Lately we at IFix Computers have been dealing with more rootkit infections than normal. These internet nastiness are much more difficult to cleanup and cause a lot of havoc for the user and their networks.

Rootkits, worms, viruses, Trojans are all different forms of infections and can get on your computer in various ways. Gone are the days of you purposefully needing to download an infected program or open a link in an email. Today’s infections have been called “drive-by downloads” and quite often come from infected websites that you have legitimate reason to be there. The infections are called SQL injections and they have infected PBS, Intel as well as thousands of smaller web sites. The fix for the webmasters is easy and in the case of the big boys mentioned above they were repaired in a matter of hours.
In an article from January 2010 titled “Scareware continues to rise reaching $150 Million“ we went over how to cleanup from an infection and some basic prevention measures. It is my desire to get an updated article out on prevention next week, but right now too many people are dealing with already being infected.

In an attempt to help you after a suspected infection, I went to the ever trusty Mike Rosmis and asked him for a list of what he uses and why. Before you think “but I have an anti-virus program” remember infections occur in different ways, getting a flu shot does not prevent the common cold, diverticulitis or cancer, they occur for different reasons, that is why preventive security is so essential.

Mike has been diligent about finding the best ways to clean up infected computers and has done some tracing of where the main attacks or source of these root-kits are coming from, it appears to be China, though that could be a slight of hand done by the coders of the most recent wave of infections.

DANGER WILL ROBINSON – Mike properly warned me to warn you, we are professionals and know the limits and quirks and “got-yas” of these programs, you CAN really screw up your entire computer if something goes awry. If you can afford it, have a professional IT company do this work, at IFix Computers we currently charge between $150 and $200 to do the work described below.

From Mike – Here’s a list of my current A/V tools:
1. TDSSkiller – from Kaspersky.  It scans system32 files and the MBR.  Good to start with this because it’s effective and usually takes no more than 30 seconds to run, even if it finds a rootkit.  It primarily scans for and removes TDSS, TDL3, Alurion, and others.  Symptoms of a rootkit are browser redirection, large quantities of junk files & folders.

2. MBRfix – found on the Mini P.E. CD.  It rewrites the MBR with a generic XP boot sector.  More complicated and time consuming than TDSSkiller, but effective when Windows just won’t cooperate.  It is also useful if TDSSkiller or Combofix hose up your boot sector.
Kent’s note: we only use this on Windows XP machines, not for Vista or Windows 7. If someone has built or knows of a Mini PE for Vista and 7, we would love to know about it.

3. Combofix - The Big Daddy.  Checks for rootkit activity; steps through Windows startup looking for odd behavior; scans system files, replacing infected files with known good files.  Allow at least 20 minutes to run. This program is known to be updated several times a day so be sure to get the latest updates.  Always get a fresh copy.
Kent’s note: this program needs to be run directly from the desktop, not a USB drive or from another folder. I also prefer to run it while the computer is booted into “Safe Mode” first and then again at the regular desktop.

4. Autoruns - Use this if you can’t get to the desktop in Normal Mode and can get to Safe Mode.  It allows you to stop things like ‘hsuebvbhjsg.exe’ from starting up.

5. Spybot Search & Destroy – a good malware scanner, provides passive browser protection through a manually updated hosts file, shows you which BHO’s (Browser Help Objects) and ActiveX’s are installed, has a process explorer and an alternative registry cleaner. Allow 20 minutes for the scanner.  You have to manually tell it to fix what it finds.
Kent’s note: You should right-click on the icon and choose “Run as Administrator” in Vista and I do the same in Windows 7. Also you want to use the “Immunize” and (when in the Advanced Mode) under the “Tools” section go through the “ActiveX”, “BHOs”, and load the “Host File”.

6. MalwareBytes - good, simple malware scanner for civilians.  Update it and run it.  You also have to manually tell it to fix what it finds.  Allow an hour-and-a-half to run for the full scan.
Kent’s note: Under the “Settings” tab, be sure “Terminate Internet Explorer during threat removal” is selected.

7. ESET anti-virus - When properly configured, this program blocks a lot of infections the others don’t. It is also very “light” on system resources allowing you more horsepower to do what you need to on the computer. It cleanups op a lot of crud and can be run in safe mode as a command line tool (don’t be afraid, just run it and it automatically goes to the command line and does what is needed). If you are infected, I would run this in “Safe Mode” after running Combofix.

Well that is it, will this clean all infections? “No”, did we give you every step in configuring these programs? “No”. However, we have given you the tools do clean up your computer as best we can in this short space.

Until we meet again, have a virus (and root-kit) free week.

Sonicwall Research team has discovered a new malicious Worm spreading in the wild. The Worm spreads via Facebook profiles and as part of its post-infection activity, it installs Fake AVG antivirus security software.

Upon installation the Worm informs the user that it needs to perform a “Scan” of the system:

It performs a fake system scan which is hosted on a Fake AV web page:

When clicking on “Remove all” or “Cancel” it attemps to initiate the download of:

•bitav_2053_ext6.exe [Detected as TDSS.ABCR (Trojan)]

The worm will periodically cause pop-up messages such as in the screenshot below:

When clicking OK to such pop-up messages the Worm will bring up further Fake AV pages which attempt to download more malware to the infected machine such as: pack.exe [Detected as SecurityTool.W (Trojan)]

Make sure your AntiVirus provides protection against this threat via the following signatures:

Koobface.HJV (Worm)
Koobface.HJV_2 (Worm)
Koobface.HJV_3 (Worm)
Koobface.FF (Trojan)
Delf.EM (Trojan)
TDSS.ABCR (Trojan)
SecurityTool.W (Trojan)

So if you see this happening, get off the internet, reboot your PC and run a complete system series of scans. Check out our past article on how to remove this type of infection.

Here is some more technical jargon about it for those wishing to geek into it.

The Worm performs the following DNS queries:

•www.google.com
•facebook.com
•www.facebook.com
•d.static.ak.fbcdn.net
•x-treme-radio.host22.com
•www.ashiww.com
•www.wahdohotel.nl
•kingswoodwright.com
•kbfgb.greyzzsecure9.com
•3064972.greyzzsecure9.com
The Worm attempts to load various web pages using random page names with the .css extension:
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
•http://206.160.{removed}.9/rsrc.php/ye/r/vOYlUxHAn95.css
•http://206.160.{removed}.9/rsrc.php/yS/r/w4doJXgUPVR.css
•http://206.160.{removed}.43/rsrc.php/yX/r/pWROpoRFF42.css
•http://206.160.{removed}.9/rsrc.php/y4/r/LIj01FurENH.css
•http://206.160.{removed}.9/rsrc.php/yE/r/4Kozs88a56s.css
•http://206.160.{removed}.43/rsrc.php/yQ/r/dvBK5Hfjbcc.css
•http://206.160.{removed}.43/rsrc.php/y-/r/Ki5kfy7_Bje.css
•http://206.160.{removed}.9/rsrc.php/yL/r/u8Bue217GRs.css
•http://206.160.{removed}.9/rsrc.php/yW/r/Xx2bs9YPnF_.css
The Worm installs the following files on the system:

•C:\Documents and Settings\{USER}\Local Settings\Temp\feb.bat
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296703528.exe [Detected as GAV: Koobface.FF (Trojan)]
•C:\Documents and Settings\{USER}\Local Settings\Temp\zpskon_1296699165.exe [Detected as GAV: Delf.EM (Trojan)]
•C:\WINDOWS\5456456z
•C:\WINDOWS\bt7.dat
•C:\WINDOWS\jjp156.exe [Detected as GAV: Koobface.HJV_2 (Worm)]
•C:\WINDOWS\system32\feb.dll [Detected as GAV: Koobface.HJV_3 (Worm)]
•C:\WINDOWS\system32\drivers\feb.sys [Detected as GAV: Koobface.FF (Trojan)]
feb.bat contains:
netsh firewall add allowedprogram name=”feb” program=”C:\WINDOWS\system32\svchost.exe” mode=enable
netsh firewall add portopening tcp 8087 feb enable
sc create “ffeb” type= interact type= share start= auto binpath= “C:\WINDOWS\system32\svchost.exe -k ffeb”
reg add “hklm\system\currentcontrolset\services\ffeb\parameters” /v servicedll /t reg_expand_sz /d “C:\WINDOWS\system32\feb.dll” /f
reg add “hklm\system\currentcontrolset\services\ffeb” /v failureactions /t reg_binary /d 00000000000000000000000003000000140000000100000060ea00000100000060ea00000100000060ea0000 /f
reg add “hklm\software\microsoft\windows nt\currentversion\svchost” /v ffeb /t reg_multi_sz /d “ffeb\0″ /f
sc start ffeb
feb.dll contains a list or URL’s all of which are either taken down or lead to blank pages at the time of writing. Below is a sample of the URL’s contained feb.dll:
•impri{removed}.gr/.lhinrs/
•hk{removed}.org/.ycguh3/
•roomservi{removed}.com.au/.9mov05w/
•nubs.wo{removed}.co.uk/.7txq/
•lenga{removed}.com/.ck5rg8/
•cayenneo{removed}.com/.fplf/
•www.dead{removed}.co.uk/.qe9v/
•ib{removed}.org.il/.5cei7f9/
•www.kurdist{removed}.com/.x5fyik/
•heali{removed}.co.za/.12vatd/
•forwardmar{removed}.org/.6sta03t/
•numerus-{removed}.fr/.li81/
•fino{removed}.com/.ea2cuwa/
•fe{removed}.co.za/.jts51/
•tarr{removed}.com/.5fu3/
•toppla{removed}.nl/.vfnc/
•www.fishingfo{removed}.com/.5wmm9/
The worm installs the following registry keys to ensure startup of jjp156.exe and the feb.sys driver:
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoAutoUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoWindowsUpdate dword:00000001
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost ffeb hex(7):66,66,65,62,00,00,
•HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run dfg49df “c:\windows\jjp156.exe”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB NextInstance dword:00000001
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FEB\0000 Service “feb”
•HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\feb ImagePath hex(2):”\??\C:\WINDOWS\system32\drivers\feb.sys”

In the last 3 weeks we have received more calls per day than we receive in a normal month from people who have pop-ups claiming they are infected or who actually clicked on the pop-up and became infected.

Hacker and @#^&*%$ heads are using news events to spread these fake alerts and infecting computers.

The wild fire stories, the Obama speech in schools, Ted (I can kill and get away with it) Kennedys death, all have sprouted a flurry of fake security warnings, infected e-mail (Phishing attacks), and fake web sites.

Without creating a 3 hour seminar, here are the basics…

1. Quit searching the internet for “fantastic” stories. Within hours of Michael Jackson’s death 212 new web sites that were infected with crap-ware popped up proposing to be Michael Jackson sites. There were also dozens of different emails with links to or pictures of his death, all which were fake.

2. Stop using My Space and Face Book! I know this is going to get me flamed and maybe even a note from one of these “businesses” but they are @$@#$ (I really do dislike using so many language referenced but this is ridiculous). Why are you telling strangers when and where you are going on vacation? To make it easier to rob you? Why are you telling the world about your 4 year old grandchild’s ability to ride his bike down the street? So the local pedophiles know where to pick him up for a little “play time”? Do you just like complaining about the cost of getting crap-ware and infections off your computer?

3. Just stop thinking the world owes you free anything. Free music, programs, data, cheese… in this age of ever expanding socialism in America, you must remember, nothing comes without a price. Limewire is a perfect example of what happens. Hackers get into or create all this “free” content management, take over your computer, infect your computer and more. That is how terrorist in Iran got plans to the presidential helicopter. Turn on the radio or go to your local radio stations web site, go to the local video store or Netflix to get a movie.

4. Stop forwarding junk emails. “Verified by Snopes” – what a crock. Almost daily I “reply all” to the sender of this type of stupidity and give actual links to Snopes and other  sources showing the hype and falsity of their fantasy. Just because you don’t like the current US President does not mean you can hope hatred or that he is not a US citizen will remove him from office. The Democratic Party may be the dumocrats to many but they certainly would not make that mistake, just quit forwarding the email.

If you received it in all capitals or with large colorful letters, underlines bolded et al please for the love of Jesus (I know the one who sent it to you told them Jesus asked them to forward it – He didn’t, I double-checked in person this morning) stop forwarding this junk.

5. Read what you are installing or updating and NEVER accept the defaults. People consistently ask me how they acquired 4, 5, 6 or more toolbars. Yes, you need the Adobe and JAVA updates but please pay attention, you should take the extra 30 seconds of your life and read each screen before selecting “Next”.

Now that I have offended most of you, what can you do if you have already been infected?

