Category: Spyware

As time passes, viruses and malware are getting very hard to clean up when Windows is running.  Therefore, we need some tools that do offline virus scanning.  Correction: FREE tools.  After doing some reason, I have found some very decent products for doing this.

One is the F-secure Rescue CD version 3.01.  This is a Linux based rescue disc that can read/write NTFS partitions. The CD supports updating the virus definitions either via the Internet or a USB stick.  It appears that F-Secure is using the Kaspersky engine for detecting viruses and according to VB100: Kaspersky ranks up there with ESET.  The CD will rename infected files with a file extension of .virus, but will not delete or disinfect them.  I tried the manual update routine by downloading http://download.f-secure.com/latest/fsdbupdate.run to a USB stick.  I placed the USB stick in the computer, booted from the CD and it found the updates right away during the boot process.  This is very useful, especially if the CD fails to find a NIC driver for your PC.  I tried the Internet auto-updating on a Dell Optiplex 745 and GX280: both worked flawlessly.

A similar CD is available from BitDefender called BitDefender Rescue CD 2008.  The CD actually boots to a screen that says BitDefender 2009. This CD is also Linux based.  The virus tests run by VB100 show a less stellar product then F-secure.  The CD, however, has a bit more functionality.  The CD boots to a XWindows environment with Firefox and a file manager called Midnight Commander. You can also manually update virus definitions by running a script from the desktop.  It appears, however, you have to have Internet access to update the virus definitions whether using the manual script or automatic update.  BitDefender gives you options for each suspect file found: leave alone or delete.

Since I was already using a WinPE 2.0 disc to push out images, I wanted to find a free solution I could add to this disc.
(WinPE 2.0 is available for free in the latest WAIK: see http://www.svrops.com/svrops/articles/winvistape2.htm)

Sophos has a free commandline scanner called Sophos SAV32CLI at http://www.sophos.com/support/knowledgebase/article/13251.html.  Sophos ranks very well at the VB100. I suggest throwing it on a network share and then just mapping a drive to that network share.  You can also use USB drives in WinPE 2.0, so you can also place the files on a USB stick.   The readme.txt lists all of the command line options you can use, but I simply use “X:avsophossav32cli.exe -di -dn C:”. This tells Sophos to show the filenames that it is scanning and to disinfect all the files it finds. There’s also a logging option “-p=” you can use to pipe the results to a file or simply put a pause statement after this command if you are running the program from a batch file. Virus updates are available at http://www.sophos.com/downloads/ide/.  Use the ZIP file version as the self-extracting file does NOT work on Vista/Server 2003.  The command line version goes out of date after 3 months, so make sure you download a new copy or the new IDEs won’t work after a while.

Mcafee has a command line scanner and virus definitions in their SuperDat virus files.  Download the SuperDat exe from ftp://ftp.nai.com/pub/antivirus/superdat/intel/.  Then extract the SuperDat file using the “/e” switch, for example: “sdat5569.exe /e”.  To scan the C: drive, you can use “scan c: /clean /winmem”.  There is a GUI wrapper included with BartPE for the Mcafee scanner if you want a GUI.

Update: As of 4/1/10, this trick no longer works.  They removed scan.exe, messages.dat, etc. from the SuperDat file.  You must now download vscl-w32-6.0.1-l.zip (Mcafee Commandline Tools) from Mcafee’s site using a grant number to get scan.exe.

Trend Micro has a program called Trend Micro System Cleaner.  This is a portable program that uses the regular spyware and virus definitions that their regular AV programs use.  Trend Micro is not rated at VB100, but seems like a very decent product. You will need manually download the virus and spyware definitions yourself.  Their web page is a bit confusing for updating the virus/spyware definitions, but upon running the program for the first time, it will give you the URL locations of what to download.  Currently, the virus definitions are lpt$vpn.XXX in ZIP format as lptXXX.ZIP from http://www.trendmicro.com/download/viruspattern.asp. The spyware definitions are ssapiptn.da5 in ZIP format as ssapiptnXXX.ZIP from http://www.trendmicro.com/download/spywarepattern.asp.

Upon running the scan from TSC in WinPE 2.0, I got an error message saying installation failed, but the program went on without any problems.  You will, however, need to run this from writable media, such as a USB stick or a network drive with write access.

EmsiSoft has a neat command-line scanner called a2cmd.  a2cmd can be downloaded here.   You can run a scan by running a2cmd C: /deep /dq.  To update the signatures, you simply need to be connected to the Internet and then run a2cmd /u.

Microsoft released a new standalone virus scanning tool in April 2011 called the Microsoft Safety Scanner. The download expires after 10 days.  It did not work in the WinPE 3.0 disc I tried, but it did work in the disc I built from the Win7PE project from reboot.pro

Still in beta, but handy none the less: Microsoft Standalone System Sweeper. This tool will download WinPE + the standalone system sweeper and definitions (the same one that that comes with Microsoft DaRT 6.x and beyond) and build an ISO for you, for FREE! Now you can boot from a clean WinPE CD and disinfect your PC in safety.

Now that described the elaborate ways to download the programs and the signatures that go along with them, there is a real easy of having it done for you: Multi-AV Scanning Tool.  This web site is in another language, but you should be able to find the download link (look for Download von www pctipp.ch on the bottom of the page). You run the program which will extract to C:AV-CLS.  From there, just run the menu options for each and it downloads the programs and the signatures automatically.

There is an Avira command line scanner that is available with this toolkit with a hbedv.key license file generated specifically for this tool.   The Kaspersky version that comes with this version is the DOS version and won’t run on WinPE or under x64 operating systems (the author says he will remove it in future versions).

There is another program that does nearly the same thing, but unforunately it deletes the signatures when it is done scanning the drive.  This program is called AVERT.  I prefer using the Multi-Av Scanning Tool for this reason.

These products do not work in WinPE 2.0, but can be quite useful within Windows:

MalwareBytes Anti-Malware: One of the best spyware scanners I have found. Malwarebytes Anti-Malware can be found at http://www.malwarebytes.org/.  Note that the free version just has the scanning ability.  If you want the realtime access protection, you will need to purchase the program

SUPERAntispyware Portable: Simliar to Malwarebytes, but in a portable version.  I like the speed at which it scans and how it empties the recycle bin after cleaning the files so you don’t find the dormant infection again.

– Soli Deo Gloria

I had an interesting problem recently. A user called and was not able to get on the network. After arriving at the user’s desktop, I noted the PC had an APIPA address and the NIC noted that it had “Limited or No Connectivity”. After disabling/re-enabling the NIC, removing/readding it and rebooting the PC, I ended up with the same result. Thinking it was a network problem, I proceeded to switch ports on the network switch and trying another network jack. Same thing. I then tried another NIC in the PC: same thing. I then bought over a laptop and plugged it in: it got an IP address right away. I left the laptop with the user and bought the computer back to my desk for inspection.

When I tried pinging any host on the network, I would get a “y” symbol with two little dots above it. Ah, here it is: ӱ. Charmap lists this as a “Cyrillic Small Letter U with Diaeresis”. Well, thanks for clearing that up! I ran Winsock XP Fix and the PC connected to the network just fine! Weird.

About a day later, the mystery was starting to unravel. The same user called again starting that Internet Explorer wouldn’t start due to the fact that it was looking for a file called msvcrl.dll. This file looks innocent enough, so I went searching for it on another Windows XP workstation, but alas I could not find the file anywhere. Using my old trusty friend Google, I discovered that the file was “a Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data.” That’s great, on a computer that some one runs our finanicals on too!

The major threat was already gone, but how was I to repair Internet Explorer? A search of the registry did not produce any results for msvcrl.dll. Perhaps it was tucked away in some binary value in the registry? I tried to reinstall IE, but it told me that a newer version was already installed. Using the “IsInstalled” registry trick from Microsoft would not fool the computer into reinstalling IE. Bummer. After digging around on Google some more, I found IEFIX. This utility repairs Internet Explorer back to its clean state by re-registering the original files from your Windows XP CD. I ran on this on the PC in question and it was fixed (finally!).

– Soli Deo Gloria

Recently, two of my “high risk” Internet users caught a nasty spell of malware. How nasty? Try rootkit nasty! Rootkits go above and beyond spyware by replacing system files and concealing themselves from system utilities. The first PC had a combination of spyware named TSPY_QQPASS.BUY and a rootkit named Greypigeon. Both PCs had the latest version of Symantec Corporate Antivirus with the latest virus definitions.

