How I survived a virus/trojan attack? (It was indeed a pain in the... you know what!)

I was working with IIS at my home, and while looking at the Task Manager, I found a suspicious-looking EXE running under the SYSTEM account. It was suspicious because the name of the EXE was fffccccMLP.exe. It just scared the hell out of me, since I hadn't taken a backup for quite a few weeks (yeah, I am lazy)! I started by searching for this guy and found that it was inside my C:\WINDOWS\system32 folder. I tried checking the properties, but they didn't say what it did or which company it belonged to. I decided to rename this file, but it wouldn't allow me to. I was unable to kill the program using the KILL utility. In fact, when I tried doing it... my PC just rebooted... Holy Smoke!!!!!

When my PC came back up... I wanted to check out the network connections, since I suspected this was a Trojan. I opened a command prompt and executed netstat -ano, and damn... my PC rebooted again. Gloomy, ain't it? And it was just the beginning!!!

Okay, I took a deep breath, and thought, let's fix it...

1. Boot my PC in safe mode. Try to delete that EXE, or kill that process tree... no luck.
2. Open Registry Editor (Start -> Run and type Regedit.exe) and check out the startup programs... (check the status below for the location). These programs will be executed as a part of my booting process. I found that the culprit EXE is not listed here.

[screenshot: Registry Editor showing the startup program locations]

3. So, the next step which I could think of was to click on Start -> Run, type MSConfig and hit OK. The default selection is Normal Startup. I changed it to Diagnostic Startup - Load basic devices and services only.

[screenshot: MSConfig General tab with Diagnostic Startup selected]

4. If you switch to the Startup tab, you will see that every startup item is disabled, including the ones in the All Programs -> Startup folder.

[screenshot: MSConfig Startup tab with all items disabled]

5. Click on Ok and you will be prompted for a reboot. I did it, and tried renaming that EXE and killing that process. DAMNNNN... still no luck.
6. I downloaded TCPView in the hope of checking my connections. As soon as I executed it... another reboot. I knew that now... instead of fixing the problem, I needed to find out what that EXE was doing.
7. But before doing it, I downloaded the latest signatures of my Antivirus Software and scanned my PC again. Thankfully, it was able to recognize a few Trojans...

[screenshot: antivirus scan results listing the detected Trojans]

8. Although it said it had cured them and a reboot was required... when I rebooted my box, I still saw those files.
9. That hinted that I should probably start with these DLLs and see if they had any correlation with that EXE. I downloaded Process Explorer and wanted to find out who was holding the handles to FCCCBBB.DLL and AWVVT.DLL. Very soon I found that they were loaded in WinLogon. Wow, now I was in big trouble. I tried closing the handle, but it wouldn't :-( Killing winlogon was of no use, since your OS will reboot.
10. Finally, I thought of removing them from the command prompt. In order to do that, I started by inserting my Windows XP CD, booted from the CD, and when the option was given to Repair, I chose to do it. It was pretty intuitive, and I ended up with a *core* command prompt. I issued a couple of Del commands and got rid of those files. Oh my dear command prompt... how much I missed you!!!!!!!!
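The checks in steps 2, 3 and 9 above (what starts automatically, whether those binaries are from a known publisher, and which process has a given DLL loaded) can be scripted so they are ready before the next incident. The script below is an added example and is not from Rahul's post or from any Microsoft tool; it assumes Windows PowerShell 5.1 or later in an elevated prompt (the post's machine ran Windows XP, whose bundled shell predates these cmdlets). The registry locations it reads, the function names and the two DLL names used in the usage section are the example's own choices, and it is read-only: it reports, it does not delete or rename anything.

```powershell
# Added example, not part of the original post: read-only triage for the
# checks in steps 2, 3 and 9. Assumes Windows PowerShell 5.1+ and an
# elevated prompt. Nothing on the machine is modified.

# Auto-start locations examined here (an assumption for this example; the
# Run/RunOnce keys are the ones MSConfig and Regedit showed in the post).
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Recover the executable from a command line: quoted path, bare *.exe, or
# first token. Unquoted paths containing spaces are not resolved (reported
# as unresolved rather than guessed).
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    if ($CommandLine -match '^"([^"]+)"')   { $p = $Matches[1] }
    elseif ($CommandLine -match '^(\S+\.exe)') { $p = $Matches[1] }
    else { $p = ($CommandLine -split '\s+')[0] }
    if (-not (Test-Path -LiteralPath $p)) {
        # Bare names like 'explorer.exe' are looked up on PATH.
        $cmd = Get-Command $p -CommandType Application -ErrorAction SilentlyContinue
        if ($cmd) { $p = $cmd.Source }
    }
    return $p
}

# List auto-start entries with the Authenticode status of each target, so an
# unsigned binary sitting in system32 stands out without opening Properties
# on every file by hand (the step that told the author nothing).
function Get-AutostartReport {
    $entries = @(foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($p in $values.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PowerShell's own metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    })
    if (Test-Path $WinlogonKey) {
        $wl = Get-ItemProperty -Path $WinlogonKey
        foreach ($name in 'Shell', 'Userinit') {      # values Winlogon launches at logon
            if ($wl.$name) {
                $entries += [pscustomobject]@{ Source = $WinlogonKey; Name = $name; Command = [string]$wl.$name }
            }
        }
    }
    foreach ($e in $entries) {
        $path   = Get-ExecutablePath $e.Command
        $status = 'MissingOrUnresolved'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        [pscustomobject]@{ Name = $e.Name; Path = $path; Signature = $status; Source = $e.Source }
    }
}

# Report which processes have a given DLL loaded (what Process Explorer
# answered in step 9). Protected or other-bitness processes refuse module
# enumeration; they are counted so the reader knows the view is partial.
function Find-ProcessesWithModule {
    param([Parameter(Mandatory)][string]$ModuleName)
    $unreadable = 0
    $hits = @(foreach ($proc in Get-Process) {
        try {
            $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch { $unreadable++; continue }
        foreach ($m in $mods) {
            [pscustomobject]@{ ProcessName = $proc.ProcessName; Id = $proc.Id; ModulePath = $m.FileName }
        }
    })
    [pscustomobject]@{ Hits = $hits; UnreadableProcesses = $unreadable }
}

# Usage: show every auto-start target that is not validly signed, then look
# for the two DLL names from the post (constructed input; substitute your own).
Get-AutostartReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
foreach ($dll in 'FCCCBBB.DLL', 'AWVVT.DLL') {
    $r = Find-ProcessesWithModule -ModuleName $dll
    "$dll : loaded in $($r.Hits.Count) process(es); $($r.UnreadableProcesses) process(es) could not be inspected"
    $r.Hits | Format-Table -AutoSize
}
```

A binary that shows up as NotSigned in system32, or a DLL that turns out to be loaded in winlogon.exe, is exactly the situation the post describes, and the script stops at reporting it: as step 9 shows, killing or unloading from inside the running system is what triggered the reboots, and the removal still belongs in an offline environment such as the Recovery Console used in step 10.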

After that, when I booted, I was pretty happy to see that fffccccMLP.exe was not launched any more. I deleted it straight away!

I am sharing this experience with all of you so that you have a few tools handy in case anything like this happens. I am not a security expert and I am not from the team who deals with viruses or trojans, so my knowledge in dealing with these problems is quite limited. Thankfully, I was able to fix this problem. If you feel that you have some nice tidbits I could have tried, feel free to let us all know.

By the way, there are two BIG lessons that I learnt from this...

1. Downloading signatures every day in the antivirus software is not a bad option after all. I didn't realize that my antivirus had had connection issues due to the proxy setting and had not been able to download the signatures since I don't know when.

2. TAKE BACKUP!!!!!!! I just did, and since I have practiced it, I guess I can preach!

I hope this helps. Have fun!
Rahul
