I have recently received several complaints from our customers about
a Winfixer pop-up. Whenever the customer turned the computer on, a
Winfixer pop-up would appear even though Winfixer had been removed by
Spyware Nuker. It seems Winfixer has adopted new tactics to maintain
its presence on a computer.
Nothing appears out of the ordinary after skimming through the
customers' diagnostic log files. The startup entries are clean and
there are no suspicious browser helper objects or program files.
So where is this pop-up hiding? On closer inspection of the log files,
I discovered randomly named, suspicious DLL files registered with
the Windows Winlogon process. Winlogon is vital to Windows operation:
it handles logon and logoff, and every DLL listed under its Notify key
is loaded into winlogon.exe as a "notification package" at startup,
before any user logs on. A file "hooked" into this process that way
is difficult to detect and, because winlogon.exe keeps it loaded,
difficult to remove. Here is an example of what was found in one of
the customer's logs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnll
"DllName"=C:\WINDOWS\system32\nnnll.dll
A subkey named 'nnnll' has been added under Winlogon\Notify, and its
DllName value points at a matching nnnll.dll. The 'nnnll' name
is random and was different in each customer's log, so neither a fixed
file name nor a fixed registry entry can be used to spot it; that is
what makes it difficult to detect and remove. I asked each
customer to send us this random DLL file. After the files were received,
we began an in-depth investigation.
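To check a diagnostic log or registry export for this kind of entry, here is an added example (my own code, not Spyware Nuker's detection logic) that parses Winlogon\Notify entries in the format quoted above and compares each one against a baseline of the stock Windows XP SP2 notification packages. The baseline, the constructed sample log and the vowel-free-name heuristic are my assumptions, not something taken from the post:

```python
import re
from typing import Dict, List, Tuple

# Stock Winlogon\Notify packages on Windows XP SP2 and the DLL each should point at.
# Assumption: taken from the author's own clean reference machine, not from the post
# above; replace it with a baseline exported from a machine you know is clean.
STOCK_XP_NOTIFY = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

# Constructed sample in the format of the log excerpt quoted in the post: three stock
# entries plus the 'nnnll' entry from the customer's log.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
"DllName"=crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
"DllName"=cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
"DllName"=wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnll
"DllName"=C:\WINDOWS\system32\nnnll.dll
"""

# Accepts both the bare log form above and the bracketed form of a .reg export.
NOTIFY_KEY = re.compile(
    r"^\[?HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Winlogon\\Notify\\([^\\\s\]]+)\]?\s*$",
    re.IGNORECASE,
)
DLLNAME_VALUE = re.compile(r'^"DllName"\s*=\s*"?([^"]+?)"?\s*$', re.IGNORECASE)
VOWELS = set("aeiouy")


def parse_notify_entries(log_text: str) -> List[Tuple[str, str]]:
    """Return (subkey, DllName) pairs for every Notify subkey in the log text."""
    entries: List[Tuple[str, str]] = []
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        key = NOTIFY_KEY.match(line)
        if key:
            current = key.group(1)
            continue
        value = DLLNAME_VALUE.match(line)
        if value and current:
            entries.append((current, value.group(1)))
            current = None
    return entries


def looks_generated(name: str) -> bool:
    """Short, letters-only, vowel-free names such as 'nnnll'. Stock names like 'cscdll'
    and 'termsrv' also match, so this is only a hint, never a verdict on its own."""
    stem = name.lower().rsplit(".", 1)[0]
    return stem.isalpha() and len(stem) <= 8 and not (set(stem) & VOWELS)


def audit_notify_entries(log_text: str, baseline: Dict[str, str] = STOCK_XP_NOTIFY) -> List[Dict[str, str]]:
    """Flag Notify subkeys that are not in the baseline, or that point at the wrong DLL."""
    findings = []
    for subkey, dll in parse_notify_entries(log_text):
        dll_file = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        expected = baseline.get(subkey.lower())
        reasons = []
        if expected is None:
            reasons.append("subkey is not a stock Notify package")
            # Only consulted for unknown subkeys, since several stock names are vowel-free too.
            if looks_generated(subkey) and looks_generated(dll_file):
                reasons.append("subkey and DLL share a random-looking name")
        elif expected != dll_file:
            reasons.append(f"stock subkey points at {dll_file} instead of {expected}")
        if reasons:
            findings.append({"subkey": subkey, "dll": dll, "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in audit_notify_entries(SAMPLE_LOG):
        print(f"{f['subkey']:<16} {f['dll']:<40} {f['reasons']}")
```

The comparison is against the baseline, not against the random name: a stock subkey whose DllName has been redirected is reported as well, and the name heuristic is only an extra hint on entries that are already unknown, because stock names such as cscdll and termsrv are just as vowel-free as nnnll.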
I installed the suspicious file, and several minutes later a pop-up
appeared.
The DLL made a silent connection to the internet and displayed a
pop-up advertisement styled to look like a Windows error message.
Many end users could mistakenly click its 'OK' button, thinking it is
a genuine Windows error, and clicking 'OK' counts as accepting the
Winfixer 2005 installation. In practice the button made no difference:
within minutes of running the suspicious file, Winfixer 2005 was fully
installed without my consent. Winfixer 2005 claims to remove viruses
and Trojans, yet it uses the same methods to install itself on an
end user's computer. How ironic.
Further investigation confirmed that the DLL was indeed loaded into
the Winlogon process. Because winlogon.exe loads its Notify packages
even in Safe Mode, the file stayed locked, and the end user could not
delete or even rename it manually. Being loaded by the Winlogon process
makes the file nearly invincible while Windows is running. Nearly, but
not completely. We dissected the file and examined its binary contents
for an effective signature, one that matches the code rather than the
random file name, so that it detects all similar files whatever they
are called. This signature was then integrated into Spyware Nuker.
Run against the infection, Spyware Nuker detected it and deleted it
on reboot, before winlogon.exe had a chance to load it again. It also
detected and removed the Winfixer 2005 application. Our customers were
thrilled to hear the good news. Once again, Spyware Nuker has triumphed
over the wicked spyware that plagues the internet.
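The delete-on-reboot step relies on a Windows mechanism rather than anything tool-specific: a file that winlogon.exe keeps open cannot be unlinked, but the kernel32 call MoveFileExW with MOVEFILE_DELAY_UNTIL_REBOOT records the path under PendingFileRenameOperations, and the session manager removes it at the next boot before winlogon.exe starts. The added example below (my own code, not Spyware Nuker's removal routine) builds that REG_MULTI_SZ value the way the API does and, on Windows, queues the deletion and drops the Notify subkey. The file and subkey names are assumed from the log quoted above:

```python
import sys
from typing import List

# Assumed from the customer's log above; substitute the names from your own log.
NOTIFY_SUBKEY = "nnnll"
DLL_PATH = r"C:\WINDOWS\system32\nnnll.dll"
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def nt_path(win_path: str) -> str:
    """Win32 path -> the \\??\\ form stored in PendingFileRenameOperations."""
    p = win_path.replace("/", "\\")
    return p if p.startswith("\\??\\") else "\\??\\" + p


def add_pending_delete(existing: List[str], path: str) -> List[str]:
    """Return a new REG_MULTI_SZ list with `path` scheduled for deletion at next boot.

    The value is a flat list of (source, destination) pairs processed by smss.exe at
    boot, before winlogon.exe runs; an empty destination means delete. Existing pairs
    are kept, a malformed (odd-length) value is refused rather than corrupted, and a
    path that is already queued is not double-booked.
    """
    if len(existing) % 2:
        raise ValueError("PendingFileRenameOperations has an odd number of strings")
    src = nt_path(path)
    pairs = list(zip(existing[0::2], existing[1::2]))
    if any(s.lower() == src.lower() and d == "" for s, d in pairs):
        return list(existing)
    return list(existing) + [src, ""]


def schedule_delete_on_reboot(path: str) -> bool:
    """Windows only: ask the OS to delete `path` at next boot (needs admin rights).
    This writes the same pair that add_pending_delete() computes."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    import ctypes
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    return bool(ok)


def remove_notify_subkey(name: str) -> None:
    """Windows only: drop the Notify subkey so winlogon.exe stops loading the DLL."""
    if sys.platform != "win32":
        raise OSError("winreg is only available on Windows")
    import winreg
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\" + name
    winreg.DeleteKey(winreg.HKEY_LOCAL_MACHINE, key_path)


if __name__ == "__main__":
    # Offline walk-through of what the API call would record.
    print(add_pending_delete([], DLL_PATH))
    if sys.platform == "win32":
        remove_notify_subkey(NOTIFY_SUBKEY)
        print("queued for deletion:", schedule_delete_on_reboot(DLL_PATH))
```

Both steps are needed: without the registry change winlogon.exe keeps trying to load the DLL after the reboot, and without the delayed delete the file stays behind. add_pending_delete() also lets you audit what a removal tool has actually queued, by reading the existing value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager before rebooting.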