Malware Customer Call – Notes from a real appointment

Ms Hager: “Hi Matt,  my computer is giving me a little fit…I don’t know what my husband has been doing”

Matt: “What’cha got going on?”

Ms Hager: “Well, when I turn the computer on I either get a blank desktop or a big alert saying my antivirus is not registered”

I’m thinking it’s malware or a corrupted profile…probably malware.

Matt: “Ok Ms. Hager,  I’ve got a Tuesday evening open at 5:30.  Would you like to take it?”

Ms. Hager:  “Sure Matt, see ya then!”

I arrive at the Hager residence at 5:30 pm.  They take me to their computer.  The computer is already turned on but the monitor is turned off.  I turn on the monitor.

Matt: “You’re infected with Malware Ms Hager.”

Ms. Hager: “How do you know?”

Matt:  “You have something called ‘Rogue Antivirus…AntiVirusPro 2009’.  It’s a fake security product designed to steal a little money from you and your identity.  You probably have other infections as well.”

Ms Hager:  “Can you fix it or do you need to reformat?”

Matt:  “I can take care of this…should be…ehhh…about an hour”

Ms. Hager:  “Ok Matt, we’ll leave you alone now”

  1. I begin by installing Avira Antivir free.  Avira installs and updates fine, but detects nothing in real-time.  When I try to run a scan on System32 it never starts.
  2. Next, I try to install SASPro.  SASPro installs but will not load in any fashion.
  3. I’m suspecting we’re dealing with a very nasty rootkit (or multiple rootkits).
  4. I don’t want to waste any more time…I break out my bootable Antimalware disc
  5. Once the bootable antimalware disc loads I scan c:\Documents and Settings and C:\Windows
  6. While SAS is scanning I delete antiviruspro2009 out of program files.
  7. I find about a dozen pieces of malware and some are of course rootkits (tdsserv and beep.sys)
  8. I remove everything with sas and save a log for this post (see log below)
  9. I reboot
  10. Windows loads normally.
  11. SASpro loads and Avira is now able to scan.
  12. I perform a scan with Avira on c:\Windows and nothing is found.
  13. I test the internet connection and all seems well.
  14. Avira is configured for maximum protection
  15. I notify Ms. Hager that I’m finished and she should test out a few of her websites to make sure they load OK.
  16. Ms. Hager is very happy and I get paid 😛

SAS Log from Antimalware Disc:

Rootkit.Unclassified/KR_Done
C:\WINDOWS\system32\kr_done1

Rootkit.Unclassified/USBHubB
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#Type
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#Start
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#Tag
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#Group

Rogue.XP AntiSpyware2009-Trace
C:\WINDOWS\karna.dat
C:\WINDOWS\system32\_scui.cpl

Rogue.XP AntiSpyware 2009
HKU\User_ON_C\Control Panel\don’t load#wscui.cpl [ No ]

Trojan.Downloader-Gen
HKU\DEFAULT_ON_C\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ C:\WINDOWS\system32\brastk.exe ]

Trojan.Dropper/Gen-NV
C:\WINDOWS\BRASTK.EXE

Rootkit.TDSServ/Fake
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSMHLT.SYS

Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\KARNA.DAT
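A small triage helper, added here as an example and not taken from the original post: it parses a log in the format shown above (a detection-name line, then one artifact per line, written `KEY#ValueName [ data ]` for registry values) and tags the persistence locations the log exposes, namely the usbhubb service, the Run value that launches brastk.exe, and the “don’t load” entry that hides the Security Center applet wscui.cpl. The embedded sample is a subset of the log on this page; the format rules and the persistence labels are assumptions.

```python
# Added example: triage helper for a SUPERAntiSpyware-style log like the one above.
import re
from dataclasses import dataclass
from typing import Optional

PERSISTENCE = (  # registry locations that keep malware running across reboots
    (r"\\currentcontrolset\\services\\", "service/driver"),
    (r"\\currentversion\\run\b", "Run key autostart"),
    (r"\\control panel\\don.t load", "hidden Control Panel applet"),
)
# artifact line: LOCATION, optional #ValueName, optional [ data ]
ARTIFACT = re.compile(r"^(.*?)(?:#([^\[\]]+?))?\s*(?:\[\s*(.*?)\s*\])?$")

@dataclass
class Finding:
    detection: str
    location: str               # file path or registry key
    kind: str                   # "file" or "registry"
    value: Optional[str]        # registry value name (after '#'), if any
    data: Optional[str]         # value data from [ ... ], if any
    persistence: Optional[str]  # label from PERSISTENCE when the key is one

def parse_sas_log(text: str) -> list[Finding]:
    """Parse the log: a detection-name line, then one artifact line per item,
    with blank lines separating detections (format assumed from the log above)."""
    findings, detection = [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:              # blank line closes the current detection block
            detection = None
        elif detection is None:   # first non-blank line names the detection
            detection = line
        else:
            loc, value, data = ARTIFACT.match(line).groups()
            kind = "registry" if re.match(r"HK(LM|U|CU|CR)\\", loc, re.I) else "file"
            tag = next((lbl for pat, lbl in PERSISTENCE if re.search(pat, loc, re.I)), None)
            findings.append(Finding(detection, loc, kind, value, data, tag))
    return findings

SAS_LOG = r"""Rootkit.Unclassified/USBHubB
HKLM\SYSTEM\CurrentControlSet\Services\usbhubb#ImagePath

Rogue.XP AntiSpyware 2009
HKU\User_ON_C\Control Panel\don’t load#wscui.cpl [ No ]

Trojan.Downloader-Gen
HKU\DEFAULT_ON_C\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ C:\WINDOWS\system32\brastk.exe ]

Rootkit.TDSServ/Fake
C:\WINDOWS\SYSTEM32\DRIVERS\TDSSMHLT.SYS"""  # subset of the log in this post
```

Running `parse_sas_log(SAS_LOG)` yields one Finding per artifact; the three registry entries come back tagged with their persistence mechanism, which is what to re-check after the reboot in step 9.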
