Wednesday, September 5, 2007

extirpating Think-Adz

The self-styled winantiviruspro2007 has a cute little install pop-up that says 'Click OK to cancel this install'. This fooled number-one-son into clicking 'Cancel', which of course double-negatives into actually installing the winantiviruspro2007. Removing this lying thieving bastard was straightforward, between Scotty and Clamwin, no troubles.

However it brings Think-Adz along with it. That has a cunning trick whereby it re-installs itself every thirty seconds or so. None of the usual helpmeets could touch this - Scotty disabled its startup tasks and marked the dll files for deletion at startup, but after startup, the pox just re-installs; Clamwin didn't find anything, Ad-Aware and Spyware Blaster failed too. I went through the registry and pulled each key out, but before I could restart, it had re-installed. Hm.

Google failed me too: lots of references to Think-Adz, but all the 'solutions' involved buying someone's dodgy-looking software, or helpful 'tips' like "use Add/Remove programs to uninstall". Of course Think-Adz does not list itself in Add/Remove, and if it did, I'm certain the Remove would install something else noxious, plus keep T-A itself.

When in disgrace with fortune and men's eyes, not to say Windows, I trouble not deaf heaven with my bootless cries, but instead go to Sysinternals. Process Explorer (PE) and Autoruns are the essential tools. The Sysinternals tools overlap with Scotty's functionality - Scotty is usually more readable, the tools have useful extras. Since I didn't find this anywhere else, here's a step-by-step for rooting out Think-Adz, and mutatis mutandis, similar infections.

Scotty will show the rogue processes, using tab 'active processes'. This step involves knowing what's usually running on the system, so the skellums can be identified. If the usually running processes are not known, unsigned processes (no Company Name or Version information) are a good place to start. Google the process names for more information, and read with a jaundiced eye. Often infections will give their processes the same names as real Windows executables, and install them in C:\WINNT\system32\, so they look legit. In this case, the rascals were owinpmdt.exe and dwdsrngt.exe, running indeed from \system32.

For this case, look in \system32 using Windows Explorer (WE) or similar, sort by 'Modified Date', and check the files that were installed at a similar time to the known rogues. In this case the files all had recent timestamps from the install, so they all sorted to the top of the heap. Apart from the .exes, there were also two dll files installed in system32, xxyaaxu.dll and awvtt.dll.

These dll's and .exe's can't be deleted from WE, since they are marked 'in use'. Scotty can delete the .exe files - rightclick on the process in Scotty, and select 'delete file on reboot'. The dll's can be removed similarly using another Sysinternals tool, PendMoves, but I prefer to first find out what's using the dll's, to make sure I didn't miss some process.

To do this, start the Process Explorer, then use Find to enter a dll name and see which processes are using it. This revealed the xxyaaxu and awvtt were used by the known rogues, but also by Winlogon.exe, which is a legitimate Windows process. The Winlogon turned out to be where the reinstalls were coming from. Killing Winlogon also terminates Windows very rudely, so there's no simple way to stop the reinstallations. Luckily PE has another option: rightclick on the process in PE and select 'Suspend'. Obviously some bits on Windows won't work right while this is suspended, so complete the T-A removal as a priority.

Now use Scotty and Autoruns to see what new horrors have been scheduled to run at startup. As for the processes, it's good to know what is legitimately started, so the rogues can be identified. If not known, proceed as before to check the signatures and Google the unknowns. As for processes, use Scotty to rightclick on the task and select 'delete file on reboot' for the known bad guys, and 'disable' for the suspected bad guys. Check with Autoruns that Scotty found everything.

I found
C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP000.TMP\
and
streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
in my setup. Neither of these looked legitimate, so deleted them both as well.

Reboot. After reboot, verify that the dlls and exes were deleted from their locations. In my case the dll's still existed, but weren't in use anymore, so that WE could delete them.

For completeness' sake, run a registry edit and search to look for other traces of the beast. If the process above doesn't get rid of it, this will be required. First re-do the steps of the above process up to but not including the reboot. Then, Start/Run or open a command prompt, and run regedit. Read the awful warnings from Microsoft about editing the registry, take a deep breath, and proceed. Backup the registry first if you are feeling timid, but I usually don't bother. Note that in XP and Vista, there will be automatic System Restore points created by Windows, which can be used to restore the registry if need be. If doing this, select a date before the system was infected ;-)

Select 'My Computer' in the left-hand pane of regedit, then use the Edit menu to find all mentions of the known bads, owinpmdt, dwdsrngt, xxyaaxu and awvtt. Delete all keys containing references to these, unless they belong to BillP Studios, which is Scotty. BillP Studios will have references to the bad 'uns, which allow Scotty to delete the files upon reboot. To delete the keys, note that the find will show the reference in the right-hand pane. It's not immediately obvious which key is involved, but look at the bottom of the window, which will list the full key name. Select this key in the left-hand tab, then rightclick and select 'Delete'.

Also search the registry for Think-Adz, and any related data. For example Google turned up ExploreUpdSched, BrowserUpdateSched, kwinkrex.exe, ljdsrngk.exe and twinkmdt.exe as being related to Think-Adz. I didn't see these on my infection, but check and make sure.

After a mere three to four hours' work, you'll be back to an undiseased state. Hooray. Maybe it's time to upgrade to Ubuntu Linux.