I went head to head with a version of the “Internet Security 2010” virus. (SMSS32.exe)

My machine got infected with a version of the “Internet Security 2010” virus.  It was a nasty little critter.  I’ve seen it a bunch of times over the years.  It keeps getting smarter and smarter.  It used be possible to remove it by killing the process it started and deleting the files.  Now, there’s a lot more steps.  

The virus came from clicking on a link on a mainstream website.  McAfee popped up right away and said it caught two files (warning.html and IS2010.exe).  Unfortunately that didn’t matter.  The virus installed itself and McAfee proved once again that it’s a useless piece of crap.  Here’s what I did to get rid of it.

I first tried getting “Task Manager” to pop up.  That wouldn’t work.  I checked the folder that the virus created in program files (c:\Program Files\Internet Security 2010).  It was empty.  That’s probably because the IS2010 file was deleted by McAfee.  I shut the machine down and restarted.  The “Task Manager” item was grayed out.  I tried launching it by typing in taskmgr.exe.  Windows popped up a message stating that Task Manager was disabled.  I knew that it was something I could fix in the local group policy editor.  I ran gpedit.msc and enabled it.  Instructions are here.

Method 4:  Using Group Policy Editor – for Windows XP Professional

• Click Start, Run, type gpedit.msc and click OK.
• Navigate to this branch:

User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager

• Double-click the Remove Task Manager option.
• Set the policy to Not Configured.

It says that you can set it to “Not Configured.”  In my case it was already set that way.  I set it to “Disabled.”  I had to reboot the machine a couple times before the virus was cleaned up.  Task Manager was disabled every time.  Switching between “Not Configured” and “Disabled” seems to be good enough.

I then tried to run Task Manager.  The virus itself would pop up an error saying that’s not allowed.  I found instructions saying that if I hit cntl-shift-esc over and over Task Manager will pop up.  That worked!!!

Follow these instructions to continue:

1. Open Task Manager by continually pressing Ctrl+Shift+Esc.
2. Navigate to the Processes tab.
3. Locate for the processes called IS2010.exe, winlogon86.exe, winupdate86.exe and 41.exe. End their processes one at a time by click the End Process button at the bottom left hand corner of Task Manager and click Yes.
4. Continue with the instructions listed below to remove Internet Security 2010 completely.

I didn’t have any of those files running in Task Manager, Processes, so I looked for those files in c:\Windows\System32.  I found some of the files there and deleted them.  I also saw a file called “winlogon32.exe.”  It didn’t look right, so I checked it out.  I found out that file was a virus, so I deleted it.  Big Mistake….Sorta.  I decided to install MalwareBytes and then reboot in Safe Mode to run it.  I rebooted into safe mode.  I logged into the machine.  It accepted the password and tried to load my profile, but it would just log itself right out.  I suspected that it had something to do with the file I deleted.  I tried to login in normal mode and had the same problem.  I found this site saying that the problem was either with the userinit.exe file or the registry entry that points to it. 

1. C:\WINNT\system32\userinit.exe , this file is corrupt or invalid or infected.
2. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\userinit, This registry key is tempered by virus/spyware.

At this point I’m stuck with a machine that’s infected and I can’t log into it.  I tried to use an XP disk to repair it, but my drive is encrypted, so the repair disk couldn’t see the hard drive.  The other suggestion the site gave was accessing the registry from a remote machine.  That WORKED!!!  I went to another machine and ran regedit.  I then clicked on “File, Connect Network Registry” and inserted the name of my machine.  I was able to connect.  If the name doesn’t work for you, try the IP address.  I found that the registry key and it was incorrect. 

I found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\winlogon32.exe”

I changed it to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit = “C:\WINDOWS\system32\userinit.exe”

I rebooted and it worked.

So I got logged back into the machine.  At this point I had pinpointed most of the files that were causing the problem.  I knew not to mess with the winlogon file just yet.  I also know I needed to get MalwareBytes running ASAP.  I decided to run Task Manager again to see if I could find and kill “winlogon32.exe.”  Something better happened.  I hit cntl-shift-esc a few times to get Task Manager up.  The virus pops up an error saying something about the administrator disabling Task Manager.  Do not close the error!  I noticed that the error message was loaded as an “Application” in Task Manager.  I had a feeling that the application would lead me back to the “process” and it did.  I right clicked on the application and selected “Go to process.”  That took me to a file I previously hadn’t noticed called SMSS32.exe.  And that’s the key to this whole ridiculous incident.  I searched Google for SMSS32.exe and found this post from McAfee.  I killed the process and the virus finally stopped.  I then ran MalwareBytes.  It found a bunch of infected files and registry entries.  Here are the results:

Malwarebytes’ Anti-Malware 1.44
Database version: 3680
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

2/2/2010
mbam-log-2010-02-02 (16-16-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 268870
Time elapsed: 59 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 12
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\InternetSecurity2010 (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\C2XSPTAA\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BAD358BA-17F3-4527-AB8D-40D9BEF7514D}\RP533\A0065516.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BAD358BA-17F3-4527-AB8D-40D9BEF7514D}\RP533\A0066516.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BAD358BA-17F3-4527-AB8D-40D9BEF7514D}\RP533\A0071545.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\IS15.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\%username%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\%username%\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\%username%\Start Menu\Internet Security 2010.lnk (Rogue.InternetSecurity2010) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Here’s what I learned.  I’m posting this before the removal instructions because there are so many versions of this virus that your version of the virus might be different than mine.

