Thursday, April 28, 2011

Long battle against Malware

Yesterday I VERY STUPIDLY tried to install a dodgy JPEG editor downloaded from some dodgy site... (IDIOT ME!)
I was counting on my registered AVG antivirus to protect me...
The malware went through AVG like a hot knife through butter.

Here are the consequences:

- My Web Search plugin installed on IE and Firefox
- every browser was using 127.0.0.1:57152 as a proxy (even if you remove it, it is set again every 5 seconds)
- a fake DWM.EXE *32 process was being spawned every 5 seconds; even when I killed the whole process tree it came back
- a fake CSRSS.EXE *32, as above
- a fake CONHOST.EXE, as above
- a fake SVCHOST.EXE, as above

(In Task Manager, on the Processes tab, right-click the process and use "locate folder" to check whether the EXE is in C:\Windows\System32 or somewhere else.)
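The same check can be scripted instead of right-clicking every process. The following is an added example, not code from the original post: it lists running processes named like core Windows binaries whose image is not loaded from System32 (or SysWOW64, which is where legitimate 32-bit copies live on 64-bit Windows), prints the parent process so the thing that keeps respawning them can be found, and reads the WinINET proxy setting that Internet Explorer and other system-proxy clients use. The process names and the 127.0.0.1 proxy pattern are taken from the list above; everything else (variable names, output format) is my own choice. It targets PowerShell 2.0 as shipped with Windows 7 and should be run from an elevated prompt.

```powershell
# Added example (not from the original post). Lists processes that share a name
# with a core Windows binary but run from outside System32/SysWOW64, and shows
# the current WinINET proxy configuration. Run elevated; PowerShell 2.0 or later.

$systemNames = 'dwm.exe', 'csrss.exe', 'conhost.exe', 'svchost.exe'
# Legitimate directories for these binaries. A "*32" suffix in Task Manager only
# means the process is 32-bit; a 32-bit svchost from SysWOW64 can be genuine, so
# the directory, not the bitness, is what matters.
$trustedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# Win32_Process exposes ExecutablePath and ParentProcessId for every process,
# which Get-Process does not reliably do for system processes on PowerShell 2.0.
$procs = Get-WmiObject -Class Win32_Process

foreach ($p in $procs) {
    if ($systemNames -notcontains $p.Name.ToLower()) { continue }

    $path = $p.ExecutablePath
    # A missing path is normal for protected processes such as the real csrss.exe.
    if (-not $path) { continue }

    # Compare the directory only (string comparison is case-insensitive by default).
    $dir = Split-Path -Path $path -Parent
    if ($trustedDirs -notcontains $dir) {
        # Report the parent too: the malicious copies were being respawned every
        # few seconds, so the parent is the process that actually needs killing.
        $parent = $procs | Where-Object { $_.ProcessId -eq $p.ParentProcessId }
        Write-Output ("SUSPICIOUS {0} (PID {1}) at {2}; parent {3} (PID {4})" -f `
            $p.Name, $p.ProcessId, $path, $parent.Name, $p.ParentProcessId)
    }
}

# The WinINET proxy (used by Internet Explorer and any browser set to "use system
# proxy settings") is stored per user under this key.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
Write-Output ("ProxyEnable = {0}; ProxyServer = {1}" -f $inet.ProxyEnable, $inet.ProxyServer)
if ($inet.ProxyEnable -eq 1 -and $inet.ProxyServer -like '127.0.0.1:*') {
    Write-Output 'WARNING: browser traffic is being routed through a local proxy on this machine.'
}
```

Running it in a loop (for example every few seconds with Start-Sleep) while the proxy keeps reappearing makes it easy to catch the moment the setting flips back and to see which parent process is responsible. Firefox keeps its own proxy settings in its profile's prefs.js unless it is configured to use the system proxy, so the registry check above does not cover that case.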

I bought Lavasoft Ad-Aware, with runtime protection: it could identify that something dodgy was going on, but could not eradicate it completely.

I also ran Malwarebytes Anti-Malware, which identified some stuff.

Finally I killed all the dodgy processes, deleted all the dodgy EXE files and cleaned up all the dodgy Registry entries (see here http://www.threatexpert.com/report.aspx?md5=9d94b6111ce550c0e999d2deba07b018 for a non-exhaustive list), and now everything SEEMS to be back to normal.
Here is a good description of this Trojan.

I am really amazed at how easily Windows 7 64-bit security is pierced.

I will immediately resize my partition, install Ubuntu and use Windows 7 only when really needed.
