This guide serves to educate you (and me, just in case I forget in the near future) on how to fix a very cunning trojan – Update.exe
A client came to me and complained: “My laptop is dead! My laptop is dead! Each time I plug a removable device into my PC, the files disappear. All I am left with are shortcuts. Where are my files?”
If you have ever experienced that scary situation where your data seems to “disappear” – days of hard work on that presentation or report, weeks of research on that paper, and just when you are about to print it (maybe in a cyber café), your data is simply no longer there – you will surely understand the feeling this user had when he came seeking my help.
As a not-so-seasoned IT professional (I’d rather say hobbyist), getting around such a challenge is certainly not a problem. Revealing the contents of the removable device is as easy as singing A, B, C from the Greek alphabet. And fixing the trojan manually on the user’s PC is just as cheap. But in this case…
Using the command prompt, I checked for hidden files and folders in the root of the C drive and in the Windows, System32, Drivers and Users folders, but found nothing.
I checked the running processes in Task Manager: nothing.
I checked for startup entries in the registry: nothing.
I checked for userinit or explorer hooks in the registry: nothing there either.
I also checked the startup entries using msconfig: nothing as well.
Now this really got interesting. Where then was the virus hiding? Or was there a new approach these virus coders had discovered that eluded me?
What was I missing?
Somehow (either by a stroke of luck or by a touch of genius), I took a closer look at a particular file that had initially looked legit to me – UPDATE.EXE. Looks legit, doesn’t it? Many programs use update.exe as an update package (in fact, my GFI LANguard scanner uses it… I believe Avira uses it too). But on taking a closer look, I discovered that its location was rather suspicious – a temporary folder in the User directory. Bingo! And it was also running in Task Manager, from the same location!
It looks like malicious code writers have found more cunning ways of crafting malicious code.
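The checks above (hidden files on the stick, and a process running from a temp folder under a user profile) as a PowerShell triage script. This is an added example, not part of the original post; it assumes PowerShell 5 or later on Windows and that the USB stick is drive E unless another letter is passed in.

```powershell
param([string]$RemovableDrive = 'E')   # drive letter of the USB stick (assumed)

# 1. Processes whose executable lives under any user's Temp folder.
#    An innocent-looking name such as update.exe running from there is the tell.
function Find-TempFolderProcesses {
    $tempRoots = @(Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { (Join-Path $_.FullName 'AppData\Local\Temp').ToLowerInvariant() })
    $tempRoots += $env:TEMP.ToLowerInvariant()

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path } |                      # protected processes expose no path; skip them
        Where-Object {
            $imagePath = $_.Path.ToLowerInvariant()
            $tempRoots | Where-Object { $imagePath.StartsWith($_) }
        } |
        Select-Object Id, ProcessName, Path, StartTime
}

# 2. What the trojan did to the removable drive: the real items are still there
#    but flagged Hidden, and .lnk shortcuts sit in their place. List both, and
#    show where each shortcut actually points.
function Get-RemovableDriveFindings {
    param([string]$Drive)
    $root = "${Drive}:\"
    if (-not (Test-Path -LiteralPath $root)) { throw "Drive $root not found" }

    $hidden = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }

    $shell = New-Object -ComObject WScript.Shell
    $shortcuts = Get-ChildItem -LiteralPath $root -Filter '*.lnk' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            [pscustomobject]@{ Shortcut = $_.Name; Target = $lnk.TargetPath; Arguments = $lnk.Arguments }
        }
    [pscustomobject]@{ HiddenItems = $hidden; Shortcuts = $shortcuts }
}

Find-TempFolderProcesses | Format-Table -AutoSize
$findings = Get-RemovableDriveFindings -Drive $RemovableDrive
$findings.HiddenItems | Select-Object Name, Attributes | Format-Table -AutoSize
$findings.Shortcuts | Format-Table -AutoSize

# Once the trojan is removed, make the user's files visible again (drive E shown):
#   attrib -h -s -r E:\* /s /d
```

Run it from an elevated prompt so that processes belonging to other user accounts report their image path.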
WE FOUND THE BAD GUY
Is that so hard anymore? All I had to do was locate the file and hit the “Delete Forever” key. And that was it. I rebooted, and there, it was all gone – I plugged in a flash disk, and nothing ran into hiding anymore.
There are smart guys out there. Don’t get fooled.
PAY ATTENTION TO DETAILS
Quote of the Day:
Resentment is like taking poison and hoping the other person dies.