I will once again will voice my displeasure with Symantec. They claim that SAV does greyware detection and therefore you should disable Windows Defender if you are running Windows Vista. However, this is the second time in 3 months that Symantec has completely failed us. It did detect the spyware on the first PC, but it was unable to clean it. It was also impossible to unload or terminate SAV to clean off the virus, as it pops in your face every time you try to delete a file. Removing the spyware was impossible: I spent over 2 hours trying to get it off only to have the executables keep returning. I ended up doing a System Restore within Windows XP to restore startup sanity and then cleaning up the dormant spyware files by hand (neither Symantec nor Mcafee would identify the majority of the bad files: I ended up Googling some of the files I kept seeing reappear like “gg.exe” and “zz.exe” and then backtracked other filenames mentioned in the article like newinfo.rxk, then deleted those one-by-one).

The spyware was clever, quite clever actually. Most spyware files are dated with the date they infect the system. However, this spyware was pre-dated back to August 2004, along with most of the other legitimate Windows files. Someone went through a lot of trouble to keep this stuff hidden, as this is the date that service pack 2 was released for Windows XP, therefore most legitimate files are dated 8/4/04. The spyware also took on legitimate looking Windows names, such as rpcs.exe and svchost.exe. Not being digitally signed, however, gives them away.

On to the next PC…this time it was called into the Help Desk as being a problem with Microsoft Excel. It seems that data in Excel wasn’t scrolling when the user scrolled with the mouse cursor using the right side bar. Excel was also slow and “crash prone”. I suggested we try to remove Microsoft Office and reinstall it. Upon trying to doing this, I noted the system was extremely sluggish. Opening the process list in Process Explorer revealed 4 copies of svchost.exe running: unsigned of course, along with something called rpcs.exe that was kicking off iexplore.exe and other files such as “nortons.exe” and “winform.exe”. Cleaning this up was easy actually: using a combination of Process Explorer and Autoruns, I was able to clean off most of the bad guys, except rpcs.exe kept showing back up after reboots.

Unfortunately, Rootkit Revealer would just freeze up on this system. I then tried the System Repair Engineer from kztechs.com. Right away SRE lets me know that something is wrong:

Clicking on details gives me this:

The really funny part is if you go into Windows explorer and go to C:windowspss, you will see nothing there. That’s because this rootkit is incepting our calls to see this directory and is feeding us false information. If you were boot from BartPE, you would actually see the files there. We’ll proceed to the Smart Scan within SRE…all this does is create a text report of any bad stuff going on with our system. From this report, we are warned once again about C:windowspss3.dll being a dangerous API hook, as well as 3.exe running as a hidden process. SRE also goes through the services and shows us any services that aren’t digitally signed. I find that Greypigeon installed a service for us! Pigeons usually crap all over the place and this is no exception: attacking via a service is not common attack vector and therefore will likely get missed (I missed it myself the first few passes).

SRE also has a few nifty repair utilities in, including the ability to restore hijacked file extensions, restore Winsock back to its default state, restore default Windows policies and restore safe mode services (some spyware removes the Safeboot key to keep you from booting into safe mode to remove them). Unfortunately, SRE cannot terminate hidden processes or locked files: we have to use Icesword for that. Icesword was written in Chinese and was translated to English, so you don’t get any documentation with it. However, it’s pretty easy to use and who ever reads documentation anyways? As Dogbert once said: “While you’re waiting, read the free novel we sent you. It’s a spanish story about a guy named “Manual” .”

We can click on the Process icon and find our victim:

We can then go back into SRE and delete the GreyPigeon service:

If someone could combine Autoruns, Process Explorer, Icesword and SRE into one product, that would be so cool!

If you want to play around with this rootkit, I’ve uploaded it here. Make sure you only load it into Virtual PC or VMware and not on your PC! THIS FILE IS FOR EDUCATIONAL PURPOSES ONLY AND I CANNOT BE HELD RESPONSIBLE FOR ANY RESULTS YOU GET FROM RUNNING IT! YOU HAVE BEEN WARNED!

So the lesson here is that just because a user gets malware does not mean we have to wipe the machine. What would we learn if we wiped the machine? Interacting with various types of malware and program bugs brings us a closer understanding of the operating system.

– Soli Deo Gloria