My career in technology

I’m not a malware hunter by trade, but I have been called on from time to time to do a little extermination.

A client had a little malware problem on her Windows XP box. The initial symptom was a phony virus scanner window telling her she had a large number of infected files, and that she needed to purchase the full version of the software to clean the system. It was causing her Internet Explorer to hang when launched, and prevented Outlook from displaying graphics in HTML-formatted e-mails.

A malware scan using a legitimate scanner revealed several genuine culprits, including the phony “virus scanner” and a Trojan identified as Win32.Agent.ws, whose offending file, glddyk.dll, was located in C:\Documents and Settings\Local Settings\Application Data\Windows Server, along with some entries in the registry. The scanner offered to remove the various unwanted programs, and successfully removed all but Win32.Agent.ws. It did manage to delete the associated registry entries, but could not delete the offending .dll file.

The scanner offered to try to delete the file on reboot, but after the reboot it was still unable to remove the file. Running the scan again showed the registry entries had been restored by the persistent little bugger.

In Safe Mode the file could not be deleted either.

Essentially, the file makes sure that Windows loads it into memory early in the boot process, even in Safe Mode, and then it prevents itself from being deleted. On system shutdown, the program checks the registry entry that tells Windows to load the file, and if it has been deleted, the software adds the entry back.

I tried several solutions, including creating a restore point after the registry entries had been deleted and then booting to the restore point. It sounded like a great idea, too bad it didn’t work!

After some research, I saw several mentions of the Recovery Console. I booted to the Windows XP install disk and pressed R to get to the Recovery Console. Unfortunately, I found out that by default you can’t modify files in the filesystem outside of the %SYSTEMROOT% directory (in this case C:\Windows).

Unless you edit the registry!

In the registry (Start >> Run >> regedit), I navigated to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\ and changed SetCommand to a value of 1. I then booted back to the Recovery Console and entered the following command:

SET AllowAllPaths = TRUE

And voila! I can edit the files to my heart’s content. I navigated to the folder with the offending .dll file, renamed it and the other files in the folder, and then renamed the folder for good measure. Now the registry entry referencing the .dll file can’t find it, but I can still do a post-mortem on it if I want to (or just delete it if I don’t). Once back in Windows, I searched the registry for glddyk.dll, removed any key with that reference, and rebooted. I checked the registry again, and it was clean! I ran the scanner again, and that came up clean too.

The final piece was restoring the settings of IE. Even after the cleaning, IE still would not display web pages unless the https protocol was being used. One of the malware programs that had installed itself on her system was a browser hijacker, which had set a proxy server through which to route her http browser requests.

The fix for that was very easy.

In IE, go to Tools >> Internet Options >> Connections tab >> LAN Settings button. If the “Use a proxy server” check box is checked, uncheck the box.
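As an added illustration (not from the original post), the same cleanup steps scripted from a normal Windows XP command prompt with the built-in reg.exe: enabling SET in the Recovery Console, searching the registry for any remaining reference to the DLL, and reading the IE LAN proxy setting the hijacker changed. The value names ProxyEnable and ProxyServer under the Internet Settings key are my assumption about where the “Use a proxy server” setting is stored; the Recovery Console commands are shown in comments because they are typed at the Recovery Console prompt, not run from this script.

```batch
@echo off
REM Added example for the cleanup described above; not part of the original post.
REM Run from an administrator account in cmd.exe on the infected XP box.
setlocal

set DLLNAME=glddyk.dll
set RC_KEY=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole
set IE_KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings

echo [1] Allow the SET command in the Recovery Console (same as SetCommand=1 in regedit)
reg add "%RC_KEY%" /v SetCommand /t REG_DWORD /d 1 /f
REM Then boot the XP install CD, press R, and at the Recovery Console prompt type:
REM   SET AllowAllPaths = TRUE
REM   CD "C:\Documents and Settings\Local Settings\Application Data\Windows Server"
REM   REN glddyk.dll glddyk.dll.quarantined
REM   CD ..
REM   REN "Windows Server" "Windows Server.quarantined"

echo [2] Any registry values still pointing at %DLLNAME%? (reg query /s can take a while)
reg query HKLM\Software /s 2>nul | find /i "%DLLNAME%"
reg query HKCU\Software /s 2>nul | find /i "%DLLNAME%"
REM No lines printed means no remaining reference was found under those two hives.

echo [3] Current IE LAN proxy setting (ProxyEnable 0x1 = "Use a proxy server" is checked)
reg query "%IE_KEY%" /v ProxyEnable
reg query "%IE_KEY%" /v ProxyServer 2>nul
REM A ProxyEnable of 0x1 with a ProxyServer you never configured is the hijack.
REM Clear it in Internet Options > Connections > LAN Settings, or with:
REM   reg add "%IE_KEY%" /v ProxyEnable /t REG_DWORD /d 0 /f

endlocal
```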

I did a little dance.

Death to viruses, trojans, and spyware! Death to malware!

Jim Adcock makes a living as a SharePoint Administrator, and makes a difference as Vice President of Launch Pad Job Club, an organization in Austin, Texas, whose mission is help people who have lost their jobs to get the skills they need to land their next job, and to help them cope with the interim between jobs. Check out his career-related posts or check out some of the other content on the site.
