"Backup" Virus Removal (AKA Anti-Virus Pro and Others)



Posted on Fri Oct 18, 2013 6:27 pm

Well, there is a new fun ransomware (Buy our anti-virus/backup software to "Fix" your machine) out there. This particular virus was found on a machine today for the first time where it popped up on the user. The machine was in an office environment and the user had claimed to have noticed this after opening a PDF file. Looking at it, the machine is 100% updated for Windows updates BUT is using Adobe version 10.1.7, so a bit out of date there. The newest recycled thing for viruses to do lately is disable your ability to open Windows Task Manager. So we are going to go CMD on this virus's ass.

This one doesn't even give itself a name. It just says your machine needs to be backed up and by clicking "OK" you can go online to do this for free. ComboFix, ADWCleaner, rKill and Avast all don't even notice it running. So if you'd like to shut it down for manual killing I'd suggest the following, minus the " " as usual.


1.) Open a command prompt (Start Menu > Type the letters CMD > Press Enter)
2.) Type "tasklist" - This will list all running processes, since you will find yourself unable to open Task Manager using CTRL + ALT + DELETE due to the virus.
3.) Look through your list of processes and identify which is your culprit. One of these does not belong. Mine was named "xnwnna33.exe"
4.) Type "taskkill /im processname.exe /f" - The /im is for Image name and the /f is to forcibly close the image you specified.

Note, this will ONLY shut off the virus process that is running and will NOT remove it for good. You will still need to find the actual offending file(s) and remove them. On the system I fixed, the virus files were located in C:\ProgramData in the form of 3 files. 2 of those files were just executables and 1 was a .pf (prefetch file). Removing these manually and cleaning out Windows Task Scheduler resolved issues.


You'll also want to go in under Services.msc and make sure that the Security Center service is not set to Disabled. If it is, set it back to Windows' default of Automatic and then start the service. As usual, when removing infections, run a round of your favorite updated scanners that day and possibly the next just to make sure the Anti-Virus/Anti-Malware guys have caught up to the new infection.
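The same triage, scripted in PowerShell as an added example (this is not the poster's own procedure, which was typed into cmd.exe). It assumes an elevated PowerShell prompt on the infected machine; the process name xnwnna33.exe and the C:\ProgramData location are the ones reported in the post above and are placeholders for whatever you find. Beyond the steps in the post, it prints each suspect's image path (tasklist does not show it) and its Authenticode signature status, since legitimate software that runs from a per-user or ProgramData folder is normally signed.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# prompt (2.0 or later) on the infected Windows machine. "xnwnna33" and
# C:\ProgramData come from the poster's report and are placeholders.

# --- Steps 2 and 3: what "tasklist" shows, plus the image path, which
# tasklist omits. Flag anything executing from a user-writable location.
$suspectRoots = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA)

$suspects = Get-Process | Where-Object { $_.Path } | Where-Object {
    $path = $_.Path
    @($suspectRoots | Where-Object { $path -like "$_\*" }).Count -gt 0
}

'{0,6}  {1,-20} {2,-12} {3}' -f 'PID', 'Name', 'Signature', 'Signer / Path'
foreach ($proc in $suspects) {
    $sig = Get-AuthenticodeSignature -FilePath $proc.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    '{0,6}  {1,-20} {2,-12} {3}' -f $proc.Id, $proc.ProcessName, $sig.Status, $signer
    '{0,6}  {1,-20} {2,-12} {3}' -f '', '', '', $proc.Path
}

# --- Step 4: the equivalent of "taskkill /im xnwnna33.exe /f". Only the
# process you identified above; substitute your own culprit's name.
$culprit = 'xnwnna33'   # process name from the post, without the .exe
Get-Process -Name $culprit -ErrorAction SilentlyContinue | Stop-Process -Force

# --- Loose executables and prefetch files sitting directly in C:\ProgramData.
# Prefetch files normally live in $env:SystemRoot\Prefetch, so a .pf here is
# itself odd. Listed only; delete by hand once you have confirmed them.
Get-ChildItem -Path $env:ProgramData -Force |
    Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|pf)$' } |
    Select-Object FullName, Length, LastWriteTime

# --- Task Scheduler entries that would relaunch those files at next boot or
# logon. Parses the CSV form of schtasks so it also works on Windows 7,
# which lacks Get-ScheduledTask. The header row repeats per task folder in
# /v output, so it is filtered out.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -like '*ProgramData*' } |
    Select-Object TaskName, 'Task To Run'
# Remove a confirmed one with:  schtasks /delete /tn "<TaskName>" /f

# --- Security Center service (wscsvc): back to Automatic and started if the
# malware disabled it.
$wsc = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"
if ($wsc.StartMode -eq 'Disabled') {
    Set-Service -Name wscsvc -StartupType Automatic
}
if ($wsc.State -ne 'Running') {
    Start-Service -Name wscsvc
}
```

The script lists rather than deletes the files and scheduled tasks on purpose: an unsigned image under ProgramData is a strong lead, not proof, and the follow-up scans the post recommends are still the confirmation step.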

Hopefully this will help someone remove crap like this off their system until the guys at the AV companies update their repository. Happy hunting Gerbils.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

i5-2500K|Asus P67 Sabertooth|16GB Corsair 1600|MSI 7850 2GB|250gb Evo 840|Corsair 400R|ET750w PSU|Logitech G5|Dell 2420L|Corsair Vengeance 1300
Welch
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2639
Joined: Thu Nov 04, 2004 5:45 pm
Location: Fairbanks, Alaska

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Fri Oct 18, 2013 7:10 pm

Is it still not time to have that user run as a user instead of Admin?
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.
Flying Fox
Gerbil God
 
Posts: 24422
Joined: Mon May 24, 2004 2:19 am

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Fri Oct 18, 2013 8:24 pm

You should've saved a sample to play around with (to test out other products, etc.) or at least submitted it to antimalware companies...
My subscription allows you people to exist on this site and makes me a better human being than you'll ever be
JohnC
Gerbil Jedi
Gold subscriber
 
 
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Fri Oct 18, 2013 9:59 pm

Wow, great information! I'm using AD to push install Reader 11 for network users. For the student lab I'm using Ninite Pro, which does a great job actually, updating lots of common software that doesn't come with a .msi.

I've noticed that a good bit of software, Chrome comes to mind, that doesn't require admin privileges or elevation to install. It's limited to the user profile, so at least you can nuke the profile and get clean again.
Calm seas never made a skilled mariner.
drsauced
Graphmaster Gerbil
 
Posts: 1469
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sat Oct 19, 2013 8:02 pm

I'd agree 100% with making them a user, but this was a personal machine brought to me. So disabling their ability to administer their own machine (I know, funny) just isn't an option. In a network environment, hell yes. Make them all user accounts and just run as administrator when needed. Describing that process to some home users is about as Greek as explaining calculus to a third grader (or myself).

Edit: Just realized in my explanation before I said it was an office machine. I was getting it mixed up with a personal machine in the office. It is in fact a personal machine where the user was opening PDF files for his own "business" so to speak.
Welch
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2639
Joined: Thu Nov 04, 2004 5:45 pm
Location: Fairbanks, Alaska

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sat Oct 19, 2013 8:25 pm

Very useful info. My experience is that 'traditional' AV software sucks at dealing with application-level malware.
NovusBogus
Gerbil Elite
 
Posts: 516
Joined: Sun Jan 06, 2013 12:37 am

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sat Oct 19, 2013 8:28 pm

This is off-topic, but it is a security issue. And given the situation you described it is relevant to the conversation of maintaining good application control and security standards on your network.

There are only a handful of companies that are worthy of disdain in the IT world, Adobe is one of them. The last 2 years have seen some pretty major security breaches for them. Around this time last year they disclosed that servers they were using to compile code had been compromised, with hackers being able to digitally sign malicious code using an Adobe cert. These certs are part of how UAC verifies if an application is malicious or not.

And just a few weeks ago Adobe publicly revealed that 2.9 million user accounts had been compromised, along with an undisclosed number of credit cards associated with those accounts. If that weren't enough, source code for as yet undetermined products was also taken after the accounts were accessed. Adobe has indicated that source code for Acrobat "may" have been targeted.

But complaining about a company being terrible isn't useful unless there is a good solution. Foxit is a pretty awesome replacement for Acrobat Reader. I've been deploying it for users at various companies for years now and haven't had any issue with it. It's full featured and of the hundreds of workstations I've installed it on I can think of twice that there has been some kind of compatibility issue, and both of those were over 2 years ago. With the potentially severely compromised state of Acrobat Reader it is worth investigating if you can remove it completely from your network. If you sign up for a free account they will even provide a .msi of the installer with some xml (and if it's your thing) some group policy enhancements that allow for robust management of settings within the application (enforce security features, things like that). All for the low low cost of nothing. I am currently vetting the paid for version of Foxit for compatibility with features required for business processes, and if it is you better believe I am not deploying Acrobat or Acrobat Pro ever again.
LaChupacabra
Gerbil First Class
Gold subscriber
 
 
Posts: 136
Joined: Tue Dec 30, 2008 10:59 pm

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sat Oct 19, 2013 9:09 pm

Or boot a WinPE disk and run RogueKiller. Or Hiren's BootCD.

http://www.sur-la-toile.com/RogueKiller/

It will remove AV pro among others.
fuzzhead
Gerbil First Class
Gold subscriber
 
 
Posts: 176
Joined: Thu Mar 10, 2005 12:02 am
Location: Florida

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sat Oct 19, 2013 11:40 pm

LaChupacabra wrote: Foxit is a pretty awesome replacement for Acrobat Reader. I've been deploying it for users at various companies for years now and haven't had any issue with it. It's full featured and of the hundreds of workstations I've installed it on I can think of twice that there has been some kind of compatibility issue, and both of those were over 2 years ago.

Hey, any idea if the free version of Foxit (more specifically the free version for Linux) does a decent job of handling PDF forms? Adobe Reader for Linux is a train wreck and none of the Open Source PDF readers seem to handle forms decently. I'm tired of being stuck with either the horrible Linux version of Adobe, or running the Windows version in a VM.
(this space intentionally left blank)
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sun Oct 20, 2013 10:20 am

just brew it! wrote: Hey, any idea if the free version of Foxit (more specifically the free version for Linux) does a decent job of handling PDF forms?


That's a great question. Wish I had a better answer than "I have no idea." I'm a relative Linux newb. From the quality of the software I have seen on the Windows side my guess is it will handle them really really well. There are a few people at work that live exclusively in the Linux world. I can see if they have any suggestions.
LaChupacabra
Gerbil First Class
Gold subscriber
 
 
Posts: 136
Joined: Tue Dec 30, 2008 10:59 pm

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sun Oct 20, 2013 10:56 am

NovusBogus wrote: Very useful info. My experience is that [ALL] AV software sucks at dealing with application-level malware.


Understatement of the century, the entire industry is a joke with a failed model for catching malware. (but not for lining their pockets)

One of the guys who keeps a massive collection of driveby malware likes to do periodic AV tests on the last batch. I can't even remember the last time anything broke 50%, last one I saw they are struggling to hit 25. Keep in mind this is with the latest signatures they have that day, and a lot of it is months old.

PS, PDF == EXE, treat accordingly.
blah blah blah signature blah blah blah
Bauxite
Gerbil Elite
 
Posts: 609
Joined: Sat Jan 28, 2006 12:10 pm
Location: electrolytic redox smelting plant

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sun Oct 20, 2013 11:36 am

I'd be curious how MBAM fared in that test, from what I've seen it's far more effective at dealing with post-2005 threats than AVG, Norton etc.

Foxit looks interesting, I might have to check that out. Adobe has gotten more and more frustrating over the years, not just security issues but feature bloat, pricing structure, and how they push bundling. Now you can't even buy a license for their multimedia stuff anymore, it's all web-based and you have to pay rent forever. Lame.
NovusBogus
Gerbil Elite
 
Posts: 516
Joined: Sun Jan 06, 2013 12:37 am

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sun Oct 20, 2013 11:43 am

Bauxite wrote: I can't even remember the last time anything broke 50%, last one I saw they are struggling to hit 25. Keep in mind this is with the latest signatures they have that day, and a lot of it is months old.

Just FYI, antimalware companies usually try to add detection of "active" malware (meaning the payload files which can actually infect), not some obscure non-functioning .exe file with some malware-like text string in them. This is why these private "collections" with 100000 of random .exe files are worthless for testing/comparing these products.

NovusBogus wrote: I'd be curious how MBAM fared in that test, from what I've seen it's far more effective at dealing with post-2005 threats than AVG, Norton etc.

MBAM does nothing useful against "traditional" viruses/trojans/rootkits, it mostly deals with Adware, browser hijackers and similar things.
JohnC
Gerbil Jedi
Gold subscriber
 
 
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Sun Oct 20, 2013 4:22 pm

JohnC wrote: MBAM does nothing useful against "traditional" viruses/trojans/rootkits, it mostly deals with Adware, browser hijackers and similar things.

I must disagree here. I've used it to help clean up some fairly nasty infections in the past, and while it doesn't detect (or remove) everything, claiming that it does "nothing" against traditional viruses/trojans/rootkits is blatantly incorrect.
just brew it!
Administrator
Gold subscriber
 
 
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Tue Oct 22, 2013 6:07 am

MBAM actually removed the same version of this same virus from another machine 2 days later. So MBAM has for sure become a part of my regular scan routine.

I have to say that I'm also sort of getting a bit worn out of AV programs doing little to prevent viruses and just playing clean up after the fact. I'd say 1 out of every 5 or 6 virus removals I do the AV had become corrupt from the virus itself. Obviously not doing a great job.

I will say that I've tried Avast's new Safe Zone browsing program that installs with version 9... I'm impressed. It almost acts like a virtual browser or machine but doesn't appear to have any performance hits even if you watch HD YouTube videos. I attempted to record my session in Safe Zone (started before opening) and found the recording goes blank for the duration that you stay in the Safe Zone. Tried this with FRAPS. Supposedly immune to keyloggers and any sort of remote viewing/pictures etc., supposed to use it for Banking and other online shopping. We shall see....
Welch
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2639
Joined: Thu Nov 04, 2004 5:45 pm
Location: Fairbanks, Alaska

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Tue Oct 22, 2013 2:19 pm

just brew it! wrote:
JohnC wrote: MBAM does nothing useful against "traditional" viruses/trojans/rootkits, it mostly deals with Adware, browser hijackers and similar things.

I must disagree here. I've used it to help clean up some fairly nasty infections in the past, and while it doesn't detect (or remove) everything, claiming that it does "nothing" against traditional viruses/trojans/rootkits is blatantly incorrect.

You're right, it can remove some of them, but as I said, it's not the primary function of this program.

Welch wrote: I have to say that I'm also sort of getting a bit worn out of AV programs doing little to prevent viruses

You need to use good ones, not junk that is also available as a "free version" :wink: I've had 0 infections so far with the "plain" version of Kaspersky antivirus (the "internet security" version is an unnecessary waste of $$$ and system resources) and I remember being impressed by it warning me of "suspicious behavior" of one of Planetside 2's official updates (back when I used to play it many months ago) and showing the detailed log of the changes the PS2's patcher attempted to do (including the creation and then deletion of .jpg files in a hidden temporary folder). It also warned me about "suspicious behavior" of a certain cheating framework (I cannot name it) I've been using, for obvious reasons, even when PunkBuster was doing absolutely nothing (as usual) :wink:
JohnC
Gerbil Jedi
Gold subscriber
 
 
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

AV, staying crappy since 199X

Posted on Tue Oct 22, 2013 3:07 pm

JohnC wrote:
Bauxite wrote: I can't even remember the last time anything broke 50%, last one I saw they are struggling to hit 25. Keep in mind this is with the latest signatures they have that day, and a lot of it is months old.

Just FYI, antimalware companies usually try to add detection of "active" malware (meaning the payload files which can actually infect), not some obscure non-functioning .exe file with some malware-like text string in them. This is why these private "collections" with 100000 of random .exe files are worthless for testing/comparing these products.


Just FYI, this is a collection of pcaptures from websites with drive-by malware. Thanks for playing, please come again.
Bauxite
Gerbil Elite
 
Posts: 609
Joined: Sat Jan 28, 2006 12:10 pm
Location: electrolytic redox smelting plant

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Tue Oct 22, 2013 5:21 pm

You may believe in whatever you want to, doesn't mean that it's (the private collection consisting of active malware) actually true.
JohnC
Gerbil Jedi
Gold subscriber
 
 
Posts: 1886
Joined: Fri Jan 28, 2011 2:08 pm
Location: NY/NJ/FL

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Tue Oct 22, 2013 6:38 pm

For PDF files I have substituted Foxit Reader 2.0 for a few years. It is fast, small, and efficient. It is a standalone exe program, but will register itself in Win XP. Newer Windows will require an "open with" registration or a newer version that installs, registers, and is larger.

I have found that the older machines are more responsive with Adobe reader removed.

Jim
xgsound
Gerbil
 
Posts: 61
Joined: Wed Jul 20, 2005 10:48 pm
Location: Pittsburgh, PA

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted on Thu Oct 24, 2013 5:02 am

I've not been using junk AV programs and myself have not found a single virus on my system in years. Avast Internet Security has proven to be very effective. Rarely I'll come across a machine infected by a user or two who are famous for going places they shouldn't, clicking on things they shouldn't, and disabling the damn antivirus when they shouldn't. It's why I love Avast's SOA console where I can lock down the AV with a centralized password that's required to interact with it at all (including disabling it).

You should also know that Kaspersky, which I've also used extensively, detected suspicious activity with Planetside 2. The latest update to Planetside 2 is back at it and Avast also shows that same warning and blocks it unless made an exception. Sony just hasn't done a good job of coding the .exe, and/or it's now a legitimate virus. Sony is still the target of hacker efforts; it's not unlikely that their legit updates have been compromised by hacker efforts.
Welch
Minister of Gerbil Affairs
Gold subscriber
 
 
Posts: 2639
Joined: Thu Nov 04, 2004 5:45 pm
Location: Fairbanks, Alaska
