A PUP is a Potentially Unwanted Program: not necessarily a virus, malware or malicious code, but something that just messes with your system.
So a little background before I dive into what happened. I’ve been working in the IT industry for 20+ years; I know my way around IT “stuff” and am computer savvy. I exercise care with my personal information on the web, and I don’t use a password more than once. I have a number of safeguards in place to prevent an attack as best I can, measures to mitigate damage, and processes for recovery and restoration.
Mid-week one of my computers began to behave oddly. It is hard to articulate, but I know how my system should be performing and I knew something was going on.
A number of virus scanning tools, some well known names, reported my system was clean. In each case, signatures were up to date and heuristic scanning was being performed. I tried an AV a friend had mentioned on more than one occasion in the past, and while it couldn’t find the problem, at least it was popping up telling me something was going on.
Lots and lots of stuff, all taking place inside my temp directory. The traditional AV vendors were not up to the task and I was in a fortunate position to alter the battlefield.
Enter Cylance. Why fortunate? As far as I know this is still not available to the everyday user, much to the delight of the other AV vendors I’m sure, but we use this at a corporate level and I deployed it onto my home PC.
This was the tipping point. Cylance put a stop to the behavioral activity of this PUP and that let me get in front of it. None of the products at my disposal could find this, but at least I had halted its progress. I had to find this the old-fashioned way.
Rebooted into Windows Command repair mode and cleaned out the temp directories. Sadly, stuff came back. This time there was a clue: a directory named “kerhdom”. Found this and wiped it out. Checked the registry for references to “kerhdom” and wiped them out. Some of those had further references to MIO.exe. Rinse and repeat. Then further references to msi files inside c:\windows\installer. Not only did I delete them, but I fired up my local group policy editor and created my own software restriction policy to prevent these from executing.
Deeper and deeper, chasing reference after reference, methodically cleaning out this garbage. The last were tied to the Windows Task Scheduler, which was running active script at login. I tailored Cylance and blocked ALL scripting.
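The hunt above walks the same few persistence spots by hand: temp directories, registry autostart entries, the Windows Installer cache and scheduled tasks. The script below is an added example, not the author's, that sweeps those locations read-only for the names the post mentions (“kerhdom”, MIO.exe) and lists hits for manual review; the indicator list, the seven-day window on .msi files and the script-host names are my assumptions and should be adjusted for your own case.

```powershell
# Added example: read-only triage sweep for the persistence spots the post describes.
# Nothing is deleted; review the output before acting on it. Run from an elevated prompt.
$Indicators = @('kerhdom', 'MIO.exe')   # names taken from the post; adjust for your case

function Test-Indicator {
    param([string]$Text)
    foreach ($i in $Indicators) { if ($Text -and $Text -like "*$i*") { return $true } }
    return $false
}

$hits = @()

# 1. Temp directories: any file or folder whose path mentions an indicator
foreach ($dir in @($env:TEMP, "$env:SystemRoot\Temp")) {
    Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-Indicator $_.FullName } |
        ForEach-Object { $hits += [pscustomobject]@{ Source='Temp'; Location=$_.FullName; Detail=$_.LastWriteTime } }
}

# 2. Autostart registry keys (per-machine and per-user Run/RunOnce): values referencing an indicator
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and (Test-Indicator ([string]$p.Value))) {
            $hits += [pscustomobject]@{ Source='Registry'; Location="$key\$($p.Name)"; Detail=$p.Value }
        }
    }
}

# 3. Scheduled tasks: actions that reference an indicator or launch a script host (assumed names)
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ((Test-Indicator $cmd) -or ($cmd -match '(?i)\b(wscript|cscript)\b')) {
            $hits += [pscustomobject]@{ Source='Task'; Location="$($task.TaskPath)$($task.TaskName)"; Detail=$cmd }
        }
    }
}

# 4. Windows Installer cache: recently written .msi packages deserve a manual look (7-day window assumed)
Get-ChildItem "$env:SystemRoot\Installer" -Filter *.msi -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    ForEach-Object { $hits += [pscustomobject]@{ Source='Installer'; Location=$_.FullName; Detail=$_.LastWriteTime } }

$hits | Sort-Object Source | Format-Table -AutoSize
```

Each hit is a lead, not a verdict: check the file, registry value or task action before removing it, and note that a scheduled task was exactly how the post's PUP survived the earlier cleanups.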
It was a tangled web employing several different technologies to carry on its nasty business, all in plain sight of active and up-to-date AV programs. Signatures and heuristics all failed. Behavioral detection did the trick.
It took a good 3 hours over a period of two days to get in front of this.
So what was the PUP? Well, I don’t know for sure, but from the files and references I did find, it was establishing its own proxy server on my PC to inject advertising (and who knows what else) into my browser.
I raised this with several of my work colleagues as a cautionary note. What hope does the average computer user have in a situation like this?