1. Update and run your PAID FOR, quality, properly configured anti-virus program (Kaspersky http://www.kaspersky.com and ESET http://www.eset.com).

2. Install, update, configure and run a real copy of Malware Bytes http://www.malwarebytes.org/ and Spybot Search and Destroy http://www.safer-networking.org

The above are excellent programs and many malicious people have created fake sites leading to crap-ware, USE the links I have provided.

There are numerous other good to excellent programs that can be used to clean up an infection, just be sure of the program and then the source where you are getting the program from.

There are several other security basics home users should have and many great hardware and software tools for Micro and Small businesses to use. Just search this site for the many articles on security your computers and network.

Until I cool off, have a virus free week!

Just nine short years ago, ok ten really, the media picked up on a “bug” in computer systems where the first two digit of the year were not used so, according to the “experts” the media contacted all computers will think it is 1900 and ATMs will crash, Wall Street will blip to all zeros and the CNN would start playing old Howdy Doody shows, non-stop. Ok, I made that last part up. In any way, the long of the short of it is that the Y2K “bug” was mainly just another panic and media scare.

Alas, we come to April 1^st 2009 and another “April Fools” worm/virus or attack was supposed to bring the World Wide Web to a standstill. Conficker, where are you? I know, hind-site is 20/20 and I should have written this in late March but my great excuse is that I was answering so many calls about the “imminent attack” that I did not have time to write. Yes, once again that is an exaggeration. I did not write about it because it was, in my opinion going to be another non-event, that was until March 30^th when a local television station ran with some sensationalism on this and then on the 31^st another station did to.

This time I was uncertain about how to respond, not to the threat, after all, Microsoft had created a patch 6 months prior that would have been installed with it critical updates and the top anti-virus companies had hardened their systems against this threat at the same time (I can only speak for those I researched such as ESET and Kaspersky).

My concern was how a local computer / technology company was going to respond to the questioning. Since I have been interviewed by the local media and am a little on the paranoid side as it is, I worried about the way thing would be presented. I do feel a little hype was injected by thankfully no hysteria message from the technology company to the effect “quick, bring in your PC for the $99.99 checkup…”

In the end, what happened? Well on my end so far (as of April 7^th) not a single customer has been infected and we have not received a single call that would lead us to believe a potential client was infected.

Does this mean no-one was infected? I doubt that, the worm was supposed to activate on the 1st so the threat is not over. Update your computer via Windows Critical updates, install and properly configure a current anti-virus and anti-malware program. If you are not sure how to do these steps, contact your local computer repair shop and then take a class from you local community college or from any of the great usergroups around almost every town.

So I ask again, where is Bigfoot, where is the Y2K bug and where is the Conficker?

This particular program and attempt to get on your computers has been around for a while, however the most recent incarnation that started a week or two ago seems to be evading several anti-viruses. I have found it on machines with current up-to-date versions of Norton, ESET, AVG (free) and Computer Associates. I have read of others with Trend Micro as well as Panda Anti-virus getting infected.

Usually this particular nasty only infects people who visit sites with infected video codecs (normally, but not always “adult” sites). This time around it seems to be using some vulnerability and hacking “good” web sites and or servers and injecting them with the infection. Once they are infected you (or in one case your child) goes to the site / server and wham bam no thank-you man, you are infected.

Once infected the program tries to prevent your current security from updating or running properly.

The first thing that needs to be done is to disable System Restore and reboot.
Next you need to kill AV2009.exe via Task Manager.
Now navigate to “Program Files” and under the folder “AV2009” delete AV2009.exe (I just deleted the whole folder the first time but then security programs did not find the program and thus a pop up still occurred)
At this point I have been able to manually run a thorough anti-virus scan which has caught and paused other AV2009 files.
The next thing, I downloaded, updated and ran Spybot Search and Destroy 1.6 from Safer-networking (be aware there is a crap-ware and malware program masquerading as this program). Spybot S&D seems to have finalized the destruction of AV2009 but just in case I also have run Combo Fix.
Finally I suggest that you remove all temporary internet files for all your browsers (many of you use Firefox or Opera but still have Internet Explorer to remember). That should finish removing this program. All that is left is to turn System Restore back on and reboot.

I hope this helps many of you out. Until we meet again, have a virus free week.