"The happiest place on earth"

Get email updates of new posts:        (Delivered by FeedBurner)

Sunday, September 04, 2005

Polymorphic spyware/scumware is annoying.

Each time I boot up my laptop a strange file (for which a search for its name returns no results on Google) is running in Task Manager, and its name changes with each bootup. I know it's the same file because I located the files in the c:\windows\temp directory, and all of them are there, with the same filesize, date modified and icon (adding insult to injury, that of a cute little dog). I've deleted them but are quite sure they'll reappear the next time I reboot, with a different file name of course.

Running Hijack This, Spybot - Search & Destroy, msconfig, services.msc and RootkitRevealer, I can't see anything suspicious. Maybe I need to go through services.msc again.

I might reformat, except that I just got my laptop back on wednesday, and setting everything up again is a pain. This is just like the last time I reformatted, and Vincent asked me to join Studio Traffic, which resulted in me getting hit by 20 spyware programs within a day of my reformat.

This is what happens when you unwisely run activate_crack.exe from an Astalavista site. Gah.

I just know some people's will respond with "just get a Mac", but this is like a small cut on your arm getting infected, and then being told to amputate the whole thing.


Addendum: I searched my computer for files with the same/similar file size/date modified, since I reasoned the polymorphic file had to be copied from a master exe...

... and found that OfcDog.exe in my Trend Micro OfficeScan directory had the same file size/date modified (down to the last second) and icon (the one of a dog). And other dlls in the directory had a similar date modified, so it was not a case of the spyware being smart enough to hide itself in the directory.

This is really odd. This is what happens when you use the Japanese Anti-Virus client which NUS installs for you.

Back to Grisoft's AVG free edition. I suspect it uses less resources too. But first I've to get around darling NUS's "we know better than you" policies (more on that in a future post): "Type the password to uninstall the OfficeScan client".

Maybe I should've formatted after all...

Addendum #2: Amazingly, the staff member who responded to my email gave me the password needed to uninstall Trend Micro. And they replied to my mail within an hour on a Sunday Afternoon too.

The staff at NUS Computer Centre's IT Care are fantastic!
blog comments powered by Disqus
Related Posts Plugin for WordPress, Blogger...

Latest posts (which you might not see on this page)

powered by Blogger | WordPress by Newwpthemes