Like a lot of other computer-savvy guys, I’ve gotten used to being called by friends to help them solve their computer problems. Today was no different, and as usual it was because of an MS Windows computer infected with spyware. Boy I hate this operating system…
Today’s spyware was hijacking MSN to propagate itself by sending the following message to the user’s contacts:
Da uma olhada nas fotos dessa festa…muito legal…
[link to the spyware]
Followed by a link to a .zip containing an executable (the spyware). The Portuguese text roughly means “Take a look at the photos from this party… very cool…”.
Of course, this spyware relies on the user being naive enough to click on it (thinking it was sent by their friends… never mind that it isn’t in their native language…).
I browsed the net to find information about this spyware, and everyone was asking to download anti-virus software and so on. I’m going to give you another way to disinfect your machine here, without requiring extra software. You should attempt this only if you feel confident enough; I’m not responsible if you mess up your computer even more. We are going to edit the registry database manually, which could really screw the computer up if you delete random stuff from it.
As I just said, I’m not going to give you the standard procedure to remove this spyware (which is to run an anti-spyware/anti-virus program after rebooting in safe mode). We are going to get our hands a little bit dirty, but it should take approx. 5 min to remove this very simple spyware. Furthermore, it’s not about the kill but the hunt. Understanding the procedure could help with other simple spyware. Without further introduction, let’s jump into it.
This spyware is a variant of PSW.Banker called Logged.Banker.Byu (by AVG anti-spyware). It is supposed to log your banking information whenever you connect to your online banking. As said earlier, to spread, it sends messages to your MSN contact list.
To disinfect your computer, follow these steps (it looks long, but only because I went into detail…):
- Press Ctrl-Alt-Del to display the current task list.
- Look for something called “icpldrvx” or “icpldrvx.exe” and kill it (terminate it). This is the spyware, resident in memory, and responsible for sending the MSN messages.
- From the Windows Start menu, go to “Start->Run” and run “regedit” (without the quotes).
- Go to the menu “Edit->Find” and search for “icpldrvx” (again without the quotes).
- It should find it. The key might be called “msconfig”, and the value should be set to “c:\windows\system\icpldrvx.exe” (Windows 98) or maybe “c:\windows\system32\icpldrvx.exe” (Windows 2000 or XP). Write down this value/file path; we’ll need it later. From now on we’ll assume the value was “c:\windows\system32\icpldrvx.exe”.
- Select this key (“msconfig” in our example) and delete it by pressing the Delete key. This entry in the registry database is how the spyware manages to start whenever you turn on your computer. That’s why we delete this entry.
- Do a “Find next” (F3); it shouldn’t find any other entries. If it does, delete those entries as well, checking each time that the value is set to the same file path.
- Exit/Close the registry editor.
- Delete the file “c:\windows\system32\icpldrvx.exe”, or wherever it is. Be careful! Don’t execute it and don’t double-click on it! Also make sure you empty your trash. You don’t want this file to stay around…
- We’re almost done. We are now going to delete the file downloaded by MSN when you clicked on it, just to make sure no one executes it by accident.
- Search your computer for the filename “fotofesta*.*”, or whatever the file you clicked on was called (the file will probably be found under “c:\windows\temp” or a temporary folder like that).
- Delete this file. Again, be careful not to execute it by double-clicking on it; otherwise it will reinfect your computer! Make sure you empty your trash again.
- Reboot your computer.
- You’re done!
- At this point I usually re-open the task list and verify that the spyware no longer appears in it. I re-open “regedit” and search for the spyware again to make sure nothing is found anymore. I verify as well that the files I deleted are really gone. This is an extra step I take to make sure everything is cleaned and that I didn’t miss some hidden and clever way the spyware could have used to start again when you rebooted.
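The registry search in the steps above is the part people get wrong most often, so here is the same hunt done offline, as an added example that is not part of the original post. It parses a regedit export (the kind you get from File->Export or `regedit /e`), finds every string value mentioning a given name (what “Edit->Find” does), and also lists the autostart entries under the Run keys whose executable is not on an allow-list, which is how an entry named “msconfig” that really launches icpldrvx.exe stands out. The sample export is constructed for this example; the post does not say which key the “msconfig” entry lives under, so placing it under HKLM\...\CurrentVersion\Run is an assumption.

```python
import re

# Constructed sample of a regedit export (.reg). Not taken from a real infected
# machine. The "msconfig" value mimics the entry described in the post; the key
# it sits under (HKLM ...\Run) is an assumption, the post does not name it.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msconfig"="c:\\windows\\system32\\icpldrvx.exe"
"SoundMan"="SOUNDMAN.EXE"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000000
'''

# Standard autostart locations (suffixes, so both HKLM and HKCU match).
AUTOSTART_KEY_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\RunServices",
)

# "name"="data" lines; backslash and double quote are escaped with a backslash.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} for the string values of an export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_references(keys, needle):
    """Like regedit's Find: every (key, name, data) whose name or data mentions needle."""
    needle = needle.lower()
    return [(key, name, data)
            for key, values in keys.items()
            for name, data in values.items()
            if needle in name.lower() or needle in data.lower()]


def executable_path(data):
    """Program path from a Run value: the quoted path, or the first token."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def autostart_entries(keys):
    """All (key, name, data) triples under a known autostart key."""
    suffixes = tuple(s.lower() for s in AUTOSTART_KEY_SUFFIXES)
    return [(key, name, data)
            for key, values in keys.items() if key.lower().endswith(suffixes)
            for name, data in values.items()]


def suspicious_autostarts(keys, known_good=()):
    """Autostart entries whose executable file name is not on the allow-list.
    Returns (key, value_name, exe_name); a value named one thing that launches
    an unrelated executable is the pattern the post describes."""
    allow = {k.lower() for k in known_good}
    flagged = []
    for key, name, data in autostart_entries(keys):
        exe = executable_path(data).rsplit("\\", 1)[-1].lower()
        if exe not in allow:
            flagged.append((key, name, exe))
    return flagged


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for hit in find_references(parsed, "icpldrvx"):
        print("reference:", hit)
    for entry in suspicious_autostarts(parsed, known_good=["soundman.exe", "msnmsgr.exe"]):
        print("unknown autostart:", entry)
```

Checking the exported file rather than the live registry has one practical advantage for the verification step at the end of the list: you can export once before the cleanup and once after the reboot, run the same search over both, and see exactly which entries disappeared.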
That’s it. I hope it will be useful for some people, and I can’t help but finish with the following advice: Buy a Mac
I agree on the last advice:)
Hi... I followed your instructions on removing that annoying virus; however, I do not have any of those files in my registry nor on my computer, and I still get the pop-up URL. Any advice?
Maybe you got a variant of this virus, or maybe you have multiple ones. It’s hard to give any advice without being in front of the computer, but if you saw icpldrvx in your task list, it means that something in the registry is starting it. Thus it has to be there somewhere. Also, maybe the executable’s name is a different one. People on the internet seem to be using “HijackThis” to find them, but I don’t have experience using this software.
But if you don’t feel comfortable trying to identify it, I would suggest going through the normal way: getting a recent anti-virus.
Sorry for not being more helpful.