Monday, September 12, 2005

Spyware, Adware, and PUS oh my

Last night I was working quietly on my computer when a voice of sheer terror rang out from upstairs - "Dad, I need your help right now!!!". Not wanting to match the raw power of my daughter's screech, I calmly typed into Windows Messenger, "Please stop screeching and what is the problem?". I received back, "My stuff is all rearranged and there are extra ones. And popups". Oh boy, sounds like spyware, I thought to myself. I typed back, "OK, I will be right there."

Girding for battle, I marched resolutely up the stairs, steadfast in my belief that this would be a short, satisfying encounter ending in the well deserved death of YASP (Yet Another Spyware Program). Little did I know that these vermin and the a$$holes that create them are getting a bit smarter at avoiding removal. Last year I had an outbreak that cropped up on my son's machine after he made the mistake of letting a friend visit some stupid video game "cheat" site (one of those places that lists the cheat codes you type into video games). That one took a bit of work since two of the processes kept starting each other up if you killed one - but all in all it took only about 30 minutes. This one got downright nasty.

First, the machine is at Windows XP SP2, is current on patches and does have SpySweeper on it. Running SpySweeper showed about 4 pieces of software. A manual look through task mangler showed at least 10 processes that were surely spyware. A partial list: InSearch.exe, MediaAcck.exe, thin-138-1-x-x.exe, svcproc.exe, vidctrl.exe, MediaAccess.exe, command.exe, jdzryj.exe, wintask.exe, casclient.exe, gms2.exe, and a scourge called "NewDotNet_36_8.dll" that had inserted itself into the Winsock stack as a Layered Service Provider (LSP). I didn't even bother looking up all of these, but some of the product names were: Surf Sidekick 3, CmdService (the one that launched command.exe), Casino Client.

Not being an expert on Anti-PUS (by the way, PUS is "Potentially Unwanted Software"), I figured it would still be no problem since I am pretty damn savvy with Windows in general. I knew that some of these would have two components and re-launch themselves if killed, but I went ahead and started killing things with task mangler to see which ones were going to do that. After I found the EXEs that were re-starting, I decided to try a trick that I thought up on the spur of the moment - setting the ACL with a DENY on execute for the user ID I was logged on with and then killing the damn thing. (Please - I told you I am not an expert - don't tell me about your web site that has had this technique on it since 1999. I believe you, however it's still possible for others to discover the technique on their own, OK?). Well - that worked for some of them. One of the others (I think it was Surf Sidekick 3) noticed the ACL change, immediately threw out the ACL and replaced it with one that had only Everyone Full Control, and of course it got launched again. (In hindsight that is to be expected: the owner of a file can always rewrite its DACL, so a deny ACE set by the same account the spyware runs as is only a speed bump.)
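The deny-execute-then-kill move, written out as an added example in PowerShell. This is not code from the original post (the author used the GUI ACL editor and Task Manager on XP); it assumes an elevated session on Vista or later, where takeown.exe and Get-Acl/Set-Acl are available, and the file path in the usage line is a placeholder. It also checks for the failure mode described above, the process coming back with its DACL reset, and says when to give up and go offline.

```powershell
# Added example, not code from the post. Assumes an elevated PowerShell session
# on Vista or later. The path in the usage line is a placeholder.

function Deny-Execute {
    # Add an explicit Deny ACE for ExecuteFile. Deny ACEs are evaluated before
    # Allow ACEs, so CreateProcess on this file fails for $Account afterwards.
    param([Parameter(Mandatory)][string]$Path,
          [string]$Account = "$env:USERDOMAIN\$env:USERNAME")
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-DenyExecute {
    # $true if a Deny ACE covering ExecuteFile is still present for $Account.
    param([Parameter(Mandatory)][string]$Path,
          [string]$Account = "$env:USERDOMAIN\$env:USERNAME")
    $exec = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $acl  = Get-Acl -LiteralPath $Path
    return [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Account -and
        (($_.FileSystemRights -band $exec) -eq $exec) })
}

function Remove-SelfRestartingProcess {
    param([Parameter(Mandatory)][string]$Path)
    # 1. The file owner always holds WRITE_DAC, so a process running as the owner
    #    can simply rewrite the DACL (what Surf Sidekick did). Hand ownership to
    #    Administrators first. Caveat: this only helps when the spyware runs as a
    #    non-admin account; on a box where the user is a local admin the process
    #    is in Administrators too and can still reset the DACL, which is why
    #    offline removal ends up being the reliable path.
    & takeown.exe /F $Path /A | Out-Null
    # 2. Deny execute for the account the spyware runs under, then kill it.
    Deny-Execute -Path $Path
    Get-Process | Where-Object { $_.Path -eq $Path } | Stop-Process -Force
    Start-Sleep -Seconds 5
    # 3. Verify: did a partner process relaunch it, and did the ACL survive?
    $back = Get-Process | Where-Object { $_.Path -eq $Path }
    if ($back) {
        if (-not (Test-DenyExecute -Path $Path)) {
            Write-Warning "$Path rewrote its own DACL; remove it offline (WinPE) instead."
        } else {
            Write-Warning "$Path is running again despite the Deny ACE; it was started by another account or by a service."
        }
        return $false
    }
    return $true
}

# Usage (placeholder path; substitute the binary found in Task Manager):
# Remove-SelfRestartingProcess -Path 'C:\Program Files\Example\vermin.exe'
```

The check in step 3 distinguishes the two ways this trick fails: an ACL that was silently replaced (the binary has to come off the disk from outside the running OS) versus an ACL that held but did not matter (something running as a different principal, typically a service, launched it).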

Next, I decided to clean whatever I could out of the registry and reboot. I had put a deny execute on NewDotNet and several others. I cleaned out all of the registry entries from HKLM\...\Run and HKCU\...\Run, set items that were BHOs (Browser Helper Objects) to disabled, and all that fun stuff. Rebooted, and presto - we were down to three things. CasClient was still there, Surf Sidekick 3 was there, and while NewDotNet was not running, its absence had made AD functions not work correctly (I could no longer do ACL tricks with domain accounts because the name lookups would fail, even though GPO and mapped drives all worked). That is the classic symptom of an LSP whose DLL is gone but whose Winsock catalog entry is still in place. I then ran "netsh int ip reset" (or whatever that command is that removes the network add-ins; on XP SP2 the one that rebuilds the Winsock catalog is "netsh winsock reset") and then ran the NewDotNet uninstaller. That issue was resolved.

One of the harder ones was the command.exe program. This was set up as a service! First time for ME to see spy/adware that was smart enough to do this. I tried to stop or pause the service, but the sneaky ba$tard$ had coded the service so that it did not accept those control codes (a service tells the service control manager which controls it accepts, and this one simply refused STOP and PAUSE). So I tried to terminate the program and got access denied. I then used a sneaky trick to pull up a cmd.exe prompt as Local System, and used "TaskKill /f /im command.exe" to nuke it. Then I used "SC.exe delete cmdservice" to remove it from the service control manager's database (its key under HKLM\SYSTEM\CurrentControlSet\Services). Deleted the file, rebooted again, and that one was sent packing.
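An added example (mine, not the post's) that enumerates the persistence points walked through in the last few paragraphs, Run keys, BHOs, services and the Winsock catalog, and removes a service the way the post did: kill the image, delete the SCM entry, delete the file. It assumes an elevated PowerShell session on Vista or later. The post does not say how the author obtained a Local System prompt, so that step stays a comment.

```powershell
# Added example, not code from the post. Assumes an elevated PowerShell session.

function Get-RunKeyEntries {
    # Autostart values in the machine and per-user Run/RunOnce keys.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        $p = Get-ItemProperty -Path $k
        foreach ($prop in $p.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

function Get-BrowserHelperObjects {
    # IE loads every CLSID listed here; the DLL is the CLSID's InprocServer32 default value.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path $bho)) { return }
    foreach ($clsid in (Get-ChildItem -Path $bho).PSChildName) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty -Path $srv).'(default)' } else { $null }
        [pscustomobject]@{ CLSID = $clsid; Dll = $dll }
    }
}

function Get-ServicesOutsideSystemRoot {
    # A service whose image is not under %SystemRoot% deserves a second look
    # (the post's CmdService -> command.exe would have shown up here).
    Get-CimInstance -ClassName Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notlike "*$env:SystemRoot*"
    } | Select-Object Name, State, StartMode, PathName
}

function Show-WinsockCatalog {
    # Winsock LSPs (NewDotNet's DLL) register here, not in Run keys. Deleting the
    # DLL but leaving the catalog entry is what breaks name resolution.
    & netsh.exe winsock show catalog
}

function Get-ServiceImagePath {
    # Win32_Service.PathName may be quoted and may carry arguments.
    param([Parameter(Mandatory)][string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Remove-MalwareService {
    # The post's sequence: the service advertised no STOP/PAUSE controls, so
    # kill the image, delete the SCM entry, then delete the file.
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { throw "service '$Name' not found" }
    $image = Get-ServiceImagePath -PathName $svc.PathName
    # If taskkill reports Access Denied, the process DACL excludes you; the post
    # re-ran it from a Local System prompt (how it got one is not stated).
    & taskkill.exe /F /IM ([System.IO.Path]::GetFileName($image)) | Out-Null
    # sc delete marks the entry for deletion; if something still holds a handle
    # to the service it actually disappears at the next reboot.
    & sc.exe delete $Name | Out-Null
    if (Test-Path -LiteralPath $image) { Remove-Item -LiteralPath $image -Force }
    return (-not (Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"))
}

# Usage (service name as given in the post):
# Get-RunKeyEntries; Get-BrowserHelperObjects; Get-ServicesOutsideSystemRoot; Show-WinsockCatalog
# Remove-MalwareService -Name 'cmdservice'
```

Run the four enumerators before touching anything and keep the output; after the reboot, run them again and diff. Anything that reappears has a launcher you have not found yet.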

Then I had to get nasty. About then I went to find my daughter and told her that it was down to this: either I could kill the remaining vermin with WinPE, or I would re-image her machine. I stalked down to my office to get a WinPE boot CD - not defeated, but now knowing that this was not going to be the short battle I had anticipated.

I booted to WinPE and deleted the offending files. "Try to start back up now, you pile of rubbish!", I exclaimed. I then loaded the registry hive for my daughter's account (her NTUSER.DAT, which becomes HKCU when she logs on) and the HKLM\Software hive for her machine into the WinPE regedit. It took just a couple more minutes to hunt down and destroy the few remaining registry entries for this stuff.
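The offline cleanup from WinPE as an added example, not the post's own steps (the author used regedit's Load Hive). It uses reg.exe load/query/delete/unload, which exist in WinPE's cmd.exe; the PowerShell wrapper assumes a current WinPE with the PowerShell optional component. The drive letter, the profile path, the GUID and every entry name in the cleanup section are placeholders, not names from the post.

```powershell
# Added example, not code from the post. Run inside WinPE, where the infected
# Windows volume is mounted but not booted, so its hives can be loaded offline.
# Assumptions: the volume is D:, XP-era profile layout, placeholder names below.
param(
    [string]$WinDir  = 'D:\WINDOWS',
    [string]$Profile = 'D:\Documents and Settings\daughter'
)

# Offline hive -> temporary key under HKLM. OffUser is what becomes HKCU at logon.
$Hives = [ordered]@{
    'HKLM\OffSoft' = "$WinDir\system32\config\software"
    'HKLM\OffSys'  = "$WinDir\system32\config\system"
    'HKLM\OffUser' = "$Profile\NTUSER.DAT"
}

function Mount-OfflineHives    { foreach ($k in $Hives.Keys) { & reg.exe load   $k $Hives[$k] | Out-Null } }
function Dismount-OfflineHives { foreach ($k in $Hives.Keys) { & reg.exe unload $k             | Out-Null } }

function Get-OfflineCurrentControlSet {
    # An offline SYSTEM hive has no CurrentControlSet; Select\Current says which
    # ControlSetNNN will be live at boot, and that is where the service key is.
    $line = & reg.exe query 'HKLM\OffSys\Select' /v Current |
            Where-Object { $_ -match 'Current\s+REG_DWORD' } | Select-Object -First 1
    $n = [Convert]::ToInt32((($line -split '\s+')[-1]), 16)   # "0x1" -> 1
    return ('HKLM\OffSys\ControlSet{0:D3}' -f $n)
}

function Find-OfflineKeys {
    # Recursive search of all three hives for an image name, product name or
    # CLSID; returns the key paths holding a match (reg query prints them first).
    param([Parameter(Mandatory)][string]$Needle)
    foreach ($root in $Hives.Keys) {
        & reg.exe query $root /s /f $Needle 2>$null | Where-Object { $_ -match '^HKEY_' }
    }
}

Mount-OfflineHives
try {
    $ccs = Get-OfflineCurrentControlSet
    # What the post hunted down, with placeholder names in place of the real ones.
    # 1. Run entries in the machine hive and in the user's NTUSER.DAT
    & reg.exe delete 'HKLM\OffSoft\Microsoft\Windows\CurrentVersion\Run' /v 'PlaceholderAdware' /f
    & reg.exe delete 'HKLM\OffUser\Software\Microsoft\Windows\CurrentVersion\Run' /v 'PlaceholderAdware' /f
    # 2. A BHO: its registration under Explorer plus the CLSID itself (placeholder GUID)
    $clsid = '{00000000-0000-0000-0000-000000000000}'
    & reg.exe delete "HKLM\OffSoft\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid" /f
    & reg.exe delete "HKLM\OffSoft\Classes\CLSID\$clsid" /f
    # 3. A service entry, under the control set that will actually boot
    & reg.exe delete "$ccs\Services\PlaceholderService" /f
    # 4. Anything else still referencing a known image name
    Find-OfflineKeys -Needle 'placeholder.exe'
} finally {
    # Always unload, or the hive is left dirty and the machine may not boot cleanly.
    Dismount-OfflineHives
}
```

Two things bite people here: editing ControlSet001 when Select\Current points at ControlSet002 (the service comes straight back), and forgetting the unload, which leaves the hive with a dirty log. Deleting the files and the registry entries in the same offline session is what makes this work when the online ACL and kill tricks did not: nothing is running to put them back.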

I rebooted one more time, installed the latest version of Firefox and set it as the default. I gave my daughter the instruction that she is not to use Internet Explorer to work around a page that doesn't work in Firefox without checking with me first!

Elapsed time: 2 stinking hours! All wasted on this crap. Boy, if we knew who the developers for this stuff were - it sure would be satisfying to get back at them some way.

3 comments:

Anonymous said...

Found your post. So far it's the only place I've been able to find that even mentions how to get rid of command.exe without having to buy some program. (run the scan for free, but you have to buy to nuke the damn thing). Would be interested in reading step-by-step instructions on how to get rid of it, as I'm poor and can't afford to blow money out the monitor on a spyware program that isn't going to work three days later. (and since my father is far too comfortable downloading any and every program that says it kills spyware, and bogs down his own machine, I'd rather not let him anywhere near mine) Any help would be appreciated! ~Aia

Anonymous said...

Hello,

Just like anonymous above, I would really appreciate any more details you might be able to give on removing the command.exe problem.
This is one of the most tenacious worms I've seen yet.
Thanks

Unknown said...

Great blog! Thanks for the cmdservice help, worked like a charm!