Step-by-step guide to remove stubborn malware
Question : Here are some attached files for your reference. The problem causes
my PC to slow down dramatically, and eventually I can hardly do anything with
it. Before this, my PC was infected by malware/adware. Internet Explorer was
damaged, thus I had to get it fixed. From the Task Manager, there is a file
called SVCHOST.EXE which uses most of the central processing unit bandwidth.
Can any virus/malware/adware do such a thing?
Answer : They not only can do such a thing, they usually DO do such a thing.
Malware is, by and large, very badly written. Because of this, a lot of malware
tends to slow down or otherwise impact the system in a negative way. It has
become such a reliable symptom that the first thing troubleshooters look for
when a system deviates from the norm is the presence of malware.
After looking through the logs, we noticed some suspicious behaviour. First of
all, the line "C:\WINNT\TEMP\DS3C68.EXE" under "Running processes" tells us
that the file "DS3C68.EXE" is running from a temporary folder in the WINNT
directory.
The "TEMP" folder under the main directory (which is WINNT in this case) is
usually used to store data files that are used by a running program. Because
of this, any program running directly from the "TEMP" folder is highly
suspect.
Another suspect entry is "04-HKLM\..\Run:
[winsync]C:\WINNT\system32\wkrior.exe reg_run" -- this is probably where your
problem is. It's malware that many virus cleaners call "Qoologic", and it is
not easy to remove. Basically, Qoologic has three major components.
The first component runs from a "winsync" entry in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -- this is
the aforementioned entry. The filename is typically a random set of six
characters.
The next component is typically a DLL (that would probably be the one eating
up all the processor bandwidth). In some versions, this DLL is called
"wuauclt.dll" and usually placed in the system directory (C:\WINNT in this
case).
Note that the offending file is called "wuauclt.dll" and not "wuauclt.exe".
Also, with many variants, an entry can be found in C:\Documents and
Settings\All Users\Start Menu\Programs\Startup that refers to another
executable file -- this is another location where programs can be started
automatically.
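As an added example (not code from the original article), here is a small Python triage script that applies the indicators described above to a HijackThis-style log: a process running out of a TEMP folder, a "winsync" value under the Run key whatever file it points to, a six-letter random-looking program name in a Run value or Startup-folder entry, and a DLL carrying the name of a well-known Windows executable such as wuauclt. The sample log, the allowlist of executable names and the six-letter heuristic are constructed assumptions; the regular expressions accept both the "O4 - HKLM\..\Run:" layout HijackThis writes and the "04-HKLM\..\Run:" spelling quoted in this article.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in the HijackThis log layout the article quotes.  The
# article's own indicators (the TEMP process, the "winsync" Run value, the
# wuauclt.dll file in C:\WINNT) sit among ordinary benign lines.
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\TEMP\DS3C68.EXE
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINNT\wuauclt.dll
O4 - HKLM\..\Run: [winsync] C:\WINNT\system32\wkrior.exe reg_run
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: gsfhtd.exe
O4 - Startup: desktop.ini
"""


@dataclass(frozen=True)
class Finding:
    rule: str    # short rule identifier
    line: str    # the log line that triggered it
    detail: str  # why it was flagged


# "[O0]4" accepts both HijackThis's "O4 - ..." and the "04-..." spelling in the article.
RUN_ENTRY = re.compile(r"^[O0]4\s*-\s*(HK\w+)\\\.\.\\(Run\w*):\s*\[([^\]]*)\]\s*(.*)$")
STARTUP_ENTRY = re.compile(r"^[O0]4\s*-\s*((?:Global )?Startup):\s*(.*)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"']+")
# Constructed allowlist: executables whose names malware likes to borrow for a .dll.
KNOWN_EXE_STEMS = {"wuauclt", "svchost", "lsass", "services", "winlogon", "explorer"}
# Heuristic for the article's "random set of six characters"; legitimate six-letter
# names exist (ctfmon.exe, for one), so this rule only marks an entry for review.
RANDOM_STEM = re.compile(r"^[a-z]{6}$")


def _stem(command: str) -> str:
    """Lower-case file-name stem of the program a Run/Startup entry launches."""
    command = command.strip()
    if command.startswith('"'):              # "C:\Program Files\x.exe" /arg
        program = command[1:].split('"', 1)[0]
    else:
        program = command.split()[0] if command else ""
    return PureWindowsPath(program).stem.lower()


def triage_log(text: str) -> list[Finding]:
    """Apply the article's indicators to a HijackThis-style log, in line order."""
    findings: list[Finding] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False             # a blank line ends the process list
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if in_processes:
            parts = [p.lower() for p in PureWindowsPath(line).parts]
            if "temp" in parts:
                findings.append(Finding("process-from-temp", line,
                                        "program running out of a temporary folder"))
            continue
        # Any path on any other line: a .dll named after a well-known .exe is a lookalike.
        for path in WIN_PATH.findall(line):
            p = PureWindowsPath(path)
            if p.suffix.lower() == ".dll" and p.stem.lower() in KNOWN_EXE_STEMS:
                findings.append(Finding("dll-lookalike", line,
                                        f"{p.name} borrows the name of {p.stem}.exe"))
        m = RUN_ENTRY.match(line)
        if m:
            hive, key, value_name, command = m.groups()
            if value_name.lower() == "winsync":
                findings.append(Finding("qoologic-winsync", line,
                                        f"'winsync' value under {hive}\\...\\{key}"))
            elif RANDOM_STEM.match(_stem(command)):
                findings.append(Finding("random-name", line,
                                        "six-letter program name in a Run value"))
            continue
        m = STARTUP_ENTRY.match(line)
        if m and RANDOM_STEM.match(_stem(m.group(2))):
            findings.append(Finding("random-name", line,
                                    f"six-letter program name in the {m.group(1)} folder"))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.line}")
```

Run on the constructed log it reports the TEMP process, the wuauclt.dll lookalike, the "winsync" Run value and the six-letter Global Startup entry, and leaves the benign lines alone; the random-name rule is deliberately the weakest of the four and is only a prompt to look a name up, as the article itself advises.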
We don't usually advocate wholesale re-installing for any Trojan infection,
but this is one of the times that we're going to say it might be easier to
just re-install it. Before we go to that extreme, though, we'll try to take it
out.
The first thing to do is to figure out which DLL is causing svchost.exe to do
this. The offending DLL can be located with Sysinternals' "Process Explorer"
(available from www.sysinternals.com). After downloading the program, run it,
and then locate the "svchost.exe" entries (in the process tree they appear as
children of "services.exe").
One of the "svchost.exe" entries may show a large number in the "CPU" column.
If so, right-click on it and select "Properties". If none stands out, note the
number in the "PID" column of the offending "svchost.exe" entry in Task
Manager, and select the entry with the same PID in Process Explorer.
Once this is done, click on the "Performance Graph" tab to confirm CPU usage.
Once this is confirmed, click on the "Threads" tab, which lists every thread
in this instance of "svchost.exe" together with the DLL (start module) each
thread is running from.
If there's only one listed, then we've found our culprit. If there's more than
one DLL, use a search engine to identify the offending DLL.
Just type the DLL names (including the extensions) into a search engine and
read what comes up. In this way, the offending DLL can be identified.
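As an added example, not part of the article or of Sysinternals' tooling, the following Python models the decision made in that Process Explorer session: pick the svchost.exe with the biggest CPU share, sum each thread's CPU time by its start module (what the Threads tab lists), and, when more than one module appears, note what makes a module worth looking up first. The snapshot data, the allowlist of borrowed executable names and the assumption that service DLLs belong in the system32 directory are constructed for the example.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed snapshot of what Process Explorer shows for the svchost.exe
# instances under services.exe: the process's CPU share and, from its Threads
# tab, each thread's start module with the CPU time that thread has consumed.
# Module names follow the article; the numbers are made up.
SVCHOST_SNAPSHOT = [
    {"pid": 812, "cpu_percent": 1.2,
     "threads": [(r"C:\WINNT\system32\rpcss.dll", 0.4),
                 (r"C:\WINNT\system32\ntdll.dll", 0.1)]},
    {"pid": 1040, "cpu_percent": 94.0,
     "threads": [(r"C:\WINNT\wuauclt.dll", 51.0),
                 (r"C:\WINNT\wuauclt.dll", 42.5),
                 (r"C:\WINNT\system32\ntdll.dll", 0.2),
                 (r"C:\WINNT\system32\wuauserv.dll", 0.3)]},
]

# Constructed allowlist of executable names that a malicious DLL may borrow.
KNOWN_EXE_STEMS = {"wuauclt", "svchost", "lsass", "services", "winlogon"}


def busiest_svchost(snapshot):
    """The svchost.exe instance with the largest CPU share (the article's first step)."""
    return max(snapshot, key=lambda proc: proc["cpu_percent"])


def cpu_by_module(proc):
    """Total thread CPU time per start module, highest first (the Threads tab, summed)."""
    totals = defaultdict(float)
    for module, cpu in proc["threads"]:
        totals[module.lower()] += cpu
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def explain_module(module, windows_dir=r"C:\WINNT"):
    """Reasons to distrust a module before looking it up; empty means nothing stood out."""
    p = PureWindowsPath(module)
    reasons = []
    # PureWindowsPath compares case-insensitively, so C:\WINNT and c:\winnt match.
    if p.parent != PureWindowsPath(windows_dir, "system32"):
        reasons.append(f"loaded from {p.parent}, not the system32 directory")
    if p.suffix.lower() == ".dll" and p.stem.lower() in KNOWN_EXE_STEMS:
        reasons.append(f"{p.name} borrows the name of the legitimate {p.stem}.exe")
    return reasons


def identify_culprit(proc):
    """Candidates as (module, cpu, reasons), most CPU first.

    With a single start module the answer is immediate, as the article says;
    with several, the ranking and reasons say which names to look up first.
    """
    ranked = cpu_by_module(proc)
    candidates = []
    for module, cpu in ranked:
        reasons = explain_module(module)
        if len(ranked) == 1:
            reasons.append("only module hosting threads in this svchost.exe")
        candidates.append((module, cpu, reasons))
    return candidates


if __name__ == "__main__":
    proc = busiest_svchost(SVCHOST_SNAPSHOT)
    print(f"svchost.exe PID {proc['pid']} at {proc['cpu_percent']}% CPU")
    for module, cpu, reasons in identify_culprit(proc):
        print(f"  {cpu:6.1f}  {module}  {'; '.join(reasons) or 'nothing unusual'}")
```

On the constructed snapshot PID 1040 wins on CPU, and within it wuauclt.dll accounts for almost all of the thread time while also being loaded from C:\WINNT rather than system32 and sharing its name with wuauclt.exe, which is exactly the combination the article tells you to treat as the culprit.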
Now that we've identified every file and location, it's time to remove them.
Before doing anything, update the browser at windowsupdate.microsoft.com (or
download the IE6 service pack 1 from www.microsoft.com/ie and install it).
This is a crucial step to ensure that the operating system doesn't get
reinfected after the malware is removed.
After this is done, restart the OS in Safe Mode and use HijackThis to remove
"04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run" (click on the
checkbox to the left of it and then on "Fix Checked").
While you're here, open Windows Explorer, navigate to the "C:\WINNT\TEMP"
directory and delete every file in it. Do the same for the "temporary"
directory of every user: each user has one, named
C:\Documents and Settings\(user name)\Local Settings\Temp, where (user name)
is the name of the user account.
The startup entries are more difficult to remove. Look through the entries in
"C:\Documents and Settings\All Users\Start Menu\Programs\Startup" to see if
all programs there are recognised. If the programs are not easily
identifiable, just delete everything in it.
Each user will also have a Startup directory, usually called "C:\Documents and
Settings\(user name)\Start Menu\Programs\Startup" where user name is, again,
the user name of the particular user account.
The same should be done with these directories as well.
Also look in the C:\WINNT directory for a file called "wuauclt.dll". If it's
there, remove it. Note that the name is "wuauclt.dll", not "wuauclt.exe";
"wuauclt.exe" is usually a legitimate program.
Okay, now it's time to cross your fingers and restart the OS.
After restarting the OS, run regedit and check whether the "winsync" entry
under the Run key is gone. If it is, allow yourself a small pat on the back.
It's gone for now. Don't bring out the champagne yet, however.
After this, run HijackThis periodically to see if it's coming back. If you see
"04-HKLM\..\Run: [winsync]C:\WINNT\system32\wkrior.exe reg_run", or
"04-HKLM\..\Run: [winsync]C:\WINNT\system32\(x) reg_run" again (where x is
some random filename), you've been infected again, in which case you might
just want to re-install, and remember to update the browser this time.
If you've removed everything from the "startup" directories, also remember to
uninstall and re-install any firewall software/malware cleaners installed on
this PC to replace the automatically loaded components.