Since most of the Rogue AVs out there are good at hiding from anti-virus programs, you’re going to need to do a few things to make the system usable again, including scanning the system from the bootable disk. However, you first need to look in the Documents and Settings Folder, both under the All Users folder and the folder for the main user, these are hidden folders so make sure you have the ability to see hidden folders turned on. Alot of the things out there have gotten smarter and started putting files in the All Users/App Data folder to be started with Windows on boot up! This can make it a real pain when you are looking for the exe and dll files in the main user profile and not seeing anything thinking MAYBE you caught the infection before it got in, only to get sucker punched later. Some of the ones I have seen put the files in most of the user directories so that no matter who you logon as you launch the nasty little bugger again.  Standard clean up procedures apply, as I have described in one of my earlier posts, making sure to fix all the registry entries.

The nastiest new trick I have seen is the changing of ALL the folder and file permissions to be Hidden/System files. This means that Windows will boot but all the data seems to be missing from the system, and most programs will not run. There is no easy way that I know of to completely reset all the permissions, the best solution I have found is to remove the infected files, then do a System Restore from a few days previous to reset alot of the permissions. The problem with this method is that it doesn’t always reset the User Profile folders to be not hidden. Also depending on when you picked up your unwanted guest, you may have just restored it along with the folder permissions. Another nasty little trick is to change the registry entry that controls how Windows handles exe files. This means when you click on Adobe Reader on your desktop for example, it won’t launch because it is looking for your unwanted guest so it can launch IT then either launch or prevent the launching of the program you actually tried to run. I use the following to change it back, usually loaded from a USB thumb drive:

[HKEY_CLASSES_ROOT\.exe]
@=”exefile”
“Content Type”=”application/x-msdownload”

[HKEY_CLASSES_ROOT\.exe\PersistentHandler]
@=”{098f2470-bae0-11cd-b579-08002b30bfeb}”

[HKEY_CLASSES_ROOT\exefile]
@=”Application”
“EditFlags”=hex:38,07,00,00
“TileInfo”=”prop:FileDescription;Company;FileVersion”
“InfoTip”=”prop:FileDescription;Company;FileVersion;Create;Size”

[HKEY_CLASSES_ROOT\exefile\DefaultIcon]
@=”%1″

[HKEY_CLASSES_ROOT\exefile\shell]

[HKEY_CLASSES_ROOT\exefile\shell\open]
“EditFlags”=hex:00,00,00,00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@=”\”%1\” %*”

[HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@=”\”%1\” %*”

[HKEY_CLASSES_ROOT\exefile\shellex]

[HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
@=”{86C86720-42A0-1069-A2E8-08002B30309D}”

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PEAnalyser]
@=”{09A63660-16F9-11d0-B1DF-004F56001CA7}”

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\PifProps]
@=”{86F19A00-42A0-1069-A2E9-08002B30309D}”

[HKEY_CLASSES_ROOT\exefile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@=”{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}”

This has worked (so far) every time for me in restoring the normal ability for exe’s to run. I have gotten into the habit of running this reg entry after every time I have cleaned a Rouge AV from a machine, just as a precaution as they are getting trickier to deal with. As always, you should be sure to clean out the temporary Internet files, and check for anything that may have been added to the hosts file, and run multiple scans with different updated anti-virus and anti-spyware programs before you consider a machine healthy enough to be used again. But hopefully this will give you a better insight into what you should be looking for when trying to clean these kind of infections up.

Lately, I’ve had more and more fake/rogue AV programs popping up and some have taken a new twist. Usually malware installs itself into the currently logged in user’s Documents and Settings directory. But I have a had quite a few that have put themselves into the All users or Default User directories. Fortunately I tend to check those anyway to make sure nothing is lurking in there but it would be very easy to overlook something set to run at start-up in those other user directories. One of the files, as an example; is hotfix dot exe which is a pain as it installs, runs at start-up and prevents Windows from even finishing loading!

As a person who has to support a lot of users and remote locations, it can sometimes be a hassle to get remote process information from a machine. While I know that the command line tools are out there to do it, I am a firm believer in GUI tools. (Show me a command line tool that is more powerful than a point and click GUI version, and you’ve just shown me a GUI version that had a lazy developer who didn’t put all power of the command line version as he should have. But that’s my personal opinion, your milage may vary.) Anyway, a new tool that I found that works really well for accessing and killing remote processes is Remote Process Explorer.  It’s free for personal use, around $90 for a corporate license and does an excellent job of  letting you connect remotely to machine and see what processes are running, and to kill them. Very much like a task manager for remote machines, I have used it several times to help me kill fake AV programs that are trying to take over a user’s computer and then been able to remove the offending exe and run local anti spyware and anti-virus software to eliminate any thing left behind by the fake AV.

