Friday 10 July 2009

Rogue Infection: WARNING! YOUR’RE IN DANGER!

One of our clients received a link via an e-mail from a friend saying that they needed to purchase, download, and install a product to help keep their system running great!

Now, the machine is virtually unusable due to constant battering by pop ups from a product called System Security 2009 (also a Rogue AntiSpyware blog link). The rogue also prevents any .EXE from running on the system except an IE window that takes us to the “online activation system”.

We are going to flatten this system, extract their data from an earlier ShadowProtect image, and start fresh.

Since many of the infections found on the system are Trojan related, there is no guarantee that removing them would not leave a backdoor of some sort into the system.

The desktop as it is now:

Security-Warning

And:

Security-Warning-2

Our client knew something was well out of sorts due to the misspelling of “YOUR’RE” when the background started showing up.

Note the constant fight between the malware and AVG Free.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*All Mac on SBS posts will not be written on a Mac until we replace our now missing iMac! (previous blog post)


3 comments:

Ryan O'Dwyer said...

I've found that Antispyware Pro 2009 (a variant, I presume, of System Security 2009) stops most exe files from running, including the SysInternals tools.

The following has worked for me, simply because it was a remote system miles away:

The spyware seems to only stop exe files a few seconds after launch.

Therefore, I can run "cmd /c taskkill sysguard.exe /f" and kill the spyware, and then load a malware removal program, or remote access, buying time at least until the machine can get back to your office.

YMMV, but if you can identify the exe files that are running then you may be able to run the command and get into the system.

Just my finding thus far, given how smart these spyware people are getting, and given how far away this system was from me.

--Ryan

Anonymous said...

Philip: This happened to a client of yours? What protection was on this system and it still got trashed? How do you explain that to the client? My vision is that even with security software, machines will still wind up being taken over. 'Why am I paying you and have all this security software and it still gets compromised?'

How do you answer that? I guess things would be worse without security software, without OpenDNS set as their dns servers. Are these local admins? While not best practices, local admin is kinda needed for some LOB and just to do routine things like change the clock time, etc.

Anonymous said...

And another thing - flatten the machine? On a domain? While roaming profiles would save you from getting off the old data (right?) because the data is stored on the server, roaming profiles can cause problems? What do you do with this?