More Trojan.FakeAV issues (IS2010 infection and removal)
In the past week I have had 2 more infections of Trojan.FakeAV (IS2010) and have developed my own disinfection/cleanup process that I thought I would share. It's not necessarily the quickest or most efficient cleanup, however it does seem so far to be fairly effective.
STAGE 1 (disinfection)
-- have copies of MalwareBytes and Hitman Pro downloaded to USB stick and burned on CDROM
-- reboot infected PC, install and run both MalwareBytes and Hitman Pro and remove all infected files
I have found that after doing this, the PCs were still having some problems. In one case there was a rootkit detected in ATAPI.SYS (how? dunno!) that couldn't be removed using the above software, nor could it be fixed by anything else. I didn't trust that they were clean ... so I moved on to:
STAGE 2 (reinstall Windows XP)
-- locate correct install disk (e.g. XP+SP2 or XP+SP3) which matches the O/S installed already
-- boot off the CD, reinstall XP, choosing the option to repair the existing installation
-- go through all the Windows activation nonsense, etc
-- yada, yada, yada, rebooting, etc
After reinstallation, I find that the infected stuff is all gone (no more rootkit alarms), however the PC has been set back to either IE6 or IE7 level and now Internet Explorer will not work properly. So:
STAGE 3 (collect patches via Automatic Updates)
-- get your XP automatic updates running and use it to reinstall all available patches
-- especially get IE8 upgrade installed, so you can use Windows Update again
-- yada, yada, more reboots, etc
After all that, the PC seems to be clean, at least according to all the legit anti-virus/spyware tools that I can find. The whole process takes me about 4 hours (based on sample of 3 PCs infected thus far, but I will probably get faster at it if they keep happening).
Hope this helps someone.
Comments
Does Symantec
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2010020116202748
Prachand Kumar MCSE-2003 Symantec Technical Specialist (SCTS)
Trojan.FakeAV (IS2010 infection and removal) UBCD4WIN approach
After over a dozen infections of IS2010 and a few similar and sometimes nastier programs over the last 6 months on some of our computers, I now have 2 approaches. Both use UBCD4WIN, a disk which I made a couple of years ago and I don't remember the details but I think it generates an ISO file that uses the Bart PE (Pre-Environment) that you burn to a CD and it has a bunch of utility programs on it and supports the use of USB drives.
1. Full reinstall; sometimes I can copy the user's files from within Windows, lately I have had to boot from a UBCD4WIN CD to copy the user files before doing the full reinstall
2. Use a UBCD4WIN, Bart PE bootable CD with utilities that allow access to files and the registry to delete some things and change others, then reboot into Windows and install and run the latest MalwareBytes program from a USB drive to try to find anything you missed. Note that deleting the files and registry entries may not be enough; if you get caught in a Login/Logoff loop you may have to modify the registry:
I got this information from this forum; it doesn't mention smss32.exe but that showed up at the same time as the is2010.exe and is in many of the same registry areas and folders, sorting by DATE helps spot it and its accompanying files in the WINDOWS and SYSTEM32 folders:
INTERNET SECURITY 2010 fake AntiVirus
* * * * * * * *
CAN'T LOGIN TO WINDOWS
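The "sort by DATE" trick above (spotting smss32.exe and the files dropped alongside is2010.exe in WINDOWS and SYSTEM32) can be scripted so the cluster of same-minute files is pulled out of a directory listing automatically. This is an added example, not code from the thread; the listing below is constructed, the file name dropped_helper.dll is made up, and the 5-minute window is an assumption.

```python
"""Triage helper: list files in a WINDOWS/SYSTEM32 listing whose
modification time clusters around a known rogue AV file.
Added example; sample data is constructed, not from a real machine."""
import os
from datetime import datetime, timedelta

# File names the thread associates with the IS2010 rogue AV.
KNOWN_ROGUE = {"is2010.exe", "smss32.exe"}

# Constructed sample of (path, mtime) pairs, the kind of data
# os.scandir()/stat() returns; dropped_helper.dll is a made-up name.
SAMPLE_LISTING = [
    (r"C:\WINDOWS\system32\kernel32.dll", datetime(2008, 4, 14, 0, 12)),
    (r"C:\WINDOWS\system32\smss32.exe", datetime(2010, 2, 3, 21, 14)),
    (r"C:\WINDOWS\system32\dropped_helper.dll", datetime(2010, 2, 3, 21, 15)),
    (r"C:\WINDOWS\is2010.exe", datetime(2010, 2, 3, 21, 14)),
    (r"C:\WINDOWS\notepad.exe", datetime(2008, 4, 14, 0, 12)),
    (r"C:\WINDOWS\system32\drivers\atapi.sys", datetime(2010, 2, 3, 21, 16)),
]


def find_dropped_together(listing, known=KNOWN_ROGUE, window_minutes=5):
    """Return paths whose mtime lies within window_minutes of any known
    rogue file in the listing, oldest first. Files from the same drop
    (the "accompanying files" the post mentions) cluster tightly around
    the rogue's own timestamp, while OS files keep their install dates."""
    anchors = [mtime for path, mtime in listing
               if path.rsplit("\\", 1)[-1].lower() in known]
    if not anchors:
        return []  # no rogue file present, nothing to cluster around
    window = timedelta(minutes=window_minutes)
    hits = [(mtime, path) for path, mtime in listing
            if any(abs(mtime - anchor) <= window for anchor in anchors)]
    return [path for _, path in sorted(hits)]


def listing_from_dirs(dirs):
    """Build the same (path, mtime) listing from real directories,
    e.g. [r"C:\WINDOWS", r"C:\WINDOWS\system32"] on the infected box."""
    out = []
    for d in dirs:
        for entry in os.scandir(d):
            if entry.is_file():
                out.append((entry.path,
                            datetime.fromtimestamp(entry.stat().st_mtime)))
    return out


if __name__ == "__main__":
    for path in find_dropped_together(SAMPLE_LISTING):
        print(path)
```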
ATAPI.SYS is an indication of
ATAPI.SYS is an indication of TDL3/TDSS rootkit and Hitman Pro should be able to detect and remove ALL current versions. Get the latest build (89 at the time of writing) and use it in "Force Breach" mode with EWS scan; it should clean your system just fine.
http://www.youtube.com/watch?v=m6eRWTv2STk
Hitman Pro added to toolbox
I found references to Hitman Pro while doing more research, ran it on the latest infected computer and it found things that the MBAM missed, including fixing a WINSOCK problem that was stopping the computer from going on the internet. It also ran into the BSOD 6 out of 8 scans at about the same point according to the files-scanned counter. It does not require an install which is a huge plus but apparently it requires an internet connection to use "cloud" processing which is a huge minus for me since disconnecting the network cable is the first thing I do when the infection is brought to my attention. I am a one-man IT department at a non-profit and I don't have the expertise to isolate infected computers in a more elegant manner.
I usually immediately put
I usually immediately put the infected machine on an external wireless network and do all my work there for this very reason. I think the Hitman guys are working on a core engine that is available even when an Internet connection is unavailable, but the multi-engine cloud detection part is obviously the major power behind the product.
P.S. If you're positive that the machine is infected, I suggest you run Hitman in Forced Breach mode with EWS scan. That should be able to take care of those BSOD errors you've been seeing.