
Infection: Trojan.FakeAV and Trojan.Bredolab

Updated: 01 Nov 2010 | 6 comments

I posted in another thread about a week ago about an infected PC that was in a remote location.  I have been waiting for it to arrive at HQ, which it finally did yesterday.  After much mucking about, I have finally managed to clean it up.  I thought I would post my experiences in the hope that this might help someone else.

The infection was started by an email purporting to be from DHL about a parcel delivery.  The email managed to evade:
-- Symantec Information Foundation Mail Security for Exchange
-- Microsoft Exchange's in-built antispam/antivirus

When the user opened the email, it also managed to beat:
-- Symantec Endpoint Protection client (it was up to date v11.0.5000 with latest defs)

Infection resulted: Trojan.FakeAV and Trojan.Bredolab

Symptoms:
-- desktop hijacked
-- unable to run Task Manager
-- unable to download/run a variety of AV tools
-- remote logon disabled (so remote fixing of this issue was not an option)

When I got my hands on the PC yesterday, I found that all logins were being hijacked and logged straight back out again.  Since this PC came from a different network segment, most of my remote control tools couldn't find the machine.  I eventually set up a test network segment and tried to access it, but no luck.  WMI sessions would not connect, etc etc.

I built a boot CDROM using BartPE and successfully booted Windows XP and I could use the tools to browse the disk.  Running a command line session, I checked out the \WINDOWS and \WINDOWS\SYSTEM32 directories by typing in commands to list the .EXE files and checking the dates on them:
-- dir 1*.exe
-- dir 2*.exe
etc
-- dir 9*.exe
-- dir a*.exe
-- dir b*.exe
etc
-- dir z*.exe

There were a LOT of files named:  1something.EXE, 2something.EXE and so on (where "something" is numeric digits).  Many were 0 bytes, but some did have a small file size.  I deleted all of them.  I also found:
-- smss32.exe
-- winlogon32.exe
-- helper32.dll

with relatively recent timestamps for LastModified.  Research showed that these were virus files.  I tried renaming them and rebooting the PC, however this didn't work; the PC went into an endless cycle of reboots, so I had to rename them back again.

I then built a 2nd BartPE boot CDROM, but this time I tried adding MalwareBytes and HitmanPro install files to the disk.  After booting I tried installing them, but neither would install or run properly.  Stymied.  I don't know enough about BartPE to be able to configure packages:

*** so if anyone has a good BartPE or similar Boot CDROM that has antivirus/antispyware tools on it that they would be willing to share, I would really appreciate it!  (e.g. if I could download the .ISO file!)

I then decided to reinstall XP over the top of the virus-infected installation, and this worked fine.  After installing and rebooting, I was able to login (finally!!!).  Endpoint Protection showed a few files sitting in quarantine, which I deleted.  I then installed both MalwareBytes and HitmanPro.  MalwareBytes removed the bulk of the infected files.  After rebooting, HitmanPro then found a few more bits-n-pieces.  Something had turned off the Windows Firewall, so I turned it back on.

Last but not least, I ran a full SEP scan ... and it found some files:
-- APQ11.TMP  (Trojan.FakeAV file) in C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine
-- A0000141.EXE (TrojanFakeAV file) in C:\System Volume Information\_restore{etc etc
-- SetupIS2010[1].EXE (Trojan.FakeAV!gen17 file) in C:\Windows\System32\Config\SystemProfile\Local Settings\Temporary Internet Files\ etc etc

PC seems to be clean now.
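The manual "dir 1*.exe ... dir z*.exe" sweep described above can be scripted so the same triage is repeatable on any offline-mounted Windows directory (from a boot CD or a slaved drive). The following is an added example, not code from the original post: it flags .exe files with all-digit names, zero-byte bodies, or recent last-modified times, and builds a constructed sample directory (file names and sizes made up to mirror the post, including the smss32/winlogon32-style lookalikes) so it runs offline. The `recent_days` threshold and the idea that a lone "recent-mtime" hit is only a lead are assumptions.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta

# Files named like "1234567.exe" (digits only) were the pattern seen in the post.
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def find_suspicious_exes(directory, now, recent_days=30):
    """Return [(name, size, mtime_iso, reasons)] for .exe files in `directory`
    that look out of place: an all-digit base name, a zero-byte body, or a
    last-modified time within `recent_days` of `now`.  A lone "recent-mtime"
    is only a lead (Windows Update also writes fresh binaries); the other two
    reasons are the ones worth acting on."""
    cutoff = now - timedelta(days=recent_days)
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path) or not name.lower().endswith(".exe"):
            continue
        st = os.stat(path)
        mtime = datetime.fromtimestamp(st.st_mtime)
        reasons = []
        if NUMERIC_EXE.match(name):
            reasons.append("numeric-name")
        if st.st_size == 0:
            reasons.append("zero-bytes")
        if mtime >= cutoff:
            reasons.append("recent-mtime")
        if reasons:
            hits.append((name, st.st_size, mtime.isoformat(timespec="seconds"), reasons))
    return hits


def build_sample_system32(root, now):
    """Constructed stand-in for a mounted \\WINDOWS\\SYSTEM32 (assumption):
    names, sizes and timestamps are made up to mirror the post, not copied
    from any real infection."""
    old = (now - timedelta(days=600)).timestamp()
    fresh = (now - timedelta(days=4)).timestamp()
    samples = [
        ("1234567.exe", b"", fresh),                        # zero-byte stub
        ("2098765.exe", b"MZ" + b"\0" * 1498, fresh),       # small numeric-named binary
        ("winlogon32.exe", b"MZ" + b"\0" * 2046, fresh),    # lookalike of a system name
        ("helper32.dll", b"MZ" + b"\0" * 510, fresh),       # not .exe, skipped by the sweep
        ("notepad.exe", b"MZ" + b"\0" * 10238, old),        # legitimate, old, ignored
    ]
    for name, body, ts in samples:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.utime(path, (ts, ts))  # pin LastModified so the sweep is deterministic
    return root


def run_sample():
    """Build the constructed tree in a temp dir and sweep it with a fixed 'now'."""
    now = datetime(2010, 2, 1, 12, 0, 0)
    with tempfile.TemporaryDirectory() as tmp:
        return find_suspicious_exes(build_sample_system32(tmp, now), now)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Point `find_suspicious_exes` at the mounted system's `WINDOWS` and `WINDOWS\SYSTEM32` directories with `datetime.now()` to reproduce the sweep; anything flagged "numeric-name" or "zero-bytes" is what the post deleted, while "recent-mtime"-only hits need a second look against known update activity.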


Comments

Frosty | 03 Feb 2010

"PC seems to be clean now"

"PC seems to be clean now" was a tad premature.

Doing some testing with it, it started having a problem with Internet Explorer 8.  Wasn't able to access any website except for its home page.  This also meant that I was unable to access Windows Update to reinstall patches, etc.

In the end I did ANOTHER reinstall of Windows XP which reset Internet Explorer back to v6, and then reinstalled a fresh copy of MalwareBytes.  MB scan showed up a lot of files related to ALOT Toolbar (which I had uninstalled).  After these were removed, I ran a 2nd MB scan which came up clean.  However Internet Explorer v6.0 would not run at all now.

After leaving the PC on overnight, Automatic Updates downloaded IE8 and offered me the option to install it.  After installing, IE would still not run.  Running HijackThis and removing toolbar Browser Helper Objects didn't fix it, and neither would IE run when activated from Programs, Accessories, System Tools, Internet Explorer (no add-ons).  Reapplying SP3 and reinstalling IE8 made no difference.

So it seems I am stuck.  99% fixed, but a clean system without IE working is not an option.

I'm therefore moving all the data files off the PC and will do a clean reinstall of Windows XP.

Rafeeq | 03 Feb 2010

hi

try if you are not able to open Symantec or Microsoft websites
if security sites are blocked, then it's sure that you are infected with DownADup.
run this tool
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

Please don't forget to mark your thread solved with whatever answer helped you : ) Rafeeq

Frosty | 03 Feb 2010

Thanks for the suggestion

Thanks for the suggestion Rafeeq ... unfortunately it is all websites, not just the security/Microsoft-related sites ... IE was not even starting up properly.

BUT

I have since had a big "win" ... I thought "one more try". 

I ran HijackThis again and deleted a few more toolbar- and other-software-related Browser Helper Objects and registry keys that I thought might have an impact.  No change.

I then downloaded a tool named WinsockXPFix.exe which I used to reset all the networking settings (winsock libraries and so on). 

After rebooting, I waited for Automatic Updates to prompt me with updates/patches, told it to install only IE8 and nothing else.  It prompted me to reboot.

After rebooting again, HEY PRESTO, everything is working again.  I am not certain which of the above steps was key, but I suspect that it was the deleting of the BHOs with HijackThis followed by the reboot and the re-installation of Internet Explorer 8.  Perhaps also the resetting of the networking/winsock may have forced registry entries to be reset?

Anyway, I am now much happier, as it again looks like I have managed to avoid having to completely re-install XP! 

raptor5618 | 03 Feb 2010

Thanks,

I have one with very similar symptoms but do not know if I will be able to use some of the fixes that you employed as my company might not approve.  However, as far as the network issue goes in the past I experienced the same thing and found that the virus had reset the network settings, lmhost and host table so that it was just going to the loopback.  I also saw where it redirected everything to a specific site. 

I have some really old images to rebuild the computer but I do like to have the capability of stopping it even if only to get the user's data off the computer.  The virus that I currently have does all that and prevents booting into safe mode, and I am glad you experienced all the users being locked out because I thought I had possibly locked myself out.  I have several local users set up so I thought that was unlikely but I still wondered.

Very good and complete explanation.
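Two of the symptoms raised in this thread (security vendor sites unreachable, as Rafeeq describes, and the hosts table rewritten so that lookups go to loopback or to one specific site, as raptor5618 describes) can be checked directly in the hosts file, which on Windows XP lives at %SystemRoot%\System32\drivers\etc\hosts. The following is an added example, not code from the original thread or from any Symantec tool: it parses hosts-file text and reports watched security-vendor domains pinned to loopback, plus any single non-loopback address that several hostnames have been pointed at. The sample hosts text, the `WATCHED_SUFFIXES` list and the `min_redirect_hosts` threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file (assumption), not a capture from the infected PC.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com      # security vendor pinned to loopback
127.0.0.1       update.microsoft.com
::1             liveupdate.symantec.com
10.9.8.7        www.google.com
10.9.8.7        www.bing.com
10.9.8.7        www.yahoo.com
"""

# Domains that a clean hosts file almost never mentions (assumed watch list).
WATCHED_SUFFIXES = ("symantec.com", "microsoft.com", "malwarebytes.org")


def parse_hosts(text):
    """Return [(ip_address, hostname)] pairs; comments, blank and malformed
    lines are skipped, and a line with several hostnames yields several pairs."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an IP in the first column, ignore the line
        for host in parts[1:]:
            entries.append((addr, host.lower()))
    return entries


def is_watched(host):
    """True if host is one of the watched domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hosts_tampering(text, min_redirect_hosts=2):
    """Report watched domains mapped to loopback (updates and vendor sites
    silently unreachable) and non-loopback addresses that collect several
    hostnames (the 'everything goes to one site' symptom)."""
    blocked = []
    by_target = defaultdict(list)
    for addr, host in parse_hosts(text):
        if addr.is_loopback:
            if is_watched(host):
                blocked.append(host)
        else:
            by_target[str(addr)].append(host)
    redirects = {ip: hosts for ip, hosts in by_target.items()
                 if len(hosts) >= min_redirect_hosts}
    return {"blocked_security_sites": blocked, "redirect_targets": redirects}


if __name__ == "__main__":
    print(find_hosts_tampering(SAMPLE_HOSTS))
```

On a real machine, read the hosts file from the slaved or boot-CD-mounted drive and pass its contents to `find_hosts_tampering`; a clean XP hosts file contains only the `127.0.0.1 localhost` line, so any result other than empty lists is worth restoring the file and re-scanning over.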

timquinnsr | 24 Jun 2010

Trojan.Fake.AV virus

We have found that if the computer is infected with the Trojan.Fake.AV!GenXX and none of the above tricks work - Try this:

1.  Shut computer down and unplug
2.  Open the case and remove the hard disk drive
3.  Slave the hard disk drive in another computer (WARNING - make sure you have your anti-virus on the second computer completely up to date.  I gave this information to someone else and the anti-virus in his second computer was months out of date!  Yup...)
4.  Scan the infected drive with MalwareBytes (fully updated).  Symantec will also scan the files MalwareBytes scans since MalwareBytes opens each file to scan it.

This has worked for us 98% of the time.  We have never had a virus infect the second computer (yet), and have been doing this for over a year now.  We have several hundred computers with users from all walks of life and intelligence and we have infected computers on a regular basis (NOTE TO SYMANTEC - even though Symantec Endpoint Protection is running on all computers).

Good Luck

Tim

Mick2009 | 25 Jun 2010

SERT / FakeAV Info

Hi Frosty,

First off: did you submit the suspicious files that you identified to Symantec Security Response?  If you still have a copy, please do so - definitions can be updated to protect against this variant and save other admins from the grief of manual removal.

You asked "so if anyone has a good BartPE or similar Boot CDROM that has antivirus/antispyware tools on it that they would be willing to share, I would really appreciate it!  (e.g. if I could download the .ISO file!)" - are you familiar with SERT?  SEP 11 RU6 comes with a LiveCD which scans and cleans computers.  Definitely recommended!   See these for details:

https://www-secure.symantec.com/connect/forums/can-i-create-scan-disk-sep-11-work-infected-computer
https://www-secure.symantec.com/connect/videos/symantec-endpoint-recovery-tool-sert

Fake AV / misleading app / smitfraud / scareware / rogueware is an area that Symantec is very actively investigating.  In October 2009, a white paper was made public on the topic. The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs and how they affect users. The report includes an overview of these programs, how they work, their risk implications, various distribution methods and innovative attack vectors.

To learn more, please download and read the report or listen to the podcasts on the subject. http://www.symantec.com/business/theme.jsp?themeid=threatreport or  http://www4.symantec.com/Vrt/wl?tu_id=XuOB125692283892572210

You may also find some excellent info on FakeAV in these forum threads:

https://www-secure.symantec.com/connect/forums/sep-and-fakeav
https://www-secure.symantec.com/connect/forums/fakeav-webcast-app-and-device-control-examples

https://www-secure.symantec.com/connect/forums/question-fakeav-and-proactive-threat-protection

Hope this helps! Please do keep the forum up-to-date with your progress.

Thanks and best regards,

Mick