Ms Hager: “Hi Matt, my computer is giving me a little fit…I don’t know what my husband has been doing”
Matt: “What’cha got going on?”
Ms Hager: “Well, when I turn the computer on I either get a blank desktop or a big alert saying my antivirus is not registered”
I’m thinking it’s malware or a corrupted profile…probably malware.
Matt: “Ok Ms. Hager, I’ve got a Tuesday evening open at 5:30. Would you like to take it?”
Ms. Hager: “Sure Matt, see ya then!”
I arrive at the Hager residents at 5:30 pm. They take me to their computer. The computer is already turned on but the monitor is turned off. I turn on the monitor.
Matt: “You’re infected with Malware Ms Hager.”
Ms. Hager: “How do you know?”
Matt: “You have something called “Rogue Antivirus…AntiVirusPro 2009”. It’s a fake security product designed to steal a little money from you and your identity. You probably have other infections as well.
Ms Hager: “Can you fix it or do you need to reformat?”
Matt: “I can take care of this…should be…ehhh…about an hour”
Ms. Hager: “Ok Matt, we’ll leave you alone now”
- I begin by installing Avira Antivir free. Avira installs and updates fine, but detects nothing in real-time. When I try to run a scan on System32 it never starts.
- Next, I try to install SASPro. SASPro installs but will not load in any fasion.
- I’m suspecting we’re dealing with a very nasty rootkit (or multiple rootkits).
- I don’t want to waste anymore time…I breakout my bootable Antimalware disc
- Once the bootable antimalware disc loads I scan c:\Documents and Settings and C:\Windows
- While SAS is scanning I delete antiviruspro2009 out of program files.
- I find about a dozen pieces of malware and some are of course rootkits (tdsserv and beep.sys)
- I remove everything with sas and save a log for this post (see log below)
- I reboot
- Windows loads normally.
- SASpro loads and Avira is now able to scan.
- I perform a scan with Avira on c:\Windows and nothing is found.
- I test the internet connection and all seams well.
- Avira is configured for maximum protection
- I notify Ms. Hager that I’m finished and she should test out a few of her websites to make sure they load OK.
- Ms. Hager is very happy and I get paid 😛
SAS Log from Antimalware Disc:
Rogue.XP AntiSpyware 2009
HKU\User_ON_C\Control Panel\don’t load#wscui.cpl [ No ]
HKU\DEFAULT_ON_C\Software\Microsoft\Windows\CurrentVersion\Run#brastk [ C:\WINDOWS\system32\brastk.exe ]