• This version didn’t hijack my browser or search results.  That allowed me to easily download MalwareBytes.  I’ve seen other versions hijack the browser or search results.
• This version didn’t mess with the MalwareBytes installer.  Some versions of the virus will not run the installer.  You can run it if you rename it to something else.  (From mbam-setup.exe to somethingelse.exe).
• This version disabled Task Manager instead of just hijacking it.
• The core to this virus is still a process that can be killed in task manager.
• I’ve seen versions mess with Safe Mode.  One time I had to use “Last Known Good” to allow me to log into the machine.
• I’ve seen it prevent regedit from running.

Here are my instructions on dealing with this.  Their usefulness will vary depending on what you’re dealing with.

1. Don’t panic
2. Don’t reboot if you can avoid it because of the winlogon32.exe issue.
3. Right click the task bar and try to run task manager.  If that doesn’t work, hit control-shift-escape a few times until Task Manager comes up.  If Task Manager is disabled, type in gpedit.msc.  Navigatio to User Configuration / Administrative Templates / System / Ctrl+Alt+Delete Options / Remove Task Manager.  Double-click the Remove Task Manager option. Set the policy to Not Configured or Disabled.
4. Run Task Manager using the control-shift-escape method.  Don’t close any errors that pop up.
5. Go to Applications and look for any applications that look like they are the virus.  The application comes from the warning message, so it’s important to leave the warning message up.  In my case it was called “Warning.”
6. Right click on it and select “go to process.”
7. This will take you to the process that’s running the virus.  In my case it was SMSS32.exe.  Kill the process.
8. Download MalwareBytes and run it.
9. MalwareBytes should clean this thing up and you should be able to go on with your life.  If it doesn’t, then you either have a different version of the virus, or you missed a step, or something else is going on.

I hope this post helps people that are dealing with this virus.  Please post any questions and I’ll try to help.  I just cannot understand how the anti-virus companies can’t prevent people from getting infected.  I know of people using supposedly updated versions of McAfee and Kaspersky get infected.  I’m not surprised about McAfee.  It’s always been bloated garbage.  Good luck!

http://bytes.com/topic/windows/answers/752011-xp-logs-off-immediately-after-log/2#post3384974

http://www.bleepingcomputer.com/tutorials/tutorial44.html

http://community.mcafee.com/thread/20943

http://majorgeeks.com/download.php?det=5756

Advertisement

I did a focus group on SaaS and “Workday”

I was called for a focus group on Software as a Service and a company called “Workday.”  The topic was mostly focused on how to sell SaaS to IT people.  There was also time spent on sales pitch for Workday’s “Unified Human Capital Management (HCM)” service.  It was an interesting focus group as most are.  One of the big things I learned is that IT people don’t want to proactively replace the HR departments systems.  That makes sense for a number of reasons.  One is that I don’t think IT really understands what HR does.  Also, HR systems are so security and compliance sensitive that it’s just not worth the risk to get involved with them unless they are the source of problems.

One of the points that was brought up was that Dave Duffield founded Workday.  He is a co-founder of Peoplesoft.  A few of the people in the group said that is a big deal.

I got a virus from Technorati!

I was looking at Technorati a couple of days ago.  I clicked on the “Help” link.  McAfee popped up that it caught a virus and deleted it.  I then clicked help again and my machine got infected with a version of the “Internet Security 2010” virus.  What is that all about?  Was it another bogus ad pushed through to mainstream sites?  I don’t know, but it took me 3 hours to clean it up.  I’ll post about the cleanup in a little bit.  Has anyone else experienced this with Technorati?

I was running Windows XP with IE7.

The whole Bing thing is contrived

Microsoft rolled out a new search engine last year.  Of course, it needed marketing pizzaz that was Focus Group Approved®.  They decided to call it “Bing.”  God knows that the technology is unimportant as long as the name is catchy.  /sarcasm off

It stinks of Steve Ballmerism who apparently fired someone for not being “Bing” enough.  

What really set me off today was an ad like the one below where the user sees the Bing page and comments on how beautiful it is. 

