Friday, December 08, 2006

The Epsilon War.A howto fight an unknown virous..

After a little adventure I recently had I decided to share it in case someone shares the same problem with me,or is just having a virous that is so new/unpopular to be listed.Its mainly targeted to begginer users that would be interested in knowing a bit about their systems and like to get their hands dirty...

Chapter 1:Suspicion

It all started one day I tried to type in Greek.The first symptom was when I tried to input the accented epsilon (έ) which was typed as ¨¨ε.I then tried other combos to just find out I had totally lost ( ' ) .

Fist thought that crossed the mind was the unicode and language/regional settings.After messing with them for a while with no success it was Scan time.Updated and fully scanned the system with Norton Antivirous,Kaspersky,Nod32m,Antivir Personal,Spybot,Webroot.Apart from some cookies that they are always found nothing else suspicious appeared...The problem insisted.....


Chapter 2: Investigation

It was time to locate the source of my pain.And NO I was not willing to format the system.I would not give the battle that easily.So I did a series of tests

  1. Safe mode : The letters were working ok here.Ok then it MUST be application related
  2. Normal mode : I pressed Run and inserted Msconfig.On the box that appeared I selected diagnostic startup and rebooted windows.Again everything appeared to be ok.Time to find that @#^@^$@# aplication
  3. TaskManager : Reverted msconfig to normal,rebooted.Pressed Alt+Ctrl+Delete ,switched to Processes,Sorted them by UserName and starting killing them one at a time.Occasionally I was faced by a Timeout to shutdown the system but you can disable it by pressing Start->Run->Shutdown.exe -a .After Killing all processes I could the problem was still there and only the processes I could not kill were left.Ok we are facing Stealthed application
Since there is an application that I cannot see I decided to check the startup methods just to find the suspicious exe.


-Regedit : Start->Run->Regedit.exe .From there you have to browse to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
And check which programs are setup to start.My search resulted in nothing so I went to check HKEY_CLASSES_ROOT\exefile\shell\open\command
Since its a VERY sneaky way to startup a file.Nothing here too...

-Services : Start->Run->services.msc /s .Located all the services that are enabled to start ayto and made them manual.Also disabled all the Non Microsoft Ones.Rebooted system but with no luck

-Msconfig : Start->Run->msconfig .You can play with services from here too but it does not list the hidden ones that is why I preffer the previous method.Just go to autorun method and checkout everything that you don't know what it is and reboot.Again in my case that did not fix the system.

So that was it.Time to take the war into my own hands.Poor Xp have no way to defend themselves from malicious coders...

Chapter3:Foreign Weapons -> Victory

All the medium user will ever need is 2 free and simple tools.Courtesy of Systernals

Lets start with Process Explorer.Download it extract and run.You should get such a screen



The Blue ones are applications the User started.So if you got a virous,spyware its probably coloured Blue.Kill the ones you know and check or if you are more patient than me you can try to google them.If in the first 2 pages results you see any mention of words such as malware,spyware,worm,virous you have found the culprit.I took the kill method till I located the application that caused the issue.I had a name "csrss.exe" and even though listed it was not detected by antivir so I think its a new variant.


Now its time for autoruns.Download extract and run and go to Logon Tab.This is what you should see...



The suspicious exe WILL appear here as well as its startup method.In my case it used HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
So I unchecked it,Rebooted and tested.Oh the Happiness...Opened Regedit to delete the entry and then the file....Hope you are as lucky as I am..Did I mention the fulfillment feeling you get after all this trouble?



No comments: