Nothing like a good old virus . . .
4/29/2010 3:50 PM
There has been a recent uptick in the frequency of virus-related issues, with quite a number of computers here in the Cincinnati area having been infected with the XP Defender virus.
Users are oftentimes exposed to malware such as XP Defender through some form of social engineering. The user may receive a social media (Facebook, etc.) message from another infected user, or while browsing the internet they may be redirected to a web page designed to look like a system scan displaying multiple infections. The user ends up downloading the virus onto the system.
Once the virus is on the system the authors will demand that the user pay $85 for their “anti-virus” product – which does nothing more than fool the user into thinking they have antivirus and malware protection. If the user does not pay the hijack fee the software will begin to progressively degrade the system's performance until the user coughs up the money. Either way, the malware will remain on the computer, propagating itself through the infected system's friends and acquaintances.
Virus Removal – The process of removing a virus such as this from a computer is increasingly complicated. Once the virus has made your computer its home there is little that anti-virus packages can do without the use of advanced tools and techniques. The following was done to remove the XP Defender virus:
- Reboot the computer into safe mode (F5).
- Run MSConfig and set the computer to selective startup – disabling System Services and Startup Items.
- Install and run AVG antivirus software.
- Backup the entire registry.
- Inspect the Run key of the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) for entries with a non-conventional name, usually in the form of a random number or series of letters, and note any suspicious entries and their executable name.
- Search the whole registry for the executable name. You will know you have a winner when you come across an entry in the HKEY_CLASSES_ROOT shell\open\command section. The virus will usually prefix the value of the default entry with something like "c:\bugme\virus.exe %1" – ensuring that the virus will remain in memory by launching each time a file of that particular type is launched. CAUTION: Do not just delete the entry! Instead you should usually just manually modify the entry, removing only the virus executable.
- Use ComboFix.exe to search for and remove any rootkits.
- Slowly, half at a time, re-enable the services and startup items in MSConfig.
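The registry steps above (spot an oddly named Run entry, search the registry for its executable, and repair the shell\open\command value without deleting it) can be checked offline against a registry export. The following is an added example, not code from the original post: it parses a small constructed .reg export, flags Run entries whose names look random, finds every value that references the noted executable, and proposes a cleaned command value that drops only the rogue executable and its switches. The sample key names, the "4fa92kd1" entry, the c:\bugme\virus.exe path and the random-name heuristic are all assumptions made for the demonstration; a proposed fix should always be compared by hand with a known-good value from a clean machine before it is written back.

```python
import re

# Constructed sample of a .reg export; not a dump from a real infection.
RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="C:\\Program Files\\AVG\\avgtray.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"4fa92kd1"="C:\\bugme\\virus.exe"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"c:\\bugme\\virus.exe\" /START \"%1\" %*"

[HKEY_CLASSES_ROOT\txtfile\shell\open\command]
@="%SystemRoot%\\system32\\NOTEPAD.EXE %1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
VOWELS = set('aeiou')


def _unescape(s):
    """Undo .reg string escaping: a backslash makes the next character literal."""
    out, i = [], 0
    while i < len(s):
        if s[i] == '\\' and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_reg(text):
    """Map each [key] to a dict of value name -> data (string values unescaped)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # REG_SZ; dword:/hex: data is kept raw
            keys[current][name] = data
    return keys


def looks_random(name):
    """Coarse heuristic for auto-generated names: all digits, letters mixed
    with several digits, or almost no vowels. Only yields candidates to review."""
    letters = [c for c in name.lower() if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if not letters:
        return bool(digits)
    if len(digits) >= 2:
        return True
    return sum(c in VOWELS for c in letters) / len(letters) < 0.15


def suspicious_run_entries(keys):
    """(entry name, executable basename) for oddly named values under the Run key."""
    found = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        if looks_random(name):
            exe = re.split(r'[\\/]', cmd.strip('"'))[-1].split()[0]
            found.append((name, exe.lower()))
    return found


def find_references(keys, exe):
    """Every (key, value name, data) whose data mentions the executable name."""
    return [(k, v, d) for k, vals in keys.items()
            for v, d in vals.items() if isinstance(d, str) and exe in d.lower()]


def clean_command(command, exe):
    """Drop the token naming the rogue executable plus any switches that follow it
    before the first %1 placeholder; everything else in the command is kept."""
    tokens = re.findall(r'"[^"]*"|\S+', command)
    out, skipping = [], False
    for tok in tokens:
        if exe.lower() in tok.lower():
            skipping = True
            continue
        if skipping and '%1' not in tok and tok.startswith(('/', '-')):
            continue
        skipping = False
        out.append(tok)
    return ' '.join(out)


def audit(text):
    """Tie the steps together: suspicious Run entry -> references -> proposed fix."""
    keys = parse_reg(text)
    report = []
    for name, exe in suspicious_run_entries(keys):
        for key, vname, data in find_references(keys, exe):
            is_open_cmd = key.lower().endswith(r'\shell\open\command')
            report.append({'run_name': name, 'exe': exe, 'key': key, 'value': vname,
                           'data': data, 'fix': clean_command(data, exe) if is_open_cmd else None})
    return report


if __name__ == '__main__':
    for hit in audit(SAMPLE_REG):
        print(hit['key'], '|', hit['data'], '->', hit['fix'])
```

On the constructed sample the exefile handler is reported with the proposed value `"%1" %*`, while the Run entry itself is listed with no fix, since that value should simply be removed once its executable is gone.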
It is important to note that many “viruses” are not detected by antivirus software because the programs are not technically viruses; instead they are helper applications that simply do the back-end work, such as downloading the viruses to the computer. So you will find that enabling the services and startup items in the MSConfig application may cause viruses to be downloaded to the computer. I recommend that you monitor the c:\windows\tmp folder for any newly created files – signaling the possibility of a new download.
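The last two steps amount to a bisection: take a baseline of the watched folder, re-enable half of the startup items, and see whether anything new appears. The following added example (not code from the original post) shows that loop in Python: a baseline snapshot of a folder, a diff that lists newly created files, and a halving search that narrows a list of startup items down to the one whose presence causes a new file to appear. The folder is a temporary directory standing in for c:\windows\tmp, and the "4fa92kd1" item that drops a file when enabled is a constructed stand-in for a download helper; on a real machine the reboot-and-wait step would sit where the simulated check is.

```python
import itertools
import tempfile
from pathlib import Path


def snapshot(folder):
    """Record (size, mtime) for every file directly inside `folder`."""
    result = {}
    for entry in Path(folder).iterdir():
        if entry.is_file():
            st = entry.stat()
            result[entry.name] = (st.st_size, st.st_mtime)
    return result


def new_files(before, after):
    """Names present in `after` but absent from `before`: candidate fresh downloads."""
    return sorted(set(after) - set(before))


def bisect_culprit(items, causes_download):
    """Re-enable startup items half at a time and narrow down to the single item
    whose presence makes causes_download(enabled_subset) return True.
    Assumes exactly one culprit; returns None if no subset triggers a download."""
    candidates = list(items)
    while len(candidates) > 1:
        first_half = candidates[: len(candidates) // 2]
        if causes_download(first_half):
            candidates = first_half
        else:
            candidates = candidates[len(first_half):]
    return candidates[0] if candidates and causes_download(candidates) else None


def demo():
    """Simulated run: a temporary folder plays the part of c:\\windows\\tmp and the
    constructed item '4fa92kd1' drops a file whenever it is among the enabled items."""
    items = ['AVG_TRAY', 'ctfmon.exe', '4fa92kd1', 'Adobe Reader Speed Launcher']
    drop_counter = itertools.count(1)
    with tempfile.TemporaryDirectory() as tmp:
        def causes_download(enabled):
            before = snapshot(tmp)                     # baseline before "rebooting"
            if '4fa92kd1' in enabled:                  # stand-in for the download helper
                Path(tmp, 'setup_%d.exe' % next(drop_counter)).write_bytes(b'MZ')
            return bool(new_files(before, snapshot(tmp)))
        return bisect_culprit(items, causes_download)


if __name__ == '__main__':
    print('startup item responsible for new downloads:', demo())
```

Each round of the real procedure costs a reboot, so halving the enabled set (log2 of the item count rounds) is what makes the "half at a time" approach practical compared with toggling items one by one.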