"Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Fri Oct 18, 2013 6:27 pm
by Welch
Well, there is a new fun piece of ransomware (buy our anti-virus/backup software to "fix" your machine) out there. This particular virus was found on a machine today, the first time I've seen it, where it popped up on the user. The machine was in an office environment and the user claimed to have noticed this after opening a PDF file. Looking at it, the machine is 100% up to date on Windows updates BUT is using Adobe version 10.1.7, so a bit out of date there. The newest recycled thing for viruses to do lately is disable your ability to open Windows Task Manager. So we are going to go CMD on this virus's ass.

This one doesn't even give itself a name. It just says your machine needs to be backed up and that by clicking "OK" you can go online to do this for free. ComboFix, AdwCleaner, RKill and Avast all don't even notice it running. So if you'd like to shut it down for manual killing I'd suggest the following, minus the " " as usual.


1.) Open a command prompt (Start Menu > type the letters CMD > press Enter)
2.) Type "tasklist" - This lists all running processes, the same list Task Manager would show, which you will find yourself unable to open using CTRL + ALT + DELETE due to the virus.
3.) Look through your list of processes and identify which is your culprit. One of these does not belong. Mine was named "xnwnna33.exe"
4.) Type "taskkill /im processname.exe /f" - The /im is for image name and the /f is to forcibly close the image you specified.

Note, this will ONLY shut off the virus process that is running and will NOT remove it for good. You will still need to find the actual offending file(s) and remove them. On the system I fixed, the virus files were located in C:\ProgramData in the form of 3 files. 2 of those files were just executables and 1 was a .pf (prefetch file). Removing these manually and cleaning out Windows Task Scheduler resolved the issues.


You'll also want to go in under Services.msc and make sure that the Security Center service is not set to Disabled. If it is, set it back to the Windows default of Automatic and then start the service. As usual, when removing infections, run a round of your favorite updated scanners that day and possibly the next just to make sure the Anti-Virus/Anti-Malware guys have caught up to the new infection.

Hopefully this will help someone remove crap like this off their system until the guys at the AV companies update their repository. Happy hunting Gerbils.
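The tasklist/taskkill procedure above, plus the follow-up checks the post describes (dropped files under C:\ProgramData, Task Scheduler entries, the Security Center service), as an added PowerShell example that is not part of the original post. It assumes an elevated Windows PowerShell 3 or later prompt on Windows 7 or newer. The list of "suspect" directories, the seven-day file age cutoff, the Run-key check and the signature column are this example's own choices, not anything the post prescribes; it generalises the single ProgramData case to the other user-writable locations this kind of dropper typically uses.

```powershell
# Added example, not from the original post. Assumes an elevated Windows
# PowerShell 3+ prompt on Windows 7 or later. $SuspectDirs, the age cutoff and
# the "unsigned" column are illustrative choices, not from the original post.

# 1. Directories a scareware dropper commonly writes to; the post's sample
#    lived in C:\ProgramData. These are user-writable, and legitimate updaters
#    also run from here, so review the list before killing anything.
$SuspectDirs = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP)

function Get-SuspectProcess {
    # "tasklist" equivalent, but with image path and Authenticode status, which
    # is what you actually need to spot the one that "does not belong".
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $p = $_
        $fromSuspectDir = $false
        foreach ($d in $SuspectDirs) {
            if ($d -and $p.Path -like "$d\*") { $fromSuspectDir = $true }
        }
        if ($fromSuspectDir) {
            # NotSigned is a hint only: on Windows 7 catalog-signed Microsoft
            # binaries also report NotSigned here, so never kill on that alone.
            $sig = Get-AuthenticodeSignature -FilePath $p.Path
            [pscustomobject]@{
                Id        = $p.Id
                Name      = $p.ProcessName
                Path      = $p.Path
                Signature = $sig.Status
            }
        }
    }
}

$suspects = Get-SuspectProcess
$suspects | Format-Table -AutoSize

# 2. "taskkill /im name.exe /f" equivalent. -Confirm prompts per process so a
#    legitimate updater that happens to live in AppData is not killed blindly.
foreach ($s in $suspects) {
    Stop-Process -Id $s.Id -Force -Confirm
}

# 3. Killing the process leaves the dropped files and persistence behind.
#    Recently written executables (and the .pf the post mentions) in the same
#    directories are the first place to look.
$cutoff = (Get-Date).AddDays(-7)
foreach ($d in $SuspectDirs) {
    if ($d) {
        Get-ChildItem -Path $d -Recurse -Force -Include *.exe,*.dll,*.pf -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff } |
            Select-Object FullName, LastWriteTime
    }
}

#    Scheduled tasks whose action runs out of those directories. schtasks is
#    used instead of Get-ScheduledTask so this also works on Windows 7.
$tasks = schtasks /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }   # drop repeated header rows
foreach ($d in $SuspectDirs) {
    if ($d) {
        $tasks | Where-Object { $_.'Task To Run' -like "*$d*" } |
            Select-Object TaskName, 'Task To Run', 'Scheduled Task State'
    }
}
# Remove a confirmed bad task with:  schtasks /delete /tn "<TaskName>" /f

#    The usual Run keys are the other common relaunch point; show their values.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    Get-ItemProperty -Path $k -ErrorAction SilentlyContinue |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

# 4. Scareware often disables Security Center (wscsvc) so Windows stops
#    nagging about the AV being off. Restore the default and start it.
$wsc = Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'"
if ($wsc.StartMode -eq 'Disabled') {
    Set-Service -Name wscsvc -StartupType Automatic
    Start-Service -Name wscsvc
}
Get-WmiObject -Class Win32_Service -Filter "Name='wscsvc'" |
    Select-Object Name, State, StartMode
```

Two caveats when running this: an elevated prompt resolves $env:APPDATA, $env:LOCALAPPDATA and $env:TEMP to the administrator's profile, so on a machine where the infected account is a different user, add that user's C:\Users\<name>\AppData paths to $SuspectDirs by hand; and the HKCU Run key shown is likewise the elevated user's, so load or inspect the victim's hive for the same key.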

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Fri Oct 18, 2013 7:10 pm
by Flying Fox
Is it still not time to have that user run as a user instead of Admin?

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Fri Oct 18, 2013 8:24 pm
by JohnC
You should've saved a sample to play around with (to test out other products, etc.) or at least submitted it to antimalware companies...

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Fri Oct 18, 2013 9:59 pm
by drsauced
Wow, great information! I'm using AD to push install Reader 11 for network users. For the student lab I'm using Ninite Pro, which does a great job actually, updating lots of common software that doesn't come with a .msi.

I've noticed a good bit of software, Chrome comes to mind, that doesn't require admin privileges or elevation to install. It's limited to the user profile, so at least you can nuke the profile and get clean again.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sat Oct 19, 2013 8:02 pm
by Welch
I'd agree 100% with making them a user, but this was a personal machine brought to me. So disabling their ability to administer their own machine (I know, funny) just isn't an option. In a network environment, hell yes. Make all user accounts standard users and just run as administrator when needed. Describing that process to some home users is about as Greek as explaining calculus to a third grader (or myself).

Edit: Just realized in my explanation before I said it was an office machine. I was getting it mixed up with a personal machine in the office. It is in fact a personal machine where the user was opening PDF files for his own "business" so to speak.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sat Oct 19, 2013 8:25 pm
by NovusBogus
Very useful info. My experience is that 'traditional' AV software sucks at dealing with application-level malware.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sat Oct 19, 2013 8:28 pm
by LaChupacabra
This is off-topic, but it is a security issue. And given the situation you described it is relevant to the conversation of maintaining good application control and security standards on your network.

There are only a handful of companies that are worthy of disdain in the IT world, Adobe is one of them. The last 2 years have seen some pretty major security breaches for them. Around this time last year they disclosed that servers they were using to compile code had been compromised, with hackers being able to digitally sign malicious code using an Adobe cert. These certs are part of how UAC verifies if an application is malicious or not.

And just a few weeks ago Adobe publicly revealed that 2.9 million user accounts had been compromised, along with an undisclosed amount of credit cards associated with those accounts. If that weren't enough source code for as yet undetermined products was also taken after the accounts were accessed. Adobe has indicated that source code for Acrobat "may" have been targeted.

But complaining about a company being terrible isn't useful unless there is a good solution. Foxit is a pretty awesome replacement for Acrobat Reader. I've been deploying it for users at various companies for years now and haven't had any issue with it. It's full featured, and of the hundreds of workstations I've installed it on I can think of twice that there has been some kind of compatibility issue, and both of those were over 2 years ago. With the potentially severely compromised state of Acrobat Reader it is worth investigating if you can remove it completely from your network. If you sign up for a free account they will even provide a .msi of the installer with some XML and (if it's your thing) some Group Policy enhancements that allow for robust management of settings within the application (enforce security features, things like that). All for the low low cost of nothing. I am currently vetting the paid-for version of Foxit for compatibility with features required for business processes, and if it is compatible, you better believe I am not deploying Acrobat or Acrobat Pro ever again.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sat Oct 19, 2013 9:09 pm
by fuzzhead
Or boot a WinPE disk and run RogueKiller. Or Hirens BootCD.

http://www.sur-la-toile.com/RogueKiller/

It will remove AV pro among others.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sat Oct 19, 2013 11:40 pm
by just brew it!
LaChupacabra wrote:
Foxit is a pretty awesome replacement for Acrobat Reader. I've been deploying it for users at various companies for years now and haven't had any issue with it. It's full featured and of the hundreds of workstations I've installed it on I can think of twice that there has been some kind of compatibility issue, and both of those were over 2 years ago.

Hey, any idea if the free version of Foxit (more specifically the free version for Linux) does a decent job of handling PDF forms? Adobe Reader for Linux is a train wreck and none of the Open Source PDF readers seem to handle forms decently. I'm tired of being stuck with either the horrible Linux version of Adobe, or running the Windows version in a VM.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sun Oct 20, 2013 10:20 am
by LaChupacabra
just brew it! wrote:
Hey, any idea if the free version of Foxit (more specifically the free version for Linux) does a decent job of handling PDF forms?


That's a great question. Wish I had a better answer than "I have no idea." I'm a relative Linux newb. From the quality of the software I have seen on the Windows side my guess is it will handle them really really well. There are a few people at work that live exclusively in the Linux world. I can see if they have any suggestions.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sun Oct 20, 2013 10:56 am
by Bauxite
NovusBogus wrote:
Very useful info. My experience is that [ALL] AV software sucks at dealing with application-level malware.


Understatement of the century, the entire industry is a joke with a failed model for catching malware. (but not for lining their pockets)

One of the guys who keeps a massive collection of driveby malware likes to do periodic AV tests on the last batch. I can't even remember the last time anything broke 50%, last one I saw they are struggling to hit 25. Keep in mind this is with the latest signatures they have that day, and a lot of it is months old.

PS, PDF == EXE, treat accordingly.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sun Oct 20, 2013 11:36 am
by NovusBogus
I'd be curious how MBAM fared in that test, from what I've seen it's far more effective at dealing with post-2005 threats than AVG, Norton etc.

Foxit looks interesting, I might have to check that out. Adobe has gotten more and more frustrating over the years, not just security issues but feature bloat, pricing structure, and how they push bundling. Now you can't even buy a license for their multimedia stuff anymore, it's all web-based and you have to pay rent forever. Lame.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sun Oct 20, 2013 11:43 am
by JohnC
Bauxite wrote:
I can't even remember the last time anything broke 50%, last one I saw they are struggling to hit 25. Keep in mind this is with the latest signatures they have that day, and a lot of it is months old.

Just FYI, antimalware companies usually try to add detection of "active" malware (meaning the payload files which can actually infect), not some obscure non-functioning .exe file with some malware-like text string in it. This is why these private "collections" of 100,000 random .exe files are worthless for testing/comparing these products.

NovusBogus wrote:
I'd be curious how MBAM fared in that test, from what I've seen it's far more effective at dealing with post-2005 threats than AVG, Norton etc.

MBAM does nothing useful against "traditional" viruses/trojans/rootkits, it mostly deals with Adware, browser hijackers and similar things.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Sun Oct 20, 2013 4:22 pm
by just brew it!
JohnC wrote:
MBAM does nothing useful against "traditional" viruses/trojans/rootkits, it mostly deals with Adware, browser hijackers and similar things.

I must disagree here. I've used it to help clean up some fairly nasty infections in the past, and while it doesn't detect (or remove) everything, claiming that it does "nothing" against traditional viruses/trojans/rootkits is blatantly incorrect.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Tue Oct 22, 2013 6:07 am
by Welch
MBAM actually removed the same version of this same virus from another machine 2 days later. So MBAM has for sure become a part of my regular scan routine.

I have to say that I'm also sort of getting a bit worn out by AV programs doing little to prevent viruses and just playing clean-up after the fact. I'd say in 1 out of every 5 or 6 virus removals I do, the AV had been corrupted by the virus itself. Obviously not doing a great job.

I will say that I've tried Avast's new SafeZone browsing program that installs with version 9... I'm impressed. It almost acts like a virtual browser or machine but doesn't appear to have any performance hits even if you watch HD YouTube videos. I attempted to record my session in SafeZone (started before opening) and found the recording goes blank for the duration that you stay in SafeZone. Tried this with FRAPS. Supposedly immune to keyloggers and any sort of remote viewing/pictures etc.; you're supposed to use it for banking and other online shopping. We shall see....

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Tue Oct 22, 2013 2:19 pm
by JohnC
just brew it! wrote:
JohnC wrote:
MBAM does nothing useful against "traditional" viruses/trojans/rootkits, it mostly deals with Adware, browser hijackers and similar things.

I must disagree here. I've used it to help clean up some fairly nasty infections in the past, and while it doesn't detect (or remove) everything, claiming that it does "nothing" against traditional viruses/trojans/rootkits is blatantly incorrect.

You're right, it can remove some of them, but as I said, it's not the primary function of this program.

Welch wrote:
I have to say that I'm also sort of getting a bit worn out of AV programs doing little to prevent viruses

You need to use good ones, not junk that is also available as a "free version" :wink: I've had 0 infections so far with the "plain" version of Kaspersky Anti-Virus (the "Internet Security" version is an unnecessary waste of $$$ and system resources) and I remember being impressed by it warning me of "suspicious behavior" in one of Planetside 2's official updates (back when I used to play it many months ago) and showing the detailed log of the changes the PS2 patcher attempted to make (including the creation and then deletion of .jpg files in a hidden temporary folder). It also warned me about "suspicious behavior" of a certain cheating framework (I cannot name it) I've been using, for obvious reasons, even when PunkBuster was doing absolutely nothing (as usual) :wink:

AV, staying crappy since 199X

Posted: Tue Oct 22, 2013 3:07 pm
by Bauxite
JohnC wrote:
Bauxite wrote:
I can't even remember the last time anything broke 50%, last one I saw they are struggling to hit 25. Keep in mind this is with the latest signatures they have that day, and a lot of it is months old.

Just FYI, antimalware companies usually try to add detection of "active" malware (meaning the payload files which can actually infect), not some obscure non-functioning .exe file with some malware-like text string in them. This is why these private "collections" with 100000 of random .exe files are worthless for testing/comparing these products.


Just FYI, this is a collection of packet captures from websites with drive-by malware. Thanks for playing, please come again.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Tue Oct 22, 2013 5:21 pm
by JohnC
You may believe in whatever you want to, doesn't mean that it's (the private collection consisting of active malware) actually true.

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Tue Oct 22, 2013 6:38 pm
by xgsound
For PDF files I have substituted Foxit Reader 2.0 for a few years. It is fast, small, and efficient. It is a standalone .exe program, but will register itself in Win XP. Newer Windows will require an "open with" registration or a newer version that installs, registers, and is larger.

I have found that the older machines are more responsive with Adobe reader removed.

Jim

Re: "Backup" Virus Removal (AKA Anti-Virus Pro and Others)

Posted: Thu Oct 24, 2013 5:02 am
by Welch
I've not been using junk AV programs and have not found a single virus on my own system in years. Avast Internet Security has proven to be very effective. Rarely I'll come across a machine infected by a user or two who are famous for going places they shouldn't, clicking on things they shouldn't, and disabling the damn antivirus when they shouldn't. It's why I love Avast's SOA console, where I can lock down the AV with a centralized password that's required to interact with it at all (including disabling it).

You should also know that Kaspersky, which I've also used extensively, detected suspicious activity with Planetside 2. The latest update to Planetside 2 is back at it and Avast also shows that same warning and blocks it unless an exception is made. Either Sony just hasn't done a good job of coding the .exe, or it's now a legitimate virus. Sony is still the target of hacker efforts, so it's not unlikely that their legit updates have been compromised by hacker efforts.