whitedove01s: (Default)
OK, yesterday I was trojanned. Again. By the same one I had a few months back. As bugs go, this one is not as nasty as some - there's no real file damage (unless you web-surf with Internet Explorer, in which case it messes with your settings), just a ginormous amount of irritation and frustration.

This blog has pretty good info on how to remove it, though I see a lot of people going the route of doing system restores (I've never done that) or wiping and completely reinstalling their HD to get rid of this. Neither is necessary. And while the blog has pretty good instructions, not all of its steps are necessary either.

Here's my method for defeating this nasty bugger (on Windows XP, no additional software needed, no system restore, not even a need to get online):

STEP ONE

As soon as you spot this program start its BS, hit Ctrl+Alt+Del (or Ctrl+Shift+Esc, which opens Task Manager directly) to bring up Task Manager. If it won't let you, either use the methods on the blog linked above or shut down and reboot your computer. When you reboot, hit Ctrl+Alt+Del AS SOON AS WINDOWS STARTS. That gets Task Manager open before Antivirus Soft launches itself and starts blocking things. Also try to get an Explorer (My Computer) window open, though if you can't, don't worry; Task Manager is the important part for the first step. These are all you really need.

In Task Manager go to the Processes tab and click the Mem Usage column header to sort by memory (click it twice to put the biggest first). Look for the programs hogging the most memory. You are looking specifically for an EXE file whose name is a random string of letters. There are some legitimate Windows files with pretty indecipherable names, and XP's Task Manager doesn't show the path a process was started from, so memory use is your best tell here: the file or files you're looking for should stand out by it. In my experience, they've usually been in the top 1-4 entries.

Different versions of the trojan use different random letter strings as the prefix, but the fixed endings that have been seen, and that you should look for first, are the following (the * stands for the random letters):
*sysguard.exe
*sftav.exe
*tssd.exe

If you don't spot yours among those, don't give up. It just means you have a slightly different variant. The rest of the removal is still the same.

Anyhow, once you've spotted a winner, note the fixed ending of its name (the part after the random prefix, e.g. 'tssd') and check whether it's alone. If there's another big memory hog that's also a random string with the same ending, then the trojan installed Antivirus Soft twice under two different names. If the same EXE name shows up more than once, then it's one copy of Antivirus Soft running more than once. WRITE DOWN THE FILE NAMES; you'll need them to find the files on disk in Step Two. Regardless of how many copies are running, select it or them and hit End Process to have Task Manager give them a smackdown.

My own files the last time were 'tiliblxtssd.exe' and 'utetbnttssd.exe'. I'd been hit with a double dose, and each file was running twice for a total of four open instances of the malware.

STEP TWO

If you got the right files, the popups and nagging from this piece of slag scareware will have gone away. If you didn't, and you made your PC lock up - which is pretty unlikely really - then just reboot and try again.

Now that the little bugger can't stop you, it's time to kill it dead. Open My Computer and browse to the following directory:
C:\Documents and Settings\<user>\Local Settings\Application Data\
(Keep in mind that <user> is your own account's folder name, not literally the word 'user'. You should know which folder that is, since all your documents and stuff go under it too. Local Settings is a hidden folder, so if it isn't showing, go to Tools > Folder Options > View and turn on 'Show hidden files and folders' first.)

In the Application Data folder you'll be looking for a subdirectory whose name is a random mess of letters. Examples from my own experience have been 'ktrnlodwu' and 'yfpktdwwp', but these could be anything. Look in those folders. If you see an EXE file all by its lonesome that has the same file name as the one you've just smacked with Task Manager, there's your problem. Also, in all cases I've had, the Windows description of the file has called it 'notification tool Avira GmbH'.

Delete the whole random-named subdirectory it's in. If you had more than one random-letter-named EXE running, make sure to get the directories they're all in. They shouldn't be hard to find, especially if you wrote down those file names. (Windows won't let you delete an EXE that is still running, which is why ending the processes came first; if the delete is refused, go back to Task Manager and check for a copy you missed.)

Once you've deleted those and emptied the Recycle Bin, it's bye-bye to Antivirus Soft. At least, until the next time. You can now run whatever anti-malware software you have to check for anything missed, or go back to what you were doing. If Internet Explorer still won't load pages afterwards, check Tools > Internet Options > Connections > LAN Settings and clear any proxy server you didn't set yourself; the 'settings' it messes with are typically a proxy it points IE at.
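The post's method is entirely manual: eyeball Task Manager, then eyeball Explorer. As an added example (my code, not the post's), the script below applies the same heuristic to text you can capture on the infected XP box with built-in tools - `tasklist /fo csv`, a `dir /s /b` listing of Local Settings\Application Data, and a `reg query` of the per-user Run key - and reports the PIDs to end, the random-named folders to delete, and any startup entry still pointing at the deleted EXE. The Run-key check is my addition; the post does not say how the program relaunches, but the per-user Run key is the usual place to look. The sample dumps are constructed from the file and folder names the post reports (PIDs, memory figures and the Run value name are made up), and the name pattern (random lowercase prefix of at least four letters plus one of the three known endings) is a heuristic, so confirm each hit against the dropped-file location before deleting anything. Run it wherever you have Python 3 (3.4 is the last release that installs on XP).

```python
"""Triage helper for the clean-up above (added example, not the post's own method).
It applies the post's heuristic to three text dumps taken on the infected XP box:
`tasklist /fo csv`, `dir /s /b` of Local Settings\\Application Data, and
`reg query HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run`."""
import csv
import io
import ntpath
import re
from collections import Counter, defaultdict

# Fixed endings the post lists for Antivirus Soft executables; the prefix is random letters.
KNOWN_SUFFIXES = ("sysguard", "sftav", "tssd")
SUSPECT_NAME_RE = re.compile(r"^[a-z]{4,}(?P<suffix>" + "|".join(KNOWN_SUFFIXES) + r")\.exe$")


def parse_tasklist_csv(text):
    """Turn `tasklist /fo csv` output into (image name, pid, mem_kb), biggest memory first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        mem_kb = int(row["Mem Usage"].replace(",", "").replace(" K", ""))
        rows.append((row["Image Name"].lower(), int(row["PID"]), mem_kb))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def suspect_processes(procs):
    """{image name: [pids]} for random-letter names that end in a known suffix.
    Several PIDs under one name = one copy running more than once; two different
    names with the same suffix = two separate installs (both cases the post describes)."""
    hits = defaultdict(list)
    for name, pid, _mem_kb in procs:
        if SUSPECT_NAME_RE.match(name):
            hits[name].append(pid)
    return dict(hits)


def dropper_dirs(listing, appdata_root, suspects):
    """Find <Application Data>\\<random dir>\\<suspect>.exe in a `dir /s /b` listing and
    note whether the random dir holds nothing but that one exe, as the post describes."""
    root = appdata_root.rstrip("\\").lower()
    files_by_dir = defaultdict(list)
    for path in listing:
        files_by_dir[ntpath.dirname(path)].append(ntpath.basename(path).lower())
    found = {}
    for directory, files in files_by_dir.items():
        if ntpath.dirname(directory).lower() != root:  # only direct children of the root
            continue
        for name in files:
            if name in suspects:
                found[directory] = {"exe": name, "alone": len(files) == 1}
    return found


def stale_run_entries(reg_dump, suspects):
    """Pick Run values whose command ends in a suspect exe (my addition, see lead-in)."""
    stale = []
    for line in reg_dump.splitlines():
        parts = re.split(r"\s{2,}|\t+", line.strip())  # name / REG_type / data columns
        if len(parts) >= 3 and parts[1].startswith("REG_"):
            if ntpath.basename(parts[-1].strip('"')).lower() in suspects:
                stale.append((parts[0], parts[-1]))
    return stale


def triage(tasklist_text, listing, appdata_root, reg_dump):
    """Everything Steps One and Two need: PIDs to end, folders to delete, Run values to drop."""
    suspects = suspect_processes(parse_tasklist_csv(tasklist_text))
    return {
        "kill_pids": sorted(pid for pids in suspects.values() for pid in pids),
        "installs": Counter(SUSPECT_NAME_RE.match(n).group("suffix") for n in suspects),
        "delete_dirs": dropper_dirs(listing, appdata_root, suspects),
        "run_entries": stale_run_entries(reg_dump, suspects),
    }


# --- constructed sample dumps: names from the post; PIDs, sizes and the Run value are made up
APPDATA = r"C:\Documents and Settings\user\Local Settings\Application Data"
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System Idle Process","0","Console","0","28 K"
"explorer.exe","1232","Console","0","18,244 K"
"tiliblxtssd.exe","1660","Console","0","26,912 K"
"utetbnttssd.exe","1688","Console","0","25,380 K"
"tiliblxtssd.exe","1704","Console","0","26,904 K"
"utetbnttssd.exe","1720","Console","0","25,412 K"
"svchost.exe","944","Console","0","21,504 K"
"ctfmon.exe","1588","Console","0","3,112 K"
"""
FILE_LISTING = [
    APPDATA + r"\ktrnlodwu\tiliblxtssd.exe",
    APPDATA + r"\yfpktdwwp\utetbnttssd.exe",
    APPDATA + r"\Microsoft\Windows\UsrClass.dat",
    APPDATA + r"\Temp\~DF1234.tmp",
]
REG_DUMP = (
    "\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n"
    "    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe\n"
    "    tiliblxtssd    REG_SZ    " + APPDATA + "\\ktrnlodwu\\tiliblxtssd.exe\n"
)

if __name__ == "__main__":
    for key, value in triage(TASKLIST_CSV, FILE_LISTING, APPDATA, REG_DUMP).items():
        print(key, value)
```

On the sample data this reports four PIDs to end (two names, each running twice, which the `installs` count shows as two separate installs sharing the 'tssd' ending), both random-named folders as containing nothing but the suspect EXE, and one leftover Run value to remove. A folder that holds other files alongside the EXE is flagged `alone: False` so you look before deleting the whole directory.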

STEP THREE?
Since I've had this twice, I was a little concerned the anti-malware software might not catch the latest version and did some poking around of my own. I ran a search of my whole C drive for any directories named 'avsoft', since I'd seen a couple of things hinting that might be where the trojan hides. I did not find any folders, but under Windows\SYSTEM32 I found a file named killavsoft.exe. It claims to be from Microsoft, but when I checked my second computer - which also runs XP but has never been online - I did not find this file. I've currently disabled it by renaming the exe to ex_ until I can determine if it's a trojan or a legitimate system file. So far I've had no system problems from disabling it, but I also can't find anything online to confirm one way or the other, so for most folks (who aren't compulsive meddling idiots like me) I'd advise just running a couple of good and recently updated malware-killers to make sure the problem is killed dead.

Page generated Jul. 23rd, 2017 04:35 am
Powered by Dreamwidth Studios