The following is my view of things, your mileage may vary……

Many of the malware and viruses out there are looking to spread in the best and most wide spread way possible. Since sex, porn, naked pictures of ‘Insert Celebrity name here’ are some of THE most widely searched terms on the net, this is one of the oldest and most popular ways to spread your infection around to unknowing users. Before pop-up ads, banners, phishing, click jacking and the like became the big way to spread malware around, a lot of people would get online and search for pornography, esp the young teenage crowd. And since you could setup a website with almost anything on it, what better way to get yourself a large amount of victims? And, of course once you infect a machine, setting up a few pop-ups on the machine that talk about ‘Hot Girls’ and the like will allow more infections to get in (like any distraction, it’s not what you’re looking at that is the issue, it’s what you don’t see in the background that is the problem) and while it may eventually make the user seek help in getting the machine fixed, the embarrassment and humiliation of having to show those pop-ups to a stranger (or worse, someone you know) can delay the fixing of the PC long enough to enable personal information gathering, use of the machine for storage of pirated files, or use of the resources of the machine to attack other machines to happen. Why use porn? Well because you’ll get more hits from “LIVE! NAKED! GIRLS!” “Click here to see Insert Celebrity name here” “HOT SINGLE MEN/WOMEN/GOATS WAITING JUST FOR YOU!!!!” than you will if you say “LIVE! NAKED! SPYWARE!” “Click here to see how fast your machine can get a computer virus!” “HOT IDENTITY THEFT WAITING JUST FOR YOU!!!!”. Now which is more likely to generate traffic and get viruses etc. spread out farther?

With the ease of the setting up a website on the internet, many people now have a site, from small businesses to people who believe they are the greatest thing to hit the adult entertainment industry since high speed internet connections enabled the downloading of videos. The problem is that many of the adult sites that get setup have a lot in common (when it comes to a lack of security) with small businesses, they just get more press. If a small business gets compromised, you really don’t hear about it. But if an Adult entertainment site (which sells videos, pictures what have you) gets compromised and starts handing out viruses and malware, or worse their customer information, it becomes news on the Internet. The trouble is no matter what the small business site or Adult site are selling, they suffer from the same thing… not enough informative decision making when creating their site. A lot of sites out there are using Apache, PHP, MySQL, and Linux servers but have no idea that after they set them up, they need to lock them down. Sure you can get a site setup and running with an out of the box setup, but you leave yourself wide open to compromise by hacker wannabes, up and comings and veteran hackers alike. And even if you do lock down the server and the software (PHP and Apache seem to be favorite targets as they are so popular) when you update the server, you have to go back over it and make sure it is locked down again. If you’re a web master and have the time to stay on top of the server, this shouldn’t be too bad. But if you’re a small business owner/porn site owner, you most likely are doing the work yourself in between trying to create new content, shoot pictures, create products, manage the business etc. This means that you do not have the time or the knowledge to secure the system and keep on top of the patches etc. Many places have cousin Ralphie’s college bound son/friend of a friend, or a third party company who does the site management for them and again, they may know how to make a web page but not how to secure it properly. Many of of them do not want to spend the money to hire a professional to help them either setup or secure the site because it could cut too deeply into their profit margins. While that may be true, it also may not be true. And it’s better to get help sooner rather than later. I’ve dealt with small businesses (non porn) that have been hacked, and waited until after the fact to ask for help, and generally the damage to the business and cost of recovery outweighs what the initial cost of getting the site secured to begin with would have been. There are always IT professionals who are willing to be reasonable on price and advice that small business owners can turn to. Not asking around, either before or after the fact is foolish in my personal opinion, but it does happen. As I have told many of my SMB clients, do some research on the web, make a few phone calls, find out what some of your peers are doing and see if they have any helpful suggestions about securing your online presence.

Couple believes their house was ransacked by Facebook “friend”

Crooks using Foursquare and Twitter to rob houses

So think about what information you’re handing out on the World Wide Net these days, you might be telling just a bit too much.

“Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?

Often times people also reason that all of their passwords and logins are stored on their computer at home, which is save behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!

Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.

I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson.”

Head on over to One Man’s Blog and check the article out for yourself, it is well worth the read.