MALWARE
i. Opening Task Manager didn't help much, since it showed no suspicious process.
ii. Upon opening a drive, it opened in a new window. This made me certain that some code was being executed prior to opening the drive, marking the presence of an autorun.inf file, which would be super hidden.
iii. Initially I tried restoring the registry defaults, but it didn't work, indicating the malware was active and was monitoring registry changes and re-writing the malicious keys whenever the original entries were restored.
iv. Since the only thing I was certain of was the presence of an autorun.inf file, I went for the kill. Using killbox, I entered the path of the file as C:\autorun.inf and was able to find the file and delete it. Since killbox takes a backup of the deleted file in a folder on the C: drive, I accessed the file. I opened it by double-clicking it (don't be afraid, these files won't eat up your system when opened!). I found code to execute a U.COM file on drive autorun. This made me happy, since I got another chance to take my old revenge on this guy!
v. Using killbox, I gave the instruction to delete the file C:\U.COM. I was able to find the file and delete it. I repeated steps iv and v for all drives.
vi. To be certain of deleting all files, I searched the internet for details on the malware named U.COM and was able to find what files it creates. I deleted
    c:\windows\system32\drivers\klif.sys
    c:\windows\system32\olhrwef.exe
    c:\windows\system32\nmdfgds0.dll
    and deleted the registry key
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value cdoosoft = C:\WINDOWS\system32\olhrwef.exe
vii. Having cleaned the mess, I restored the Windows registry defaults, entered each drive, created a dummy autorun.inf folder and deleted suspicious files as well. Also delete all the files that killbox backed up after deletion. I deleted all files from all temp locations and, using CCleaner, deleted the startup entries of U.COM. Search in Registry Editor for U.COM entries and delete them all. Usually there are other related entries in the same subkey; delete them too. Restart your system and check if everything is OK.
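As an added example (not code from the original post), here is a small Python parser that does the inspection the author did by hand in step iv: it reads an autorun.inf and lists every program the [autorun] section would launch, so an entry such as open=U.COM can be flagged without double-clicking anything. The sample file contents are constructed for illustration; the post does not quote the real file.

```python
"""Report the programs an autorun.inf would launch.

Added example, not code from the original post. The SAMPLE_AUTORUN
text below is constructed to resemble the file the author describes
(an [autorun] section that executes U.COM); it is not the real file.
"""
import re

# Directives in [autorun] whose value is a program to execute.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=<program> entries also launch a program.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# Constructed sample: an autorun.inf that points every launch directive at U.COM.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=U.COM
shell\open\Command=U.COM
shell\open\Default=1
shellexecute=U.COM
"""

# Constructed sample: a harmless autorun.inf that only sets an icon and label.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.exe,0
label=My Disk
"""


def parse_autorun(text):
    """Return (key, program) pairs for every launch directive in [autorun].

    The parser is deliberately tolerant: section and key names are
    case-insensitive, whitespace around '=' is ignored, NUL bytes are
    dropped and lines that are not key=value pairs are skipped rather
    than aborting, since a hostile file may be padded with junk.
    """
    launched = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        value = value.strip()
        if not value:
            continue
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            launched.append((key, value))
    return launched


def is_suspicious(text, allowed=()):
    """True when the file launches any program not on the allow-list.

    `allowed` holds program names (first token of the directive value)
    that an administrator has vetted for this particular disk.
    """
    allow = {a.lower() for a in allowed}
    return any(prog.split()[0].lower() not in allow
               for _, prog in parse_autorun(text))


if __name__ == "__main__":
    for key, prog in parse_autorun(SAMPLE_AUTORUN):
        print(f"{key} -> {prog}")
    print("suspicious:", is_suspicious(SAMPLE_AUTORUN))
```

Run it against a copy of the file taken from the killbox backup folder (or any autorun.inf read with `open(path, errors="replace").read()`) rather than against the live file on the drive root; reading the file does not execute it, but keeping the analysis off the infected volume avoids touching it further.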
The malware U.COM falls into the category of CLOAKED MALWARE, the new generation of viruses. They run hidden from Task Manager, inside a background service such as svchost, alongside other system processes. They write into other programs' virtual memory, also called process hijacking. They are packed and/or encrypted so as to be invisible to our eyes. The malware adds a registry autostart entry so that the program loads at boot. It creates various files inside the system32 folder and also in all drives, and alters the registry to hide its files from the user.