2 November 2008

Killing a trojan

My laptop got infected with something on Thursday (I think), and so Saturday morning was spent cleaning it and every other machine on the network. Symptoms: Google search results looked a little wonky (odd font?), and clicking any of the result links would pop open a new window with advertising crap. I should have saved the page for reference. The HTML had a mishmash of odd links replacing what it said the URLs were. Fuckers.

A quick search came up with Malwarebytes' Anti-Malware utility. First run on my laptop found ~16 infected files and registry entries. Clean, reboot, and rerun. Second found four. Third and subsequent runs found one: Rootkit.Agent in a file under C:\System Volume Information\_restore*. Each pass, it would be a different .sys file. Cleaned up the two desktop machines; the web server was completely clean. Lisa's laptop had Rootkit.Agent also. :-(

I had accepted that I would have to go scorched-Earth on both laptops, but then found a reference to FileASSASSIN (also from Malwarebytes) in a forum talking about that particular pest. I rebooted in safe mode, ran the malware scan (since the file changed after each cleaning), found the currently infected file, and used FileASSASSIN to delete it. Rebooted back in normal mode and both laptops scanned clean.

According to ThreatExpert, it's a rootkit and a trojan. I have my doubts that it's gone so will be running more scans. Let's just say you shouldn't accept any emailed files from me for the foreseeable future...

The cool new video converter that I found for my Creative Zen, M2Convert from M2 Solutions, Inc., is apparently File Zero for the virus. It was the simplest video converter I found. That really sucks. So, for the search engines: M2 Solutions video converter contains malware.
[ posted by sstrader on 2 November 2008 at 4:21:57 PM in Home Network & Gadgets ]