Monday, April 5, 2010

Another Day in the Trenches: killing XP Antivirus 2010

I hate rouge antivirus programs. They seem to be getting more numerous and harder to get rid of all the time. Case in point: At work I noticed a shared computer suddenly popped up a Window announcing to me it was doing a scan and that I was infected with over 4,000 trojans and other forms of malware. Nice try I thought, so I used Control Alt Delete to start task manager and I closed Internet Explorer and all running processes involved. Fortunately it was a limited user account that was infected, and that turned out to be a important factor in removing it. I immediately ran Malwarebytes from that user and found a number of infections including the rogue antivirus product I was afflicted with.
These cretins that come up with this crap can’t even come up with something creative, we’ve seen XP Antivirus for a few years now, each year they just tack on a year to make it look current. Sad thing is I’m sure somewhere out there is someone who renews this crap every year, imagine paying yearly to be infected, oh right we already do that it’s called McAfee, but don’t get me started.

Well back to the task at hand: I rebooted the machine and logged into an administrator account. And updated Malwarebytes and ran it again... and found more junk, actually the same junk. Malwarebytes found it but could not kill it. Next I downloaded Superantispyware, a great application that I always run at home but wasn’t on the work machine. The first thing I do now after I download a anti-malware application is rename the installer, I do this because I often find the malware knows to prevent anti-malware from installing, okay these guys aren’t creative but they re getting smarter To rename a file, right click on the file and select rename and type anything.exe and install the program. Superantispyware did its thing and found a ton of additional files. I removed the infected files and rebooted again, and ran both my programs again. I still found junk! I repeated the sequence two more times until nothing was found. I then ran a scan in all user accounts to confirm “the kill”. So far so good, until I went into the user account where the infection had started, now whenever I tried to launch any program from the desktop I’d get the “Choose what Program you want to use to Open this File” message. This means I had to fix file associations and a great site with XP file association fixes is. //www.dougknox.com/xp/file_assoc.htm I used the .exe file association fix and it worked great. The last thing I did was to run Process Explorer, and Autoruns from Syinternals, these utilities give a great in depth look at what is currently running and starting on your machine at boot-up. Finding nothing suspicious I deemed the computer clean for now.
So a few lessons I learned on that one: Don’t use IE this was caused by a flaw in Internet Explorer I believed it was just fixed this week. Second running as a limited user is still far safer than running as an administrator, even though its trivial to elevate to administrator level, most malware seldom does, and this makes cleaning an infected PC much easier. Next running your cleanup tools multiple times and rebooting after each scan is the only way to give the anti-malware tools a chance against the bad guys.
http://www.malwarebytes.org/
http://www.superantispyware.com/