Saturday, October 20, 2007

Tough days... getting rid of Windows vermin

I downloaded a small utility to figure out my Windows XP's license key and lo & behold I had a nasty virus/worm/trojan/adware... which none of the regular anti-virus/anti-adware programs could beat. In fact, while these tools were scanning, the trojan would pop up windows mocking all my efforts.

Well, the culprit was some variant of the Downloader trojan. After plenty of research I found out that this beast used a rootkit to hide itself from those products. And here's the endorsement: F-Secure managed to get rid of the Downloader trojan, with some help from the Process Explorer utility by the fantastic ol' SysInternals folks, now with Microsoft.

Here's the way to get rid of the Downloader trojan (you'll need admin privileges for this, since you have to install software and suspend winlogon.exe, which runs as SYSTEM):
  1. Download and install ProcessExplorer: http://www.microsoft.com/technet/sysinternals/utilities/processexplorer.mspx
  2. Download and install F-Secure Anti-Virus 2008 (30 day trial product) http://www.f-secure.com/home_user/support_and_downloads/evaluations/
  3. Start a full scan in F-Secure and pause it as soon as it starts.
  4. Start Process Explorer, then right-click each of 'explorer.exe' and 'winlogon.exe' and select 'Suspend'. This freezes any trojan code that has been injected into those two processes, so it cannot re-hide itself or interfere while the scan runs. Caveat: suspending them only stops code living inside those two processes; a component running as a service, inside another host process (svchost.exe, for instance) or as a kernel driver carries on regardless. If the pop-ups continue with both suspended, use Process Explorer's lower pane (DLL view) to look for unsigned or oddly named DLLs loaded into other processes.
  5. Use Alt+Tab to switch back to F-Secure (the taskbar will not respond while explorer.exe is suspended) and let it do its work. This takes a while depending on your disk size/utilization and the computer's hardware.
  6. Once F-Secure finishes, right-click the suspended processes in Process Explorer and 'Resume' them. Resume winlogon.exe before doing anything else: while it is suspended, Ctrl+Alt+Del, locking the workstation and logging off will not work.
  7. Say 'phew' and never run unknown/untrusted software. My company's IT admin tells me that there is a way to find out your XP license key from the registry. I couldn't find anything on this except a utility at MSFT's site that only shows the last 15 digits. See: http://go.microsoft.com/fwlink/?linkid=52012
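As an added example (not from the original post, nor from F-Secure or Sysinternals), here is the registry route to the XP product key that this whole episode started with, so that no third-party "key finder" has to be run at all. Windows XP keeps the key inside the DigitalProductId value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion; bytes 52 to 66 of that value are a 15-byte little-endian integer whose base-24 digits, over a 24-letter alphabet, are the 25 characters of the key. The decoder below implements that XP-era encoding; the encoder exists only to build a constructed sample blob (the sample key is made up and is not a real licence), and the function names and the registry-reading helper are this example's own. The encoding changed in later Windows versions, so this is XP-specific.

```python
# Added example (not from the original post): decode the Windows XP product key that
# Windows stores in the registry, so no untrusted "key finder" utility needs to run.
#
# XP keeps it in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value
# DigitalProductId (REG_BINARY, 164 bytes). Bytes 52..66 (15 bytes, little-endian)
# hold the 25-character key as a base-24 integer over the alphabet below.
import sys

KEY_CHARS = "BCDFGHJKMPQRTVWXY2346789"   # the 24 symbols an XP key is drawn from
KEY_OFFSET, KEY_LEN = 52, 15             # where the encoded key sits inside DigitalProductId
BLOB_LEN = 164                            # size of the XP DigitalProductId value


def decode_digital_product_id(blob: bytes) -> str:
    """Return the product key ("XXXXX-XXXXX-XXXXX-XXXXX-XXXXX") encoded in an XP DigitalProductId blob."""
    if len(blob) < KEY_OFFSET + KEY_LEN:
        raise ValueError("DigitalProductId too short: %d bytes" % len(blob))
    n = int.from_bytes(blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN], "little")
    digits = []
    for _ in range(25):                   # 25 base-24 digits, least significant first
        n, rem = divmod(n, 24)
        digits.append(KEY_CHARS[rem])
    key = "".join(reversed(digits))       # most significant digit is the first key character
    return "-".join(key[i:i + 5] for i in range(0, 25, 5))


def encode_product_key(key: str) -> bytes:
    """Inverse of decode_digital_product_id; used here only to build a constructed sample blob."""
    raw = key.replace("-", "").upper()
    if len(raw) != 25 or any(c not in KEY_CHARS for c in raw):
        raise ValueError("not a well-formed XP product key")
    n = 0
    for c in raw:
        n = n * 24 + KEY_CHARS.index(c)
    blob = bytearray(BLOB_LEN)            # everything outside the key field is left zeroed
    blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = n.to_bytes(KEY_LEN, "little")
    return bytes(blob)


def read_registry_product_key() -> str:
    """Read and decode the live value from the registry (Windows only; hypothetical helper)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion") as k:
        blob, _kind = winreg.QueryValueEx(k, "DigitalProductId")
    return decode_digital_product_id(blob)


# Constructed sample: a syntactically valid, made-up key (not a real licence) round-tripped
# through the same encoding Windows uses, so the decoder can be exercised offline.
SAMPLE_KEY = "BCDFG-HJKMP-QRTVW-XY234-6789B"
SAMPLE_BLOB = encode_product_key(SAMPLE_KEY)

if __name__ == "__main__":
    if sys.platform == "win32":
        print("Registry:", read_registry_product_key())
    print("Sample  :", decode_digital_product_id(SAMPLE_BLOB))
```

The sample key deliberately starts with 'B' (digit value 0) so the decoder is seen to pad the leading zero digit back in rather than returning 24 characters. On an XP machine, running the script prints the live key next to the sample; anywhere else it prints only the sample.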
If you find this useful, do let me know; also let me know if you removed Downloader using other tools/methods.