Saturday, March 7, 2009

The creation of the ridiculous is almost impossible...

It started innocently enough. I sent an email and it was returned. However, instead of the usual "user unknown" or "email delay, do not resend" messages, this message turned out not to have been returned but rather "rejected". Reading further, apparently our mail server had developed a bad reputation and folks accordingly decided to stop accepting its email. Then another rejection. And a third. It seems these sites all use a rating from SenderBase to reject email. And SenderBase thought we were "poor".

Our SysAdmin did something (specifics omitted) to see if and how email was leaving our premises. He reported good and bad news. The good: he was able to identify that unauthorized email was outbound. The bad: it was coming from my computer. Damnation.

A trojan. How did that happen? Regardless, let's stamp this thing out.

First attempt was Kephyr's Bazooka, a tool I had used before to find problems on other computers. It doesn't repair problems, just finds them and shows you how to manually fix them. Unfortunately, Bazooka came up empty. I should've known when the most recent version of their threat database was over 400 days old that maybe it hadn't been kept up to date. I also didn't bother to try their FreeFixer tool which I hadn't used before. No time to experiment - on to the next tool.

Another oldie but goodie is Trend Micro's HijackThis. This tool is not for the faint of heart. It produces a list of stuff that you can peruse to identify bad things, or you can post the list to a forum where experts will identify the problems for you. Nothing stood out in the list, and the explanations for some items would essentially say "this could be malicious or it could be perfectly normal." I'm not that bright. I move on.

A trusty tool is Lavasoft's AdAware which I've used on our home PC. Unfortunately, while AdAware did find and repair several issues, it didn't find the trojan and the flow of emails kept on going.

Fourth in the arsenal was Safer Networking's Spybot, another tool with which I have experience. But just like AdAware, Spybot found and fixed yet more problems but not the trojan.

I don't recall whether it was AdAware or Spybot, but I scanned using one of them after booting my computer in safe mode. Needless to say, this was a failure with respect to the trojan - no problems found. Also, you should be advised that "safe" mode is somewhat of a misnomer because after rebooting my computer, something had decided to change my Display settings and I had to reset them all manually. Some of the artifacts of that change persist to this day; I can't get rid of them.

Next up was AVG. Unfortunately, it wouldn't even install. This is probably the result of also having AdAware and Spybot installed, but disappointing nonetheless. So, AVG never got tried.

Having exhausted my prior experiences, I turned to Microsoft. It seems they have a Malicious Software Removal Tool. Download. Scan for 3 hours. Nothing. I stare. At. The. Screen.

PC World magazine's web site has always been a reliable place to turn for software recommendations of all kinds, so I go to their Security Center. Sure enough, I find recommendations for several tools and the first I try is Malwarebytes' Anti-Malware. Runs for hours. Finds and removes bad stuff. But the trojan persists.

Another PC World recommendation is SUPERAntiSpyware. This looks promising. It's not just your regular spyware removal tool, it's "super". And it's not just "super", it's SUPER in all uppercase. Download. Install. Run. A-ha! It finds a trojan that it identifies by name. It removes it and says I have to reboot because it'll delete more files on startup. Reboot. Oops. Windows fails to start. Is this good or bad? I try again and up she comes. And there's no more bad email. The trojan is kaput.

This is good, because I have only one thing left in my bag of tricks. STOPzilla has worked for a friend in a similar situation.

Lessons learned:
  1. Have your SysAdmin regularly monitor your email score at SenderBase.
  2. Use a malware tool on a regular basis. I will not say which one I've chosen.
  3. If you find yourself with malware, try SUPERAntiSpyware first.
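As an added illustration of lesson 1 (this is not code from the original post, and SenderBase's own scoring interface is not reproduced here), the script below checks a mail server's public IP against a DNS-based blocklist, the same kind of reputation source that receiving sites use to reject mail. The zone name `zen.spamhaus.org`, the return-code meanings and the sample IP addresses are assumptions for the example; a real deployment would run it from cron against the actual outbound IP and page someone when the status changes.

```python
"""DNSBL reputation check for an outbound mail server IP (added example)."""
import ipaddress
import socket

# Assumed zone and return codes, as documented by Spamhaus for ZEN.
# Other blocklists use different zones and codes.
ZEN_ZONE = "zen.spamhaus.org"
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL/CBL: infected host, open proxy or bot",
    "127.0.0.5": "XBL/CBL: infected host, open proxy or bot",
    "127.0.0.6": "XBL/CBL: infected host, open proxy or bot",
    "127.0.0.7": "XBL/CBL: infected host, open proxy or bot",
    "127.0.0.10": "PBL: end-user range that should not send mail directly",
    "127.0.0.11": "PBL: end-user range that should not send mail directly",
}
# Answers in 127.255.255.0/24 signal a query problem (e.g. an open resolver
# was used), not a listing; they must never be reported as "listed".
ERROR_PREFIX = "127.255.255."


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet DNSBL name, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # rejects malformed input early
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def lookup(ip: str, zone: str = ZEN_ZONE, resolver=socket.gethostbyname_ex):
    """Return the A-record answers for the DNSBL name ([] when NXDOMAIN).

    `resolver` takes a hostname and returns (name, aliases, addresses), the
    shape of socket.gethostbyname_ex; it is injectable for offline testing.
    """
    try:
        _, _, addrs = resolver(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return []  # not listed
    return addrs


def classify(answers):
    """Turn raw answers into 'clean', 'listed' or 'error'."""
    if any(a.startswith(ERROR_PREFIX) for a in answers):
        return "error"
    return "listed" if answers else "clean"


def check(ip: str, zone: str = ZEN_ZONE, resolver=socket.gethostbyname_ex):
    """Check one IP and explain every listing code returned."""
    answers = lookup(ip, zone, resolver)
    status = classify(answers)
    reasons = [ZEN_CODES.get(a, f"unknown code {a}") for a in answers] \
        if status == "listed" else []
    return {"ip": ip, "status": status, "answers": answers, "reasons": reasons}


if __name__ == "__main__":
    # 127.0.0.2 is the documented always-listed test address for Spamhaus
    # zones; 127.0.0.1 is never listed. Both require network access.
    for probe in ("127.0.0.2", "127.0.0.1"):
        print(check(probe))
```

The reasoning a practitioner wants here: an NXDOMAIN means "not listed", a 127.0.0.x answer means listed and the low octet says why, and a 127.255.255.x answer means the query itself was refused, which is easy to misread as a clean result if the script only tests for an empty answer.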

...because of the competition it receives from reality. --
Robert A. Baker
