Thursday, April 29, 2010

Total Security Spyware

Here comes another piece of spyware down the pipe... Total Security spyware

When I was called to remove this, it wasn't running properly, but it had traces still running on the system that allowed it to keep itself installed with limited functionality.

I removed the drive to scan it externally, but AVG and Malwarebytes couldn't find all the files. So, the next step was to look at the drive to see if I could notice anything.

Here's what I found:
In the registry, under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, I found two entries:
- {random characters} Rundll.exe "C:\Windows\System32\bafekefe.dll", a
- {random characters} Rundll.exe "C:\Windows\System32\vetaweyo.dll", s

or something close to this.

If I deleted these entries and refreshed the screen, they came right back. So, something is running on the system, and I cannot use Malwarebytes on the infected system because the spyware deletes it immediately after it's installed.

Next step:
- Connected it externally and looked at the "system32" folder and found a bunch of HIDDEN "dll" files with random-character names, with file sizes of either 42k or 63k. Once I deleted all these files, I was able to boot the system cleanly, but errors came up stating that it could not run legitimate ".exe" files because "bafekefe.dll" was not a legitimate file when they were loading (I had deleted the bad .DLL and made a notepad file with the same name).

What was causing this action? The following fix helped:
Go to: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
and clear the data field for "AppInit_DLLs", but DO NOT DELETE the value itself.
REBOOT
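Added example, not part of the original post: a PowerShell script, run from an elevated prompt on the affected system, that lists the three persistence points described above (Run-key rundll entries, hidden DLLs in System32, and the AppInit_DLLs data) and, only when given the -ClearAppInit switch, empties the AppInit_DLLs data without deleting the value. The 42k/63k size bands, the extra HKCU Run key and the switch name are my assumptions; the script deletes no files.

```powershell
# Added example (not the original post's procedure). Read-only triage of the
# persistence points the post describes; nothing is deleted. Run elevated.
param([switch]$ClearAppInit)

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'   # assumption: also worth a look
)
$appInitKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

# 1. Run-key entries that load a DLL through rundll/rundll32 (the post's two entries)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name
    foreach ($name in $names) {
        $value = [string]$props.$name
        if ($value -match 'rundll(32)?\.exe.*\.dll') {
            Write-Output "RUN        $key\$name = $value"
        }
    }
}

# 2. Hidden DLLs in System32 whose size is near the 42k / 63k the post reports
#    (size bands are an assumption; they only flag candidates for manual review)
$sys32 = Join-Path $env:SystemRoot 'System32'
Get-ChildItem -Path $sys32 -Filter '*.dll' -Force |
    Where-Object { -not $_.PSIsContainer } |
    Where-Object {
        $hidden = ([int]($_.Attributes -band [IO.FileAttributes]::Hidden)) -ne 0
        $size42 = ($_.Length -ge 41000) -and ($_.Length -le 44000)
        $size63 = ($_.Length -ge 62000) -and ($_.Length -le 65000)
        $hidden -and ($size42 -or $size63)
    } |
    ForEach-Object { Write-Output ("HIDDEN-DLL {0} ({1} bytes)" -f $_.FullName, $_.Length) }

# 3. AppInit_DLLs: show the current data; clear it only when asked.
#    Set-ItemProperty keeps the value present but empties its data, which is
#    the post's fix (clear the data, do not delete the value).
$current = (Get-ItemProperty -Path $appInitKey -Name 'AppInit_DLLs' -ErrorAction SilentlyContinue).AppInit_DLLs
Write-Output "AppInit_DLLs = '$current'"
if ($ClearAppInit -and $current) {
    Set-ItemProperty -Path $appInitKey -Name 'AppInit_DLLs' -Value ''
    Write-Output 'AppInit_DLLs data cleared; reboot for the change to take effect.'
}
```

On a system where the Run entries keep reappearing, as the post describes, run the script from an external boot or after the hidden DLLs have been dealt with, since a live process will re-create the entries.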

Now the system seems clean from the virus and I was able to install Malwarebytes and AVG to do scans, and to update Windows with all the latest patches/fixes.

Hope this helps to all.

ONE LAST NOTE: ComboFix.exe may have helped me with this, but my copies were infected, and I was able to clean up the spyware manually, which added to my experience.

Please post comments if you found this helpful, if I omitted other key information, etc.