Sometimes Windows can be a complete pain, well, Windows XP specifically. Today my colleague presented me with a spy-ware issue on his PC that he needed help removing. After trying the usual tools like HijackThis it became clear that this little critter wasn’t going to go away that easily.
I believe there were actually two on his machine, stored as C:\WINDOWS\system32\jkkjjge.dll and C:\WINDOWS\system32\ddcyx.dll. According to HijackThis both were loaded into Internet Explorer as Browser Helper Objects (BHOs), and the first one was being loaded under winlogon.exe as well. Trying to fix them with HijackThis didn’t work, as they were monitoring the registry and simply replaced the keys as they were deleted. As one was loaded under winlogon.exe it wasn’t a case of just killing the winlogon.exe process, as it’s a critical system process. Trying to get Windows to delete the files on reboot didn’t work either.
That is where my new favourite utility came in. It’s called IceSword and it’s really powerful. It allows you to search the running processes for loaded modules and then to attempt to unload the module from the process. In this case, unloading it from the winlogon.exe process resulted in an automated system shutdown, which I quickly aborted with shutdown -a at the command prompt. I then noticed that the ddcyx.dll module was loaded by the lsass.exe process, so I killed that as well. IceSword also allowed me to forcibly delete the files off disk. A reboot and a cleanup using HijackThis resulted in a clean machine once again.
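The two checks done by hand above (which BHOs are registered, and which running processes such as iexplore.exe, winlogon.exe or lsass.exe have their DLLs loaded) can be scripted. This is an added example, not part of the original post or of IceSword/HijackThis; it reads the standard BHO and CLSID registration keys and assumes an elevated PowerShell prompt.

```powershell
# Enumerate registered Browser Helper Objects, resolve each CLSID to its DLL,
# check the DLL's Authenticode status, and list which running processes have
# that DLL loaded. Both the native and the Wow6432Node hives are covered.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Resolve-BhoDll {
    param([string]$Clsid)
    # The BHO subkey name is the CLSID; its InprocServer32 default value is the DLL path.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

function Find-ProcessesWithModule {
    param([string]$DllPath)
    $name = [IO.Path]::GetFileName($DllPath)
    foreach ($p in Get-Process) {
        try {
            if ($p.Modules | Where-Object { $_.ModuleName -ieq $name }) {
                '{0} (PID {1})' -f $p.ProcessName, $p.Id
            }
        } catch {
            # Module list unreadable (access denied, or the process exited); skip it.
        }
    }
}

foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($clsidKey in Get-ChildItem $key) {
        $clsid = $clsidKey.PSChildName
        $dll   = Resolve-BhoDll $clsid
        $sig   = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature $dll).Status } else { 'n/a' }
        $hosts = if ($dll) { @(Find-ProcessesWithModule $dll) } else { @() }
        [pscustomobject]@{
            CLSID     = $clsid
            Dll       = $dll
            Signature = $sig
            LoadedIn  = ($hosts -join ', ')
        }
    }
}
```

An unsigned DLL with a random-looking name under system32 that shows up loaded in winlogon.exe or lsass.exe is exactly the pattern described above and warrants a closer look before anything is deleted.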
[tags]spy-ware,virus,utility,windows,IceSword,HijackThis[/tags]