Sunday, September 04, 2005

Polymorphic spyware/scumware is annoying.

Each time I boot up my laptop a strange file (for which a search for its name returns no results on Google) is running in Task Manager, and its name changes with each bootup. I know it's the same file because I located the files in the c:\windows\temp directory, and all of them are there, with the same filesize, date modified and icon (adding insult to injury, that of a cute little dog). I've deleted them but am quite sure they'll reappear the next time I reboot, with a different file name of course.

Running Hijack This, Spybot - Search & Destroy, msconfig, services.msc and RootkitRevealer, I can't see anything suspicious. Maybe I need to go through services.msc again.

I might reformat, except that I just got my laptop back on Wednesday, and setting everything up again is a pain. This is just like the last time I reformatted, when Vincent asked me to join Studio Traffic, which resulted in me getting hit by 20 spyware programs within a day of my reformat.

This is what happens when you unwisely run activate_crack.exe from an Astalavista site. Gah.

I just know some people will respond with "just get a Mac", but this is like a small cut on your arm getting infected, and then being told to amputate the whole thing.


Addendum: I searched my computer for files with the same/similar file size/date modified, since I reasoned the polymorphic file had to be copied from a master exe...

... and found that OfcDog.exe in my Trend Micro OfficeScan directory had the same file size/date modified (down to the last second) and icon (the one of a dog). And other dlls in the directory had a similar date modified, so it was not a case of the spyware being smart enough to hide itself in the directory.

This is really odd. This is what happens when you use the Japanese Anti-Virus client which NUS installs for you.

Back to Grisoft's AVG free edition. I suspect it uses less resources too. But first I've to get around darling NUS's "we know better than you" policies (more on that in a future post): "Type the password to uninstall the OfficeScan client".

Maybe I should've formatted after all...

Addendum #2: Amazingly, the staff member who responded to my email gave me the password needed to uninstall Trend Micro. And they replied to my mail within an hour on a Sunday afternoon too.

The staff at NUS Computer Centre's IT Care are fantastic!