July 30th, 2009
Helping a friend cure a trojan infected computer
I spent the last two days, on and off, trying to rid a friend's computer of a nasty little virus contracted through the use of LimeWire. I am publishing my findings and the solution here in the hope that it will help others.
The first note I feel it prudent to mention is that over the last year I have had three occurrences where I have had to help someone rid their computer of a virus or trojan. In all of these cases there has been one consistent factor: all of these people were using the AVG anti-virus suite. Not to poke at any one product in this area, but this seems too much of a coincidence not to mention.
In all cases the installed anti-virus and anti-spyware packages did detect the threat(s) but were unable to prevent their taking hold.
So, on to this particular threat. The computer was running Windows XP SP3 with IE8 as the primary browser. The trojan detected initially was virtumond.c, but as is often the case a whole host of others were immediately injected into the system. The behaviour was that any internet access (regardless of the browser) resulted in a hijacking of the connection and a host of IE pop-ups from various advert, fake virus scan, and malicious web sites.
My friend initially tried scans with AVG and Spybot, both of which claimed to detect and remove the infection, but as soon as IE was used again the problems returned.
What I did to fix it:
1) Physically disconnect the system from the network and install new anti-virus applications from a flash drive.
2) Run a barrage of scans using Spybot, Windows Defender, Symantec Anti-virus Corporate Edition and ComboFix, followed by reboots and rescans until all returned a clean result (approximately 20 reboots and about 30 scans). When the scans all came up clean I re-installed IE8 from the flash drive.
3) Next I looked at the startup entries for the computer and identified anything unusual.
-- Step 3 found the culprit, "dswave32.dll", which resided in the C:\Windows\System32 folder and couldn't be deleted. It had been created a few days earlier, and a quick Google search identified it as the remaining problem.
4) To remove that file I rebooted into the Windows Recovery Console and deleted that file.
5) Then I performed rescans using all the available applications and manually deleted any mention of dswave32.dll from the registry.
6) At this point everything seemed to be fine, so I completed a Windows Update and logged in to each of the different profiles on the machine. Rebooted, performed the scans again, and rebooted again.
After all these procedures I can't find any lingering threats on the system and will be returning it to my friend.
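Steps 3 and 5 above (spotting the unusual startup entry, then hunting down every registry reference to it) are the part of the procedure that is easiest to get wrong by hand, so here is an added example that is not part of the original post or any tool the post mentions. It is written in Python so that it can run offline on a flash drive against a `.reg` export taken from the infected machine (`reg export` or regedit's File > Export produce this format), rather than on the infected Windows XP box itself. It parses the export, lists every value that names a DLL or EXE on disk, flags targets that live in System32 and were created within the last two weeks (the post's "created a few days ago" heuristic, using creation times collected separately, e.g. with `dir /tc`), and then generates a `.reg` file that deletes every value referencing a given file name. The sample export, the creation times and the CLSID are constructed for illustration; only the file name dswave32.dll comes from the post, and the post does not say which registry keys the real infection used.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a small .reg export in the format regedit / `reg export`
# produce, covering three common autostart locations (the Run key, a
# Winlogon\Notify subkey, and a COM InprocServer32 key). Only the file name
# dswave32.dll comes from the post; the key names, the legitimate-looking
# entries and the all-zeros/1111 CLSID are placeholders for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dswave32]
"DllName"="C:\\WINDOWS\\system32\\dswave32.dll"
"Startup"="Startup"
"Impersonate"=dword:00000000

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\WINDOWS\\system32\\dswave32.dll"
"ThreadingModel"="Apartment"
'''

# Constructed file creation times (lower-cased path -> ctime), as `dir /tc`
# on the machine would report them; collected separately from the export.
NOW = datetime(2009, 7, 30)
CTIMES = {
    r'c:\windows\system32\dswave32.dll': datetime(2009, 7, 26),
    r'c:\progra~1\avg\avg8\avgtray.exe': datetime(2008, 11, 3),
    r'c:\program files\synaptics\syntp\syntpenh.exe': datetime(2007, 5, 1),
}

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# A drive-letter path ending in a loadable module; spaces are allowed and the
# non-greedy match stops at the first extension (so trailing arguments are dropped).
FILE_RE = re.compile(r'[A-Za-z]:\\[^"<>|]+?\.(?:dll|exe|sys|ocx)', re.IGNORECASE)


def unescape(s):
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.
    REG_SZ data is unescaped; dword:/hex: data is kept as its raw text."""
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(1)[1:-1])
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            tree[current][name] = data
    return tree


def referenced_files(tree):
    """Every (key, value_name, path) where the value data names a module on disk."""
    return [(key, name, path)
            for key, values in tree.items()
            for name, data in values.items()
            for path in FILE_RE.findall(data)]


def flag_recent_system32(tree, ctimes, now, max_age_days=14):
    """Step 3 heuristic: autostart targets in System32 created within max_age_days."""
    flagged = []
    for key, name, path in referenced_files(tree):
        created = ctimes.get(path.lower())
        if ('\\system32\\' in path.lower() and created is not None
                and now - created <= timedelta(days=max_age_days)):
            flagged.append((key, name, path))
    return flagged


def entries_mentioning(tree, filename):
    """Step 5 list: every (key, value_name) whose data references `filename`."""
    suffix = '\\' + filename.lower()
    return [(key, name) for key, name, path in referenced_files(tree)
            if path.lower().endswith(suffix)]


def removal_reg(tree, filename):
    """A .reg file deleting each value from entries_mentioning(); in .reg syntax
    `"name"=-` (or `@=-` for the default value) removes a value when imported."""
    by_key = {}
    for key, name in entries_mentioning(tree, filename):
        by_key.setdefault(key, []).append(name)
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, names in by_key.items():
        lines.append(f'[{key}]')
        for name in names:
            escaped = name.replace('\\', '\\\\').replace('"', '\\"')
            lines.append('@=-' if name == '(Default)' else f'"{escaped}"=-')
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    tree = parse_reg(SAMPLE_REG)
    for key, name, path in flag_recent_system32(tree, CTIMES, NOW):
        print(f'SUSPECT {path}  <- [{key}] {name}')
    print(removal_reg(tree, 'dswave32.dll'))
```

The generated `.reg` file only removes the values that point at the file; it does not delete the file or the surrounding keys. That matches the order the post follows: delete the DLL from the Recovery Console first, where nothing is loaded that could hold it open or re-create it, then import the removal file and rescan. A whole-key deletion (`[-HKEY_...\Notify\dswave32]` in `.reg` syntax) is also possible, but the value-level form is safer when a legitimate key such as the Run key is shared with other software.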
I hope that helps someone out there who may be facing a similar infection.