Qoolaid, XP, and me.

Well I booted into XP Pro on my laptop about two weeks ago. I’ve always had the Windows partition and technically dual-booted, but haven’t ventured into the “dark side” in about 6 months. While I was having great fun in Gentoo I was not exactly the most productive person while using it. Those of you that know me understand how I have to tweak things and how easily distracted I am. Then there is the whole can of worms that comes with rice burning (XGL, SELinux in enforcing, etc.). So I switched to XP to see how it would affect my productivity.

Overall I’ve been much more productive once I got it up and running. I already had the essentials installed, like McAfee. I then installed WindowBlinds for theming, TopDesk as my task switcher (the Windows default left me wanting more after using XGL’s switcher plugin), and Google Desktop because of its usefulness. After that I pretty much left it alone.

So come yesterday I decided to download a small application (never mind what it was). I have trusted McAfee since I’ve been using it for a few years and never had any issues. Well, today was different: as soon as I ran the application I got all sorts of popups and warnings from McAfee. I told it to delete and stop the applications; unfortunately some of them couldn’t be deleted, as they were already running. I have no idea how McAfee missed some, but apparently it did, and I had a trojan. If I had to guess I would say this initial trojan was Downloader-EV. It immediately “called home” and installed a whole slew of other nasties like Downloader-AH and Download-AEU. I couldn’t even keep track of them all. McAfee was able to detect and clean most of them. However, one rather old one was being really stubborn. Its name was Qoolaid. It was a slight variant of the original, as I would later find out.

Qoolaid is your typical pain in the ass adware. It is capable of hiding files from Explorer, replicating itself, recreating the registry entries used to start itself, loading with the Explorer shell run by Winlogon, etc. Imagine how easy it would be to create a rootkit out of this thing.

This thing generates random file names and sizes, apparently dependent on the variant. Thankfully the files are placed in several pre-determined locations (the count per location is given first; these may eventually change):
1 * c:\Documents and Settings\All Users\Start Menu\Programs\Startup\*.exe
1 * c:\WINDOWS\system32\*.dat
2 * c:\WINDOWS\system32\*.exe
1 * c:\WINDOWS\*.dll
2 * c:\WINDOWS\system32\*.dll

In my case the file names were (in part… I didn’t record all of them):
c:\Documents and Settings\All Users\Start Menu\Programs\Startup\rogld.exe
c:\WINDOWS\system32\?.dat
c:\WINDOWS\system32\ahukwb.exe
c:\WINDOWS\system32\qqlow.exe
c:\WINDOWS\?.dll
c:\WINDOWS\system32\sporder.dll
c:\WINDOWS\system32\gotkojw.dll

The actions I took to unsuccessfully remove this thing included: running McAfee in DOS mode from safe mode w/ a command prompt, installing AdAware, SpyBot S&D, and SpyHunter, and trying to clean it with Trend Micro’s Housecall. After wrestling with this thing for the better part of a day I finally figured out how to beat it. Basically I had to modify the security policy in XP by following the details at this link so that the recovery console would let me change to arbitrary directories. Then I booted off the CD and went into the recovery console. After setting the “AllowAllPaths” variable I went into each directory and listed the contents using the *.??? wildcard, where the question marks stand for the file extensions listed above. Some of those listings can be long, so I limited my search to files created the day I got the adware. I deleted each one by hand, then rebooted and was home free.
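The same triage the post did by hand in the recovery console (list each known drop directory with a wildcard, keep only the files dated the day of the infection), as an added example that is not part of the original post and is not Qoolaid’s own code. It assumes a root directory standing in for the system drive so it can be run against a constructed sample tree on any platform; it filters on modification time by default, since that is what a test can set, and takes `st_ctime` (creation time on Windows, which is what the post filtered on) as an option. It only reports, never deletes.

```python
"""Triage scan of the Qoolaid drop locations listed in the post (added example)."""
import fnmatch
import os
import tempfile
from datetime import date, datetime
from typing import Iterable, List, Tuple

# Drop locations from the post, relative to the system drive: (directory, wildcard).
DROP_LOCATIONS: List[Tuple[str, str]] = [
    (r"Documents and Settings\All Users\Start Menu\Programs\Startup", "*.exe"),
    (r"WINDOWS\system32", "*.dat"),
    (r"WINDOWS\system32", "*.exe"),
    (r"WINDOWS", "*.dll"),
    (r"WINDOWS\system32", "*.dll"),
]


def file_day(path: str, ts_attr: str = "st_mtime") -> date:
    """Return the calendar day of one of the file's stat timestamps.

    Assumption: the default st_mtime keeps the example portable and testable
    (os.utime can set it). A responder on Windows would pass "st_ctime",
    which is the creation time there; on POSIX st_ctime is the inode change
    time instead, so it is not the default.
    """
    ts = getattr(os.stat(path), ts_attr)
    return datetime.fromtimestamp(ts).date()


def scan_drop_locations(root: str, infection_day: date,
                        locations: Iterable[Tuple[str, str]] = DROP_LOCATIONS,
                        ts_attr: str = "st_mtime") -> List[str]:
    """List files under `root` that sit in a known drop directory, match its
    wildcard (case-insensitively, as the recovery console does) and are dated
    `infection_day`. Returned paths are sorted and unique even when two
    patterns cover the same directory."""
    hits = set()
    for rel_dir, pattern in locations:
        directory = os.path.join(root, *rel_dir.split("\\"))
        if not os.path.isdir(directory):
            continue  # tree may lack the directory (e.g. a non-XP layout)
        for name in os.listdir(directory):
            full = os.path.join(directory, name)
            if not os.path.isfile(full):
                continue
            if fnmatch.fnmatch(name.lower(), pattern.lower()) and \
                    file_day(full, ts_attr) == infection_day:
                hits.add(full)
    return sorted(hits)


def build_sample_tree(root: str, infection_day: date, other_day: date) -> dict:
    """Construct a fake system tree for demonstration (names from the post,
    plus a legitimate-looking DLL and an unrelated .txt as controls).
    Returns a dict of label -> path so callers know what to expect."""
    def make(rel: str, day: date) -> str:
        path = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample, not real content")
        ts = datetime(day.year, day.month, day.day, 12, 0, 0).timestamp()
        os.utime(path, (ts, ts))
        return path

    return {
        "startup_exe": make(r"Documents and Settings\All Users\Start Menu\Programs\Startup\rogld.exe", infection_day),
        "sys32_exe": make(r"WINDOWS\system32\ahukwb.exe", infection_day),
        "sys32_dll": make(r"WINDOWS\system32\gotkojw.dll", infection_day),
        "old_dll": make(r"WINDOWS\system32\olderfile.dll", other_day),      # wrong day: skipped
        "txt_same_day": make(r"WINDOWS\system32\notes.txt", infection_day),  # wrong extension: skipped
    }


if __name__ == "__main__":
    root = tempfile.mkdtemp(prefix="qoolaid-triage-")
    day = date(2006, 5, 17)
    build_sample_tree(root, day, date(2006, 5, 10))
    for hit in scan_drop_locations(root, day):
        print("review:", hit)
```

The scan prints candidates for a human to review against the file-name list above; the point of the date filter is the same as in the post, namely cutting a long system32 listing down to what appeared on the infection day. When run against a real XP drive, pass the drive root and `ts_attr="st_ctime"`.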

I guess that will learn me to treat Windows the same way I treat a Gentoo/SELinux install.

Spencer Shimko 18 May 2006