XP Total Security 2011

Hans Manhave · May 26, 2011, 02:45:15 PM

Just recovered my own workstation from this Malware. Not a simple thing to do.

No idea how I acquired it, but it BSOD'd my workstation last night.

Searched on this forum for references, but couldn't find any.

Ended up using PCTools to clean, task manager to kill the vet.exe task whenever it appeared and MalwareBytes to finish up.

Not nice.

Jim Jensen · May 26, 2011, 03:02:25 PM

Rathat makes you want to punch someone, doesn't it?

Hans Manhave · May 26, 2011, 03:33:04 PM

Yes, but I cannot slap myself silly.

But if it can happen to me, then I have not much to blame someone else when it happens to them.

Time waster.

Jeff Zylstra · May 26, 2011, 03:54:54 PM

A huge time waster. And I'm not sure that machines are 100% stable afterward. Have you uninstalled your old Java versions and updated your Java, Adobe Reader, Shockwave, Flash and Windows updates? Chances are, it probably got in though an old version of Java.

Hans Manhave · May 26, 2011, 03:59:53 PM

I am suspecting a google search for the surplus lines department of the state of New Mexico. I just did one again, clicked on what it found and it went of downloading all kinds of stuff. I stopped it and just copied and pasted the url (an odd one for my mind to remember) and it went fine. There should have been sufficient anti-ware to catch it, but I guess not. Java could definitely have been involved. I just installed the latest one yesterday. Gives me a real fuzzy feeling. There are several more feelings that I have, but I will share them at a later time. ;-)

Jan Regnier · May 26, 2011, 04:48:43 PM

Quote from: HMan on May 26, 2011, 02:45:15 PM
Just recovered my own workstation from this Malware. Not a simple thing to do.

No idea how I acquired it, but it BSOD'd my workstation last night.

Searched on this forum for references, but couldn't find any.

Ended up using PCTools to clean, task manager to kill the vet.exe task whenever it appeared and MalwareBytes to finish up.

Not nice.

Hans - if this one of the zillion versions of Fake AV - the info I found - (to avoid having it load)

Do not to X out of anything! Don't Touch The Bowser window!
C-A-D to Task manager/ kill all instances of (whatever browser being used)/ Restart machine and the clear out browser history, temp files etc.

Xing out causes it to load - hence the Don't Touch the Browser instructions.

The one we had deleted some registry files and the website -Bleeping Computer - had the file to put them back( thanks to Robin for directions there). Also used Malwarebytes.

Hans Manhave · May 26, 2011, 06:38:39 PM

Maybe, but when you come in in the morning and find your station with a blue screen of death, there is not much else to do then reboot. Who knows at that point what caused it. So one reboots, and there it is all over the place. Like opening the door and turning on the light and the cockroaches are everywhere. Even c-a-d won't work. It pops up and immediately closes.

I did find that if one logs in and immediately hit c-a-d, one can start eliminating the task in active tasks and the processes, sorted by alphabet can be watched for "vet.exe". Just started ending them in any order I could click on. Worked. One would pop up the moment I would open a browser. Killing the vet.exe task also killed the browsing task. Downloaded removal tools with another machine and copied by USB key. Funny thing that no matter what the utility is, it always wants to download an update. Well, duh, I just downloaded it. It should be current enough to run. That was one of the biggest hurdles. They also needed to run more than once, with reboots. Safe mode did not appear to help a whole lot. I use a 1920x1280 display. In safe mode at 800x600 or so, it doesn't give me all the icons, it doesn't give me the second screen and it doesn't show all the programs in program manager (this can be corrected, I understand). Not all removal tools run in safe mode, yet one more interesting find. Furthermore, Windows remembers the window placement and so some windows are out of sight or too far removed and have to be minimized/maximized to work with. It was annoying. Praise God for air conditioning, I would have overheated without it. I just kept thinking "there are worse things than this" and there are many of those. It is now running a final full scan. Found some false alarms. Once that is done my machine should be clean and back up to full speed. Alert messages from Sonicwall stopped also. Maybe it found a way around it... Better not. I must go home and smell the roses. Shoot something in the morning.

