Bios Password

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, June 25, 2011

Skirmish 2: A Rouge Security Software battle

Posted on 2:33 PM by Unknown

Fresh off of having wrestled my friend’s system back from the clutches of a rogue-security product, a few weeks later Dad called in a panic with his Windows Vista system in cardiac arrest.

He had booted his system only to find all their documents, emails, and family photos missing.

On top of that, they had a “security scanner” warning them their system was “infected” in many critical locations and only their product could remove the mess and possibly restore their files.

Oh bother. Not again.

I knew that with this kind of mess, attempting to clean the system remotely would be counter-productive.

Dad offered to drive down and pass the base-unit off to me.

Looks like the workbench was going to stay dust-free.

Basically, I followed the same steps previously outlined in the GSD post Skirmish 1: A Rouge Security Software battle.

However I had to tread just a bit more carefully in the assessment process.

Dad’s system did support direct USB flash-based booting.  So I could use one of my custom WinPE USB boot sticks for just a bit faster off-line booting performance.

I quickly determined (much to his relief) that all the user profiles, documents, emails, and photos were in fact present and accounted for.

Turns out this bad-nasty had done some additional mojo which “hid” all the start program files, as well as the user desktop (folder) environment as well.

The full list of infected baddies found:

  • Trojan:WinNT/Alureon.S
  • Exploit:Java/CVE-2009-3867.IJ
  • Exploit:Java/CVE-2008-5353.SN
  • Trojan:Java/Mugademel.A
  • TrojanDownloader:Java/OpenConnection.EM
  • Exploit:Java/CVE-2008-5353.QV

Again, another drive-by browsing infection caused by outdated Java version. Nice…

Because I first carefully assessed the system, in Dad’s system’s case, I had elected to NOT run CCleaner or any other temp-file cleanup tools.  This ended up being a very good thing.

This particular infection had relocated all those critical system/program files and settings into a temp folder.  Had I run the cleanup blindly, I would have ended up nuking all the original files and had to manually rebuild the entire Start/Program list, as well as the desktop items.

The public face of this infection ended up being a variant of “Windows Recovery” malware/rouge-security scareware.

This guide Remove Windows Recovery (Uninstall Guide) over at BleepingComputer.com has a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). Rkill is a rouge-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information as well as this one Question on 'unhide.exe' for more background information on them both.

I preferred to take the manual restoration approach offered by “colsearle”

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.

I also found this guide over at SmartestComputing written by “Broni” to be very helpful as well and full of specialized remediation tools and links How to restore files hidden/deleted by Windows Recovery virus.

  • Windows 7: Restore Default Shortcuts in Start Menu All Programs
  • Vista: Restore Default Shortcuts in Start Menu Programs
  • Restore the Administrative Tools folder with vista_ultimate_admintools.zip
  • Restore Accessories Program Files Menu with accrestore.zip for XP
  • Restore Admin Tools Program Files Menu with admintools.zip for XP
  • App Paths - SourceForge

Once all was running/cleaned as expected, I had to re-arm the Windows Firewall (disabled), re-arm the automatic updates (disabled), re-arm the anti-virus application (realtime protection disabled).

Again, all Browser Plugin Updates were applied. I updated all the web-browsers, Quicktime, Adobe Reader, etc.  Removed some toolbars, stuff like that.

Dad returned a week later and after a super-yummy lunch at a local authentic tex-mex dive, the system got handed back and once reconnected at its home, Dad found it to be perfectly restored.

Now if we can’t just push him onto Windows 7….

--Claus V.

Email ThisBlogThis!Share to XShare to FacebookShare to Pinterest
Posted in anti-virus software, browsers, malware tools, security, software, troubleshooting, tutorials, utilities, viruses, Vista, Win PE | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Finally! Time to Post! New material list
    After a recent text from my bro reminding me it has been since March since I’ve done a blog post, I was finally able to clear the schedule a...
  • Oscar watch Linkpost
    Alvis and Lavie are watching the Oscars tonight and I’m along for the ride. I wasn’t able to come even close to getting out some of the pos...
  • New Year’s Day - First Post 2011
    Same day I came out with my first post after a long drought, I fell upon this article Blogging Seems To Have Peaked, Says Pew Report over a...
  • Utility Gumbo
    There’s a lot in this pot.  Probably something everyone can find to enjoy. I’m serving it up tonight out of the back of the truck on the s...
  • iodd : Multi-boot madness!
    Like many computer technicians and responders, I seem to always have at hand a collection of bootable media; CD’s, DVD’s, USB-HDD’s, flash m...
  • Ubuntu 13.10 Upgrade - Lessons Learned & VIDMA utility found
    A few weeks ago a new release of Ubuntu came out. Naturally that meant it was update time! I have been getting pretty good at this now so ...
  • Interesting Malware in Email Attempt - URL Scanner Links
    Last weekend I spent some time with extended family helping confirm for them that their on-line email account got hacked and had been used t...
  • Windows 8 Linkage: A Bit Behind the Ball
    CC attribution: behind the eight ball by Ed Schipul on flickr . OK. Confession time. I’m more than a bit exhausted this weekend. Besides a...
  • Lego MiniFig Extravaganza
    picture clipped from Wired’s clip from Gizmodo clip… Thanks in no small part to the Windows 7 RC release, XPM mode research, and a big “l...
  • This Week in Security and Forensics: Beware the cake!
    Cube Party! image used with permission from John Walker at "rockpapershotgun.com" Yeah, the cake is a Portal thing.  Let’s d...

