27 August 2008

whew! another trojan attack.. lucky I survived!

Thanks to Autoruns from SysInternals
Just downloaded a screensaver recently and was enjoying the great 3D solar system view, but after a couple of seconds a balloon popped up notifying me that my Windows Firewall and Windows Update were disabled! So it got me thinking that the screensaver I'd just downloaded was a trojan!! (stupid-stupid-stupid!)

A bit lucky, I got my Windows Firewall back but ... I couldn't turn Windows Update on! It's like something's monitoring it and keeping it disabled! hmmm.... tricky situation...

After half an hour of hunting ... I thought of using Autoruns to look more deeply into Windows autoruns and saw some weird DLL filenames in:
  • Logon
  • Explorer - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
  • Internet Explorer - HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
  • LSA Providers - HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
I listed them and made a batch file so I don't have to type and delete them manually.

----- deltroj.bat -----
@echo off
cls
rem DLLs found with Autoruns; del fails on any that are still loaded,
rem so run this from a boot CD (or after unlocking them), not from the live OS
echo deleting stupid trojans
echo deleting
echo d:\windows\system32\tptdclih.dll
del d:\windows\system32\tptdclih.dll

echo deleting
echo d:\windows\system32\pmnkkcsl.dll
del d:\windows\system32\pmnkkcsl.dll

echo deleting
echo d:\windows\system32\pmnmklbb.dll
del d:\windows\system32\pmnmklbb.dll

echo deleting
echo d:\windows\system32\jmvqbh.dll
del d:\windows\system32\jmvqbh.dll

echo done

pause
---- end ----

Oh and btw, those are locked! That means you can't delete them while Windows XP is running. Download Unlocker - that should help you delete those files ... or you can boot up in DOS mode ... errrrr .... how? I used BootCD from Hiren.

hmmm... so after all that stuff, I rebooted and booted up into normal Windows XP, got some notifications about missing files... that means my OS is clean but I should do some manual cleanup ... ran Autoruns again, looked at the tabs where I found the trojan files and deleted the entries!
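The same checks as an added PowerShell example (not from the original post, and not part of Autoruns): it walks the autorun locations listed above, resolves each entry to the DLL it loads, and reports whether the file exists and whether it carries a valid Authenticode signature. Entries whose file is missing are exactly the leftover entries the post removes after the reboot; entries that exist but are unsigned are the ones to look at before that. The post names the ShellExecuteHooks, Browser Helper Objects and SecurityProviders keys; the Winlogon\Notify key is my assumption for what the Logon tab showed on XP.

```powershell
# Added example: enumerate the autorun DLL locations named in the post and
# flag entries that point at missing or unsigned files. Assumes the built-in
# Registry provider; HKCR: is mapped here because PowerShell does not map it.

if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A COM server registers its DLL as the default value of CLSID\{guid}\InprocServer32
    $key = "HKCR:\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { return (Get-ItemProperty -Path $key).'(default)' }
    return $null
}

function New-Entry {
    param([string]$Location, [string]$Entry, [string]$Path)
    $expanded = if ($Path) { [Environment]::ExpandEnvironmentVariables($Path) } else { '' }
    # Bare file names (as in SecurityProviders) are loaded from System32
    if ($expanded -and -not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $env:SystemRoot "System32\$expanded"
    }
    $exists = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
    $signed = 'n/a'
    if ($exists) { $signed = (Get-AuthenticodeSignature -FilePath $expanded).Status }
    New-Object PSObject -Property @{
        Location = $Location; Entry = $Entry; Path = $expanded
        Exists = $exists; Signature = "$signed"
    }
}

function Get-AutorunDlls {
    $results = @()

    # Explorer - ShellExecuteHooks: each value name is a CLSID
    $hooks = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
    if (Test-Path $hooks) {
        foreach ($v in (Get-Item $hooks).GetValueNames()) {
            if ($v -like '{*}') { $results += New-Entry 'ShellExecuteHooks' $v (Resolve-ClsidDll $v) }
        }
    }

    # Internet Explorer - Browser Helper Objects: each subkey name is a CLSID
    $bho = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $results += New-Entry 'BHO' $k.PSChildName (Resolve-ClsidDll $k.PSChildName)
        }
    }

    # LSA Providers: comma-separated DLL list loaded into lsass.exe
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
    if (Test-Path $lsa) {
        $list = (Get-ItemProperty $lsa).SecurityProviders
        if ($list) {
            foreach ($d in ($list -split ',')) {
                if ($d.Trim()) { $results += New-Entry 'SecurityProviders' $d.Trim() $d.Trim() }
            }
        }
    }

    # Logon: Winlogon Notify packages (DllName under each subkey), used on XP (assumed location)
    $notify = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $results += New-Entry 'Winlogon\Notify' $k.PSChildName (Get-ItemProperty $k.PSPath).DllName
        }
    }
    return $results
}

# Missing (Exists = False) and unsigned entries sort to the top of the table
Get-AutorunDlls |
    Select-Object Location, Entry, Path, Exists, Signature |
    Sort-Object Exists, Signature |
    Format-Table -AutoSize
```

Run it before the cleanup to see which DLLs the four locations actually load, and again after the reboot: anything still listed with Exists = False is a dangling registry entry of the kind the post deletes by hand in Autoruns. A valid signature from a known vendor is a reason to leave an entry alone; an unsigned DLL with a random-looking name in one of these keys is what the post's entries looked like.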

and that's it!! :P stupid me .... and dumb-ass-a-hole trojan creator *wink*
