18/2/2010
A user called me to say that he had been infected with a virus. Because most of our users a) have McAfee installed and b) keep it up to date (albeit maybe a day or two out), when we get a call like this it's normally related to a rogue "anti virus" software package that somehow seems to get away with being "spyware". A second user then called with the same problem, which again is rare, as it's not often we see this problem.
The infection, I have to say at the outset, looked a little worse than normal. As well as getting the error messages and stuff down at the bottom saying "Windows Security Alert - Windows reports that computer is infected" and pop ups such as "Security Warning : Application cannot be executed. The file FILENAME.exe is infected. Do you want to activate your antivirus software now?", one of the users reported porn popping up on the screen. A print screen of what was happening is below.
Normally I can also do a print screen and paste the problems into Word for saving, but for some reason I couldn't open any applications either. The "virus" was actually blocking certain applications from starting and then using that filename to say the application cannot be executed. For reference, to get the print screen above I had to reboot into safe mode and rename MS Paint to Firefox.exe, as it would allow that process to run.
Other signs of infection could also be found. I checked some cookies on his machine to see what sites had been accessed when the "infection" started, and one pointed to www.av-protect.com.
Visiting this site, it soon becomes apparent you can buy a "fake" anti-virus package from it.
I found the following on the laptop, which seemed to suggest I certainly had an infection:
a presumably random-named directory called "qnpele" under username\Local Settings\Application Data\, containing a file called vnofsftav.exe
On the other machine the directory was "olxklp" and the file "qnvcsftav.exe"
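Since the two infected machines shared the same layout (a short, random-looking, all-lowercase directory directly under Local Settings\Application Data holding a single executable whose name ends in "sftav.exe"), that layout can be turned into a quick sweep for a fleet. The script below is an added example written for this post, not the author's own tool or anything from the vendors mentioned; the directory and file name patterns are a heuristic generalised from just the two samples above ("qnpele\vnofsftav.exe", "olxklp\qnvcsftav.exe"), and the profile path is supplied by the caller. The sample tree it builds is constructed here so the script runs offline.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Heuristic (an assumption, derived from the two samples in the post):
# random lowercase directory name such as "qnpele" or "olxklp" sitting directly
# under Local Settings\Application Data, holding one executable whose name
# ends in "sftav.exe" ("vnofsftav.exe", "qnvcsftav.exe").
RANDOM_DIR = re.compile(r"^[a-z]{5,8}$")
SUSPECT_EXE = re.compile(r"^[a-z]{3,6}sftav\.exe$", re.IGNORECASE)


def find_rogue_av_indicators(app_data_dir: str) -> List[Tuple[str, str]]:
    """Return (directory, executable) pairs matching the rogue-AV pattern.

    app_data_dir is the profile's Local Settings\\Application Data folder;
    the caller passes it in (e.g. one per user profile on the machine).
    """
    hits: List[Tuple[str, str]] = []
    if not os.path.isdir(app_data_dir):
        return hits
    for name in sorted(os.listdir(app_data_dir)):
        path = os.path.join(app_data_dir, name)
        if not os.path.isdir(path) or not RANDOM_DIR.match(name):
            continue
        exes = [e for e in os.listdir(path) if e.lower().endswith(".exe")]
        # Only flag the narrow case seen on the infected machines: exactly one
        # executable, with the odd "...sftav.exe" name. Vendor folders with
        # ordinary executable names are left alone.
        if len(exes) == 1 and SUSPECT_EXE.match(exes[0]):
            hits.append((path, os.path.join(path, exes[0])))
    return hits


def build_sample_profile(root: str) -> str:
    """Constructed sample tree mirroring the two machines described in the post,
    plus benign folders that should not be flagged."""
    layout = {
        "qnpele": ["vnofsftav.exe"],    # first machine
        "olxklp": ["qnvcsftav.exe"],    # second machine
        "Google": ["update.log"],       # benign vendor folder, mixed case
        "chrome": ["chrome.exe"],       # lowercase dir but a normal exe name
        "temp": ["a.exe", "b.exe"],     # too short, and two exes
    }
    for d, files in layout.items():
        os.makedirs(os.path.join(root, d), exist_ok=True)
        for f in files:
            open(os.path.join(root, d, f), "wb").close()
    return root


def demo_scan() -> List[str]:
    """Build the constructed sample in a temp dir, scan it, return exe names found."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_rogue_av_indicators(build_sample_profile(tmp))
        return sorted(os.path.basename(exe) for _, exe in hits)


if __name__ == "__main__":
    for exe in demo_scan():
        print("suspect:", exe)
```

On a real machine you would call find_rogue_av_indicators once per profile (for example from an admin share or a safe-mode boot) and review each hit by hand before deleting anything, since a five-to-eight-letter lowercase folder name on its own is far too common to act on; the executable name pattern is what narrows it down.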
Generally speaking, in these cases I download Malwarebytes' Anti-Malware, boot into safe mode, install the software, run a scan and it's sorted. I can then normally remove "Antivirus soft".
Today I ran the quick and full scans and had no luck.
I then tried using RKILL.EXE to kill any processes and ran Malwarebytes' again, but again with no luck.
I also tried an idea from the Malwarebytes forums to rename the Malwarebytes' software to FIREFOX.EXE, as I did with MSPAINT.EXE, because this and IEXPLORER.EXE are "allowed" as it wants you to connect to the internet to buy their software. Again this didn't work.
In the end I did manage to get rid of it. Firstly I managed to find it using Combofix, a tool I haven't really used before. I also took a Ghost image of the machine before fixing it and, having restored this, found that SuperAntiSpyware also got rid of it well. What I liked about the latter is they have a standalone tool you can download without having to install anything, and it can be run in safe mode. The download file has a randomised name to help protect it.
This whole episode raises a question in my mind of the differences between spyware and viruses. Based on the fact that I could not start certain applications due to processes being intercepted is this not nearly a virus even though it didn't "replicate"? And if so shouldn't McAfee pick it up?
Friday, February 19, 2010