MS Security Essentials comes through again

I had to deal with another friend’s badly infected computer this weekend. This computer had AVG and Spy-bot installed but neither was able to detect an infection.

With the computer connected to the Internet something was launching Firefox and sending it to websites designed to cause more problems.

The computer would also generate AXWIN frame window errors at random. Sometimes when you answered the warning dialogs the computer would reboot.

For the last year we’ve made short work of viruses and spyware. We simply boot from the UBCD (Ultimate Boot CD) and let it do an offline antivirus scan. That makes short work of the worst viruses. There was a problem with the UBCD this time though. Antivir was failing to get updates. Without updates it found nothing. I’m assuming that the UBCD needs to be recompiled with newer components.

I’ve had some success finding rootkits from the command line while in this offline mode. I look in the Windows system folders for newer files that look suspicious. A word of warning — you need to know what you are looking for. If you don’t, stay out of here!

c:
rem Change to the system32 directory
cd C:\Windows\system32
rem Use dir switches
rem    to sort by date in reverse order [ /o-d ]
rem    and pause after each page of file listings [ /p ]
dir /o-d /p

rem   ...look for suspicious files with recent modified dates

rem Change to the drivers directory
cd C:\Windows\system32\drivers
dir /o-d /p

rem   ...look for suspicious files with recent modified dates

The atapi.sys file in the drivers folder was new. That qualifies as suspicious but it is an important system file so I left it alone. I later found out that the rootkit had infected the computer, but one of my rules is to stick to the motto: first, do no harm…
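The manual listing above scales badly once you have to check several folders. As an added example (not code from the original post), the script below does the same "newest files first" triage recursively: it walks a directory tree, keeps files whose modification time falls within a cutoff, and lists them newest first, so a freshly written driver such as atapi.sys stands out without paging through every entry. Like dir /o-d it only flags recency; a new file may be a legitimate update, which is exactly the atapi.sys dilemma, so the script reports and never deletes. The directory it scans and every file name in it are constructed sample data, built in a temporary folder; point recent_files at a mounted Windows volume to use it for real.

```python
# Added example (not code from the original post): a recursive version of the
# "dir /o-d" triage.  Walks a tree, keeps files modified within a cutoff, and
# returns them newest first.  The sample tree it scans is constructed inline;
# the file names in it are placeholders, not real system files.
import os
import tempfile
import time
from dataclasses import dataclass

SECONDS_PER_DAY = 86400


@dataclass
class Hit:
    path: str        # full path of the file
    mtime: float     # modification time, seconds since the epoch
    size: int        # size in bytes


def recent_files(root, max_age_days, now=None):
    """Return files under `root` modified within `max_age_days`, newest first.

    Recency alone is not proof of infection: a recently modified file may be
    a legitimate update, so this function reports and leaves decisions to
    the analyst.
    """
    now = time.time() if now is None else now
    cutoff = now - max_age_days * SECONDS_PER_DAY
    hits = []
    for dirpath, _subdirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)   # lstat: do not follow symlinks/junctions
            except OSError:
                continue              # unreadable entries are skipped, not fatal
            if st.st_mtime >= cutoff:
                hits.append(Hit(full, st.st_mtime, st.st_size))
    hits.sort(key=lambda h: h.mtime, reverse=True)
    return hits


def build_sample_tree(base, now):
    """Constructed sample: a fake system32 tree with mostly old files and two
    recently touched ones.  Values are ages in days before `now`."""
    ages = {
        os.path.join("system32", "kernel32.dll"): 400,
        os.path.join("system32", "winlogon.exe"): 10,
        os.path.join("system32", "drivers", "ntfs.sys"): 400,
        os.path.join("system32", "drivers", "atapi.sys"): 2,
    }
    for rel, age_days in ages.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"\0" * 16)
        stamp = now - age_days * SECONDS_PER_DAY
        os.utime(full, (stamp, stamp))   # back-date the file to its sample age


def demo(max_age_days=30):
    """Build the sample tree in a temp dir and return the flagged file names,
    newest first."""
    base = tempfile.mkdtemp(prefix="triage_")
    now = time.time()
    build_sample_tree(base, now)
    return [os.path.basename(h.path) for h in recent_files(base, max_age_days, now)]


if __name__ == "__main__":
    base = tempfile.mkdtemp(prefix="triage_")
    now = time.time()
    build_sample_tree(base, now)
    for h in recent_files(base, 30, now):
        age = (now - h.mtime) / SECONDS_PER_DAY
        print(f"{age:6.1f} days  {h.size:8d}  {os.path.relpath(h.path, base)}")
```

With the default 30-day window the constructed tree yields atapi.sys first and winlogon.exe second; the two 400-day-old files are filtered out. Tightening the window to a few days leaves only atapi.sys, which is the kind of short list worth checking file by file.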

The next step was to uninstall AVG and install MS Security Essentials. MSSE immediately found Zango and JS/Iframe.F but there were still errors with the system. I used the built-in Windows utility msconfig to start in a ‘clean boot’ state. A Full scan by MSSE then found Alureon.F which was the rootkit. Alureon.F infected the system driver atapi.sys that I’d noticed in offline mode. MSSE safely removed the infection.

There are still problems with the system but the infections are gone. Microsoft Security Essentials did a good job here.

Another post on MS Security Essentials.

update: How not to respond to a targeted malware attack – October 2, 2009

“…I have been on multiple customer systems this week to clear up infections, and in every case, Symantec/Norton missed it, but the new Microsoft Security Essentials found and cleaned it. MSE had the definitions more than a week ago. Not bad for free, eh?”