How easy it is to install spyware – especially for the unsuspecting person. It almost happened to me yesterday. I logged out of my account on scribd.com to take a screenshot of Scribd from a not-logged-in perspective and got a dialog box pop up saying that Windows needed to perform an urgent scan of my PC. The dialog box just ‘didn’t look right’. Normally a Security Essentials dialog box would pop up and the box would be orange. Then the next thing I saw was a new browser window pop up showing me the following:
A few things to note here:
- System udgtrnbl – not a normal system volume name
- The Shared Documents and Hard Drive folder were flashing warnings that there were 5 infections on each folder
- This view of Control Panel is viewed through a browser window – not the normal control panel GUI
- This view of Control Panel is an XP view – I’m running Windows 7 with a totally different look and feel for the dialog box
- undefinedappmgmts.dll doesn’t exist
- Windows doesn’t have a ‘Start Protection’ button
I closed the initial dialog box (the ‘urgent scan’ warning) and got the download box for AntiSpy2011.exe which is captured in the snip above. This is the same spyware / worm / virus / trojan that paralysed my friend’s machine, which now needs a total format and rebuild before I’ll be happy with it.
A new process started – Companionuser.exe, which is a valid process used by Windows Live but is often used by malware and other malicious programs.
So how did I fix this?
- I closed all editions of iexplore.exe using Task Manager.
- I stopped the companionuser process
- I watched as it re-invoked itself… over and over again
Every time I stopped the process, it started again… Damn thing. And then I remembered where the virus was stored on my friend’s machine. The virus / worm lived in the Temporary Internet Files folder: C:\Users\%Username%\AppData\Local\Microsoft\Windows\Temporary Internet Files. In Internet Explorer, I clicked on the View files button, sorted the files by time accessed, and deleted all of the files, images and cookies that had been accessed in the last hour.
Only then did the companionuser.exe process stop re-appearing in Task Manager.
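The cleanup step above, as an added example that is not part of the original post: a PowerShell script that lists files in the Temporary Internet Files folder touched in the last hour, records their SHA-256 hashes, flags executables, and moves them to a quarantine folder only when -Move is given. It assumes Windows PowerShell 4.0 to 5.1; the parameter names and the quarantine folder are hypothetical.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 4.0-5.1.
param(
    [string]$CachePath  = (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'),
    [string]$Quarantine = (Join-Path $env:USERPROFILE 'cache-quarantine'),  # hypothetical folder
    [int]$Minutes       = 60,
    [switch]$Move       # without -Move the script only reports
)

$cutoff = (Get-Date).AddMinutes(-$Minutes)

# -Force is required because the cache folders are hidden system folders.
# NTFS last-access updates are off by default on Vista and later, so creation
# and write times are checked as well as the access time.
$recent = @(Get-ChildItem -LiteralPath $CachePath -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        -not $_.PSIsContainer -and (
            $_.CreationTime   -ge $cutoff -or
            $_.LastWriteTime  -ge $cutoff -or
            $_.LastAccessTime -ge $cutoff)
    })

$report = foreach ($f in $recent) {
    $magic = Get-Content -LiteralPath $f.FullName -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    $hash  = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Created = $f.CreationTime
        Length  = $f.Length
        # 'MZ' (0x4D 0x5A) marks a Windows executable, whatever the file extension says.
        IsExe   = ($magic.Count -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
        SHA256  = $hash.Hash
        Path    = $f.FullName
    }
}
$report | Sort-Object IsExe, Created -Descending | Format-Table -AutoSize

if ($Move -and $recent.Count -gt 0) {
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $i = 0
    foreach ($f in $recent) {
        # Numbered prefix avoids name collisions; the suffix stops accidental double-click execution.
        $dest = Join-Path $Quarantine ('{0:D4}_{1}.quarantined' -f $i, $f.Name)
        Move-Item -LiteralPath $f.FullName -Destination $dest -ErrorAction SilentlyContinue
        $i++
    }
}
```

Run it with Internet Explorer closed; files that a running process still holds open are skipped by the move and stay in the report.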
I can see how so many people install this worm. It pops up unexpectedly – all I was doing was logging out – and I must have rolled the mouse over an advert or something. Quick as anything, and to the unsuspecting person, worried about getting a virus or a worm, so simple to install.
But I thought it was certainly worth highlighting so that others can back themselves out of this problem safely – or know who to call when they have a problem… And delete cookie files regularly – just in case…