I came across a particularly nasty virus lately and I wanted to share some techniques on how to remove this virus and other virus programs that work the same way. The customer came in and said his laptop was running slow and thought he may have a virus. First things first, run HijackThis and remove anything that looks suspicious, restart and run it again, and find all the ones I just removed that came back. This is common: you remove them, they come back. So I make a note of those files, restart into Safe Mode, and then manually delete them. OK, done; however, upon restarting I still have pop-up advertisements.
I run Sysinternals Process Manager to view all processes currently running on the PC and find nothing out of the ordinary. Very strange. This is where things start to get confusing: how are these advertisements showing up if no running process is creating them?
This is a good time to introduce another tool by Sysinternals: File Monitor. This program shows you a running list of all the files currently being accessed by the operating system. Now we can get a clear picture not only of the running processes themselves but of the files being accessed. If you look at the screenshot below you will see one file in particular that looks suspicious, fccax.dll. It appears over and over again, and a quick Google search reports that it is in fact spyware. So now what? Let's delete it. However, we cannot delete it now because it is in use; restarting into Safe Mode won't work either, as it's still in use. Insert your Windows XP CD and boot to it; at the first screen hit 'R' to get into the Recovery Console. Now you can delete the file.
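The step above relies on eyeballing a long File Monitor list for a DLL that keeps reappearing across processes. The script below is an added example, not code from the original post or from Sysinternals: it parses a few constructed, tab-separated lines laid out like a File Monitor export (sequence, time, process:pid, request, path, result), counts successful accesses per DLL, records how many distinct processes touched each one, and ranks everything that is not on a caller-supplied list of known-good DLL names. The sample rows, the fccax.dll entries in them, and the known-good list are all constructed for illustration; an analyst would still verify the top entries by hand, as the post does with a web search.

```python
import ntpath
from dataclasses import dataclass, field

# Constructed sample rows approximating a File Monitor export
# (sequence, time, process:pid, request, path, result). Not real captured output.
SAMPLE_LOG = """\
1\t10:02:01\texplorer.exe:1234\tOPEN\tC:\\WINDOWS\\system32\\fccax.dll\tSUCCESS
2\t10:02:01\texplorer.exe:1234\tREAD\tC:\\WINDOWS\\system32\\fccax.dll\tSUCCESS
3\t10:02:02\tiexplore.exe:2020\tOPEN\tC:\\WINDOWS\\system32\\fccax.dll\tSUCCESS
4\t10:02:02\tiexplore.exe:2020\tOPEN\tC:\\WINDOWS\\system32\\shell32.dll\tSUCCESS
5\t10:02:03\tsvchost.exe:880\tREAD\tC:\\WINDOWS\\system32\\fccax.dll\tSUCCESS
6\t10:02:03\twinlogon.exe:600\tOPEN\tC:\\WINDOWS\\system32\\fccax.dll\tSUCCESS
7\t10:02:04\tiexplore.exe:2020\tREAD\tC:\\Program Files\\Internet Explorer\\iexplore.exe\tSUCCESS
8\t10:02:05\texplorer.exe:1234\tOPEN\tC:\\WINDOWS\\system32\\user32.dll\tSUCCESS
"""


@dataclass
class DllAccess:
    """Aggregated view of one DLL path seen in the monitor log."""
    path: str
    accesses: int = 0
    processes: set = field(default_factory=set)


def parse_filemon_lines(log_text):
    """Yield (process_name, request, path, result) per row.

    The process column carries a ':pid' suffix that is stripped so that
    several instances of the same executable count as one process name.
    Rows with fewer than six tab-separated columns are skipped.
    """
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue
        _seq, _time, proc, request, path, result = cols[:6]
        yield proc.rsplit(":", 1)[0].lower(), request, path, result


def summarize_dll_access(log_text):
    """Return {path: DllAccess} for every successfully accessed .dll file."""
    summary = {}
    for proc, _request, path, result in parse_filemon_lines(log_text):
        if result != "SUCCESS" or not path.lower().endswith(".dll"):
            continue
        entry = summary.setdefault(path, DllAccess(path))
        entry.accesses += 1
        entry.processes.add(proc)
    return summary


def rank_suspects(summary, known_good):
    """Paths not in known_good (a set of DLL file names, supplied by the caller),
    most widely loaded first: by distinct process count, then by access count.
    A DLL that shows up inside many unrelated processes is worth a closer look."""
    known = {name.lower() for name in known_good}
    suspects = [e for e in summary.values()
                if ntpath.basename(e.path).lower() not in known]
    suspects.sort(key=lambda e: (len(e.processes), e.accesses), reverse=True)
    return [e.path for e in suspects]


if __name__ == "__main__":
    # Hypothetical allow-list; a real one would come from a clean reference machine.
    known_good = {"shell32.dll", "user32.dll"}
    summary = summarize_dll_access(SAMPLE_LOG)
    for path in rank_suspects(summary, known_good):
        e = summary[path]
        print(f"{path}: {e.accesses} accesses from {len(e.processes)} processes "
              f"({', '.join(sorted(e.processes))})")
```

Run against a real export, the ranking only narrows the list; the deciding step is still checking the publisher and reputation of whatever lands at the top, and a file that is genuinely locked by every session (as fccax.dll is in the post) still has to be removed from outside the running system.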
