My malware removal business has exploded this month. More and more people are getting infected with rogue anti-virus software, along with components that prevent you from removing the rogue anti-virus applications.
Infections vary from trivial, easy-to-remove malware all the way up to sophisticated infections that demand a boot disc (or an OS re-install).
Computers that are easiest to clean are 64-bit versions of Vista. Why? Rootkits cannot patch the Vista x64 kernel and therefore do not work. This makes applications like antivirus and antimalware extremely effective against malware.
Computers that are the hardest to clean are Windows XP and Vista 32-bit. Why? Rootkits disable the current antivirus and download copious amounts of other malware. Most of the time ComboFix will remove these rootkits (UAC rootkits and Skynet rootkits); however, sometimes a bootable anti-malware disc is the only way to clean the PC onsite.
If an appointment starts to run over an hour I’ll take the computer with me for extensive, automatic cleaning or in some extreme cases I’ll have to reinstall the OS.



What do you mean by “extensive automatic cleaning”? Is there some combination of software you run in a worst-case scenario?
@Ken – Yup, my “secret weapon” … well actually it’s just a batch file that launches a series of removal and repair apps.
Any chance you’ll share your secret combination or do a video on it?
@Ken – I might do that, I just need to check on some copyright issues.
That would be great!
Hi!
Where are these rogue Anti-Virus apps coming from? I’ve been surfing the web for more than 15 years now. I’ve never seen something like this.
But I’ve removed a lot of rogue Anti-Virus software from the machines of friends.
Regards
Andy from Germany
PS: I’ve seen a lot of the videos you are providing. Great work!
At least business isn’t down
@Joe – yep, that’s for sure. Business is booming this month and I think I know why… this new generation of rogues disables all user-invoked .exe’s.
Why can’t malware patch 64-bit Vista?
Is it because of the forced driver signing, or because Vista 64-bit is more secure for whatever reason?
I hope you get a lot of money this year; hopefully it will be busy.
We’ve discovered how to get around the blocking of invoked exe’s. It’s not the rootkit that’s blocking the exe’s but, rather, the fake AV they installed. This explains why you can boot into safe mode and use ComboFix without issue. However, the more advanced infections will have the rootkit prevent the computer from running in safe mode (it’ll reboot the system if you try). To get around this, right-click the shortcut for the fake AV on the desktop to reveal its location on the drive (usually in ‘docs and settings/allusers/application data’). Reboot the computer with a boot CD. We use Ubuntu since it boots pretty quickly. Then delete the folder where the fake AV is installed. Reboot back into Windows and you should be able to run ComboFix in normal (non-safe) mode.
On a business note: August and September are traditionally the busiest months in our line of work. Back to school and the end of summer usually prompts the customers to get their computers cleaned up. Of course the busy little Russian bad guys are helping bolster those numbers this year.
Just FYI: you can get around these fake AVs that block all exe’s without a boot CD or safe mode. All you need to do is rename your antimalware application to a system process. E.g., to kill some malware, I’d rename Process Explorer to “svchost.exe”, run the program and then kill the fake AV.
@Jimmy James: aww – that’s a brilliant idea. We’ll try that. Much easier than using a boot disk.
@jimmy
I think that malware can tell where the source was.
Matt, with all due respect, you need to post more often. I visit your website very often and it’s always the same. One video a week at least!! Come on.
The reason it works is because the malware adds a registry key that is built in to Windows, and Windows thus knows that if it kills its own processes, then BSOD.
The key it hooks is:
`HKEY_CLASSES_ROOT\exefile\shell\open\command "%1" %*`
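As an added illustration (not code from the original post or any of its commenters), here is a small Python checker that parses the text of a `reg export HKCR\exefile` dump and flags the `.exe` association hijack the comment above describes: the default value of `exefile\shell\open\command` no longer reading `"%1" %*`. Both sample exports and the fake-AV path inside them are constructed for this example.

```python
import re

# Constructed sample of a tampered export: the default command now launches a
# fake AV binary, which then decides whether the real target "%1" ever runs.
HIJACKED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\All Users\\Application Data\\FakeAV\\fakeav.exe\" /run \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"
'''

# Constructed sample of the stock Windows value for comparison.
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

EXEFILE_COMMAND_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXPECTED_COMMAND = '"%1" %*'   # what an untouched .exe association should hold


def _unescape(s):
    """Undo .reg string escaping: a backslash makes the next char literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: data}}; '@' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):      # new key header
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])                   # REG_SZ string
            keys[current][name] = data
    return keys


def find_exefile_hijack(reg_text):
    """Return the offending command string if the .exe handler was altered, else None."""
    cmd = parse_reg_export(reg_text).get(EXEFILE_COMMAND_KEY, {}).get("@")
    if cmd is not None and cmd.strip() != EXPECTED_COMMAND:
        return cmd
    return None
```

Run on a live box by piping the output of `reg export HKCR\exefile dump.reg` into `find_exefile_hijack`; a non-None result names the binary that has inserted itself in front of every program launch, which is also the folder a cleanup would need to address.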
Definitely. The start of the holidays was dead, 3-5 computers in per day (averaging 4 completed per day). The last 2 weeks, 8-9 in per day (averaging an epic 8 jobs a day completed). (Based on a workshop where the majority of the time only a single person works; the senior kicks in when the queue grows larger than 20 xD.)
But sometimes it’s enough to rename, but the UAC rootkit sucks!
Dericka – wish I could, sometimes i’m just slammed with work. I’m a one man band right now.
@927 – the UAC rootkits are everywhere now and I can usually tell when they are present. Getting rid of them is pretty simple. I either use ComboFix or a bootable AV disc.
Hey Matt, can you tell me where I can download ComboFix? Lol, when I tried to download one I found out that it was a rootkit :S
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
It sounds like a false positive from your antivirus program.
Nah, no, I’ve scanned it with some programs and all of them found that it’s a rootkit.
And thanks for the download.
From where did you download?
@927, I don’t really remember, but I typed ComboFix on Google and found some site and downloaded it from there. I don’t really remember the site name.
Yup, August was another higher than ever business month for me too. Sometimes it’d be one remote session after the other and I’d end up having breakfast at dinner time :p
Fake AV is definitely on the rise.