Well, come watch me eat some humble pie, and I'll tell you a story of how I got bit, and how I resolved it.
As is probably obvious by this blog I am an IT person. Although I am far from perfect, I haven't had a virus or malware on my personal computer(s) in years, I mean like maybe close to a decade. Since I'm in the business, I know what precautions to take, I observe links before I click them, I know how to kill tasks in the background that look a little suspicious, etc. I probably watch what is in the web browser's address bar more than I watch anything else on the page so I can make sure I'm actually on the site I'm supposed to be.
Last night I got home and sat down at my computer and was about to begin a long session of upgrades for one of my clients. I had seen a reference to a new movie being released called Act of Valor. I knew my son had expressed an interest in seeing it and I wondered what it was rated.
So I went to fandango.com, clicked on the movie, and then suddenly I saw a browser window open with a fake antivirus. I know these screens all too well, because I'm the one called in when one of my users gets bit. But before my eyes could even focus to begin to read the screen and before I even moved the mouse, I watched it do a very quick download and reboot my computer, and bam! I had a virus. Not just any virus, but a rootkit. I've heard about these drive-by downloads, but I'd never experienced one before.
Time to Rant
I'm going to vent a little. If you want to watch, read on. Otherwise skip to the bottom to see how I removed it. I am more than a little pissed off about this. I run Windows 7 and I put up with the nagging UAC (User Account Control) prompts in the thought that this is supposed to prevent this sort of thing. I run IE9 with the SmartScreen filter on. I use MSE (Microsoft Security Essentials). I keep up with patches on everything, not just Windows. And above all, I am careful. I don't surf sites that are known for serving up malware, and I don't even download torrents or questionable software. And yet...
When Microsoft first introduced UAC in Vista, I thought it was a dumb idea, and boy was it annoying. Everything you clicked, the computer would essentially ask, "did you mean to click that? Are you sure?" MS toned it down in Windows 7, and as I learned more about UAC, I began to at least appreciate what Microsoft was trying to accomplish and in fact I leave UAC on for my clients even though this has introduced a wide range of complexities with Login and Logoff scripts and general maintenance that we have to perform.
But why, to this day, with Windows 7 and UAC are rootkits still possible? What have I missed? Programs are supposed to not have direct access to the hardware without going through Windows, unless they are granted higher privileges, and UAC is supposed to ask you for permission to grant those higher privileges.
Thank you Sony for introducing the world to rootkits (see Wikipedia). This is but one of several reasons I do not buy Sony products anymore. There are other reasons, but that's for another rant. And by God Microsoft, why after all these years can you not block these damnable things? I could understand it if I booted from a CD or USB drive that the hard drive's MFT is fair game, but while I'm in Windows, surely you could devise a way to block it or at the very least alert the user before the deed is done.
OK, after I got bit and the computer rebooted I was facing the Blue Screen of Death on each reboot. I was able to boot into Safe Mode and run MSCONFIG, which allowed me to disable all non-Microsoft services as well as all Startup items. This then allowed me to boot into Windows normally without the BSOD errors. But while I was in Safe Mode with Networking I opened up Microsoft Security Essentials and saw that my virus definitions were less than a day old. I did a scan and it found nothing. Then I updated the definitions and ran another scan, and this time it reported that I had the alureon.a MBR rootkit virus. It then told me that it couldn't remove the virus and suggested that I try the new Windows Defender Offline. So from another computer I went and downloaded the 64-bit version of WDO (which supposedly has the latest definitions).
I booted from the WDO CD and it said it couldn't find any infections. So MSE says I have a virus and the tool they suggest to remove it can't find it? So I downloaded and burned the Kaspersky Rescue CD and booted from that. But it couldn't find anything either. Then I ran Malwarebytes and it at least said it found an infection. It reported that the file called C:\Windows\SvcHost.exe was infected and that a copy of that file was also running in memory. Malwarebytes tried to remove it, but after each reboot it came back, because it is a rootkit. I had also turned off System Restore, but that didn't help either.
There is a legitimate SvcHost.exe file that lives in the C:\Windows\System32\ folder, just so you don't get them confused.
Try This, Try That
After poking around and trying some of my usual tricks, I said forget it, let me restore from last night's backup. I use the Symantec Backup Exec System Recovery. As I went through the restore options I noticed it didn't automatically offer to check "Restore the MBR" and I didn't choose that either. In hindsight, I wonder if that would've corrected my issue. But after about 45 minutes of waiting for the restore, I rebooted to find I still had the rootkit.
I then grabbed my Windows 7 install CD and booted from that, chose the Repair option, and then the Command Prompt and issued these commands:
- bootrec /FixMbr
- bootrec /FixBoot
This too didn't help.
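Since bootrec /FixMbr rewrites the boot code in the first sector and the Alureon family lives there, one defensive check is to keep a hash of a known-good MBR and compare the live sector against it. The following is an added example (not from the original post or from any vendor tool): it parses a 512-byte MBR, hashes the boot-code region, lists the partition table and flags differences from a baseline. The sample MBR bytes and the baseline are constructed in the code; the device path in read_mbr is an assumption for illustration.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code occupies bytes 0..439, before the disk signature
PART_TABLE_OFF = 446     # four 16-byte partition entries follow at 446..509
BOOT_SIGNATURE = b"\x55\xaa"

def read_mbr(path=r"\\.\PhysicalDrive0"):
    """Read the first sector from a raw device or disk image (needs admin on Windows)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)

def parse_mbr(mbr):
    """Split an MBR into boot-code hash, disk signature and non-empty partition entries."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR: wrong size or missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i : PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:   # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "disk_signature": struct.unpack("<I", mbr[440:444])[0],
            "partitions": parts}

def check_against_baseline(mbr, baseline_hash):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(mbr)
    findings = []
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from baseline (bootkit or a repair such as /FixMbr)")
    active = [p for p in info["partitions"] if p["bootable"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    return findings

def build_sample_mbr(boot_code):
    """Constructed sample MBR: given boot code, one active NTFS partition at LBA 2048."""
    boot_code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return (boot_code + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
            + entry + b"\x00" * 48 + BOOT_SIGNATURE)

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")          # constructed "good" boot code
    baseline = parse_mbr(clean)["boot_code_sha256"]           # record this while the disk is known clean
    print(check_against_baseline(build_sample_mbr(b"\xe9\x00\x01"), baseline))
```

Take the baseline from a freshly installed or freshly repaired disk; any later change in the boot-code hash is worth investigating even when a scanner reports nothing.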
Finally - A Fix
As I Googled around I began to see references to TDSSKiller. I remember this tool. Kaspersky made it. In fact, I had a copy in my toolkit on my hard drive. I ran that, it found and removed the rootkit. Yeah! Thanks Kaspersky.
But then I had to laugh. Why is it that my copy of TDSSKiller, which is dated November of 2010, found and removed something that their Rescue CD that I just downloaded didn't find? And why, with a virus that has been around for so long, couldn't Microsoft Security Essentials detect it with virus definitions that were only a day old, when the new ones could? Does this mean the rootkit somehow tainted MSE? If so, that's another very serious concern.
As I was doing my research for this post (after I removed my virus) I discovered that Kaspersky has a newer version of TDSSKiller dated Feb 7, 2012 available here:
In looking back over this ordeal, what can I do differently to prevent this from happening again? At the moment, I'm not sure. I feel like I am as protected as I can be without installing multiple antivirus and anti-malware programs. I have always said, running more than one antivirus program is like wearing more than one condom. It works, but it sure takes the fun out of it.
I do know this. The next time one of my clients has malware, I will be a bit more empathetic, as it is entirely possible they really didn't do anything wrong by clicking something they shouldn't. Well, maybe not "all" of my users. Some just can't help themselves.