Monday, December 7, 2009

Windows Trojan removal using Knoppix

My brother called me to say his Windows XP laptop had trojan problems. He said it all started after he applied for a game testing job over the internet where the company had him download an executable application to use as part of the process (not a good idea).

The first thing I did was tell him to download Malwarebytes Anti-Malware and HijackThis. I had him run HijackThis and send me the scan log text. Some malware won't even let you download or run those, so he was lucky. I spent a bit of time going through the list, but right off I saw a few obvious pieces of malware in the startup entries and a bunch of junk like old printer driver accessories that needed to go.

The obvious malware looked like this under the categories AppInit_DLLs, SSODL, and SharedTaskScheduler:

wehazibi.dll, gaganoza.dll, mudabihu.dll, wukoraga.dll, jujutoji.dll, jaduzumi.dll, bezijigi.dll, wegagolu.dll

And this entry
MySQL c:\Program.exe (file missing)

Another interesting file was c:\windows\system32\GameMon.des.exe (file missing). Various sources say this is not good to have, so I put it on the list.

The problem was that HijackThis couldn't remove all the things I listed, nor could Malwarebytes, because the malware was not letting him boot into Safe Mode. But that was OK because I told him to use Knoppix. He had never heard of it, but eventually he understood that Knoppix is a Linux that boots and runs from a CD and can mount your hard drive if you tell it to. The important part is that Windows is not running at all while you work: none of the malware's processes, services, or AppInit_DLLs hooks are loaded, so nothing can hold the files open, hide them, or re-create them while you delete them. The live system itself is unaffected by anything on the Windows disk.

I had him set the laptop to boot from the CD drive and burn a CD of the ADRIANE version of Knoppix 6.2.0. He chose to use the command-line interface from the Knoppix menu instead of the X Window interface, but that's OK if you know how to use 'cd' to change directories and 'rm' to remove files. I prefer the X Window interface because it has a full file manager. But sometimes Knoppix has trouble with the mouse, especially if it's a laser mouse (hopefully this gets improved), so he probably made a good choice; I don't know how it works with a touchpad on a laptop either.

Anyway, after booting into Knoppix he was able to cd to those file locations and delete them from the C drive. Then he rebooted and was able to use HijackThis to remove the startup entries, then he ran Malwarebytes Anti-Malware to clean up the 'droppings'. Plus I had him update Java and other things like Adobe Acrobat.
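The whole Knoppix step above, written out as a shell script. This is an added example, not something from the original post or from Knoppix itself. It assumes the Windows partition is /dev/sda1 mounted at /media/sda1 with ntfs-3g (check `fdisk -l` on the actual machine) and that the flagged DLLs live in windows\system32, which the post does not quote; c:\Program.exe is taken from the HijackThis entry as given. Because Windows is case-insensitive and NTFS mounted under Linux is not, the paths are matched case-insensitively, and each file is hashed before it is deleted so the sample can be identified later.

```shell
#!/bin/sh
# Added example (not from the original post): remove the files that HijackThis
# flagged, from a Knoppix live CD, with the Windows volume mounted under Linux.
# Assumptions: the Windows partition is /dev/sda1 and is mounted at /media/sda1
# with ntfs-3g. Both names are placeholders; check `fdisk -l` on the machine.

# Remove a list of Windows-style relative paths (e.g. windows/system32/foo.dll)
# under the mounted volume $1. Windows is case-insensitive but NTFS under Linux
# is not, so paths are matched with find -ipath. Each removed file is hashed
# first so the sample can be looked up later. Prints the number of files removed.
remove_listed_malware() {
    winroot="$1"
    shift
    removed=0
    for rel in "$@"; do
        # limit the search depth to the number of path components so find does
        # not walk the whole volume for every entry
        depth=$(( $(printf '%s' "$rel" | tr -cd '/' | wc -c) + 1 ))
        found=""
        # word-splitting on $(find) is acceptable here: the flagged names have no spaces
        for f in $(find "$winroot" -maxdepth "$depth" -ipath "$winroot/$rel" -type f 2>/dev/null); do
            found=1
            sha1sum "$f" >&2                 # fingerprint before deletion
            rm -f -- "$f" && removed=$((removed + 1))
        done
        # HijackThis reports these as "(file missing)"; the startup entry still
        # has to be removed from inside Windows afterwards
        [ -n "$found" ] || printf 'not on disk: %s\n' "$rel" >&2
    done
    printf '%s\n' "$removed"
}

# Knoppix usage: run as root with --knoppix. Mount read-write only when you
# intend to delete; for just looking around, mount with -o ro instead.
if [ "${1:-}" = "--knoppix" ]; then
    mkdir -p /media/sda1
    mount -t ntfs-3g /dev/sda1 /media/sda1
    remove_listed_malware /media/sda1 \
        windows/system32/wehazibi.dll windows/system32/gaganoza.dll \
        windows/system32/mudabihu.dll windows/system32/wukoraga.dll \
        windows/system32/jujutoji.dll windows/system32/jaduzumi.dll \
        windows/system32/bezijigi.dll windows/system32/wegagolu.dll \
        windows/system32/GameMon.des.exe Program.exe
    sync                      # flush writes before rebooting off the live CD
    umount /media/sda1
fi
```

Deleting the files only stops the malware from loading; the AppInit_DLLs, SSODL and SharedTaskScheduler entries still point at them, which is why the post has HijackThis remove those entries after rebooting into Windows.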

People don't realize that Knoppix can be used to look at a hard drive without booting Windows at all: put in the Knoppix CD, reboot, and go from there. I learned this technique from a law enforcement customer; they use it to examine files on suspects' computers without booting Windows (for that kind of examination the drive is mounted read-only so nothing on it changes). But you can also mount the drive read-write and use it to remove malware files, if you already know where they are.
