Untitled Document

Understanding Suspicious.Mystic

Suspicious.Mystic is a root-kit/common variant of a malicous adware bug designed, to completely take over your computer and 'get you' to purchase their software (which doesnt/will not fix your problem).

As of this writing (8/20/2010) Norton, Kaspersky, McAfee, Malwarebytes, SUPERAntivirus as well as other software DOES NOT correct the problem. In fact, Symantic considers it a 'low risk'. Which is all fine and dandy, unless its taken over your PC and you cannot remove it.

I have figured it out (it took me 9 hours of work) and successfully removed suspicious.mystic from multiple PC's.

The following info explains to you how to remove this pest from your life, with minimum hassle and WITHOUT REFORMATTING!

If this helps you, please consider donating to the cause. It is my goal to use donations to stop virus's that the big software companies overlook.

Suspicious.mystic attacks your computer in multiple ways.

First, it infects and deletes the program "explorer.exe" in the WINDOWS directory of your PC. (Typically, the beginning of the infection, causes your system to crash, and upon reboot, you have no START, Task bar or ICONS on your Desktop).

Next, it the infection spreads to "winlogon.exe", which I expect was the virus creators way of keeping the rootkit/virus resident in memory so that it can replicate.

Then it turns to the meat and potato's of the virus, which is that it installs at least 3 (possibly 4) DLL's into your WINDOWS directory and THEN adds them to your registry to be executed upon start up.

From there, it launches multiple payloads, which consist of blasting your PC with messages that "you computer may be infected", spelled like the person who created the virus had no grasp of the English Language (probably because they don’t and are most likely in China). It tries to trick you into purchasing software from them, which will not work.

The second payload that suspicious.mystic drops upon you is that it latches into your email program and starts sending out TONS of Spam, which contain the suspicious.mystic rootkit for others enjoyment.

At this point, your desktop is blank, everyone and their grandmother has been Spam bombed and you cannot even get to a website to fix your pc. Norton doesn’t work. Neither does anything else you have tried. Which is not a good place to be. You feel like you have a very expensive paper weight instead of a computer.

Then the fun starts. (Yeah, this thing gets worse).

In at least 1 instance, it seemed to be key logging and scanning for network addresses, changing your firewall, switching your network traffic off/on port 80, blocking DNS requests and giving you a message that "The website cannot be displayed" as well as other mischief. So much so that I stopped watching. (In some variants, it tries to protect itself by modifying your RESTORE points, slamming itself into your WINDOWs Prefetch directory and making your Recovery points worthless!

I even had a version trying to turn my PC into a zombie, while I was sitting there watching it! (Fortunately, that was only replicating in memory, so I was able to block it before it did any damage)

Fixing the thing that would not die!

You will need the following: a flash drive, a ‘good’ copy of explorer.exe (from the WINDOWS directory of a working computer and down load some other software.

First, download Ad-Aware software to your flash drive. (it is free, click here!)

Next, download Ccleaner software to your flash drive. (It is free, here is the link)

Next, copy a good copy of explorer.exe from a non-infected PC to your flash drive (You might also want to copy winlogon.exe from there too).

Plug your flash drive into your infected PC and boot to SAFE Mode (this is done by pressing the F8 key while restarting the computer). Choose Safe Mode or Safe Mode with Networking.

Note—your system ‘may crash’ a few times before you can successfully get into SAFE mode. Many rootkit/virus’s run various DLL’s that they have put on your machine that are malicious. Some of them tend to crash your system frequently. Usually you can get into Safe Mode. Some variants of suspicious.mystic even affect SAFE MODE. Just try a few times.

Eventually you will get to SAFE Mode. It will look like a blank screen, with SAFE MODE in all 4 corners.

You will notice that you have no Icons, start button or task bar. This is because your explorer.exe has been deleted/infected by the rootkit.

Now, comes a tricky part.

You will need to Right Click at the bottom of your screen and start Task Manager.

Once in Task Manager, choose the APPLICATIONS tab.

In the lower RIGHT of your screen you will see a button “New Task”. Click that.

Choose BROWSE and navigate to your flash drive and find the explorer.exe that you stored there.

Right Click on explorer.exe, choose COPY, then navigate using BROWSE to your C:\WINDOWS directory.

Right Click again and choose Paste. This will attempt to put it back in your C:\WINDOWS directory where it belongs.

More than likely here, your Anti-Virus will recognize that “suspicious.mystic” has infected your PC. IT will display some messages. Don’t Panic. That’s normal. Click OPEN (on the new task for explorer.exe) and it should run explorer.exe. This will bring back your Icons and Start Button and task bar.

