Malware Photos from the Field – Issue #2

Well, I’ve decided to post photos from at least one of my appointments each week, along with a little story about the appointment. Here is this week’s.

Sally called me and said something got through her Avira and was preventing her from opening anything. At this point I knew she was infected with a rogue antivirus that prevents other .exe files from loading. While this is fairly easy for me to get rid of, it’s almost impossible for the average PC user.

When I arrived at Sally’s house I was greeted with a rogue antivirus screen.

Upon further inspection I can see the rogue antivirus has been installed in the All Users profile’s Application Data directory. This is a very common installation path for exe-terminating rogues (for now at least).

Let’s open that folder and take a look at the rogue inside… Wow! What a shock. A randomly named .exe. Typical.
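The two tells in the paragraphs above (an executable dropped straight into the All Users Application Data folder, and a name that is just random characters) are easy to check for mechanically. The script below is an added example and not part of the original post or any tool mentioned in it; it assumes the XP-era path `C:\Documents and Settings\All Users\Application Data` (on Vista and later the equivalent is `C:\ProgramData`) and uses a simple vowel-ratio and hex-blob heuristic for "randomly named", which is an approximation of what the eye does when it spots `xkqzpvwrtl.exe`. The sample directory listing is constructed for the example.

```python
import os
import re

# Assumed default scan location (XP-era All Users profile). On Vista and later
# the equivalent directory is C:\ProgramData. Not a path from the original post.
DEFAULT_DIR = r"C:\Documents and Settings\All Users\Application Data"

VOWELS = set("aeiou")

# Constructed sample listing of the directory, used for the offline demo below.
SAMPLE_LISTING = [
    "Microsoft",          # normal vendor subfolder
    "Avira",              # the installed antivirus's own data folder
    "xkqzpvwrtl.exe",     # random letters, no vowels: typical rogue dropper name
    "ab3f9c2e.exe",       # hex blob name, also a common pattern
    "setup.exe",          # short, word-like: not flagged
    "javaupdate.exe",     # word-like: not flagged
    "kb957731.exe",       # too few letters to judge: not flagged
    "readme.txt",         # not an executable: ignored
]


def random_like(stem: str) -> bool:
    """Heuristic: does this file-name stem look machine-generated?

    Flags pure hex blobs of 8+ characters and alphanumeric names whose
    letters are almost entirely consonants (English words average roughly
    40% vowels). Names with fewer than four letters are not judged, which
    keeps update-style names such as kb957731 from being flagged.
    """
    s = stem.lower()
    if len(s) < 6 or not re.fullmatch(r"[a-z0-9]+", s):
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", s):
        return True
    letters = [c for c in s if c.isalpha()]
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.2


def scan_names(names) -> list:
    """Return the .exe entries in a directory listing whose names look random."""
    flagged = []
    for name in names:
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".exe" and random_like(stem):
            flagged.append(name)
    return sorted(flagged)


def scan_directory(path: str = DEFAULT_DIR) -> list:
    """Apply scan_names to the files directly under a real directory."""
    try:
        names = [e.name for e in os.scandir(path) if e.is_file()]
    except OSError:
        return []
    return scan_names(names)


if __name__ == "__main__":
    for name in scan_names(SAMPLE_LISTING):
        print("suspicious executable:", name)
```

A hit from this check is a reason to look closer, not a verdict: legitimate installers occasionally use generated names, so confirm with the file's properties, signature and creation time before removing anything.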

Next I proceeded to load ComboFix… but wait… it’s not loading. Doh! We’re dealing with a rootkit. Let’s rename ComboFix and try again. Still no dice. Ok… hmmm… let’s reboot into Safe Mode. Nope. Fine… time to break out the anti-malware boot disc.

When my disc loads I immediately start SUPERAntiSpyware (SAS) and scan the System32 directory. SAS quickly lays waste to a few rootkits and some other malware. Once the rootkits are toast I reboot into Safe Mode and perform my typical quick scans with SAS and MBAM.

Now that the malware has been removed from Sally’s PC, we need to advise her to start using a sandbox when browsing the web, because antivirus just isn’t enough right now (or ever again). I installed Sandboxie and configured the default sandbox to be emptied as soon as the browser closes. After a little training (like 5 minutes) Sally is a Sandboxie pro. I placed two shortcuts on Sally’s desktop: Safe Internet and Non-Safe Internet.
