Comments on: Rogue of the Week: Windows Recovery

By: Fake UPS Document Installs Fake Microsoft Patch Payload « Webroot Threat Blog

Fri, 17 Jun 2011 15:34:30 +0000

[...] rogue takes on much of the appearance of a previous Rogue of the Week, named Windows Recovery. In fact, Windows XP Restore looks to be a very slightly modified duplicate of that [...]

By: Andrew Brandt

Andrew Brandt — Wed, 01 Jun 2011 22:35:42 +0000

TDSS is bad news. It interferes with low level hooks to the kernel and filesystem that we use to remediate infections. It’s causing headaches for every AV vendor.

By: Andrew Brandt

Andrew Brandt — Wed, 01 Jun 2011 22:33:27 +0000

Various forms of TDSS/TDL rootkits seem to correlate with rogue infections; As TDSS seems to be as much a rootkit as a delivery mechanism for other malware, it’s likely the case that the rogue is being delivered by TDSS in some cases, not the other way around, but it can happen either way.

By: JL

JL — Fri, 27 May 2011 17:18:21 +0000

Great info here, thanks. I helped someone who was taken over by “XP Total Security 2011.” It operated nearly identical to the Windows Recovery Rogue discussed above. It hid programs, files, and desktop, disabled task mgr, and even forced restart command when trying to download WR online. Running the manual commands and registry key revisions allowed me to install WISE from a disc in safeboot with networking, and use task mgr to continuously end the rogue’s process while installation proceeded. Note, this XP Total Security rogue took over his ESET Smart Security 4 software and Firewall. We uninstalled that, ran a full scan, which caught ~15 various rogues with ~80 items quarantined. Amongs the variety of fake antivirus rogues and trojan downloaders caught, there was a manipulated adobe file, and XsscWvvgUnQhD.exe that I think was the ringleader of this gang. He’s quite content now that it’s all fixed up – thanks so much for your expertise!

By: Josh

Josh — Fri, 27 May 2011 04:40:54 +0000

I have a Vista version of this rogue on a clients machine. You mentioned that it asks if you would like to restart. My client said they were surfing on google (so it could have been a part of the OBL attacks as of late) and the laptop suddenly just restarted without user intervention, when it restarted the rogue just took over. Is the TDL3 or TDL4 versions of the TDSS rootkit involved with this rogue? When I find out if you guys don’t know I will post the results for you guys.

By: BMR777

BMR777 — Wed, 25 May 2011 17:39:28 +0000

My girlfriend’s PC got hit with this, but it went under Windows XP Recovery instead of just Windows Recovery. Unfortunately it came bundled with the TDSS rootkit. I was able to remove the rogue but not the rootkit, which would launch IE in the background every chance it got.

I tried tdsskiller from Kaspersky and that didn’t want to run on the system. Other rootkit programs wouldn’t find it either. Another symptom I couldn’t get rid of was the Google redirects to random sites in Firefox.

Considering this was the third virus my gf got in the past month, I decided to install Ubuntu for her.

By: rl

rl — Sun, 22 May 2011 10:04:18 +0000

Thanks for this info. The first time through your article, I missed the detail about the shortcuts being hidden in the temp/sntmp folder. By the time saw it, I had deleted my temp folders. Might be good to mention that in the “how to reverse the modifications” section so other people don’t miss it. Also, might be good to mention rkiller or malwarebytes for the folks like me who find your article first on google.
Thanks again