Billy Welsh · May 26, 2011, 07:25:50 PM

If you are using Ultramon (realizing of course Safe Mode may not load it) you can right click the window on the inactive monitor and move it to the active one.

And if Safe Mode will not load Ultramon at boot, can you launch from Start menu?

Have fun shooting!

Hans Manhave · May 26, 2011, 11:00:56 PM

Ultramon was on my previous workstation. I don't currently have it installed, but do have two monitors.

I think it (PCTools) found all the bad stuff by now. I stopped the scan because it was finding software I wanted to keep and was done scanning the boot drive. Things like Radmin, port scanners and ip scanners.

Three Java indications were found and eliminated. Still have to remove all Java installs and download a single new one. Just deleted them at home.

Matthew Udovich · May 27, 2011, 07:50:38 AM

FWIW, CTRL + SHIFT + ESC will get you to the task manager a bit quicker. I know it makes a difference when firing up a machine, before that crap spits in your eye when you try to open task manager

Jeff Zylstra · May 27, 2011, 08:50:33 AM

Since you mentioned that this was an XP machine, don't forget to limit the user permissions on this machine. I think that I run my XP machines as "restricted" local accounts, and each of the user accounts in Active Directory are just "domain users". There are a couple of files and folders for TAM that may need permissions added, but nothing major or time consuming.

I've had much less trouble with viruses since limiting user accounts. I have figured out long ago, that anti-malware and anti-virus can never keep up since they rely on virus signatures to match up with the hashes of the viruses or malware. Just one small aspect of the virus or malware needs to change for the hash to change, which means that it is no longer blacklisted. I've started investigating whitelisting with Sophos, and I've been looking at the application control in SonicWall also. Unfortunately, I think that this may be the only way to limit these things.

Hans Manhave · May 27, 2011, 11:18:10 AM

I would like to figure out application control with SonicWall. I would like all video and sound programs to be routed through another ISP.

If only I could figure out how to do that. Now people watch the golf games through the main system as well as listen to audio streams of music.

I wish there was a step by step guide for that purpose. I can follow steps, even if there are 100 of them.

Sonicwall stopped many parts of this malware. No idea what would have happened if it was not present.

The old Sonicwall was easier to maintain for white and black listing. I know it can be done on this model, but there is so much to whitelist. We're an underwriting office and do lots of research on line.

I will have to remember Ctrl-Shift-Esc. That is indeed instantaneous. I didn't know about that one.

Jeff Zylstra · May 27, 2011, 11:44:20 AM

Quote from: HMan on May 27, 2011, 11:18:10 AM
I would like to figure out application control with SonicWall. I would like all video and sound programs to be routed through another ISP.

If only I could figure out how to do that. Now people watch the golf games through the main system as well as listen to audio streams of music.

I wish there was a step by step guide for that purpose. I can follow steps, even if there are 100 of them.

Sonicwall stopped many parts of this malware. No idea what would have happened if it was not present.

The old Sonicwall was easier to maintain for white and black listing. I know it can be done on this model, but there is so much to whitelist. We're an underwriting office and do lots of research on line.

I will have to remember Ctrl-Shift-Esc. That is indeed instantaneous. I didn't know about that one.

Yes, I have to spend more time on SonicWall to figure it out. I'm fairly sure that you would route traffic based on protocol, or route all streaming traffic to a certain WAN connection to accomplish what you want.

I know in Sophos, you can have the program "watch" the traffic and see what programs you are using, then you can whitelist them. I think you have to enter paths or executable file names in SonicWall. Not so friendly since executable file names often are buried or have soft switches.

Hans Manhave · May 27, 2011, 12:07:58 PM

I know the activity graphing on the dashboard when mousing over gives some interesting info.

Setting things up on the Sonicwall always reminds me of how interesting (not) it was to connect a printer to a Novell Netware server. You cannot just set "this service to this X1".

Jeff Zylstra · May 27, 2011, 12:50:49 PM

I believe that support is free with SonicWall. It might be worth a call. Often times, they will access your router remotely and set it up for you if you're having a problem.