Ed's Blog

A couple of days ago, i found a process "Update.exe" running in my PC, I didn't have time to remove it, or install a recent Anti-Spyware software. Well, I purchased "Internet Security" CA product.

I could get antivirus to install, but not Anti-Spyware, I always received ppctl.dll "Corrupt or not sufficient privileges." I tried modifying Registry entries, but CA product was unable to remove the trojan.

Just in case this works for you: ppctl.dll is here


Then I decided to give it a shot to Norton/Yahoo Combo, but again, it installed detected some issues but I couldn't pass the registration/activation form, again, Could not fix my problem.





I decided to do it manually, the hard way.
You will need http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
to see what's running on yoru PC.

DISCLAIMER: FOLLOW THESE STEPS IF YOU KNOW HOW TO USE REGEDIT, and UNDERSTAND THAT YOU MAY DAMAGE YOUR WINDOWS INSTALL BY DOING SO. PLEASE CREATE A "RESTORE POINT" IN CASE YOU CANNOT RECOVER. THE INFORMATION PROVIDED IS "AS IS" WITH NO WARRANTIES OR RESPONSIBILITIES TO ME.

Removing COMMAND.EXE
The first trojan I found was: COMMAND.exe, which you may see in your process space. This item might be confused with your command prompt, which is CMD.EXE. Check it out it runs as part of Services.exe.

The process will have a path similar to: G:\WINDOWS\RWR3aW4gSGVybmFuZGV6\command.exe with a Random directory. You may have a hard time deleting it, but it's simple.

So follow these steps:

• Kill Command.exe (ProcessExp will do it for you)
• Reboot your machine in Safe Mode with Command Prompt
• rmdir the directory and it's contents, by running Attrib -S -H *.*
• rmdir the random sequence of strings
• reboot your machine
• Go to "Admin Tools -> Services" it will still be there listed as "Command Service"
• Delete the full entry with regedit, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdServiceReboot your machine.

Removing SVCHOSTS.EXE
At least in my machine, you will need to have Windows XP Activation Code or get ready to reactivate your windows XP copy with Microsoft.

Removing svchosts.exe is tricky. Notice that your List of Services should include SVCHOST.exe, but not SVCHOST.exe
Steps to remove it:

• Kill svchosts.exe from Services.exe process space
• Go to G;\Windows\System32\ search for svchosts.exe, atmtd.dll, s32evt1.dll, wnscpsv.exeand some other files with same timestamp.
• Proceed to erase them all, del svchosts.exe, del atmtd.dll, dell s32evt1.dll. Look for all the others with same timestamp, delete them.
• Go to "Admin Tools -> Services" it will still be there "COM+ Messages" with content as follows: "G:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000213
• Delete the full entry with regedit. Look for
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\COM+ Messages

Reboot your Machine.

How do you know if svchosts.exe has taken over your machine?
Symptoms:

• You will see a directory under G:\Program Files\Common Files\ as : G:\Program Files\Common Files\{%UUID%}\Update.exe For example G:\Program Files\Common Files\{A09EE252-086A-1033-0902-040806990001}
• It's easy to kill this process, and then delete this directory but something will keep addingan entry to your StartMenu section on your registry as follows:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run with an REG_SZ = G:\Program Files\Common Files\{%UUID%}\Update.exe "-t SomeRandomData"
• You may delete this entry and Kill Update.exe but once you reboot, it will be there agagin.

Now let's assume you did it right, you removed the files on your C:\Windows\System32 directory which all point to SVCHOSTS.EXE, and also you have removed all those weird entries on your registry. SURPRISE, when you reboot your machine "Activate Windows XP dialog box will pop," nope, not fake or something left by the Trojan, it's the real Activation mechanism by MSFT. Why is there, I have no clue.

My networking also was completely gone, even though you can png any device out there, and
you may be able to do DNS lookups, Explorer, FTP, SSH, none of that worked? So how did I fix that, a simple trick? Maybe thing were missing or spoiled in registry file.

• Remove File/Printer Sharing from your "Local Area Connection"
• If you can remove TCP/IP, or any other protocol, do so.
• You may not be able to remove TCP/IP, which doesn't make any sense.
• Reboot your machine
• Add IPv6, go to "Local Area Connection" then "Properties", "Install", select "Protocol" and look for "Microsoft TCP/IP version 6," install it.
• Upoen installation your Browser, FTP, SSH, etc will work again.

Lesson of the day: Find a good Anti-Spyware software and install it on your PC, I suggest you NOT running as "Administrator," even though you may have to switch back and forth everytime you need to install something in your PC, DO SO, it's better than wasting all day removing Trojans.

# posted by int21h @ 11:45 PM 2 comments