Posted by: Troy Tate
antimalware, antivirus, Internet Explorer, internet explorer history, malicious software, toolkit, troubleshooting
A user on my network recently reported their computer was displaying virus detection warnings. Investigation showed that the virus detection warnings were bogus and looked something like the screen below.
One thing to note about notifications like this is the computer displaying this message is now infected by some malware. The next thing that must happen is identifying the infected files and removing them.This process can take several steps. Some of the steps are outlined below.
- The client antivirus must be updated to see if it can detect and remove the infection.
- Scan the client using the Microsoft Malicious Software Removal tool. This is free and available for Windows systems running Windows 2000 or newer.
- If possible, use task manager to see running tasks. Find the names of any strange running processes. Then, see if you can locate the executable name on the hard drive.
- If you can locate the executable, and the previous virus scans have not detected anything, it is possible that you have a new variant or a new malware sample. To find out, submit the suspicious executable to VirusTotal for analysis by multiple virus scanning engines. This can help you determine what the depth of infection might be on this system.
In the case of this user, we also wanted to identify the particular source of infection and block it using URL filtering. This is where IE History Viewer came into action. I used the Sysinternals Psexec tool to remotely run the IEHV executable and capture the user’s browsing history. The command series I used for this purpose was as follows (this must be run under the security context of a user with administrative rights over the remote computer):
net use * \\machine-name\c$
psexec \\machine-name -w c:\ -c iehv.exe /shtml “userIEdata.html” -user username
Where machine-name can either be the fully qualified domain name of the user’s computer or the IP address. The username must also be specified on the command line in the same format as the name used on the user’s Documents and Settings folder. In other words, a user may have more than one profile copy on the computer, the command shown above will need the user’s active profile name. For example: user JBond may have profiles JBond.UK and JBond.007. If JBond.007 is the normal profile used by this user, then that will be the value used for the username variable above. So, an example for this would be:
psexec \\Goldfinger -w c:\ -c iehv.exe /shtml “JBond007-IEdata.html” -user JBond.007
So, I I mapped drive Y: to the Goldfinger computer, there would be an HTML file called JBond007-IEdata.html showing the IE history for the JBond.007 user. Since this file is HTML, it can be opened in a web browser or other HTML editors for review. I typically open the output file in Excel so I can do sorting, searching and string manipulation on the data.
This enabled me to look at the user’s internet activity around the time the bogus antivirus detection was reported. One thing you should notice in the history file shown below is the kaka:// string in front of a path to a file under the user’s Documents and Settings folder. This kaka string can help you identify where part of the malware has deposited itself. This is the file that needs submitted to VirusTotal for analysis.
The IE History Tool can be a very useful tool for fighting malware.I also found a website that I put into the URL filter blocklist called laptopantivirus.net. This is a known malware source and if you have not blocked it in your environment in some way, I recommend you take steps to block this domain.
Have you used it for any other useful purposes? Share your experiences with other ITKE readers.
Thanks for reading and let’s continue to be good network citizens!