Archive for February, 2010
DNS settings hijacked and av.exe won’t go away. Internet turns Inertnet!
by Greg on Feb.25, 2010, under Antivirus, Networking, Windows XP
Had a fun time today cleaning off some trojans and rootkits. On this one client system, while trying to go online, the Internet turned into the Inertnet! (Hahahha! I love that one!) As usual, I have lots of ideas why, but no real evidence and clients saying “I don’t know how it got there.” Doesn’t really matter though, it’s there and I am going to clean it off. I managed to easily scan for and clean off a couple of them, but one wouldn’t detect with any scanner. AV.exe kept popping up, showing the fake windows security center and Antivirus 2010. I used Process Explorer to see the offender, but I couldn’t find the file, it was hidden.
I rebooted with UBCD4Win, found the file and deleted it. Problem is, this caused a mess in Windows. Nothing would load, I always got a “Open With” dialog box. After some Googling, I found out where to fix that in HKCR in the registry. In there, there was a setting for .exe files to open, and it was set to use av.exe in the user profile to open them! How do you like that?!!
I wasn’t able to fix that in the current user profile, it was locked down somehow. Opening in the Administrator account of XP allowed me to fix it though. The default value for “exefile” should be set to:
"%1" %*
(Just google that for more info.)
Ok, so got that all fixed. Fun how you clean off these bugs, only to leave windows all messed up after! Next, did all my final scans, tweaks and other items. (lock down IE, disable scripts/Flash/Adobe, add a windows update to Trusted Sites, and force user to use Firefox. I also changed the icon on Firefox to the one for IE so the user will pretty much always use it!) Then I tried to get all the updates caught up, only no go! Wait, I am on the same Internet connection as my system, and it works for me, why not the client system? Hmm… well they are on an isolated subnet, going through the firewall separately. (keeps their bugs off my systems!) But, wait, those are the same DNS settings?
AH! Take a look at those NIC properties in XP. DNS is hard set to 93.188.x.x! Nslookup shows that as some place at a .com.ua domain. Well, let’s fix that one, and set to DHCP like it should be! Problem solved, Windows Update works!
Fun stuff! I’ve cleaned a lot of bugs over the years, and I’ve heard of DNS hijacking, but that’s the first one I’ve seen like that.
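The two things this post found tampered with, the .exe file association under HKCR and hard-coded DNS servers on the NIC, are easy to re-check on the next machine. The script below is an added example, not part of Greg’s post and not something he ran; it assumes PowerShell 2.0 is installed on the XP box, an Administrator session, and that `$TrustedDns` is filled in with the DNS servers you actually hand out (the address in it is a placeholder). It only reports unless `-Repair` is given.

```powershell
# Added example (not from the original post): audit the .exe association and the
# NIC DNS servers that the post found hijacked, and optionally put them back.
# Assumptions: run as Administrator; PowerShell 2.0 on XP; $TrustedDns is your own list.
param([switch]$Repair)

$ExpectedExeCommand = '"%1" %*'          # correct default for HKCR\exefile\shell\open\command
$TrustedDns = @('192.168.1.1')           # placeholder: your DHCP-issued DNS servers

# --- 1. .exe file association (what av.exe had pointed at itself) ---
if (-not (Test-Path 'HKCR:\')) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}
$exeKey  = 'HKCR:\exefile\shell\open\command'
$current = (Get-ItemProperty -Path $exeKey).'(default)'
if ($current -ne $ExpectedExeCommand) {
    Write-Warning "exefile open command is '$current' (expected '$ExpectedExeCommand')"
    if ($Repair) {
        Set-ItemProperty -Path $exeKey -Name '(default)' -Value $ExpectedExeCommand
        Write-Output "Restored exefile open command."
    }
} else {
    Write-Output "exefile open command OK."
}

# --- 2. DNS servers on every IP-enabled adapter ---
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    # Anything outside the allow-list is suspect, whether DHCP is on or not.
    $rogue = @($servers | Where-Object { $TrustedDns -notcontains $_ })
    if ($rogue.Count -gt 0) {
        Write-Warning ("{0}: unexpected DNS server(s) {1}" -f $nic.Description, ($rogue -join ', '))
        if ($Repair) {
            # $null clears the static list so DNS comes from DHCP again, as in the post.
            $nic.SetDNSServerSearchOrder($null) | Out-Null
            Write-Output "Reset DNS to DHCP on $($nic.Description)."
        }
    } else {
        Write-Output ("{0}: DNS {1} OK" -f $nic.Description, ($servers -join ', '))
    }
}
```

Run it once without `-Repair` to see what it would change; the DNS warning is the one to read carefully, since a legitimately static server that is not in `$TrustedDns` will be flagged too.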
After updating login.conf in FreeBSD
by Greg on Feb.12, 2010, under FreeBSD
I only need to update this once in a while, but twice now I’ve forgotten what to run after an update to /etc/login.conf. Run this:
cap_mkdb /etc/login.conf
Google Chrome slow and laggy
by Greg on Feb.11, 2010, under Internet
Well, if you’re like me, you probably love Google Chrome browser. And although the latest version of Firefox (3.6) is much improved in speed, it launches fast and browses quick, I still like Chrome better now that I am used to it. Especially now that it’s got my two favorite extensions, Lastpass and mouse gestures.
Anyway, to the point. Using Chrome 4.x. (It did say Beta still? weird?) Chrome has been acting kind of laggy lately on my desktop system. It opens quick, but then is slow to show any pages and on mouse clicks they pause for a second before any action. First I thought, disable any extensions. Ok, did that. Relaunched Chrome, same thing. Alright, this time I’ll remove all the extensions. Relaunch and same thing.
At this point I thought, is there some sort of weird proxy or dns thing going on here? No, not DNS. If it was, my laptop would be slow too, right? We all use the same DNS. And I even benchmarked it with DNS Benchmark at GRC.com. (search for that at that site to download, cool little tool!)
Firefox and IE don’t exhibit the same issues. Hmm… not sure about this one. Ok, fairly quick test. Uninstall Chrome, completely, including any saved/cached data. Make sure I don’t have any profile data in c:\users\username\appdata\google\chrome folder. If there is, delete that folder. (keep in mind, you will be deleting EVERYTHING saved in chrome, FYI) No big deal though, I have all my bookmarks synced on my Gmail account and I use Lastpass to store passwords and sites.
Reboot the computer, find and download Chrome again, run the installer. Get my two favorite extensions and I am in business! Now Chrome is launching fast, like it normally does! And mouse clicks are responsive again.
Just a note, it says my version is now: 4.0.249.89 (38071)
And it doesn’t say “beta” anymore.
Maybe that’s what the issue was, there was something not upgraded automagically by Google and there was still older beta code used somehow. Whatever it was, problem solved.
By the way, this is one of my favorite reasons to use Firefox or Chrome over Internet Explorer. There are many others, but this is a big one, IMHO. You can actually remove the browser and all the settings and cached data from your system. You can’t with IE. Even with the options to delete any saved data in IE, the program is still on your system, doing who-knows-what in there. The only way I know of to really clear out any issues with IE is to create a new user profile on the system, login as that user and test if IE still has an issue. If it does not, your problem is in IE in your old user account. That’s really a huge pain! Much easier to remove the program and any associated data and reload it to clear out any bugs.
Rootkit from fes.sk/files
by Greg on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP
I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”. (Don’t open that, or you might end up with a virus! I just wanted people to find this in case it might help clean this bug off!)
Not sure what this virus was, but it disabled Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer because in this case it would have been faster to just copy the docs off and reload Windows XP.
I thought, let’s search that URL? This was key, because it brought up some forum posts and someone mentioned HitMan PRO. www.surfright.nl/en/hitmanpro
Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”
My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.
Hitman Pro was free for 30 days, but you had to activate it. I believe it has a subscription price of just under $30/year for 3 PCs. (as of 02/09/2010) That’s not too bad I think. Keep in mind though, this looks like a “remover”, not a real-time antivirus protection program. You’ll still want Norton, NOD32, MSSE, whatever you like, for that.
Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it makes it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the client’s fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.
Microsoft Security Essentials MsMpEng.exe using high CPU Time
by Greg on Feb.01, 2010, under Antivirus, Security, Windows 7
I have Windows 7 Ultimate x64, but I think this might be a problem in any version. I keep having issues with MsMpEng.exe hogging the cpu. Basically, using a large amount of resources, like 100%! It’s eating the CPU time and a lot of memory. The system will work just fine, even after running for hours, when suddenly the system slows to a crawl, almost to the point I have to reset the system. I finally narrowed the culprit to MsMpEng.exe, the scanner for MSSE (Microsoft Security Essentials).
Good news is, I think the cpu hog problem is solved! I found a link on a Google search about adding exclusions, which I suspected would be a problem for things like my backup programs. I added Crashplan and Syncback programs already, but what I found in that Google search was that you need to add the MSSE directories in C:\ProgramData to the exclusion list. WHAT!!??? Are you kidding me? MSSE doesn’t already exclude itself? Come on MS!! I really like MSSE, but that’s pretty stupid.
I went ahead and added these to MSSE exclusions:
C:\ProgramData\Microsoft\Microsoft Antimalware
C:\ProgramData\Microsoft\Microsoft Security Essentials
C:\Program Files\Microsoft Security Essentials
Now, for a couple days, I have had no more issues!!! We’ll see in a week if it really fixes it. That’s an easy fix, but completely annoying! I still like MSSE regardless. It’s not perfect, but I’d rather have it than anything else.
I am curious to know if anyone else found this fix to work?
Note: I do recommend people run a manual scan with MalwareBytes and SuperAntispyware once in a while, along with the real time scanner in MSSE. MSSE didn’t catch a recent trojan at one of my clients, same one was blocking MalwareBytes too. Only SuperAntispyware cleaned the system properly.
EDIT 02/10/2010:
It’s been about a week and a half, still working fine! It appears that this fixed the problem!