It's not clear what the vector was in this case - I didn't install any software for the last few weeks. I'm wondering if it's some remote exploit. When Spyware Protect 2009 first launched I was running Remote Desktop, and after it had launched my SSHD service (cygwin) quit working. I'm curious if anybody else had similar experiences.
It's easy to kill the program with Task Manager. Just look for a program name ending in sysguard.exe. The first couple of letters will be random; mine was called fftwsysguard.exe and was found in C:\Documents and Settings\alan\Local Settings\Application Data\szvcxr (the name of the directory is also random). After killing the program with Task Manager it's easy to delete the main program from your disk. Finally, you'll stop Windows from attempting to load the program at bootup. Startup Control Panel is good for this.
This does not eliminate the infection. You'll also need to fix your hosts file, found in C:\WINDOWS\system32\drivers\etc
This file will include the following lines, which should be deleted:
91.212.127.227 awareremover2009.microsoft.com
91.212.127.227 awareremover2009.com
91.212.127.227 www.awareremover2009.com
The lines you want to keep are:
127.0.0.1 localhost
::1 localhost
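As an added example (not part of the original post), here is a small Python check that applies the rule described above to a hosts file: keep only entries that map to a loopback address, and flag anything that points a name, especially a microsoft.com name, at a routable address. The sample hosts content is constructed inline from the lines quoted in the post; on a real machine you would read the file from the C:\WINDOWS\system32\drivers\etc path given above instead.

```python
import ipaddress

# Constructed sample hosts file content reproducing the entries the post describes:
# the two loopback lines are legitimate, the three awareremover2009 lines are not.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
::1 localhost
91.212.127.227 awareremover2009.microsoft.com
91.212.127.227 awareremover2009.com
91.212.127.227 www.awareremover2009.com
"""


def parse_hosts(text):
    """Return (ip, [hostnames], raw_line) for each non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no names is meaningless
            continue
        entries.append((parts[0], parts[1:], raw))
    return entries


def audit_hosts(text):
    """Split hosts entries into (keep, remove).

    An entry is kept only if it maps to a loopback address (127.0.0.0/8 or ::1).
    Anything that maps a name to a non-loopback address is flagged for removal,
    with an extra note when a well-known domain (here: *.microsoft.com) is being
    redirected to a third-party IP, which is the pattern the post shows.
    """
    keep, remove = [], []
    for ip_str, names, raw in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            remove.append((raw, "unparseable address"))
            continue
        if ip.is_loopback:
            keep.append(raw)
            continue
        reason = "maps name to non-loopback address"
        if any(n.lower().endswith(".microsoft.com") for n in names):
            reason += " (well-known domain redirected)"
        remove.append((raw, reason))
    return keep, remove


def clean_hosts(text):
    """Return the hosts text with comment lines and loopback entries only."""
    keep, _ = audit_hosts(text)
    out = []
    for raw in text.splitlines():
        if not raw.split("#", 1)[0].strip() or raw in keep:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    kept, removed = audit_hosts(SAMPLE_HOSTS)
    for raw, why in removed:
        print(f"REMOVE: {raw!r}  ({why})")
    for raw in kept:
        print(f"KEEP:   {raw!r}")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

The loopback test is deliberately strict: a legitimate hosts file on a home machine rarely needs anything beyond the two localhost lines, so any routable address is worth a look even when the hostname does not look suspicious.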
Even after doing this, Internet Explorer will randomly try to load awareremover2009.com, and IE/Firefox will be prevented from connecting to several anti-virus websites.
At this point, running Trend Micro House Call found and deleted part of it, but this did not fix the problem with the web browsers.
MalWareBytes found some additional parts of the infection:
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b6d223f6-c185-49a2-ba7e-a03e84744702} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
But it did not catch all the registry changes; in particular, several changes were made that make IE markedly less secure. See http://www.threatexpert.com/ for a list (actually, since awareremover2009 blocks threatexpert, here's a local copy).
Registry Modifications
- The following Registry Keys were created:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- HKEY_CURRENT_USER\Software\Microsoft\Windows Script
- HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings
- HKEY_CURRENT_USER\Software\AvScan
- The newly created Registry Values are:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
- esdcsadr = "%AppData%\ijipdt\xxeusysguard.exe"
so that xxeusysguard.exe runs every time Windows starts
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
- RunInvalidSignatures = 0x00000001
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations]
- LowRiskFileTypes = ".exe"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments]
- SaveZoneInformation = 0x00000001
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- esdcsadr = "%AppData%\ijipdt\xxeusysguard.exe"
so that xxeusysguard.exe runs every time Windows starts
- [HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings]
- JITDebug = 0x00000001
- The following Registry Value was deleted:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
- AppInit_DLLs = ""
- The following Registry Value was modified:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download]
- CheckExeSignatures =
The changes you need to make here should be pretty obvious. The deleted values appear to be generally ok, as my other main machine doesn't have anything set for those values either. It might be a good idea to go into your IE preferences and reset all the security settings, just to be sure, though.
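The registry list above is easier to act on as a checklist. The following Python audit is an added example (not the post's own code, and not the ThreatExpert report): it walks a snapshot of registry values and flags the two kinds of change the post describes, a Run entry launching a randomly named *sysguard.exe from the user profile, and the IE/Attachment Manager values that were weakened, reporting for each the value to restore. The snapshot is a constructed dict shaped like {(key, value_name): value}; reading the live registry with winreg is left out so the check runs offline. The CheckExeSignatures value is blank in the post, so "no" here is a constructed placeholder, and the ctfmon.exe entry is a benign Windows XP autorun included to show that ordinary entries are not flagged.

```python
import re

# Constructed registry snapshot: the values listed in the post plus one benign
# autorun (ctfmon.exe) so the audit has something it must NOT flag.
SAMPLE_REGISTRY = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "esdcsadr"):
        r"%AppData%\ijipdt\xxeusysguard.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "esdcsadr"):
        r"%AppData%\ijipdt\xxeusysguard.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon.exe"):
        r"C:\WINDOWS\system32\ctfmon.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download", "RunInvalidSignatures"): 1,
    # The post does not show what CheckExeSignatures was changed to; "no" is a constructed placeholder.
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download", "CheckExeSignatures"): "no",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations", "LowRiskFileTypes"): ".exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments", "SaveZoneInformation"): 1,
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows Script\Settings", "JITDebug"): 1,
}

# value name -> (predicate that is True when the value is in its weakened state,
#                what to restore, why the weakened state matters)
WEAK_SETTINGS = {
    "RunInvalidSignatures": (lambda v: v == 1, "set to 0 (or delete the value)",
                             "lets IE run downloads whose Authenticode signature is invalid"),
    "CheckExeSignatures":   (lambda v: str(v).lower() != "yes", 'set to "yes"',
                             "turns off IE's signature check on downloaded executables"),
    "LowRiskFileTypes":     (lambda v: ".exe" in str(v).lower(), "delete the value",
                             "marks .exe as low risk so the open-file warning is skipped"),
    "SaveZoneInformation":  (lambda v: v == 1, "delete the value (or set to 2)",
                             "stops the download zone being recorded on saved files"),
    "JITDebug":             (lambda v: v == 1, "delete the value",
                             "enables Windows Script just-in-time debugging; not present by default"),
}

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
SYSGUARD_RE = re.compile(r"^[a-z]+sysguard\.exe$", re.IGNORECASE)   # random prefix + sysguard.exe
PROFILE_RE = re.compile(r"%AppData%|%LocalAppData%|\\Application Data\\", re.IGNORECASE)


def audit_registry(reg):
    """Return a list of findings, each a dict with key, name, value, issue and fix."""
    findings = []
    for (key, name), value in reg.items():
        if RUN_KEY_RE.search(key):
            command = str(value).strip('"')
            exe = command.rsplit("\\", 1)[-1]
            if SYSGUARD_RE.match(exe):
                findings.append({"key": key, "name": name, "value": value,
                                 "issue": "autorun of a randomly named *sysguard.exe",
                                 "fix": "delete this value and the file it points to"})
            elif PROFILE_RE.search(command):
                # Heuristic only: legitimate software sometimes autoruns from the profile.
                findings.append({"key": key, "name": name, "value": value,
                                 "issue": "autorun from a user profile directory (review manually)",
                                 "fix": "confirm the program is one you installed"})
            continue
        if name in WEAK_SETTINGS:
            is_weak, fix, why = WEAK_SETTINGS[name]
            if is_weak(value):
                findings.append({"key": key, "name": name, "value": value,
                                 "issue": why, "fix": fix})
    return findings


if __name__ == "__main__":
    for f in audit_registry(SAMPLE_REGISTRY):
        print(f"[{f['name']}] {f['issue']}\n    at {f['key']}\n    value: {f['value']!r}\n    fix: {f['fix']}")
```

Restoring the listed values by hand (or via "reset all security settings" in IE, as suggested above) covers the known changes; the Run-key check is the part worth keeping around, since the executable and directory names are randomised and a fresh name will not be in any static list.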
After all that, however, I still found that both Firefox and IE got randomly redirected to Ad websites when using Google. I tried to fix this using the following programs:
ESET online scanner found nothing.
Bit Defender Free Edition found nothing (full scan).
Microsoft Malicious Software Removal Tool (Nov 2009), (win/system32/MRT.exe, full scan) found nothing.
Spyware Doctor (PC Tools) found nothing, and even if it had, the freely downloadable version only detects infections; you need to pay if you want to remove them.
I found my solution in ComboFix. The problem: sysguard installed a rootkit (hidden in atapi.sys), which prevents detection. ComboFix was the only program that discovered this. Ironic, since ComboFix is 100% freeware, whereas those other scanners were free demos/trials.
ComboFix was able to remove part of the infection (c:\windows\Downloaded Program Files\IDropPTB.dll), but not all of it: a hacked atapi.sys was detected, but not removed. UPDATE: ComboFix was updated sometime Nov 12th and the new version did remove the hacked atapi.sys file! So far, it looks like the infection is finally completely gone.
To make sure, I ran one last round of scans, in the following order:
BitDefender Free Edition found an infected file in the System Restore folder (suggesting that running system restore might have caused the infection to occur again!).
MalwareBytes found another 6(!) copies of the infected atapi.sys file in the System Restore folder (once again suggesting BitDefender Free Edition isn't worth the trouble of dealing with its constant nag screens).