In today's world of spyware, viruses, and malicious attacks, very few have made me think they could actually be real. Typically you get the one that pops up saying you have 95 viruses and that you need to pay to clean your system, which is an immediate red flag. Most of the time the spyware looks really fake, and by fake I mean it has no company name, or it uses generic names like "Windows Security 2010" and "Antivirus 2010." I thought this was always the case until just recently.
The call came in like any other: the user described that Microsoft Security Essentials had detected an infection and needed to be cleaned. I told the user to go ahead and click the Clean option in Security Essentials and it would clean the file. When she did this, it said the file could not be cleaned, and the Apply Now button at the bottom changed to a "Scan Online" option. It took me a second, but I realized that I had never seen this option in Security Essentials before.
If you click the Scan Online button, it lists a total of 35 antivirus programs, 30 of which are real products and 5 of which are rogue. Listing real products alongside the fakes is what gives the dialog its credibility. The 5 rogue ones are:
- Red Cross Antivirus
- Peak Protection 2010
- Pest Detector 4.1
- Major Defense Kit
- AntiSpySafeguard or AntiSpy Safeguard
When one of these is allowed onto the system, it performs a fake virus scan and reports that you are infected. Each one behaves the same way, with only a slightly different interface. They also block certain applications from running (e.g. Internet Explorer, Malwarebytes, etc.). Below are the steps I took to resolve my issue.
Removing the fake Microsoft Security Essentials.
Because I was offsite, I had to remote into this particular computer from another PC on the network, but if you are in front of it you can use the same methodology. I immediately checked Add/Remove Programs, and Microsoft Security Essentials was not even installed! That alone confirmed the alert was not coming from the real product.
I downloaded the Process Explorer tool (procexp.exe) from live.sysinternals.com on a separate machine and put it on a network share (you can put it on a USB drive if you are in front of the PC). You can also try Ctrl+Alt+Del to reach Task Manager, but that did not work for me. I opened the network share on the infected PC, copied procexp.exe onto the computer and ran it. NOTE: It is not best practice to open network shares from a machine infected with spyware or viruses, as some malware spreads through them, but I had no other choice.
In Process Explorer I found fix.exe running on the system and killed the process. I noted the image path that procexp.exe shows for it:
Documents and Settings\(username)\Application Data\fix.exe
I then went into Windows Explorer > Tools > Folder Options > View and made sure "Show hidden files and folders" was selected. I browsed to the folder listed above and deleted fix.exe. While in there I also noticed another interesting file with a randomly generated name:
Documents and Settings\(username)\Application Data\jsdfgs.bat
I opened this file in Notepad and saw the code in the picture below. It looked very suspicious, so I deleted it as well.
I then thought I had the issue resolved and opened IE, which worked fine, but when I tried running Malwarebytes to scan the system, it still would not start. This told me there was still a bigger issue. I also tried running Windows Update, and that failed as well. I began looking at the internet connection settings and found that static DNS server addresses had been entered into the TCP/IP settings. I looked up these addresses and they appeared to be located in Ukraine. Pointing a machine's DNS at servers the attacker controls lets them decide which names resolve and where, which is why Windows Update was failing. I removed the addresses from the connection settings, and Windows Update worked fine again.
I also loaded up the real Microsoft Security Essentials and ran a full scan where it found and removed a rootkit.
Once the rootkit was removed, Malwarebytes and all other antivirus/spyware scans worked properly.
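The manual checks above can be scripted for triage. The following PowerShell script is an added example and is not part of the original post or the tools it mentions. It reports the three indicators found in this cleanup: a process whose image lives under the user's Application Data folder, loose executables or batch files sitting in that folder (hidden ones included), and DNS servers in the TCP/IP settings that are not the ones you expect. It assumes PowerShell 2.0 with WMI access on the infected machine; the $TrustedDns list is a placeholder that you must replace with your own network's resolvers.

```powershell
# Added triage example (not from the original post). Run it from a USB drive or
# a share, as was done with procexp.exe. It only reports; the removal actions
# are left as comments so each finding can be confirmed before acting on it.
param(
    # Resolvers you expect on this network. Placeholder values: replace them.
    [string[]]$TrustedDns = @('192.168.1.1')
)

# %APPDATA%, i.e. C:\Documents and Settings\<user>\Application Data on Windows XP
$appData = [Environment]::GetFolderPath('ApplicationData')

Write-Host "== Processes whose image lives under $appData =="
Get-WmiObject Win32_Process | Where-Object {
    $_.ExecutablePath -and
    $_.ExecutablePath.StartsWith($appData, [StringComparison]::OrdinalIgnoreCase)
} | ForEach-Object {
    Write-Host ("PID {0,6}  {1}" -f $_.ProcessId, $_.ExecutablePath)
    # Equivalent of killing it in Process Explorer:
    # Stop-Process -Id $_.ProcessId -Force
}

Write-Host "== Executables and scripts sitting directly in $appData =="
# -Force lists hidden files, the same as enabling "Show hidden files and folders"
Get-ChildItem -Path $appData -Force | Where-Object {
    -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|bat|cmd|vbs|scr)$'
} | ForEach-Object {
    $hidden = (($_.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden)
    Write-Host ("{0,-24} {1,10} bytes  hidden={2}" -f $_.Name, $_.Length, $hidden)
    # After confirming the file is not legitimate:
    # Remove-Item -LiteralPath $_.FullName -Force
}

Write-Host "== DNS servers on IP-enabled adapters =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $adapter = $_
    foreach ($dns in @($adapter.DNSServerSearchOrder)) {
        if ($dns -and ($TrustedDns -notcontains $dns)) {
            Write-Host ("UNEXPECTED DNS {0} on '{1}' (DHCP enabled: {2})" -f `
                $dns, $adapter.Description, $adapter.DHCPEnabled)
            # To drop the static entries and return to DHCP-supplied resolvers:
            # $adapter.SetDNSServerSearchOrder($null) | Out-Null
        }
    }
}
```

Run it from an administrator session. A process reported in the first section is the equivalent of the fix.exe finding, the second section covers files like jsdfgs.bat, and any address flagged in the third section is worth a WHOIS or geolocation lookup before you reset the adapter to DHCP. A clean machine on a typical network will report nothing in the first two sections and only its normal resolvers in the third.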
And just for good measure I downloaded the Piriform CCleaner utility from www.ccleaner.com and ran the Cleaner tool to remove all temporary files. I also ran the Registry tool in the application to fix broken entries in the registry.
After completing all of the aforementioned tasks, the computer was running great and had no issues.
NOTE: Some of the symptoms described in this post, such as the file with the randomly generated name, the DNS servers pointing to Ukraine, and the rootkit, may not necessarily be present on your computer. These were found on mine during the cleanup. They may have been there previously, which is why it is always good to do a full scan with a legitimate antivirus/antispyware program. It is also recommended that you consult a trained professional or be fairly tech savvy before attempting this yourself.
The tools I used are listed below:
- Process Explorer (procexp.exe)
- www.live.sysinternals.com (you can download the full suite of tools here for FREE!)