Monday, March 9, 2009

Two viruses and one false alarm

In an effort to possibly help other systems administrators who spend their mornings banging their heads on their desk, as well as document a few notes for myself, I am going to start recording here some of the problems and solutions to IT issues which I encounter.

We shall begin this morning with two (or three) virus issues:

A friend brought me his laptop to look over and I've found Antivirus 360 installed. For those of you not aware, AV 360 is a nasty piece of work which purports to be antivirus software, but in fact is a scam. Once installed on a machine, it will pretend to scan files and tell you that you have all sorts of problems and virus infections. Notifications will continue to pop-up, identifying legitimate files and sometimes files which don't even exist on your computer as viruses. This is all of course to get you to fork over cash for the program in order to "fix" these problems.

Fortunately, removal of AV360 is pretty straightforward:
  • Open task manager. Kill the av360.exe process.
  • The program installs itself to %Program Files%\av360, %Program Files%\a360 or a similarly named subfolder of %Program Files%. Delete this folder.
  • Get yourself a copy of HijackThis and run it to remove the startup entries.
Fortunately, AV360 will not harm the system if it's simply deleted. Unfortunately, it's extremely likely that it will try to reinstall itself and if you have AV360, chances are you have another infection or two as well.

Such as TDSSserv.sys. This little bit often installs along with AV360 and similar types of malware. Its purpose is to hijack the browser and searches - redirecting requests for information on how to remove virus infections to websites which will install even more. It will also prevent installers from loading, which effectively prevents you from installing real antivirus software which could eliminate the infections. (This is why it's nice to have utilities handy which don't require installation and which you can run off a removable disk or drive, such as HijackThis and a portable virus scanner.)

Removal of TDSSserv is also pretty straightforward:
  • Open task manager. Kill the TDSSserv process. (You may have to show hidden processes)
  • Open device manager. Go to View and enable "Show hidden devices".
  • In device manager, in the tree under "Non Plug and Play Drivers", there will be a device called TDSSserv. Right-click this device and choose "Disable". You cannot simply remove the device; if you do, it will reinstall itself at reboot. You may have to reboot after disabling the device.
  • Now search for the TDSSserv.sys file, it will likely be located in %WINDIR% or %WINDIR%\System32. Delete the file.
And that's it, except for the final cleanup, which I suggest you do with a real antivirus program. As I said before, if you have AV360 and TDSSserv, you likely have a few more infections as well. Disabling and removing these two with these steps, however, should allow you to get a proper antivirus and/or anti-malware program installed on the machine to finish the cleanup. It also eliminates the pop-ups and lets your internet searches go through, so you can find more specific information about your infections.
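As an added example (mine, not the post's), here is a PowerShell check for the indicators the post names, meant to be run from removable media since TDSSserv blocks installers. It assumes the folder, file and process names above, reports what it finds, and only applies the kill / disable / delete steps when run with -Remediate; the HijackThis step for startup entries stays manual, so Run entries are listed for review only.

```powershell
param([switch]$Remediate)                       # report only unless -Remediate is given
$findings = @()

# 1. Running processes: av360.exe and the TDSSserv process
foreach ($p in Get-Process -Name 'av360','TDSSserv' -ErrorAction SilentlyContinue) {
    $findings += "process $($p.Name) (PID $($p.Id))"
    if ($Remediate) { Stop-Process -Id $p.Id -Force }
}

# 2. The program folder: %ProgramFiles%\av360, \a360 or a similar name
$dirs = Get-ChildItem -Path $env:ProgramFiles -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^av?360$' }
foreach ($d in $dirs) {
    $findings += "folder $($d.FullName)"
    if ($Remediate) { Remove-Item -LiteralPath $d.FullName -Recurse -Force }
}

# 3. TDSSserv registered as a driver (the hidden non-Plug-and-Play device).
#    Disable, do not delete: a removed device reinstalls itself at the next reboot.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='TDSSserv'"
if ($drv) {
    $findings += "driver TDSSserv state=$($drv.State) start=$($drv.StartMode) path=$($drv.PathName)"
    if ($Remediate) { & sc.exe config TDSSserv start= disabled | Out-Null }
}

# 4. The driver file itself, in %WINDIR% or %WINDIR%\System32
foreach ($f in "$env:WINDIR\TDSSserv.sys", "$env:WINDIR\System32\TDSSserv.sys") {
    if (Test-Path -LiteralPath $f) {
        $findings += "file $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Force }
    }
}

# 5. Startup (Run) entries that point at av360 / a360; listed for review only
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($prop in $props.PSObject.Properties) {
        if ("$($prop.Value)" -match 'av?360') { $findings += "startup entry $key\$($prop.Name) = $($prop.Value)" }
    }
}

if ($findings.Count -eq 0) { 'No AV360 / TDSSserv indicators found.' }
else {
    $findings | ForEach-Object { "FOUND: $_" }
    if (-not $Remediate) { 'Re-run with -Remediate to apply the removal steps, then reboot and finish with a real scanner.' }
}
```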

In the meantime, ESET NOD32, which is otherwise a nice corporate antivirus solution if you're looking for something easy to manage across a large network, made a big mistake over the weekend with a false alarm.

NOD32's virus definitions update number 3218 included information which incorrectly identifies the two Windows System files dllhost.exe and msdtc.exe as a variant of the trojan WIN32/Kryptic.JX. In addition to the system files, various Windows temp files are also identified as the same virus.

Apparently ESET noticed their mistake about ten minutes after the update went live and quickly posted a fix, but if your system is set to auto-update any time a new definitions file comes online - which is how mine is set and, in my opinion, best practice - then you probably got a bunch of virus warning messages.

In my case, NOD32 is set to email me a warning notification any time it finds a virus on any of my corporate network machines. So I received two or three emails (one for each file identified as a virus) for each machine in my office - which is a little disconcerting first thing on a Monday morning.

The good news is that the update corrects the issue (in fact, we are a few updates ahead, up to 3921 as of this writing) and the files had already been restored from quarantine. If your system is set to automatically delete files rather than quarantine them, however, you may have a problem.

It is probably also worth noting that the two files in question live in %WINDIR%\SYSTEM32 and Kryptic.JX is the incorrectly identified virus. If NOD32 finds these files outside of SYSTEM32, or identifies them as a different virus, then I hate to tell you, but you DO have an infection.
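An added example (not from the post) that applies that rule to a batch of alert notifications: only Kryptic.JX on dllhost.exe or msdtc.exe in %WINDIR%\System32, reported by update 3218, is cleared as a false alarm, and the quarantine-versus-delete setting decides what to do next. The alert records are constructed samples in an assumed field layout (not ESET's mail format), %WINDIR% is assumed to be C:\WINDOWS on the alerting hosts, and the "\Temp\" heuristic for the temp-file hits is mine.

```powershell
$WinDir = 'C:\WINDOWS'                                      # assumed %WINDIR% on the alerting hosts
$BadUpdate = '3218'                                         # the definitions update with the bad signature
$FalseAlarmFiles = "$WinDir\System32\dllhost.exe", "$WinDir\System32\msdtc.exe"

# Constructed sample alerts; the field names are an assumed layout, not ESET's mail format.
$alerts = @(
    @{ Host='WS01'; Threat='WIN32/Kryptic.JX'; Path="$WinDir\system32\dllhost.exe"; Action='quarantined'; Update='3218' },
    @{ Host='WS01'; Threat='WIN32/Kryptic.JX'; Path="$WinDir\system32\msdtc.exe";   Action='quarantined'; Update='3218' },
    @{ Host='WS02'; Threat='WIN32/Kryptic.JX'; Path="$WinDir\system32\dllhost.exe"; Action='deleted';     Update='3218' },
    @{ Host='WS03'; Threat='WIN32/Kryptic.JX'; Path="$WinDir\Temp\abc123.tmp";      Action='quarantined'; Update='3218' },
    @{ Host='WS04'; Threat='WIN32/Kryptic.JX'; Path='C:\Temp\dllhost.exe';          Action='quarantined'; Update='3220' },
    @{ Host='WS05'; Threat='Win32/Example.A';  Path="$WinDir\system32\msdtc.exe";   Action='quarantined'; Update='3220' }  # placeholder name
)

function Get-AlertVerdict([hashtable]$a) {
    $isKryptic = $a.Threat -eq 'WIN32/Kryptic.JX'            # -eq on strings is case-insensitive
    $fromBadUpdate = $a.Update -eq $BadUpdate
    # The only combination the post clears: Kryptic.JX on dllhost.exe or msdtc.exe
    # in %WINDIR%\System32, reported by update 3218 (-contains compares case-insensitively).
    if ($isKryptic -and $fromBadUpdate -and ($FalseAlarmFiles -contains $a.Path)) {
        if ($a.Action -eq 'quarantined') { return 'FALSE ALARM: restore from quarantine (the fixed update does this)' }
        return 'FALSE ALARM but DELETED: the system file is gone and must be put back'
    }
    # Update 3218 also flagged Windows temp files; assumed heuristic: anything under a \Temp\ folder
    if ($isKryptic -and $fromBadUpdate -and $a.Path -match '\\Temp\\') {
        return 'PROBABLE FALSE ALARM: temp file hit by 3218, rescan with current definitions'
    }
    if ($isKryptic) { return 'INFECTION: Kryptic.JX outside the cleared files/location, or from a later update' }
    return 'INFECTION: different detection name, handle as real'
}

# Collapse the one-e-mail-per-file flood into one block per machine
$alerts | ForEach-Object {
    New-Object PSObject -Property @{ Host = $_.Host; Path = $_.Path; Verdict = (Get-AlertVerdict $_) }
} | Group-Object -Property Host | ForEach-Object {
    "$($_.Name):"
    foreach ($r in $_.Group) { "  $($r.Path) -> $($r.Verdict)" }
}
```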

1 comment:

jeremy said...

AV360 is mostly fixable nowadays- but there's a variant that's really sucky -

antivirus 2009.
If you see it on a system, just nuke it. Seriously. You CAN get it clean without formatting, but it's gonna take all day and several tools (though Malwarebytes has been getting good at getting rid of it).

What I've done to save our asses on our network is to use OPENDNS as a filter - it's a free service and surprisingly effective. Essentially, set their DNS servers as your forwarders on YOUR internal DNS servers after signing up on their site, choose "minimal" filtering (phishing only), and off you go.

This way, no one winds up on those "OMG YOU HAVE AN INFECTION CLICK HERE TO FIX" ads that seem so effective.