Tuesday, 6 October 2015

Killing ‘Ads by La Superba’ Virus

My laptop (with Symantec Endpoint Protection installed) was infected by a variation of Shopperz a few days ago. A Google search shows many web postings claiming to give instructions for removing the virus. However, most of them are rubbish and are simply trying to peddle their so-called cleaners…

The blog post from Malwarebytes is the only comprehensive article explaining the inner workings of the virus and how to remove it. My experience is a bit different from what is described in that post:

  1. There are no Shopperz (or similar) add-ons or extensions in my web browsers – I don’t see any additional add-on/extension in any of them.
  2. I did not see any unrecognisable scheduled tasks, nor any rogue RunOnce entries in the Windows Registry.
  3. It certainly does not show up in the Programs list (Control Panel – Programs …).

I used the Malwarebytes free version to scan and clean. However, it did not find any suspicious executables or DLLs related to this virus. It did find the fake hosts file though – in my case it was called ‘cug\teu\jabak.dat’. I promptly removed this file. I also deleted all the browser data (cookies, temp files, etc.).

So the only action left for me was to overwrite the infected c:\windows\system32\dnsapi.dll with a clean one. I tried to use ‘sfc /verifyfile=c:\windows\system32\dnsapi.dll’ to fix it, but it did not work. I can’t remember whether I ran the shell and the command with Administrator rights or not. I could not boot the system into Safe Mode because my laptop is a company one and Safe Mode was probably disabled.

What I did instead was to search for the file ‘dnsapi.dll’ in the c:\windows directory. Several entries showed up – some of them in c:\windows\winsxs\x86_microsoft-windows-dns-client_…(a long string) directories, and their timestamps looked safe enough (2011). So I just copied one of them over the dnsapi.dll in windows\system32. Note that because c:\windows\system32\dnsapi.dll is held open by the system it cannot be overwritten as is; two steps are required:

  1. rename the bad dnsapi.dll to some other name (I used the ‘move’ command in a cmd shell, run as Administrator of course)
  2. then copy the clean version into c:\windows\system32
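The same triage and replacement, written up as an added PowerShell example rather than the commands from the post above. It is not the author's script and assumes an elevated PowerShell 4.0 or later prompt (for Get-FileHash), the standard Windows paths, and that the WinSxS component directory names can be matched by the ‘dns-client’ wildcard because the full name varies per build. Two facts worth having alongside the post: `sfc /verifyfile` only reports on a file, while `sfc /scanfile` also repairs it; and a loaded DLL can be renamed on the same volume even though it cannot be overwritten or deleted, which is why the move-then-copy sequence works. The DataBasePath check is a general hosts-file hijack check, not something the post describes. The `Replace-DnsApi` function name and the `.bad` backup suffix are this example's own choices.

```powershell
# Added example, not code from the original post. Run from an elevated
# PowerShell (4.0+) prompt. Assumed paths are the standard Windows ones.
#Requires -RunAsAdministrator

$target = Join-Path $env:SystemRoot 'System32\dnsapi.dll'

# 1. Let the servicing stack check and, if it can, repair the file itself.
#    /verifyfile only reports; /scanfile repairs from the component store.
sfc.exe /scanfile=$target

# 2. Signature check. Windows system DLLs are catalog-signed. On Windows 8
#    and later Get-AuthenticodeSignature resolves catalog signatures, so a
#    status other than 'Valid' with a Microsoft signer is suspicious. On
#    Windows 7 it may report NotSigned for catalog-signed files, so treat
#    this as a hint there rather than proof.
$sig = Get-AuthenticodeSignature -FilePath $target
'{0}: {1} ({2})' -f $target, $sig.Status, $sig.SignerCertificate.Subject

# 3. Compare the live DLL against every copy kept in WinSxS. A clean live
#    file hashes the same as the copy for the installed build; one that
#    matches none of them (often with a fresh timestamp) is the patched one.
$liveHash = (Get-FileHash -Algorithm SHA256 -Path $target).Hash
$candidates = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS\*dns-client*') `
    -Recurse -Filter 'dnsapi.dll' | Sort-Object LastWriteTime -Descending
foreach ($c in $candidates) {
    $h = (Get-FileHash -Algorithm SHA256 -Path $c.FullName).Hash
    $match = if ($h -eq $liveHash) { 'MATCH  ' } else { 'differs' }
    '{0}  {1:yyyy-MM-dd}  {2}' -f $match, $c.LastWriteTime, $c.FullName
}

# 4. Hosts-file hijack check (general, not specific to this family): the
#    resolver reads 'hosts' from the DataBasePath registry value, so print
#    where that points and any non-comment entries in the file it names.
$params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dbPath = [Environment]::ExpandEnvironmentVariables($params.DataBasePath)
"DataBasePath = $dbPath"
Get-Content -Path (Join-Path $dbPath 'hosts') -ErrorAction SilentlyContinue |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }

# 5. Replacement. The mapped DLL cannot be overwritten in place, but it can
#    be renamed on the same volume, so move it aside and copy the clean
#    copy in. Pick the WinSxS copy for the installed build and the right
#    architecture: on 64-bit Windows, System32 holds the amd64 DLL and
#    SysWOW64 the x86 one (the post's x86_... directory is the 32-bit copy).
function Replace-DnsApi {
    param([Parameter(Mandatory)][string]$CleanCopy)
    $backup = "$target.bad"   # example's own backup name
    # System32 files are owned by TrustedInstaller; take ownership first.
    takeown.exe /f $target | Out-Null
    icacls.exe $target /grant 'Administrators:F' | Out-Null
    Move-Item -Path $target -Destination $backup -Force
    Copy-Item -Path $CleanCopy -Destination $target
    # Re-check the new file; reboot afterwards so every process loads it.
    (Get-AuthenticodeSignature -FilePath $target).Status
}

# Example call once step 3 has identified the clean copy (path assumed):
# Replace-DnsApi -CleanCopy 'C:\Windows\WinSxS\x86_microsoft-windows-dns-client_...\dnsapi.dll'
```

Keep the renamed `.bad` copy until the machine has rebooted cleanly; it is the only evidence of what was patched, and a hash of it is what you would submit to a vendor or search for in other machines.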

Summary

In summary the actions I have taken were:

  1. remove the fake hosts file
  2. clean browser data for all my browsers
  3. replace dnsapi.dll with clean version

It’s been two days since I did that. My computer seems to have stayed clean so far.
