Friday, 7 August 2009

Trojan Alert!

[This happened a couple of weeks ago. I've been "clean" ever since.]

I'm kind of confused as to exactly what my laptop was infected with, but I noticed that my laptop was smtp-ing mails all over the place (but mostly to Russia).
[I only noticed because I have a somewhat peculiar locally-running-my-own-smtp-server email setup - and whatever had infected me had determined that server to be a suitable relay for the odd message.]

Anyway, the obvious symptom was that the absolutely real services.exe process was connecting on port-25 and sending mail. (Lots of connections seen via "netstat -ao".)

I noticed that my hosts file had been tampered with; the often-dependable spybot-s&d found a few things (including sdra64.exe, IIRC) and then malwarebytes' anti-malware told me sysdiag.dll and ipcmd.dll (in system32) were problems and got rid of those for me.
[Microsoft's/SysInternals' ProcessExplorer showed me that those DLLs were infact what was being loaded up into the services.exe process to send the mail.]
AdAware and some other thing starting with super (superspyware-something or other?) didn't find anything. McAfee was finding nothing (and never found anything, even after I'd manually updated it to the should-have-been-auto-updating-but-was-actually-failing new version) - until after I'd uploaded sysdiag.dll to webimmune.net and got a patch file.
Online virus-scanners showed that maybe 20% of the products they used detected these DLLs were malicious at all - and none of the products seemed to agree on a problem-name.

I thought I was clean at that point. But no - after a while the DLLs were trying to come back. (With the patch applied, McAfee was blocking them - every half an hour or so.)

I'd googled and found a few references to some of these files, but none of the problem-descriptions really tallied with the problem I had. (Which was lucky, because by most accounts if I'd got these files on my system then I'd got some completely incurable virus!)

I was getting close to deciding to reinstall Windows - I'd wasted a couple of days on this and my project deadline wasn't exactly getting further away.

Anyway, I continued throwing all the (now varying) dll names that McAfee was warning me about into Google and the only web page that was consistently coming up was somewhere under prevx.com. It didn't give much detail (and I was even a little suspicious that it wasn't just a scare-ware site, given that their product seemed to cost) but after searching for a little comfort on PrevX I downloaded the "trial" product and ran a scan.

Lo! Four minutes later and this program's quick little scan revealed problems that hours of scanning with McAfee and all the other spyware progs I could find had got nowhere near. Rather marketingly-cleverly, the prog does the scan for free and then makes you pay for (most) removals. I paid up the 20 quid for a year's subscription.

Rather quickly, cleanly and successfully, Prevx3 sorted out my machine for me.

Now as a general rule I dislike paying for software. (In case you were wondering, this means either work pays, or I try to get away with free / open-source stuff - and not that I'm into nicking it. I'm not into the piracy angle - I do figure if it's that indispensible to me then I should buy it and reward someone for their efforts.)

It's probably something to do with having spent two frustrating days getting to the point, but I'm actually finding myself feeling proud and clever to have shelled out (my own money!) for prevx - and I think it's such a sleek and effective bit of software that I'm happy to recommend you pay for it too!

I've since seen some excellent support being offered on some forum or other and they also have a they'll-remotely-fix-your-machine and/or a give-you-your-money-back-guarantee too. So when the other (free) tools aren't doing it for you, let prevx have a quick look and then decide if a quick result is worth a few dollars/quid/euros to you...

No comments: