We shall begin this morning with two (or three) virus issues:
A friend brought me his laptop to look over and I've found Antivirus 360 installed. For those of you not aware, AV 360 is a nasty piece of work which purports to be antivirus software, but in fact is a scam. Once installed on a machine, it will pretend to scan files and tell you that you have all sorts of problems and virus infections. Notifications will continue to pop-up, identifying legitimate files and sometimes files which don't even exist on your computer as viruses. This is all of course to get you to fork over cash for the program in order to "fix" these problems.
Fortunately, removal of AV360 is pretty straightforward:
- Open task manager. Kill the av360.exe process.
- The program will install itself to %Program Files%\av360, %Program Files&\a360 or a similarly named subfolder of %Program Files%. Delete this folder.
- Get yourself a copy of HijackThis and run it to remove the startup entries.
Such as TDSSserv.sys. This little bit often installs along with AV360 and similar types of malware. Its purpose is to hijack the browser and searches - redirecting requests for information on how to remove virus infections to websites which will install even more. It will also prevent installers from loading, which effectively prevents you from installing real antivirus software which can eliminate the infections. (This is why its nice to have utilities handy which don't require installation and which you can run off a removable disk or drive, such as HijackThis and a portable virus scanner)
Removal of TDSSserv is also pretty straightforward:
- Open task manager. Kill the TDSSserv process. (You may have to show hidden processes)
- Open device manager. Go to view and enable "Show hidden devices"
- In device manager in the tree under "Non Plug and Play Drivers" there will be a device called TDSSserv. Right-click this device and choose "disable." You cannot simply remove the device, if you do so, at reboot it will reinstall. You may have to reboot after disabling the device.
- Now search for the TDSSserv.sys file, it will likely be located in %WINDIR% or %WINDIR%\System32. Delete the file.
In the meantime, ESET NOD32, which is otherwise a nice corporate antivirus solution if your looking for something easy to manage across a large network, made a big mistake over the weekend with a false alarm.
NOD32's virus definitions update number 3218 included information which incorrectly identifies the two Windows System files dllhost.exe and msdtc.exe as a variant of the trojan WIN32/Kryptic.JX. In addition to the system files, various Windows temp files are also identified as the same virus.
Apparently ESET noticed their mistake about ten minutes after the update went live and quickly posted a fix, but if your system is set to auto-update any time a new definitions file comes online - which is where I'm at and in my opinion best practice - then you probably got a bunch of virus warning messages.
In my case, NOD32 is set to email me a warning notification any time it finds a virus on any of my corporate network machines. So I received two or three emails (One for each file identified as a virus) for each machine in my office - which is a little disconcerting first thing on a Monday morning.
The good news is that the update corrects the issue (In fact, we are a few updates ahead, up to 3921 as of this writing) and the files had already been restored from quarantine. If your system is set to automatically delete files rather than quarantine, however, you may have a problem.
It is probably also worth noting that the two files in question live in %WINDIR%\SYSTEM32 and Kryptic.JX is the incorrectly identified virus. If NOD32 finds these files outside of SYSTEM32 or identified as a different virus, then I hate to tell you, but you DO have an infection.
1 comment:
AV360 is mostly fixable nowadays- but there's a variant that's really sucky -
antivirus 2009.
If you see it on a system, just nuke it. Seriously. You CAN get it clean without formatting, but it's gonna take all day and several tools (though Malwarebytes has been getting good at getting rid of it).
What I've done to save our asses on our network is to use OPENDNS as a filter - it's a free service and surprisingly effective. Essentially, set their DNS servers as your forwarders on YOUR internal DNS servers after signing up on their site, choose "minimal" filtering (phishing only), and off you go.
This way, no one winds up on those "OMG YOU HAVE AN INFECTION CLICK HERE TO FIX" ads that seem so effective.
Post a Comment