Found an interesting spyware/virus/malware/etc at the Quinlisks yesterday. It was a "Browser Helper Object (BHO)", a method of getting your own code put inside of Windows Explorer, and thus pretty hard to remove. They run Ad-Aware every once in a while to clean up their computer, but apparently this spyware stuff was inside explorer.exe, or maybe even winlogon.exe, and when Ad-Aware would run, it would crash winlogon.exe with a null pointer error and usually shut down Windows, and so it was unable to really fix anything.
I was able to fix it by removing all of the browser helper objects (search in the registry, but I think the key is: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects).
Some of these entries are valid, but I was getting tired of figuring out how to kill it, so I erased all of these keys, plus the keys that they referred to (search in the registry for the big number that you see, and you will find a key under HKEY_ROOT\CLSID, where the real pointer to the executable is; that is also how you can figure out what the BHO actually is, and whether it is a legitimate program like Adobe Acrobat, or something else).
But that still didn't get rid of it, and explorer was taking up all the CPU, so I ran Ad-Aware with the explorer process killed (and every service that I could shut down too). With everything shut down, Ad-Aware would usually not shut down the machine, though it would cause a null pointer exception in winlogon.exe; but as long as you didn't hit OK or Cancel on the error message, the machine would not reboot. So we were able to complete the Ad-Aware scan, and it fixed a number of things, but it was unable to delete one file: awtsq.dll. It also couldn't delete it on the next reboot.
So I got creative and turned off all NTFS permissions on this file, so no one could access it, and then I rebooted yet again. This time the program wasn't able to run, so I could then give myself back delete privileges and delete it.
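To make the registry walk described above less of a guessing game, here is an added example (not code from the original post) that lists every registered BHO, resolves its CLSID to the DLL it loads, and reports the DLL's Authenticode status, so a legitimate add-in can be told apart from an unknown one before any key is deleted. It assumes an elevated PowerShell session on the affected machine; the Wow6432Node paths are included for 64-bit Windows.

```powershell
# Added example: inventory Browser Helper Objects and the DLL behind each CLSID.
# BHOs are registered under the Explorer\Browser Helper Objects key; the subkey
# name is the CLSID, and HKCR\CLSID\{clsid}\InprocServer32 holds the DLL path.
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        # 32-bit BHOs on 64-bit Windows register their CLSID under Wow6432Node too.
        $clsidRoot = if ($key -like '*Wow6432Node*') {
            'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
        } else {
            'Registry::HKEY_CLASSES_ROOT\CLSID'
        }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid  = $sub.PSChildName   # e.g. {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
            $dll    = $null
            $desc   = $null
            $signer = 'no InprocServer32 entry'
            $serverKey = "$clsidRoot\$clsid\InprocServer32"
            if (Test-Path $serverKey) {
                $dll  = (Get-ItemProperty -Path $serverKey).'(default)'
                $desc = (Get-ItemProperty -Path "$clsidRoot\$clsid" -ErrorAction SilentlyContinue).'(default)'
            }
            if ($dll) {
                $dll = [Environment]::ExpandEnvironmentVariables($dll)
                if (Test-Path $dll) {
                    # A valid signature from a known vendor is a strong (not absolute) hint
                    # that the BHO is legitimate; an unsigned DLL with a random-looking
                    # name in system32 deserves a closer look before it is trusted.
                    $sig = Get-AuthenticodeSignature -FilePath $dll
                    $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "$($sig.Status)" }
                } else {
                    $signer = 'file missing on disk'
                }
            }
            [pscustomobject]@{ CLSID = $clsid; Description = $desc; Dll = $dll; Signature = $signer }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize
```

A DLL that the inventory lists but that cannot be deleted while Explorer is running is exactly the case the permission trick above deals with: denying all access to the file stops it loading at the next boot.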
In the process, we also deleted a c:\windows\system32\$sys$filesystem directory that contained some suspicious-looking executables as well. Presumably it could have been a real program, and one that needed debughelp.dll for something, but I think most likely it was a hacker-type program that wanted to be able to get the call stack of other programs.
So, it took a long time to get rid of it, but we finally succeeded.
I downloaded BugDoctor to see if that could offer any help, but it was junk. It supposedly detected a thousand things that were wrong, but wouldn't show me the details or fix them unless I paid for it. I don't know why they wasted my time; I guess there is some marketing that says people are more likely to pay for it if they have already downloaded and installed it or something.
Posted by Jon Daley on April 8, 2006, 1:17 am | Read 4119 times
Comments
Hey! Thanks for helping us out! It's comforting to know that whatever thing was in here is gone. I love when people use ingenuity like changing file permissions etc...!
Posted by Michael Q on April 8, 2006, 11:42 am

In case anyone is searching for this in the future, the address where winlogon.exe was crashing with a NULL (0x00000000) pointer was at 0x10062550.
Posted by jondaley on April 8, 2006, 2:34 pm