(NOTE – the virus will have infected explorer.exe again and/or your system may have deleted explorer.exe again before you can run it. Just run it as fast as you can. And your Icons/Start menu will be back.

Now, you need to run Ad-Aware from your flash drive.

Hit Start, RUN, navigate to your flash drive and choose Ad-Aware. Install it and run it.

It will take a few minutes to go through your entire PC, depending on how much info you have.

If it asks you to Reboot, DO NOT REBOOT IT JUST YET. Just sit on that Yes/No or OK screen.

At this point most of your PC will be cleaned. However, it will not fully remove the virus or its effects.

You will need to Recopy “explorer.exe” back to your C:\WINDOWS directory again. You may have to do this to winlogon.exe too. (The virus probably will have already infected it, or deleted it or your anti-virus may have deleted or quarantined it for you, so you need it in there again) So go back to the Task Manager, New Task, Browse to flash drive, right click copy and navigate back to C:\WINDOWS and paste it down. You can do this all on the page asking you to reboot.

This time, it should not be attacked.

(NOTE If your virus scan STILL tries to block explorer.exe or gives you strange messages at this point, you probably have a variant. Go to the very bottom of the section on VARIANTS for more information)

Now you can click OK to reboot your system to Normal Windows.

You are not done yet.

Once your system reboots, you will get various error messages. Write down the names of the DLL files that the system gives you errors on. These are the DLL’s that the virus loaded on your machine. Ad-Aware DOES NOT always remove them from your Registry. It just removes the DLL’s from the c:\WINDOWS directory.

Now Start, Run, navigate to your flash drive and install/run Ccleaner.

(NOTE, if you do not want to download Ccleaner, you can edit your registry yourself and remove all instances of the DLL’s by searching and manually deleting the entries. In a number of cases that I saw, they were named jacacrt.dll, oresicujola.dll and mmduch.dll
Manually editing your Registry can be tricky. Do no do this if you are inexperienced.)

Once Ccleaner is loaded, on the LEFT of your screen choose REGISTRY, then at the bottom of the screen choose ANALYZE. Once it is done analyzing, choose FIX.

It will run quickly. It will delete the Registry entries that gave the errors on boot up. Make sure the DLL’s that were deleted were removed by Ccleaner and or were the ones that gave you errors on boot up.

At this point, you should be free from the virus itself. But not all its affects.

You now need to fire up Internet Explorer.

It will say that it cannot find your homepage or whatever website you type in. (Typically, this is because it has tried a LAN attack). Choose TOOLS, then Internet Options, Connections and then Click OFF the LAN checkboxes. (All check boxes should be OFF on this page).

Voila! You should be free from the suspicious.mystic virus.

You can run Ad-Aware again to see that it finds nothing bad on your PC.

You can reboot and check your work, knowing that you did not lose anything (Hopefully), other than maybe some cookies and bit of your time.

This pattern/method should work with a number of rootkits/variants that are not covered by the big virus scan programs. That does not mean that they are not good products, it may just mean they never hit/found a particular variant. Most likely, it is because rootkits change their names frequently and their signatures are difficult to detect.

If this helped you. Saved you money or made your life easier. Please consider a donation (no matter how small), it will help me pay for/figure out other issues/problems with adware/viruses that slip by the big guns. I am just the little guy, trying to help out.

Thanx!
Andy R.

VARIANTS (and other info)

Variants are modified versions of rootkits/viruses intended to skip past signatures in Anti-Virus programs. Ad-Aware may not find it. Neither may other software. But don’t give up hope.

Typically rootkits install a number of ‘bad’ DLL’s in your C:\WINDOWS directory. Because of their nature, their names are goofy looking, such as oresicujola.dll or klelksdl.dll or such. Look in your windows directory at all your DLL’s and then search in Google/Microsoft for oresicujola.dll or whatever the name is. Fake/Bad DLL’s from rootkits typically do not have definitions in Google/Microsoft. If they are not valid, there is no harm in deleting them or renaming them to something else less toxic. Once the DLL’s are removed/renamed, they cannot fire their payload.

They almost always modify your registry. Or delete something important. Most files can be found on a working (non infected) PC. Some don’t transfer over well or easy and a repair install is necessary.

Variants also do different things. They crash your computer. Lock you out. Change your homepage. Many times, they even change their names with every reboot. This makes them difficult to find/conquer. But not impossible. A little diligence and you can get the buggers out of your life.

Again, I wish you well on getting this thing out of your life and please donate if you can.