"So the trojan this popup installs, how do you get rid of it? I got a user's machine; I think it's clean, and then the next day it's back."

Welcome to the thankless world of IT Security, non-IT Security folks. Someone clicked on the dancing baby, or the phishing popup, and now the computer is "acting weird." Slow. Applications don't start.
First, shoot the user and hang the body at your company's front door, pour encourager les autres.
Now to the problem. Modern spyware has two nasty characteristics:
- It often installs its executable files using random names, so that you can't find it by looking for a file name.
- It often hides its bootup sequence, so deleting most of the files means that it recreates them the next time the system starts. ASM826 is probably seeing this.
Step 1. Try a bunch of antivirus scanners. I talked about a bunch of good free ones yesterday, so I won't repeat myself. I would recommend starting with the online (browser-based) ones, like Trend Micro's House Call. The reason is that some of the nasty malware will try to attack/shut down/delete antivirus scanners. I haven't heard of them doing this to the online ones.
I'd fire up one of these and give it a spin. Reboot when you're done, and see if the spyware comes back. There's a decent chance it will, but if you run this while you're at lunch, you probably haven't lost much. You can try running all of the online ones in sequence before rebooting; in this case, more is definitely merrier.
Step 2. If that didn't work, try installing an antivirus agent. I gave a selection of good ones in yesterday's post. The malware may try to disable the antivirus, so you need to make sure that the malware isn't running, and for that, you need to boot into Safe Mode. Download the antivirus installer on a different computer, and copy the installer to a USB drive. Use the USB to install it on the infected machine when it's been booted into Safe Mode. Run the scan. This takes time, which is annoying, but won't hurt anything. If it works, then you don't have to try any of the other steps, which may indeed hurt something. Again, reboot into regular mode when you're done, and see if the system is clean (do the symptoms come back?).
Step 3. If that didn't work, you're in for some surgery. Here's where you can start breaking things, so be careful. If you're nervous, skip to the next step which sounds even worse, but actually isn't.
The first thing that you need to do is take out the infected computer's hard disk. Yeah, I know - welcome to the thankless world of IT Security. Put the hard disk into a clean computer. Boot the clean computer. MAKE SURE THAT YOU BOOT FROM THE CLEAN COMPUTER'S HARD DISK, OR YOU'LL INFECT THE CLEAN COMPUTER!
Try running the clean system's antivirus before you go mucking around in the Registry, or you'll make Baby Jesus cry. If that doesn't work, you can try to manually delete the spyware from the infected system's hard drive. There are detailed instructions at this site, although I'm not a big fan of Ad-Aware (can't say about Spybot). In any case, the clean computer's antivirus scanner will likely be as good.
Step 4. If none of this worked, then you Nuke it from Orbit. Back up the user's data, and then re-install the OS. You'll now have an unhappy user, because they'll have to reinstall their applications, they'll be in iTunes DRM Hell, and they've probably lost their bookmarks, but their system is now guaranteed malware-free. Run Windows Update to get the latest security fixes, make sure that the antivirus is installed and up to date, and let them grumble about "stupid IT can't fix my @#$% computer."
Welcome to the thankless world of IT Security. Mac and Linux fanbois can stop smirking, thank you very much.
Now my experience is that many corporate IT departments start with Step 4. It's just faster (meaning less expensive) to nuke it until it glows and then reinstall. If IT does a good job of backing up user data (some don't), then this is actually the preferred strategy, as any scan can miss something, but Hydrogen Fusion won't.