XP Total Security 2011

Started by Hans Manhave, May 26, 2011, 02:45:15 PM


Hans Manhave

Just recovered my own workstation from this Malware.  Not a simple thing to do.

No idea how I acquired it, but it BSOD'd my workstation last night.

Searched on this forum for references, but couldn't find any.

Ended up using PCTools to clean, task manager to kill the vet.exe task whenever it appeared and MalwareBytes to finish up.

Not nice.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jim Jensen

That makes you want to punch someone, doesn't it?
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Hans Manhave

Yes, but I cannot slap myself silly. 

But if it can happen to me, then I have not much to blame someone else when it happens to them.

Time waster.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

A huge time waster.  And I'm not sure that machines are 100% stable afterward.  Have you uninstalled your old Java versions and updated your Java, Adobe Reader, Shockwave, Flash and Windows updates?  Chances are, it probably got in through an old version of Java. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

I am suspecting a Google search for the surplus lines department of the state of New Mexico.  I just did one again, clicked on what it found and it went off downloading all kinds of stuff.  I stopped it and just copied and pasted the URL (an odd one for my mind to remember) and it went fine.  There should have been sufficient anti-malware to catch it, but I guess not.  Java could definitely have been involved.  I just installed the latest one yesterday.  Gives me a real fuzzy feeling.  There are several more feelings that I have, but I will share them at a later time.  ;-)

Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jan Regnier

Quote from: HMan on May 26, 2011, 02:45:15 PM
Just recovered my own workstation from this Malware.  Not a simple thing to do.

No idea how I acquired it, but it BSOD'd my workstation last night.

Searched on this forum for references, but couldn't find any.

Ended up using PCTools to clean, task manager to kill the vet.exe task whenever it appeared and MalwareBytes to finish up.

Not nice.

Hans - if this one of the zillion versions of Fake AV - the info I found - (to avoid having it load)


Do not X out of anything!  Don't touch the browser window!
C-A-D to Task manager/ kill all instances of (whatever browser being used)/ Restart machine and the clear out browser history, temp files etc.

Xing out causes it to load - hence the Don't Touch the Browser instructions.

The one we had deleted some registry files and the website -Bleeping Computer - had the file to put them back( thanks to Robin for directions there).  Also used Malwarebytes.



Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Hans Manhave

Maybe, but when you come in in the morning and find your station with a blue screen of death, there is not much else to do than reboot.  Who knows at that point what caused it.  So one reboots, and there it is all over the place.  Like opening the door and turning on the light and the cockroaches are everywhere.  Even c-a-d won't work.  It pops up and immediately closes. 

I did find that if one logs in and immediately hits c-a-d, one can start eliminating the tasks in active tasks, and the processes, sorted by alphabet, can be watched for "vet.exe".  Just started ending them in any order I could click on.  Worked.  One would pop up the moment I would open a browser.  Killing the vet.exe task also killed the browsing task.

Downloaded removal tools with another machine and copied by USB key.  Funny thing that no matter what the utility is, it always wants to download an update.  Well, duh, I just downloaded it.  It should be current enough to run.  That was one of the biggest hurdles.  They also needed to run more than once, with reboots.

Safe mode did not appear to help a whole lot.  I use a 1920x1280 display.  In safe mode at 800x600 or so, it doesn't give me all the icons, it doesn't give me the second screen and it doesn't show all the programs in program manager (this can be corrected, I understand).  Not all removal tools run in safe mode, yet one more interesting find.  Furthermore, Windows remembers the window placement and so some windows are out of sight or too far removed and have to be minimized/maximized to work with.  It was annoying.

Praise God for air conditioning, I would have overheated without it.  I just kept thinking "there are worse things than this" and there are many of those.  It is now running a final full scan.  Found some false alarms.  Once that is done my machine should be clean and back up to full speed.  Alert messages from Sonicwall stopped also.  Maybe it found a way around it...  Better not.  I must go home and smell the roses.  Shoot something in the morning.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Billy Welsh

If you are using Ultramon (realizing of course Safe Mode may not load it) you can right click the window on the inactive monitor and move it to the active one.

And if Safe Mode will not load Ultramon at boot, can you launch from Start menu?

Have fun shooting!
Billy Welsh
VP of Accounting
CableSouth Media, LLC dba SwyftConnect

Hans Manhave

Ultramon was on my previous workstation.  I don't currently have it installed, but do have two monitors.

I think it (PCTools) found all the bad stuff by now.  I stopped the scan because it was finding software I wanted to keep and was done scanning the boot drive.  Things like Radmin, port scanners and ip scanners.

Three Java indications were found and eliminated.  Still have to remove all Java installs and download a single new one.  Just deleted them at home.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Matthew Udovich

FWIW, CTRL + SHIFT + ESC will get you to the task manager a bit quicker. I know it makes a difference when firing up a machine, before that crap spits in your eye when you try to open task manager  ;D

Jeff Zylstra

Since you mentioned that this was an XP machine, don't forget to limit the user permissions on this machine.  I think that I run my XP machines as "restricted" local accounts, and each of the user accounts in Active Directory are just "domain users".  There are a couple of files and folders for TAM that may need permissions added, but nothing major or time consuming. 

I've had much less trouble with viruses since limiting user accounts.  I figured out long ago that anti-malware and anti-virus can never keep up since they rely on virus signatures to match up with the hashes of the viruses or malware.  Just one small aspect of the virus or malware needs to change for the hash to change, which means that it is no longer blacklisted.  I've started investigating whitelisting with Sophos, and I've been looking at the application control in SonicWall also.  Unfortunately, I think that this may be the only way to limit these things.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop
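The blacklist-versus-whitelist point in the post above, worked through in code.  This is an added example, not code from the forum thread or from any of the products named in it; the "files" are constructed byte strings standing in for binaries (no real malware), and the three controls are deliberately minimal models of a whole-file hash signature, a byte-pattern signature, and an application-control allowlist.

```python
"""
Added example, not code from the forum thread: a hash-only blacklist versus
a byte-pattern signature versus an executable allowlist. All "files" here
are constructed byte strings standing in for binaries, not real malware.
"""
import hashlib

# Constructed stand-ins for a known-bad binary and an approved business app.
KNOWN_BAD = b"MZ\x90\x00" + b"fake-av-payload stand-in for XP Total Security 2011"
APPROVED_APP = b"MZ\x90\x00" + b"approved line-of-business application stand-in"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Three kinds of control the thread discusses:
HASH_BLACKLIST = {sha256(KNOWN_BAD)}          # whole-file hash signature
PATTERN_BLACKLIST = [b"fake-av-payload"]      # byte-pattern signature
ALLOWLIST = {sha256(APPROVED_APP)}            # application control / whitelisting


def hash_blacklist_blocks(data: bytes) -> bool:
    """Signature database keyed by full-file hash: block only exact matches."""
    return sha256(data) in HASH_BLACKLIST


def pattern_blacklist_blocks(data: bytes) -> bool:
    """Content signature: block if any known byte pattern appears."""
    return any(pattern in data for pattern in PATTERN_BLACKLIST)


def allowlist_permits(data: bytes) -> bool:
    """Application control: run only files whose hash was approved in advance."""
    return sha256(data) in ALLOWLIST


def append_byte(data: bytes) -> bytes:
    """Attacker's cheapest rebuild: one extra byte, new hash, same behaviour."""
    return data + b"\x00"


def rename_marker(data: bytes) -> bytes:
    """A rebuild that also changes the bytes the pattern signature keys on."""
    return data.replace(b"fake-av-payload", b"fake_av_payload")


def evaluate(data: bytes) -> dict:
    """What each control decides about one file."""
    return {
        "hash_blacklist_blocks": hash_blacklist_blocks(data),
        "pattern_blacklist_blocks": pattern_blacklist_blocks(data),
        "allowlist_permits": allowlist_permits(data),
    }


if __name__ == "__main__":
    for label, sample in [
        ("original", KNOWN_BAD),
        ("one byte appended", append_byte(KNOWN_BAD)),
        ("marker renamed too", rename_marker(append_byte(KNOWN_BAD))),
        ("approved app", APPROVED_APP),
    ]:
        print(f"{label:20} {evaluate(sample)}")
```

The hash blacklist loses on the first rebuild, the pattern signature survives that one but not the second, and the allowlist refuses all three variants without ever having seen them.  The price of the allowlist is the other side of the same coin: every legitimate update changes an approved program's hash, so the list has to be maintained, which is the "so much to whitelist" burden raised later in this thread.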

Hans Manhave

I would like to figure out application control with SonicWall.  I would like all video and sound programs to be routed through another ISP. 

If only I could figure out how to do that.  Now people watch the golf games through the main system as well as listen to audio streams of music.

I wish there was a step by step guide for that purpose.  I can follow steps, even if there are 100 of them.

Sonicwall stopped many parts of this malware.  No idea what would have happened if it was not present.

The old Sonicwall was easier to maintain for white and black listing.  I know it can be done on this model, but there is so much to whitelist. We're an underwriting office and do lots of research on line.

I will have to remember Ctrl-Shift-Esc.  That is indeed instantaneous.  I didn't know about that one.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Quote from: HMan on May 27, 2011, 11:18:10 AM
I would like to figure out application control with SonicWall.  I would like all video and sound programs to be routed through another ISP. 

If only I could figure out how to do that.  Now people watch the golf games through the main system as well as listen to audio streams of music.

I wish there was a step by step guide for that purpose.  I can follow steps, even if there are 100 of them.

Sonicwall stopped many parts of this malware.  No idea what would have happened if it was not present.

The old Sonicwall was easier to maintain for white and black listing.  I know it can be done on this model, but there is so much to whitelist. We're an underwriting office and do lots of research on line.

I will have to remember Ctrl-Shift-Esc.  That is indeed instantaneous.  I didn't know about that one.

Yes, I have to spend more time on SonicWall to figure it out.  I'm fairly sure that you would route traffic based on protocol, or route all streaming traffic to a certain WAN connection to accomplish what you want.

I know in Sophos, you can have the program "watch" the traffic and see what programs you are using, then you can whitelist them.  I think you have to enter paths or executable file names in SonicWall.  Not so friendly since executable file names often are buried or have soft switches.
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

I know the activity graphing on the dashboard when mousing over gives some interesting info.

Setting things up on the Sonicwall always reminds me of how interesting (not) it was to connect a printer to a Novell Netware server.  You cannot just set "this service to this X1".
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

I believe that support is free with SonicWall. It might be worth a call. Often times, they will access your router remotely and set it up for you if you're having a problem. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Hans Manhave

Another observation: virus scanning software comes and goes.  It appears that what was great with Windows XP is not as great with Windows 7 and vice versa. 

See www.av-test.org for individual scores.  Most of my subscriptions for this expire in the May-July period.  Looking at replacing them individually or as a server based.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Hans Manhave

Adding some more, hopefully helpful, suggestions.

From www.clamwin.com download and run ClamWin.  Do read what it says about itself.

Furthermore, click on the link 'anti-malware links' at the Clamwin website and look for free removal tools and try several.  I ran F-Secure Easyclean and it was the one that cleaned my Google/Bing search redirections.

Remember to use www.virustotal.com for individual files.  I just did and 42 different virus scanners ran.  Only one had a positive determination which I am sure about being a false positive.
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Mark

You could always put an HTTP virus scanner in the mix, too.

I use HAVP, which is an open source non-caching proxy that utilizes ClamAV (or some commercial products if you like).  I use it as a parent proxy to squid, which isn't a perfect setup, but I do believe that it can be used transparently as well.

Just a thought.

As a side note: I don't spend much time cleaning Malware here.  In the past 5 years, I think I saw 3 Fake AV infections, all within a few months of each other.  All I do is use taskkill to remotely kill the process then mbam it and be done.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Jeff Zylstra

+1 for the remote taskkill, Mark!  Whenever one of these things happens, it's real easy to lose your head and forget about some of the little "tricks" of the trade like taskkill.   This website shows how to use taskkill remotely, and also shows a very simple batch file that will kill the task(s) for you.   Very nice.

http://blog.jeffharbert.com/index.php/2009/03/using-taskkill-to-end-remote-processes/
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop
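Hans described killing vet.exe from Task Manager as fast as it respawned, Jan's notes kill every browser instance, and Mark and Jeff recommend doing the same remotely with taskkill.  The script below is an added example that does that with the built-in tasklist and taskkill commands; it is not code from the thread or from the linked blog post.  The host name WS07 and the account DOMAIN\admin are hypothetical, the tasklist output is a constructed sample, and running it for real needs an account with administrative rights on the target and the usual Windows remote-administration ports open.

```python
"""
Added example, not from the forum thread or the linked blog post: find and
kill a process by image name, locally or on a remote XP/Windows host, using
the built-in tasklist and taskkill commands. The host name WS07 and the
account DOMAIN\\admin used in the tests and usage line are hypothetical.
"""
import csv
import subprocess
import sys
import time

# Constructed sample of `tasklist /FO CSV /NH` output; not captured from a real machine.
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Console","0","28 K"\r\n'
    '"explorer.exe","1532","Console","0","32,120 K"\r\n'
    '"vet.exe","2264","Console","0","5,884 K"\r\n'
    '"iexplore.exe","2300","Console","0","41,004 K"\r\n'
    '"vet.exe","2412","Console","0","5,900 K"\r\n'
)


def parse_tasklist(csv_text):
    """Turn tasklist CSV rows into (image_name, pid) tuples."""
    rows = []
    for row in csv.reader(csv_text.splitlines()):
        if len(row) >= 2 and row[1].isdigit():
            rows.append((row[0], int(row[1])))
    return rows


def find_pids(csv_text, targets):
    """PIDs whose image name matches one of targets (case-insensitive)."""
    wanted = {t.lower() for t in targets}
    return [pid for name, pid in parse_tasklist(csv_text) if name.lower() in wanted]


def remote_args(host=None, user=None):
    """/S and /U switches shared by tasklist and taskkill; the tools prompt for the password."""
    args = []
    if host:
        args += ["/S", host]
        if user:
            args += ["/U", user]
    return args


def tasklist_command(host=None, user=None):
    return ["tasklist"] + remote_args(host, user) + ["/FO", "CSV", "/NH"]


def taskkill_command(pid, host=None, user=None):
    return ["taskkill"] + remote_args(host, user) + ["/F", "/PID", str(pid)]


def kill_matching(targets, host=None, user=None, run=subprocess.run):
    """One pass: list processes, kill every match, return the PIDs killed."""
    listing = run(tasklist_command(host, user), capture_output=True, text=True, check=True).stdout
    killed = []
    for pid in find_pids(listing, targets):
        run(taskkill_command(pid, host, user), check=False)
        killed.append(pid)
    return killed


def watch_and_kill(targets, host=None, user=None, rounds=30, interval=2.0, run=subprocess.run):
    """Keep killing as the malware respawns; stop after the first quiet round."""
    total = []
    for _ in range(rounds):
        killed = kill_matching(targets, host, user, run)
        if not killed:
            break
        total += killed
        time.sleep(interval)
    return total


if __name__ == "__main__":
    # python killproc.py vet.exe [WS07 [DOMAIN\admin]]   (Windows only)
    names = sys.argv[1:2] or ["vet.exe"]
    host = sys.argv[2] if len(sys.argv) > 2 else None
    user = sys.argv[3] if len(sys.argv) > 3 else None
    print("killed:", watch_and_kill(names, host, user))
```

Killing by PID after parsing the listing lets you add the browser names to the target list in the same pass; `taskkill /S WS07 /F /IM vet.exe` would do the single-name case in one command.  Either way this only stops the running process.  The autorun entry that restarts it is untouched, which is why the thread still ends up running the removal tools afterwards.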

Bloody Jack Kidd

Have had 3+ incidents in the past 30 days - FakeAV.  Every time, Symantec and MBAM failed to clean.  Sophos did the job though.  Symantec has really been letting us down recently.
Sysadmin - Parallel42

Jeff Golas

Tell me about it...over the past 2 years...I think it truly blocked one instance where something came in. Other than that the comps got infected and had to be re-imaged.

Hans - just food for thought...with these spyware infections, yeah you got rid of the annoyance part of it, but are you sure it's completely gone? My rule with spyware nowadays...if it got infected, there's prob no 100% method of cleaning it out. Who knows what else is in there or if there's a backdoor left behind.
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Mark

Quote from: Bloody Jack Kidd on June 09, 2011, 09:41:27 AM
Have had 3+ incidents in the past 30 days - FakeAV.  Every time, Symantec and MBAM failed to clean.  Sophos did the job though.  Symantec has really been letting us down recently.

That's why you need the layered approach.  It can be very difficult for these things to be caught by real-time scanners and Symantec has been venting about that for a while now -- and crying for people to submit them when they find them.  I think most people are just so frustrated with Symantec in that moment that they often don't submit anything.  I can say that I never have.

mbam has done the trick for me every time though.  Maybe I've just been lucky.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Mark

Quote from: Jeff Golas on June 09, 2011, 10:18:41 AM
Tell me about it...over the past 2 years...I think it truly blocked one instance where something came in. Other than that the comps got infected and had to be re-imaged.

I just don't have these problems here.  Don't know what to tell ya.

My users are Power Users & not allowed to install anything
I use Squid + HAVP as I've said before.
We use OpenDNS free

I added a Cisco IPS this year, but haven't seen it block anything yet

Other than that, I don't know what else might be different.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Hans Manhave

Also using OpenDNS free. 

MBAM was able to clean some stuff, but not all.  It does a very good job at preventing outgoing effects from this particular infection, showing several a minute and stopping them, but it couldn't remove it.  There were very complex instructions for people, running hijackthis or others and submitting logs, taking more advised action etc.  Running the FSecure Easyclean (free) did do the trick.  Amazing what features were suddenly restored after it finished running (including a reboot and some more running).  Microsoft Security Essentials is easily defeated by this trojan (XP Total Security 2011). 
Fantasy is more important than knowledge, because knowledge has its boundaries - Albert Einstein

Jeff Zylstra

Glad that it worked for you Hans, but I've found mixed results with just about everything that I've tried.  Either the anti-virus misses the infection, or if it detects it, it can't both completely remove it and also fix all of the damage that was done.  Many of the "repairs" on sites like BleepingComputer.Com have to do with arcane registry fixes that may or may not affect daily operation of your computer.  I suspect that they probably do catch all of the mischief, but I'm also sure that the day is either coming or is already here when these things will leave some kind of a "backdoor" into systems, even after being removed.

I liked that thought of Microsoft's "Steady State" software, but this won't run on anything past Windows XP.  I've found that Faronics' Deep Freeze has some management issues as far as unfreezing to allow Windows and software updates and then "refreezing" the computer to armor it again.  I haven't used Sandboxie on my own system, but haven't found it stable enough to run on other systems.  I'm also wondering if these sandbox type programs are truly as invincible as they say they are.  If so, they may be worth it.  At least for the producers and agency owner's machines.  ;)
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Mark

The most important thing is and always will be education.  We can have all the tools/scanners/blockers/fixes/etc in the world at our disposal, and if users aren't properly educated, we will still end up with these infections.

Everyone has heard this before, I am sure.  I just don't know how much it's actually bought into, but trust me -- a little education goes a LONG way!
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security