Categories

  • Active Directory
  • anti-virus software
  • Apple
  • architecture
  • art
  • AVG
  • Blogger
  • blogging
  • books
  • boot-cd's
  • browsers
  • cars
  • cell-phones
  • cheat sheets
  • Chrome/Chromium
  • command-line interface
  • cooking
  • crafts
  • crazy
  • curmudgeon
  • DHC
  • Dr. Who
  • E-P1
  • Education
  • family
  • Firefox
  • firewalls
  • For the Gentleman
  • forensics
  • Gmail
  • Google
  • graphics
  • hacks
  • hardware
  • humor
  • hurricanes
  • imagex
  • Internet Explorer
  • iOS
  • iPhone
  • iPod
  • iTunes
  • Kindle
  • Learning
  • Link Fest
  • Linux
  • malware tools
  • Microsoft
  • movies
  • music
  • networking
  • NewsFox
  • NFAT
  • Nook
  • Opera
  • organization
  • PDF's
  • photography
  • politics
  • PowerShell
  • recipes
  • Remote Support
  • RSS
  • science
  • Scripting
  • search engines
  • security
  • Shuttle SFF
  • software
  • Texana
  • Thunderbird
  • troubleshooting
  • TrueCrypt
  • tutorials
  • utilities
  • VBscript
  • video
  • Virtual PC
  • virtualization
  • viruses
  • Vista
  • Vista mods
  • wallpapers
  • Win FE
  • Win PE
  • Win RE
  • Windows 7
  • Windows 8
  • Windows Home Server
  • Windows Live Writer
  • Windows Phone
  • writing
  • XP
  • XP mods
  • Xplico

Blog Archive

  • ►  2013 (83)
    • ►  November (8)
    • ►  October (8)
    • ►  September (14)
    • ►  August (6)
    • ►  July (10)
    • ►  June (10)
    • ►  April (11)
    • ►  March (6)
    • ►  February (7)
    • ►  January (3)
  • ►  2012 (96)
    • ►  December (8)
    • ►  November (4)
    • ►  October (9)
    • ►  September (8)
    • ►  August (12)
    • ►  July (4)
    • ►  June (3)
    • ►  May (7)
    • ►  April (13)
    • ►  March (3)
    • ►  February (5)
    • ►  January (20)
  • ▼  2011 (41)
    • ►  December (8)
    • ►  November (7)
    • ►  September (4)
    • ►  August (4)
    • ►  July (2)
    • ▼  June (6)
      • Anti-Malware Tools of Note
      • Skirmish 2: A Rouge Security Software battle
      • Skirmish 1: A Rouge Security Software battle
      • PSA: Browser Plugin Updates
      • GSD Blog Template Reboot
      • Finally! Time to Post! New material list
    • ►  March (5)
    • ►  February (1)
    • ►  January (4)
  • ►  2010 (69)
    • ►  December (1)
    • ►  October (3)
    • ►  September (2)
    • ►  August (13)
    • ►  July (17)
    • ►  June (3)
    • ►  May (3)
    • ►  April (3)
    • ►  March (11)
    • ►  February (1)
    • ►  January (12)
  • ►  2009 (177)
    • ►  December (20)
    • ►  November (11)
    • ►  October (7)
    • ►  September (7)
    • ►  August (21)
    • ►  July (17)
    • ►  June (7)
    • ►  May (18)
    • ►  April (9)
    • ►  March (17)
    • ►  February (23)
    • ►  January (20)
  • ►  2008 (35)
    • ►  December (23)
    • ►  November (12)
Powered by Blogger.

About Me

Unknown
View my complete profile