Yen's Blog

Lens, Wheels, Skates, Keyboard

Removing Malware

My computer got a dose of malware today.   The trojan got a hold of my USB drive.  It made all of my files and folders hidden, then injected executables with the same names.  It also hid the .exe extension so that the executables appeared in place of the legitimate objects they were masquerading.  It gave the fake folders the right icon so that they looked just like folders.  The objective is to fool the user into double-clicking the folders to open them but instead executing the trojan.

Malware executable masquerading as folder. With the normal Windows settings, the original folder “backup” is not shown because it is set to “hidden”. The malware executable “backup.exe” looks like a real folder because it has a folder icon and its “exe” extension is not shown.

Sure enough, being careless, I fell for the trick.  The trojan installed a “scareware” Malware and Spyware scanner; whoever the authors are, they are not without a perverse sense of humor.  The fake scanner “detected” random programs on the hard drive as malware.  If you fall for the legitimate-sounding messages, you undoubted would be sending them your credit card information at some point.  Now only an idiot would do that (apologies to those who actually did).  This trojan is not a one-trick pony.  It has a fairly standard bag of tricks:

  • It  modifies Windows’ Registry so that it would be loaded automatically when the computer boots
  • It modifies the Windows Hosts file to redirect google.com, yahoo.com and bing.com to ad sites
  • It changes your IE homepage to point to its own site
  • If you start Task Manager or any other program, it immediately kills it so that you have no control whatsoever of the computer with the only recourse to click on the link that the fake scanner provides

At this point, it looked like I was stuck.  I finally managed to kill the fake scanner’s process (defender.exe) from Task Manager with some quick fingers.  It helps to be familiar with keyboard shortcuts.  Once I regained control of the computer, I used HijackThis to remove the infection from the Hosts file, IE and Registry. I manually deleted the executables referenced in the registry.  Then I put the computer through a rigorous scan with MalwareBytes.

To cleanse the USB drive, simply select Tools  > Folder Options > View in Windows Explorer. Select Show hidden files and folders and uncheck Hide extensions for known file types.  This allows you to see the hidden original folders.  You can simply delete the fake files and folders.  To be able to see the files and folders normally,  you’ll have to turn off the hidden and system attributes.  You can do so with the command attrib -h -s "file name".

Now I’ll have to go change all of my passwords.