I find Microsofts attempt to promote a search engine with a cheesy name and pretty pictures contrived, disingenuous, and vomit inducing.

That said, Bing actually has actually attracted Googles attention acording to this post on InfoWorld. 

Google announced last Friday that its search engine will highlight structured data in order to provide direct, factual answers to search queries instead of merely pointing the user to a site that may contain the answer. If this all sounds familiar, it’s because Microsoft introduced the same feature when it rolled out its Bing search engine.

We’ll see if Microsoft’s strategy of throwing $80-$100 Million of marketing while having a catchy name and flashing lights is enough to make a dent in the search market.

Duplicate Machine SID’s are not an issue except when they are an issue.

I came across an article on InfoWorld about a blog post from a Microsoft tech regarding Windows Machine SID’s and the myths that surround them.  The InfoWorld article is mostly fluff, but the blog post is well worth the read.  Basically, machines that are imaged without being sysprepped usually have the same machine SID’s.  It’s long been believed that this is a security issue.  It turns out that’s not the case.  Machines can be on the same network with the same SID”s if the machine is not already connected to a domain, not going to be promoted to a Domain Controller, and if there isn’t an application that reacts badly to it.  (The example given is applications that use the Machine SID as their own ID’s.)  The bottom line is that machines SHOULD BE SYSPREPED to prevent any known and unknown issues.  Also, Microsoft will not support machines that don’t have unique SID’s.  Sysprep is easy to run.  Don’t slack off just because it might not cause a problem.

The reason that I began considering NewSID for retirement is that, although people generally reported success with it on Windows Vista, I hadn’t fully tested it myself and I got occasional reports that some Windows component would fail after NewSID was used. When I set out to look into the reports I took a step back to understand how duplicate SIDs could cause problems, a belief that I had taken on faith like everyone else. The more I thought about it, the more I became convinced that machine SID duplication – having multiple computers with the same machine SID – doesn’t pose any problem, security or otherwise. I took my conclusion to the Windows security and deployment teams and no one could come up with a scenario where two systems with the same machine SID, whether in a Workgroup or a Domain, would cause an issue. At that point the decision to retire NewSID became obvious.

I realize that the news that it’s okay to have duplicate machine SIDs comes as a surprise to many, especially since changing SIDs on imaged systems has been a fundamental principle of image deployment since Windows NT’s inception. This blog post debunks the myth with facts by first describing the machine SID, explaining how Windows uses SIDs, and then showing that – with one exception – Windows never exposes a machine SID outside its computer, proving that it’s okay to have systems with the same machine SID. Note that Sysprep resets other machine-specific state that, if duplicated, can cause problems for certain applications like Windows Server Update Services (WSUS), so MIcrosoft’s support policy will still require cloned systems to be made unique with Sysprep.

You can read the full article here.

You should also read this follow-up post by Microsoft tech Aaron Margosis that explains the difference between Machine SID’s and Domain SID’s.  The key statement in his post: “So while it’s OK to clone a system before it joins a domain, doing so after it joins a domain (and is assigned a domain computer account and a corresponding domain SID) will cause problems.”

Invision Power Board

I support a website for a small organization that needs a web presence.  The site was built in 2000 using FrontPage.  They want to make the site current and add a few features including a discussion forum.  I did a lot of searching to find bulletin board software that had a “news” feature and could be updated fairly easily.  A photo gallery was a plus.  I was pretty well settled on VBulletin, but I didn’t like that I had to pay for software that hadn’t been released yet.  I kept looking around and I started paying more attention to Invision Power.

I recently purchased Invision Power Board and their add-on apps (IP Content, IP Gallery, and IP Downloads).  I couldn’t be happier with the results.  Invisions software met my requirements perfectly.  I was able to build  a front end website with a private board, photo gallery, and download section for forms and documents.

There are two things that make IPB 3 special and unique.  One is that all the software comes from Invision.  I don’t have to purchase unreliable and sparsely supported 3rd party mods.  The other is that the admin tool is very easy to use.  From navigation to configuration, IPB’s admin tool is sophisticated without being complicated.  I feel like Invision has thought about the many requirements of a modern discussion forum, and included them in their software.

IPB is also extremely configurable.  I have been able to change every single setting that I’ve needed to.  Users can also create new settings when needed (though that’s way over my head). 

A lot of people ask the VBulletin vs. IPB question.  In fact, I was one of them.  I tried demos for both VBulletin 3.x and IPB 3.x.  I chose IPB because they had more features that I needed, the IPB admin tool was much better organized, and there was no drama.  I couldn’t be happier now that I’ve seen it in action.

I do have one criticism of Invision.  Their support needs improvement.  They have a 2 day turnaround time for tickets for people with standard contracts.  That’s far too long.  They try to prioritize incidents where the system is completely down.  Invision probably needs to roll out more support options for those that need it.