By Stephen Ham and Andrew Brandt
This week’s rogue, once again, mimics a system utility and not merely an antivirus product. Either way, the scam is the same: Convince the victim that their computer is broken, then coerce them to pay for useless snake oil.
These rogue system utilities go by the names Windows Troubles Killer or Windows Salvage System; They are, for all intents and purposes, identical programs which have been “skinned” with different names. They actually appear to be a hybrid rogue, carefully blending a customized mix of malarkey and baloney into some sort of shenanigans smoothie. The program claims not only to be able to scan your computer for problems with software settings and other system optimization-sounding stuff, but also to perform some sort of check of your “Computer Safety” and “Network Security.” Oh yes, and there’s an antivirus component too, just to round out the complete package.
All in all, it’s a fairly rudimentary rogue to remove (whether you choose to do it manually or use our software), but it performs some unique system modifications that disable some legitimate security software, turns off some important Windows features, mimics some of Microsoft’s own software, and generally acts as a nuisance while reducing the actual security level of an infected computer. I’ll detail those after the jump.
The software installs itself to the %appdata%Microsoft path, using a random, six-alphabetic-character filename.The icon looks like a wooden shipping crate…because there is no material known to humankind with a better reputation for strength, protection, and durability than wood, amirite?
Once installed, the rogue looks like yet another variation on the typical ransomware-type rogue app theme: It starts up with Windows, prevents the Desktop from loading, and only grants access to its “fix error” features if you pay for a license key.
The Settings tab in the rogue’s user interface has some options which allows the victim to close the app temporarily and continue loading the Desktop. But just getting to the desktop doesn’t mean you’ll be able to do anything on the computer once you get there: The rogue prevents most Windows apps from loading, such as the Task Manager, Command Prompt, or Internet Explorer.
For power users, the rogue also “detects” Microsoft’s Process Explorer as malware, and suppressed or killed other manual removal or analysis apps like HijackThis, Process Monitor, TCPView, or PEiD.
The rogue also executes itself when you reboot into Windows’ Safe Mode, sadly with no loss in functionality. In fact, when you boot into Safe Mode, the rogue displays a handy little dialog box that explains (from the perspective of an illiterate malware clown) what Safe Mode is (even though the rogue refers to it as Safe Boot).
The rogue also suppressed 3 other process viewers that I tried to use — Process Hacker, PrcView, and NirSoft CurrProcess — though it didn’t immediately suppress any of them like it did Process Explorer. Instead, the rogue allowed each process monitoring tool to run long enough until it was used to try to kill the rogue, then it tried to terminate the tool. NirSoft CurrProcess was able to kill the rogue’s process before the rogue could fight back, and the rogue did not automatically reload until Windows rebooted.
In addition to actively suppressing analysis tools, the rogue also sets several so-called IFEO (image file execution options) keys in the Registry. When the debugger value is set in any IFEO key, it launches the filename specified in that debugger value instead of the program named in the key. While IFEO keys in general serve a valid purpose, they have been abused for years by rogues and password stealers that want to prevent certain antivirus products from starting up or functioning properly.
IFEO keys are in the following location in the Registry:
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionimage file execution options(program name)
Among the programs targeted by the rogue’s IFEO keys were Avast Firewall, Avast Antivirus, Eset Smart Security, Windows Defender (the real one from Microsoft), and Microsoft Security Essentials (msascui.exe shown above). On an infected system, these programs would fail to start after a reboot, and you’d see svchost.exe start up momentarily and then quit — if you could get to the Task Manager. The rogue also terminates the Microsoft Malware Protection Service and the Windows Defender service (if present), then sets the services to disabled so they can’t restart after a reboot.
In addition, the rogue sets the following keys that disable functionality on the system:
HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem | enablelua | 0 HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem | consentpromptbehavioradmin | 0 HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionpoliciessystem | consentpromptbehavioruser | 0 HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsystemrestore | disablesr HKEY_CURRENT_USERsoftwaremicrosoftwindowscurrentversioninternet settings | warnonhttpstohttpredirect | 0
These keys, when set as shown above, disable User Account Controls, turn off all the prompting that happens when you try to run a program that needs administrative access, disable the System Restore feature on the computer, and stops IE from warning you when you are entering data into a form that is being submitted to an unsecured HTTP Web site — for example, the order form for Trouble Killer/Salvage System.
I have had a lot of trouble with malware especially of the ‘scareware’ type, fake antivirus tools. This happens because I sometimes browse in places where a prudent person shouldn’t browse. But I’m retired and get bored. I usually get around the problem by using a restore point and sometimes have to boot into safe mode to do it.
I read your blogs which are excellent but I’m not a power user and there was much I didn’t understand. I did notice that there appeared to be no solutions to these infections implying that I would have to buy one of your products to fix or prevent.
Isn’t this the same tactic used by the malware distributors? I would like to buy you stuff but am a bit hesitant. I now run MSE, Malwarebytes, and Avira and use MS firewall on Vista Home Premium. MBAM routinely stops the same two malwares and gives the IPs. I traced one to Nanjing, China and assumed the other was in China also.
The only thing I don’t like about MSE and MBAM is that they are too slow. I start the program then go downstairs, have a leisurly lunch, mow the lawn, paint the house and when I get back several hours later, the program has finished. I have Vista on a 128 GB partition.
There are a lot of reasons why your scans may take longer than they need to and I won’t assume to know all of them but I can suggest a couple of possible causes.
Most likely I would think is a lacking amount of RAM on your system. Vista built computers are notorious for a) having low amounts of RAM available and b) Vista itself using a lot of what is there. Vista will typically take up to a full GB of RAM and some unfortunate machines with Vista have only a GB in the first place, they were later making low end Vista machines with 2GB as a baseline but plenty of people ended up with those 1GB systems before this habit was adopted.
Another possibility, and again I don’t know your habits, might be that you’re running other programs while the scans are going on. This will also reduce available RAM that could be used to speed up the scans. These could be programs like web browsers or mail client programs that you might start up almost automatically or could be programs that actually start with Windows which, you may or may not, be aware of. Some examples of common programs in this group might be an instant messenger like AIM or Yahoo messengers or system utilities like a registry cleaner/scanner.
Despite your note of not being a power user you do seem like an above-average computer user, in my opinion, so some or all of these may be things you already know.
You’re probably only missing the shortcuts to your files and applications, but they’ve likely only been moved, not deleted. The rogue stores those files in the %temp% directory.
Click Start, then Run, and paste the following into the text box:
%temp%smtmp
If the rogue moved your shortcuts, they’ll very likely be in that location.
We do only have support techs available during business hours because we do not outsource any of our technical support staff to another country.