
A Herculean Effort Against “Cyber Security” Malware in Windows Vista SP1

2010-11-03 by Jason

Last night, I was working on a laptop that was given to me for some freelance tech support with the simple description of “acting like it has a virus and won’t connect to the Internet.” I got it home and fired up the computer. It definitely had a malware infection but the side effects may have proven to be worse than the actual antivirus.

The computer was running Windows Vista SP1. There was only one account, which ran at administrator level with User Account Control disabled. It also had no active antivirus running and many out-of-date applications installed. If there was ever a computer just asking to be infected, this was the one, but some factors made for a more intriguing case of cleaning up the machine and getting it up and running again.

The laptop was pretty fast, and that was fortunate since it had some scans to complete in its near future. After powering it on, I was greeted with a pop-up and noticed an unfamiliar icon in the system tray for Cyber Security. This was clearly a fake AV, and it kept popping up every so often. I normally would have tried killing the Cyber Security process through the Task Manager, but the malware was blocking access to it. Figuring I could deal with that later after the malware had been removed, I headed into the Control Panel, Programs section. I was hoping Cyber Security might be one of those lax pieces of malware that can mostly be removed from the Control Panel. Although it was listed in Add/Remove Programs, it wouldn’t uninstall. Instead I found old Adobe Flash, Adobe Reader, and Java instances installed. I removed them so I could just install the latest versions after the computer was all cleaned up. I also found a trial of Norton 360 that clearly wasn’t doing its job, so it also got uninstalled.

I installed Avast and MalwareBytes from a USB key since the computer couldn’t get online at this point. One problem at a time: I ran a Quick Scan with MalwareBytes, which found 96 infected objects. I restarted the computer and resolved the error the malware had created when opening the Task Manager, “Task Manager has been disabled by your administrator.” I did that by deleting this value from the Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr. I was then able to get into the Task Manager, look at the current processes, and see whether everything was running clean.

I still wasn’t able to get onto the Internet even after MalwareBytes removed a significant number of files related to the infection. I checked the usual settings that malware likes to change to make recovery difficult: the HOSTS file and the proxy setting. The HOSTS file was clean, and the proxy setting in Internet Explorer’s Tools, Options…, Connections, LAN settings wasn’t set. The fact that it was connecting to ‘Local Only’ bothered me; what would cause it to not connect the rest of the way? This gave me pause to review what I’d seen so far.

After running through everything in my mind, I looked at the properties of the wireless network adapter and found a clue. There was a Symantec service enabled on both connections, apparently a leftover from the Norton 360 I had removed. Simply unchecking the service didn’t resolve the situation, so I looked online and found the Norton Removal Tool. After running through the tool, which includes a screen where you have to answer a CAPTCHA, the Internet connected immediately upon reboot. Here’s another reason to avoid Norton like the plague.

Running the Norton Removal Tool allowed the computer to connect to the Internet, so I updated MalwareBytes. Upon running the Quick Scan again, it found 45 infected objects with the new definitions. To hopefully prevent this from happening again, I updated Adobe Flash, Adobe Reader, and Java to their respective latest versions. I then went to move on to running Windows Updates and Windows Defender updates, but they wouldn’t connect. At the very beginning I had set the system date and time from January 1st, 2001 to the correct time, so I can’t say that these dates are accurate, but Windows Defender was reporting that it was last able to check for updates in June 2009. Yikes!

Unfortunately, neither Windows Defender nor Windows Update was able to connect and update the system. Internet Explorer was able to connect to the Internet but not to FTP locations (I tried to download Adobe Reader from the Adobe FTP site but had to switch to Firefox in order to download it). Windows Defender gave this error code as a result of failing to connect:

Unable to connect. Error code 0x80072efd

While the Event Log gave this:

Event ID: 11

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Unfortunately, that error message actually sent me in the wrong direction. I kept looking for solutions to that error and ended up at a Microsoft TechNet Library article that didn’t resolve the problem. Many searches and wrong paths later, I finally started over with a new search and ended up with an article on Walker News.

While I had previously checked multiple times that the proxy was disabled through IE’s Internet Options, Connections tab, the article showed different commands to run to see and disable the proxy. These act on the system-wide WinHTTP proxy used by services such as Windows Update, which is separate from the per-user setting Internet Explorer shows:

netsh winhttp show proxy

netsh winhttp reset proxy
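As an added example (not from the original post), here is a PowerShell audit script that checks the places this clean-up ended up touching: the DisableTaskMgr policy value, the HOSTS file, the per-user Internet Explorer proxy, and the WinHTTP proxy. The -Fix switch and the script structure are my own assumptions; it expects an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Audits the lockout and proxy
# settings discussed above; read-only unless -Fix is passed (an assumption
# of this script). Run from an elevated prompt.
param([switch]$Fix)

$findings = @()

# 1. Task Manager lockout: "Task Manager has been disabled by your administrator"
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = Get-ItemProperty -Path $polKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($tm -and $tm.DisableTaskMgr -ne 0) {
    $findings += "DisableTaskMgr=$($tm.DisableTaskMgr) under $polKey"
    if ($Fix) { Remove-ItemProperty -Path $polKey -Name DisableTaskMgr }
}

# 2. HOSTS file: flag anything that is not a comment or a plain loopback entry
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content $hostsPath)) {
    $line = $raw.Trim()
    if ($line -and -not $line.StartsWith('#') -and
        $line -notmatch '^(127\.0\.0\.1|::1)\s+localhost$') {
        $findings += "HOSTS entry: $line"
    }
}

# 3. Per-user (WinINET / Internet Explorer) proxy, the one shown in LAN settings
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $inetKey
if ($ie.ProxyEnable -eq 1) { $findings += "IE proxy enabled: $($ie.ProxyServer)" }
if ($ie.AutoConfigURL)     { $findings += "IE auto-config URL: $($ie.AutoConfigURL)" }

# 4. System-wide WinHTTP proxy, used by Windows Update and Windows Defender
$winhttp = (netsh winhttp show proxy) -join ' '
if ($winhttp -notmatch 'Direct access') {
    $findings += "WinHTTP proxy set: $winhttp"
    if ($Fix) { netsh winhttp reset proxy | Out-Null }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else           { Write-Output 'No lockout, HOSTS, or proxy anomalies found.' }
```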

After resetting the proxy, Windows Update and Windows Defender were both able to update. They had their work cut out for them, as they were both missing updates from the past year. I set them to download and finally went to sleep. I woke up, rebooted the system, and it was purring along happily and cleanly.

With updated applications, OS, and a working antivirus installed now, hopefully it will be a while before the customer manages to get the computer infected again.

Filed Under: Security and Privacy, Software, Tech Solutions
