Monday, February 12, 2007

Chasing the Phantom Trojan

My weekend did not turn out exactly as planned. Far from it. Instead of painting new masterpieces, or working on photos, or driving to Wenatchee for a shopping spree, I spent a great portion of my weekend chasing down an infection in three of our computers. And, as I subsequently learned, a lot of other folks wound up doing the same thing.

On Saturday afternoon, I pulled out my laptop and decided to run a full CounterSpy scan, as it had been a couple of weeks since I had done it. I downloaded the latest spyware definitions from their website and began my scan. Not too far into it, the scan said I was infected with something called "Trojan.Gromozon." Not having heard of it before, I looked it up on my desktop computer.

I found out the following: "Trojan.Gromozon is a dangerous and complex threat that attempts to install various malware components onto the user's computer. Trojan.Gromozon is typically installed through browser exploits and makes several attempts to hide itself and to disable or bypass anti-malware tools. Once Trojan.Gromozon is active, it loads various pieces of Adware onto the machine, usually the LinkOptimizer trojans and premium-rate dialers." I also found out that it was a rootkit infection, the most dangerous type of malware out there.

After my scan was completed, I took all the necessary steps to remove the Trojan from my system, following the directions on the screen. The last step called for me to reboot the computer, which I did. After it came back online, I decided to run another CounterSpy scan just to make sure it was gone. But CounterSpy found it again. I took the same measures as before and ran a third scan. It was still there.

In the meantime (and I had plenty of time, as a full scan takes 20-30 minutes on my laptop), I decided to check my new desktop computer and Susan's computer in her office. CounterSpy found Trojan.Gromozon on both of those computers also. I went through the same procedure on both of them, and when I ran a rescan, both computers were still infected.

By now it was late Saturday evening, so I decided to leave it until Sunday. In the meantime, I shut down the Internet connection, as Gromozon needs a Net connection to do its dirty deeds.

Sunday morning I got to work again, doing more research to see if there was something else I could do. I ran a virus scan on all three computers, but only one found a small virus (not Gromozon), which I duly erased. I then downloaded trial copies of two other highly recommended spyware catchers: Spyware Doctor and Spy Sweeper.

Those scans revealed some additional spyware that CounterSpy missed, but they did not find Gromozon. (I will talk about these two products in more depth in another blog.) At about the same time, I received two phone calls from friends who use CounterSpy and were also being told they had Gromozon.

Continuing my research, I found out that an excellent security software company called Prevx has put out a free software product that will detect and remove Gromozon rootkits and clean up any other related Gromozon infections.

I downloaded it to all three of our computers. All three scans indicated that none of our computers had Trojan.Gromozon. By now I was pretty sure that CounterSpy was giving me a false-positive result, especially since CounterSpy said it had removed the infection, only to find it again on another sweep. But still, there was that nagging, scary feeling about being infected that just wouldn't go away.

More research on the Net eventually took me to the Spybot Search and Destroy User Forum. There I found other folks like myself who had spent their weekend doing the same thing. One of them wrote an e-mail to Sunbelt Software, makers of CounterSpy, not expecting any answer until Monday. But he got an immediate response:

Hi Brian,

Thank you for contacting Sunbelt Software. The Trojan.Gromozon detection
is an erroneous, phantom detection -- meaning that the file lpt4.ago is
not really on your system and that you are not at risk from the Gromozon
Trojan. This phantom detection is being produced by an odd interaction
between a file trace in our database and a little known aspect of the
Windows file system.

You can safely ignore this detection, which will be removed in the next
update to CounterSpy's definitions. Sorry for the inconvenience.

Warm regards,
Mike Williams
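
The "little known aspect of the Windows file system" in that reply is, given the file name it quotes, the Win32 rule that reserves the legacy DOS device names (CON, PRN, AUX, NUL, COM1-9, LPT1-9): a file name whose part before the first period is one of these refers to the device, in any directory and with any extension, so a plain existence check for lpt4.ago answers "present" on every Windows machine whether or not such a file was ever written. That a signature's file trace tripped on exactly this is the natural reading of the reply, not something the post states outright. The Python below is an added example, not code from the post or from Sunbelt; the reserved-name rule it encodes is the documented Windows behaviour, while the existence predicate is a constructed stand-in for a scanner's file check, and the trace list and the example_dropper.dll path are made up for illustration.

```python
import ntpath

# Legacy DOS device names that the Win32 namespace reserves (Microsoft's
# "Naming Files, Paths, and Namespaces"). The exact set differs slightly
# between Windows versions; this is the classic list.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(path: str) -> bool:
    """Return True if Windows would resolve the last component of `path` to a
    legacy device rather than to a file on disk.

    Windows compares the part of the file name before the first '.' against
    the reserved list, case-insensitively, so 'lpt4.ago', 'LPT4.ago' and
    'nul.txt' all name devices, while 'lpt4x.ago' and 'lpt10.ago' do not.
    """
    name = ntpath.basename(path).rstrip(" .")   # Windows drops trailing spaces/dots
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def windows_style_exists(real_files):
    """Build a stand-in for a scanner's file-existence check (constructed model).

    `real_files` is the set of paths that actually exist on the simulated
    machine. The predicate also answers True for any reserved device name,
    which is what a plain existence check does on Windows: the device is
    always "there", whether or not any file by that name is.
    """
    real = {p.lower() for p in real_files}

    def exists(path: str) -> bool:
        return path.lower() in real or is_reserved_device_name(path)

    return exists


def naive_scan(traces, exists):
    """The behaviour that produces a phantom detection: every trace whose
    path 'exists' is reported as a hit."""
    return [t for t in traces if exists(t)]


def guarded_scan(traces, exists):
    """Same check, but a reserved device name is never counted as evidence.
    Returns (hits, suppressed) so suppressed traces can be logged for review."""
    hits, suppressed = [], []
    for t in traces:
        if is_reserved_device_name(t):
            suppressed.append(t)
        elif exists(t):
            hits.append(t)
    return hits, suppressed


# Constructed sample file traces in the style of a signature-database entry:
# the first is the phantom name quoted in Sunbelt's reply, the second is a
# hypothetical dropper path used only to show what a genuine hit looks like.
SAMPLE_TRACES = [
    r"C:\WINDOWS\system32\lpt4.ago",
    r"C:\WINDOWS\system32\example_dropper.dll",
]

if __name__ == "__main__":
    clean_machine = windows_style_exists(set())
    print("naive scan, clean machine:  ", naive_scan(SAMPLE_TRACES, clean_machine))
    print("guarded scan, clean machine:", guarded_scan(SAMPLE_TRACES, clean_machine))

    infected = windows_style_exists({r"C:\WINDOWS\system32\example_dropper.dll"})
    print("guarded scan, infected:     ", guarded_scan(SAMPLE_TRACES, infected))
```

On the simulated clean machine the naive scan reports lpt4.ago as present, which is the weekend-ruining result described above, while the guarded scan reports no hits and lists the trace as suppressed; on the simulated infected machine only the real dropper path counts. The practitioner's takeaway is that a file trace is evidence only when the path can name an ordinary file: filter device names before counting, prefer opening and hashing the content over existence alone, and treat a rule that fires on every clean machine as a signal of exactly this class of signature bug.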


Aaaaaaaaagrh!! My weekend was ruined. I spent it chasing down a non-existent infection, and all they can do is say, "Sorry for the inconvenience." Needless to say, I am not happy with the CounterSpy folks right now. I hope my experiences will help you if you have CounterSpy and think you're infected.

Things like this sometimes make me wonder if it is worth being connected to the Internet, as there are so many despicable people out there who are trying to infect my computer and ruin my life, and I must spend a certain amount of time and money trying to stay one step ahead of them. But of course it is, as the Internet helped me eventually solve this problem, and I still think the Internet is worth the trouble.

I think being connected to the Internet is similar to having sex. It's a lot of fun... if you take all the proper precautions.
