Adware:win32/rugo – malware removal walkthrough

Lesson #1. Never judge a file by its icon. I was misled into believing it was an installation exe because of the icon image. I should have been more careful.

On the first day of Chinese New Year my itchy fingers got me into some really serious trouble: I saw a mysterious “installation” exe in my downloads folder and, as I always did, wanted to double-click it to see what installation it was that I had downloaded (I download installation files every now and then).

Lesson #2. Turn off all network connections immediately when you get infected, to prevent further damage and to quarantine your computer, unless you know it’s safe not to do so.

I realised my mistake immediately after the double-click. A moment later, Windows Defender popped up telling me that it had detected Adware:win32/rugo. Luckily for me, I consider adware the least harmful among the many other types of irritants. Knowing that it is adware and not some trojan or keylogger that takes control over your system, I can safely keep the Internet connection on without having to worry about spreading the virus to other computers on the network or getting my computer compromised by some hacker.

Lesson #3. Once you think you are infected, do not simply turn off or restart your computer.

Complete infection may not start immediately, and sometimes requires further action before its full power is unleashed. Hence, the next best step is actually not to do anything on the computer. Not even restarting the computer. A restart is usually the worst thing to do, as it allows the infection to enjoy a clean startup procedure. If you have access to another computer, use that to proceed. Otherwise, with the infected computer, the next thing to do is…

Lesson #4. Find out what the malware does.

More often than not, you probably won’t find any direct recipe for the antidote. This is because the malware changes its appearance across different released versions. However, the behaviour and the method of infection generally do not change. Hence, the first thing to look out for when researching the malware is to understand how it operates.

Lesson #5. Look out for the locations and names of processes, files and registry keys.

On XP and Vista systems, many infections start like this:

  1. You run a poisonous program file directly by clicking on it, or indirectly by allowing some other program to start it.
  2. The program file creates poison files, registry keys, configurations and permissions and injects them into various locations in the computer.
  3. Amongst the created poison files, a watchdog program is created and started. When this watchdog starts, something known as a “process” is created. This process has a permission configuration such that there is no way to cancel/stop it during normal operation. Deleting the watchdog program will not remove the process. By now, you are infected.
  4. The watchdog process runs every now and then to ensure that the poison files are not deleted, including the watchdog program itself. If they have been, the process recreates them. Recreated files may have completely different locations and filenames, making you think you had already deleted them.
  5. Sometimes, the process is programmed to complete some final stages of the infection work on shutdown/restart. Hence, do not give it the chance to do so.
  6. Since the watchdog program can never be deleted normally, every time the computer enters Windows, the process will be started by the watchdog program and the cycle repeats.

Hence the period during which the infection takes place is really from the time you enter Windows until the time you shut down completely. If there is any chance for you, it is the ability to interrupt the watchdog process. However, very powerful viruses can infect you even before you enter Windows, before you have any chance to interrupt the boot sequence. Once you can stop the process, poison files will not be recreated and the infection can be removed successfully.
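As an added example that is not part of the original post, the PowerShell script below snapshots the common autorun registry keys, the Startup folders and the running process list, so you can check whether entries you removed are being recreated (possibly under new names) by a watchdog process like the one described above. It assumes Windows PowerShell with read access to HKLM; the 60-second wait is an arbitrary choice.

```powershell
# Added example: detect autorun entries and files that reappear after removal.
# Persistence points checked (well-known autorun locations, not specific to Rugo).
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-PersistenceSnapshot {
    # Returns one sorted string per autorun value, startup file and running process.
    $items = @()
    foreach ($key in $RunKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PS* metadata properties PowerShell adds to registry objects.
                if ($p.Name -notlike 'PS*') { $items += "REG|$key|$($p.Name)|$($p.Value)" }
            }
        }
    }
    foreach ($dir in $StartupDirs) {
        if (Test-Path $dir) {
            # PSIsContainer check instead of -File so this also runs on PowerShell 2.0.
            Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer } |
                ForEach-Object { $items += "FILE|$($_.FullName)|$($_.Length)" }
        }
    }
    Get-Process | ForEach-Object { $items += "PROC|$($_.ProcessName)" }
    return $items | Sort-Object -Unique
}

# 1. Baseline, 2. snapshot right after you delete the suspicious entries,
# 3. snapshot after a wait. Anything present in 3 but not in 2 was (re)created
# while you did nothing, which is the watchdog behaviour to look for.
$baseline = Get-PersistenceSnapshot
Read-Host 'Delete the suspicious entries/files now, then press Enter'
$afterDelete = Get-PersistenceSnapshot
Start-Sleep -Seconds 60
$later = Get-PersistenceSnapshot
Compare-Object -ReferenceObject $afterDelete -DifferenceObject $later |
    Where-Object { $_.SideIndicator -eq '=>' } |
    ForEach-Object {
        $tag = if ($baseline -contains $_.InputObject) { 'RESTORED' } else { 'NEW' }
        "$tag`: $($_.InputObject)"
    }
```

Entries tagged RESTORED came back under their original name; entries tagged NEW appeared under a different name or path, which is the relocation trick described in step 4.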