
Malware Removal: libsys32.exe

I was helping a friend re-install his entire Microsoft Windows XP Home system recently. After the re-install, things still were not running correctly. Sometimes the net would not work, sometimes it would. The machine would freeze for minutes, then resume what it was doing before.

With such activity, I always suspect malware. And I’m always right.

I ran a program called TCPView:

[http://www.sysinternals.com/Utilities/TcpView.html](http://www.sysinternals.com/Utilities/TcpView.html)

This handy little program lists every TCP and UDP endpoint on the machine together with the process that owns it, which `netstat -ano` only shows as a bare PID. There were a few hundred entries for a process called libsys32.exe. Search Google for this and you’ll see immediately that it’s malware: a backdoor that connects out to a remote machine and asks it for instructions on what to do. In other words, it’s _evil_; whoever runs that remote machine owns your computer. One process you don’t recognise holding hundreds of connections to the same remote host and port is exactly the pattern to look for in TCPView.

Now comes the trouble of removing it. More searching on the net led me to a nice site with instructions for removing almost anything you don’t want:

[http://www.bleepingcomputer.com/tutorials/tutorial101.html](http://www.bleepingcomputer.com/tutorials/tutorial101.html)

These instructions will direct you to download a nice little program called Autoruns:

[http://www.sysinternals.com/Utilities/Autoruns.html](http://www.sysinternals.com/Utilities/Autoruns.html)

This is Mike Lin’s Startup Control Panel on steroids. It’s probably much better, and it is certainly more extensive: besides the Run keys and the Startup folder it covers services, drivers, Winlogon hooks, browser helper objects, scheduled tasks and the other places malware likes to register itself, so an entry that a simple startup editor never shows still turns up. All you need to do is boot Windows in Safe Mode, run Autoruns, disable or delete the evil software’s entries, delete the evil software off the disk, and finally reboot. Safe Mode matters because the malware is normally not started there, so it can’t re-create its entries or hold its file open while you remove it. After the reboot, run TCPView again: if the process and its connections are gone, so is the infection; if they come back, something else is restarting it and you’re not done.

That’s the short version. Read the instructions linked above for the more extensive version.
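To make the two checks above concrete, here is an added example from the editor (not code from the original post, and not part of TCPView or Autoruns) that does offline what those two tools show interactively: it parses saved `netstat -ano` and `tasklist` output to find a process holding an unusual number of connections to one remote host, then scans a `reg export` dump of an autostart key for the entry that launches that image. The command output, the PIDs, the 203.0.113.7:6667 controller address and the `libsys32` registry value name are all constructed for the sample; where libsys32.exe really hides on a given machine is whatever Autoruns shows you.

```python
"""Offline triage of the two things TCPView and Autoruns show: which process
owns a pile of connections, and which autostart entry launches it.
Editor's added example; all sample output below is constructed."""
import re
from collections import Counter, defaultdict

# Foreign addresses netstat prints for sockets that have no peer at all.
NO_PEER = {"0.0.0.0:0", "*:*", "[::]:0"}


def parse_netstat(text):
    """Yield (proto, local, foreign, state, pid) from `netstat -ano` output.
    UDP rows have no State column, so the PID is always the last field."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank lines
        state = f[3] if f[0] == "TCP" else ""
        yield f[0], f[1], f[2], state, int(f[-1])


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output; names may contain spaces."""
    row = re.compile(r"^(?P<name>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")
    return {int(m.group("pid")): m.group("name")
            for m in map(row.match, text.splitlines()) if m}


def suspicious_processes(netstat_text, tasklist_text, threshold=50):
    """Processes holding at least `threshold` sockets with a real remote peer,
    busiest first. A backdoor polling its controller shows up as one image
    with hundreds of connections to a single host:port."""
    names = parse_tasklist(tasklist_text)
    count, peers = Counter(), defaultdict(set)
    for _proto, _local, foreign, _state, pid in parse_netstat(netstat_text):
        if foreign not in NO_PEER:
            count[pid] += 1
            peers[pid].add(foreign)
    return [{"pid": pid, "image": names.get(pid, "<unknown>"),
             "connections": n, "peers": sorted(peers[pid])}
            for pid, n in count.most_common() if n >= threshold]


def autorun_entries_for(reg_export_text, image_name):
    """Autostart values in a `reg export` dump whose command mentions
    image_name, as (key, value_name, command): what you would disable in Autoruns."""
    value = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
    key, hits = None, []
    for line in reg_export_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = value.match(line)
        if m:  # .reg files double every backslash and escape embedded quotes
            data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
            if image_name.lower() in data.lower():
                hits.append((key, m.group("name"), data))
    return hits


# Constructed `netstat -ano` output: a few normal sockets plus the pattern the
# post describes, one PID with hundreds of connections to one remote host.
# 203.0.113.7 is a documentation address, not a real controller; PIDs are made up.
SAMPLE_NETSTAT = "\n".join(
    ["", "Active Connections", "",
     "  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924",
     "  TCP    192.168.1.5:1033       192.168.1.1:80         ESTABLISHED     1580",
     "  UDP    0.0.0.0:445            *:*                                    4"]
    + [f"  TCP    192.168.1.5:{1100 + i}       203.0.113.7:6667       ESTABLISHED     1640"
       for i in range(300)]
    + ["  TCP    192.168.1.5:1400       203.0.113.7:6667       SYN_SENT        1640"])

# Constructed `tasklist` output matching the PIDs above.
SAMPLE_TASKLIST = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  924 Console                 0      4,532 K
iexplore.exe                1580 Console                 0     18,204 K
libsys32.exe                1640 Console                 0      3,120 K
"""

# Constructed `reg export` of the Run key; the "libsys32" value name is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"libsys32"="C:\\WINDOWS\\system32\\libsys32.exe"
"""

if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{hit['image']} (PID {hit['pid']}): {hit['connections']} "
              f"connections to {', '.join(hit['peers'])}")
        for key, name, command in autorun_entries_for(SAMPLE_REG, hit["image"]):
            print(f"  autostart [{key}] {name} = {command}")
```

On a real box you would feed it the saved output of `netstat -ano`, `tasklist` and `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` instead of the samples (this assumes `tasklist` is present; it shipped with XP Pro but not, as far as I recall, with XP Home, where TCPView itself already shows the image name beside each PID). The threshold of 50 is a judgement call: a browser with many tabs can legitimately hold dozens of sockets, but one process with hundreds of connections to the same host:port is the pattern the post describes.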

“But Hawk,” you may ask, “how do we know what software is evil?”

I get questions like this a lot. I also get comments such as, “Wow Hawk, you’re so smart. Can I be just like you when I grow up?”

To which I reply, “Don’t ever grow up. I didn’t; I’m still 12.” And to the first question, “Use Google.”

Honestly, I’m not all that smart. How did I know that libsys32.exe was evil? I had not a clue when I started this investigation. How did I find out? I went to this site:

[http://www.google.com/](http://www.google.com/)

I entered libsys32.exe into the search box, and then I clicked the ‘Search’ button. As I do this exercise right now, I see the second entry has this text: “libsys32.exe is Trojan/Backdoor”. But I didn’t stop there (remember I’m still mostly clueless). I needed more clues, so I clicked on the first link, the one which goes to the info page for this specific malware:

[http://www.bleepingcomputer.com/startups/libsys32.exe-12025.html](http://www.bleepingcomputer.com/startups/libsys32.exe-12025.html)

This page states, “This is an undesirable program.” Ha! That’s putting it mildly. My friend could barely use his system at all with this crap running in the background. This page also states, “This file has been identified as a program that is undesirable to have running on your computer. This consists of programs that are misleading, harmful, or undesirable.”

Okay, I’ve got enough clues to not be clueless about this thing. Now I know exactly what I need to remove from Windows startup using Autoruns.

So… now I have one more tool in my arsenal against malware. Here’s my current malware software toolbox:

TcpView:
[http://www.sysinternals.com/Utilities/TcpView.html](http://www.sysinternals.com/Utilities/TcpView.html)

Spybot Search and Destroy spyware removal tool:
[http://safer-networking.org/en/index.html](http://safer-networking.org/en/index.html)

ClamWin antivirus:
[http://clamwin.com/](http://clamwin.com/)

x-Cleaner:
[http://www.xblock.com/](http://www.xblock.com/)

Startup Control Panel by Mike Lin:
(this is what I used to use)
[http://mlin.net/StartupCPL.shtml](http://mlin.net/StartupCPL.shtml)

Autoruns:
[http://www.sysinternals.com/Utilities/Autoruns.html](http://www.sysinternals.com/Utilities/Autoruns.html)

I hope this helps defeat those MalWare-writing bastard asshole criminals.

One Response

  1. Xaeridus says on October 15th, 2006 at 12:00 pm:

    Sweet list. Windows gets harder by the day to use successfully on the internet. There is so much crap out there, I’ve resorted to using virtual machines to browse the net with. It’s also a good idea to disable Java, and restrict JavaScript access to only a few functions (turn it off completely if you visit somewhere risky like “hack” sites, pr0n sites or “cracks”; searching for “playstation cheat codes” even tends to bring up those questionable sites).

    TCPView is awesome. I’ve been looking for a netstat for Windows. It’s the fastest way to find out what you’re really connecting to. You can spend a few minutes using it each day to find out if you’ve got viruses, trojans or spyware that haven’t been caught by your antivirus.

    Keep up the good work!
