I've been pretty busy this week with malware appointments and thought I'd share this week's "note to self" stuff...
- A client calls me and says that they have a fake antivirus (internet security 2010 rogue) and now they can't login to Windows
- When I arrive I load my UBCD4WIN and immediately:
- Replace Atapi.sys.
- Replace Userinit.exe.
- Load the host registry and fix the Winlogon key so that Userinit points to c:\windows\system32\userinit.exe (not winlogon2.exe).
- Disconnect the network connection.
- Reboot.
- Load Malwarebytes and load the latest updates via usb stick.
- Quick Scan with MBAM and remove anything found.
- Reboot.
- Load new AV (either Microsoft Security Essentials or Kaspersky Internet Security 2010).
- Perform misc cleanup stuff and then leave.

The pesky Internet Security 2010. Hey Matt, you really are having a fun week. Pain in the neck.
I’m getting tired of these Fake AVs. They are now becoming the most prevalent vector of infections on the Internet. It’s a shame some AV vendors still catalog these pieces of BS as non-malicious.
The best form of defense against rogues will always be user education. Unfortunately (or fortunately for Matt), not everyone will receive this education for various reasons.
That’s pretty funny
How do you “Load the host registry and fix the winlogon key so that userinit points to c:\windows\system32\userinit.exe, (not winlogon2.exe)”?
I’ve recently run into this rogue and it made my friend’s computer unbootable. I tried ComboFix and Dr.Web CureIt and it didn’t work.
Dear SSJ100,
I know you from Wilders forums and from what I have learned you change security configurations more often than changing shirts.
May I ask why? What are you afraid of?
I might not be as computer savvy as you probably are, but I have been running as Administrator since the days of Windows NT 4.0 and…listen to this, I have NEVER been infected by any virus, trojan or anything else. I used Win 2000, XP, Vista, and now 7 and I haven’t been hit by a virus, and that’s without taking all the measures you take or installing all the bunch of software you have installed. How do you explain this?
LOL. Good one Carlos. Like I said, Wilders people are paranoid security freaks.
Matt,
So, how do you do your remote repairs with infections like that? I don’t see how that’s possible over the net. What software do you use? Do you use Teamviewer?
I haven’t changed my security setup for nearly 6 months (except for removing Comodo Firewall). I also ran with no security software for years and also as administrator, and I never got infected.
So why do I run as LUA with SRP enabled and why do I use Sandboxie?
Well, why do you have a house alarm installed? Why would you have a car alarm? Why do you put your money in a bank?
It’s called “peace of mind”.
Also Carlos, the only third party security software I’m running actively at the moment is Sandboxie. That’s one security program. How many are you running?
And I agree, the Wilders forum is getting worse and worse. They have nothing better to do than to test out new security software and change their setups daily.
As I said, rather than promoting Antivirus A or Antivirus B or Firewall C or Firewall D, we should all be promoting LUA/SUA + SRP/Applocker. But then that’s my opinion.
Actually Carlos, I really don’t understand your reply there and consequently we’ve gone completely off topic. This was my post:
“The best form of defense against rogues will always be user education. Unfortunately (or fortunately for Matt), not everyone will receive this education for various reasons.”
Why are you suddenly talking about Wilders?
SSJ100,
For your information: I do not use Sandboxie as everyday software. I tried it to catch some malware (especially Fake AVs) so they could not interact with my system while being accessed/downloaded. I removed it afterwards. I also remember I wrote that SBIE 3.42 has some bugs that may need to be addressed by its creator. The reason I did not post this info over at the SBIE forums is that I’m not actively using SBIE on an everyday basis. I just wanted to experiment with it and I’m done.
By the way, I also wrote here that I’m running Windows 7 Professional 32-bit with UAC enabled. The only security applications on my computer are: ESET NOD32 4.0.474, Windows Defender (it comes with the operating system so I didn’t install it), Ad Muncher PAID version (basically, I use it to block those annoying banners on IE8 that otherwise take up much bandwidth and, sometimes redirect you to Fake AVs domains), Windows Firewall (comes default on this OS), McAfee Site Advisor FREE version, Firefox 3.6 with NoScript and…a hardware router SPI for my laptops at home. Is all this being paranoid or having too many applications on my PC?
I repeat: I’m running as ADMINISTRATOR right now on my Win 7 box and with that security setup, and I haven’t been infected (knock on wood) neither before nor now.
I talk about Wilders because over there you probably know that there are a bunch of security freaks that change their security configurations like changing underwear.
Comparing house alarm/car alarms to having dozens of security programs on your PC is comparing apples to oranges in my opinion.
Lastly, if I mentioned Wilders in my previous posts it is because I know you from there. Is that bad?
It’s not bad. It’s just completely off topic to be suddenly talking about Wilders members being “freaks”.
And sure, some people don’t run ANYTHING at all (not even an Antivirus) and run as ADMINISTRATOR. I know one Wilders malware analyst that only uses the Opera browser as his “security setup”. And I bet he never ever gets infected, simply because he has good common sense etc.
However, I often purposefully play with malware and visit sites that may contain drive-by malicious attacks. Why do I do that? Well, simply because I have supreme confidence in Sandboxie + LUA + SRP + Hardware DEP – I just can’t seem to get infected. I even asked on Wilders for people to PM me malware samples that can bypass my setup. None succeeded.
That’s a good thing, and thus gives me the confidence of doing anything I want with little fear of getting attacked.
What antivirus did your client have on his computer?
FYI!
Test with rogues over at: http://malwareresearchgroup.com/?page_id=2
@ Dan, use a bootable repair disc such as UBCD4Win and load the registry hives with whatever app you have on your bootable disc that allows offline registry editing (there are several that allow for this), and you can change the settings mentioned above by Matt. I often find myself using pretty much the same methods he described above but go a bit further with a Dr.Web and SAS portable scan, and still prefer Avira in most cases due to both reviews and personally seeing it detect more than most other options. Hope this helps. For a step-by-step, check this out Dan: http://windowsxp.mvps.org/peboot.htm
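The Winlogon/Userinit repair in Matt's step list, and the offline-hive approach described in the reply to Dan, can be scripted rather than clicked through a registry editor. The following is an added example, not code from the original post or any of the commenters: it mounts the SOFTWARE hive of the non-running Windows installation from a boot CD such as UBCD4Win, compares the `Userinit` value against the Windows default, and only rewrites it when run with `-Repair`. Assumptions are labelled in the comments: the infected disk's drive letter under the boot CD (default `C:`), the expected clean value `C:\Windows\system32\userinit.exe,` (the Windows default, trailing comma included), and the temporary mount name `HKLM\OfflineSW`. The `Shell` check at the end is general defensive practice, not something the post mentions.

```powershell
<#
  Added example (not from the original post or its comments).
  Inspects, and optionally restores, the Winlogon "Userinit" value inside an
  OFFLINE SOFTWARE hive, i.e. the installed Windows is not running and we are
  booted from a rescue CD. Run from an elevated PowerShell in the rescue OS.
#>
param(
    [string]$SystemDrive   = 'C:',                                 # assumption: letter the infected disk gets under the boot CD
    [string]$ExpectedValue = 'C:\Windows\system32\userinit.exe,',  # Windows default; the trailing comma is part of it
    [switch]$Repair                                                # without -Repair the script only reports
)

$hiveFile  = Join-Path $SystemDrive 'Windows\System32\config\SOFTWARE'
$mountName = 'HKLM\OfflineSW'                                      # assumption: this key name is not already in use
$keyPath   = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'

if (-not (Test-Path $hiveFile)) { throw "SOFTWARE hive not found at $hiveFile" }

# Mount the offline hive under HKLM. reg.exe exits non-zero if the file is locked
# (for example because the rescue OS itself is using it, or the letter is wrong).
& reg.exe load $mountName $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed (exit code $LASTEXITCODE); is the hive in use?" }

try {
    $current = (Get-ItemProperty -Path $keyPath -Name Userinit -ErrorAction Stop).Userinit
    Write-Host "Current Userinit : $current"
    Write-Host "Expected Userinit: $ExpectedValue"

    # Case-insensitive comparison, ignoring stray whitespace. Anything else (an extra
    # comma-separated entry, or a different binary such as the winlogon2.exe named in
    # the post) means the logon chain has been redirected and logon will fail or hang.
    if ($current.Trim() -ieq $ExpectedValue) {
        Write-Host 'Userinit is the expected value; nothing to do.'
    }
    elseif ($Repair) {
        Set-ItemProperty -Path $keyPath -Name Userinit -Value $ExpectedValue -Type String
        Write-Host 'Userinit restored to the expected value.'
    }
    else {
        Write-Warning 'Userinit differs from the expected value. Re-run with -Repair to restore it.'
    }

    # Report the Shell value too; it lives in the same key and is another common
    # logon-chain hijack point (general practice, not from the post). Default is explorer.exe.
    $shell = (Get-ItemProperty -Path $keyPath -Name Shell -ErrorAction SilentlyContinue).Shell
    Write-Host "Shell            : $shell  (default is explorer.exe)"
}
finally {
    # Always unload, or the hive file stays locked and the repaired disk will not boot cleanly.
    [GC]::Collect()                       # drop PowerShell's handle on the mounted key before unloading
    & reg.exe unload $mountName | Out-Null
}
```

Run it once without `-Repair` to see what the rogue changed, then again with `-Repair`; after unloading, replace userinit.exe and atapi.sys from known-good copies as in the post's step list, since fixing the registry pointer alone leaves a trojanised userinit.exe in place.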