Spyware: Remove Infostealer.Avisa

Since the download off the official site wasn't running at full speed, I decided to grab the demo off bit torrent instead. After (stupidly) installing a program from bit torrent, without first checking the comments, I had trouble moving the setup files after I was done.
Doing a little snooping, I was surprised to find a few extra executables in my Task Manager with somewhat suspicious filenames.

There were 2 instances of "rundii32.exe", as opposed to the usual "rundLL32.exe".

Great! Less than 2 weeks ago I got another virus, wasting another day off.
What a way to kill time.
I'm setting a new record here folks!

The culprit (File properties):
Size:1.30 MB (1,372,160 bytes)

How it got there:
Stupidly I didnt check the comments on the torrent before downloading and installing.

The installer was bundled with a trojan which extracted itself upon execution, making it seem authentic as the application actually installed properly.

The damage:
I'm still not quite sure which strand it was, but it created a file called "rundii32.exe" within the temporary folders "%TEMP%\IXP000.TMP" and "%TEMP%\IXP001.TMP" (where "%TEMP%" is your system temporary folder).

This may just be in my case, as it is a common trait of installer packagers to put files into directories with that naming convention.

I suppose these executables sit around and steal info.

Also, it adds itself into the startup.

The fix:
A nifty program that scans your running tasks (and startup) is Trend Micro HijackThis.
(Yes, I was surprised to find that Trend bought them out too!)

A quick scan showed that it had added itself to RunOnce, so to remove it...
I fired up TuneUp Utilities Registry Editor again.

Locating the keys within "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce", delete the 2 entries which refer to "IXP000.TMP" and "IXP001.TMP".

Now type in "%TEMP%\IXP000.TMP" and "%TEMP%\IXP001.TMP" into explorer to locate the "rundii32.exe" files and delete them.

That should be enough to clear it.
A through scan with an updated antivirus afterwards should do the trick.
Copyright © Twig's Tech Tips
Theme by BloggerThemes & TopWPThemes Sponsored by iBlogtoBlog