged the bad DLLs for deletion upon next reboot. Then, I took out the battery pack of the laptop for an instant shutdown. No more proper logoff. Next time I booted up, the DLLs were gone. Problem solved.
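The post hinges on two things a defender can check for themselves without HijackThis: which DLLs are registered as BHOs (and through the Winlogon Notify key that malware of this era used to hook winlogon.exe), and whether a "delete on reboot" request is actually queued in the registry. The script below is an added example written for this page, not code from the post or from any of the tools it mentions. It walks the standard registry locations, resolves each BHO CLSID to its DLL, flags DLLs that are unsigned or missing from disk, and prints the pending rename/delete list that tools like FileASSASSIN rely on. It assumes a 32- or 64-bit Windows with PowerShell 3 or later and an elevated prompt; the output object names are my own.

```powershell
# Added example: enumerate BHO and Winlogon Notify registrations and resolve each to a DLL.
# Assumptions: run elevated; registry paths are the documented Windows locations.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

function Resolve-ClsidServer {
    # Look up the InprocServer32 default value (the DLL path) for a CLSID.
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $p = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $p) {
            $raw = (Get-ItemProperty -Path $p).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

function Get-DllStatus {
    # Report whether a DLL exists and whether it carries a valid Authenticode signature.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return 'MISSING'
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return $sig.Status.ToString()   # e.g. Valid, NotSigned, HashMismatch
}

function Get-BhoRegistration {
    # One object per BHO CLSID found under the 32- and 64-bit BHO keys.
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName
            $dll   = Resolve-ClsidServer -Clsid $clsid
            [pscustomobject]@{
                Source = 'BHO'
                Clsid  = $clsid
                Dll    = $dll
                Status = Get-DllStatus -Path $dll
            }
        }
    }
}

function Get-WinlogonNotify {
    # Winlogon Notify packages (XP-era hook; each subkey names a DLL in DllName).
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (-not (Test-Path $key)) { return }
    foreach ($sub in Get-ChildItem -Path $key) {
        $name = (Get-ItemProperty -Path $sub.PSPath).DllName
        $dll  = if ($name) { [Environment]::ExpandEnvironmentVariables($name) } else { $null }
        [pscustomobject]@{
            Source = 'WinlogonNotify'
            Clsid  = $sub.PSChildName
            Dll    = $dll
            Status = Get-DllStatus -Path $dll
        }
    }
}

function Get-PendingFileOps {
    # The REG_MULTI_SZ that "delete on reboot" tools populate; an empty target means delete.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
}

# Anything NotSigned or MISSING deserves a closer look; Valid entries are usually vendor add-ons.
@(Get-BhoRegistration) + @(Get-WinlogonNotify) |
    Sort-Object Status | Format-Table -AutoSize

Write-Host "`nPending file rename/delete operations for next boot:"
Get-PendingFileOps
```

If a DLL you removed from the BHO key reappears after a clean reboot but not after a hard power-off, that matches the post's observation: something running at logoff (a Winlogon Notify hook or a process with a shutdown handler) is re-writing the entry, and the pending-rename list is being undone before it is honoured.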
