Saturday, June 25, 2011

Skirmish 2: A Rouge Security Software battle

Fresh off of having wrestled my friend’s system back from the clutches of a rogue-security product, a few weeks later Dad called in a panic with his Windows Vista system in cardiac arrest.

He had booted his system only to find all their documents, emails, and family photos missing.

On top of that, they had a “security scanner” warning them their system was “infected” in many critical locations and only their product could remove the mess and possibly restore their files.

Oh bother. Not again.

I knew that with this kind of mess, attempting to clean the system remotely would be counter-productive.

Dad offered to drive down and pass the base-unit off to me.

Looks like the workbench was going to stay dust-free.

Basically, I followed the same steps previously outlined in the GSD post Skirmish 1: A Rouge Security Software battle.

However I had to tread just a bit more carefully in the assessment process.

Dad’s system did support direct USB flash-based booting.  So I could use one of my custom WinPE USB boot sticks for just a bit faster off-line booting performance.

I quickly determined (much to his relief) that all the user profiles, documents, emails, and photos were in fact present and accounted for.

Turns out this bad-nasty had done some additional mojo which “hid” all the start program files, as well as the user desktop (folder) environment as well.

The full list of infected baddies found:

  • Trojan:WinNT/Alureon.S
  • Exploit:Java/CVE-2009-3867.IJ
  • Exploit:Java/CVE-2008-5353.SN
  • Trojan:Java/Mugademel.A
  • TrojanDownloader:Java/OpenConnection.EM
  • Exploit:Java/CVE-2008-5353.QV

Again, another drive-by browsing infection caused by outdated Java version. Nice…

Because I first carefully assessed the system, in Dad’s system’s case, I had elected to NOT run CCleaner or any other temp-file cleanup tools.  This ended up being a very good thing.

This particular infection had relocated all those critical system/program files and settings into a temp folder.  Had I run the cleanup blindly, I would have ended up nuking all the original files and had to manually rebuild the entire Start/Program list, as well as the desktop items.

The public face of this infection ended up being a variant of “Windows Recovery” malware/rouge-security scareware.

This guide Remove Windows Recovery (Uninstall Guide) over at has a good review and walkthrough of a semi-automated recovery process.

Included in there are two noteworthy tools: RKill (Download Link) and Unhide.exe (Download Link). Rkill is a rouge-process killer of sorts and unhide.exe attempts to restore malware-relocated user files back to their original/rightful locations. See this Bleeping Computer Downloads: RKill page for more information as well as this one Question on 'unhide.exe' for more background information on them both.

I preferred to take the manual restoration approach offered by “colsearle”

Try navigating to the following path: (make sure you have the hidden files and folders visible)
C:\Documents and Settings\your user name goes here \Local Settings\Temp\smtmp
Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts
Simply copy the shortcuts back to the original path.

I also found this guide over at SmartestComputing written by “Broni” to be very helpful as well and full of specialized remediation tools and links How to restore files hidden/deleted by Windows Recovery virus.

Once all was running/cleaned as expected, I had to re-arm the Windows Firewall (disabled), re-arm the automatic updates (disabled), re-arm the anti-virus application (realtime protection disabled).

Again, all Browser Plugin Updates were applied. I updated all the web-browsers, Quicktime, Adobe Reader, etc.  Removed some toolbars, stuff like that.

Dad returned a week later and after a super-yummy lunch at a local authentic tex-mex dive, the system got handed back and once reconnected at its home, Dad found it to be perfectly restored.

Now if we can’t just push him onto Windows 7….

--Claus V.

1 comment:

FF Extension Guru said...

"Now if we can’t just push him onto Windows 7…. "

Ain't that the truth! I have forgotten how painfully slow Vista is until I booted into it the other day on the machine I mainly use for Linux. I was trying to check to see if a Firefox issue was related just to Win7 or Win7 and Vista. Then there were all the updates and reboots. I am so tempted just to nuke the Vista and the recovery partitions and just use that machine for Linux Mint now.