Tricky Virus Keeps Coming Back

Perryg114

Senior member
Jan 22, 2001
768
4
81
My wife's computer is sick. It got a virus, you know, one of those that brings up the fake virus software. It disabled Task Manager and Norton Antivirus. I took the disk out and did a scan on it using another machine and it found no viruses, but the virus was still there. I rebooted it in safe mode and went back about a week and let it restore things. Well, that worked for a day or two and now it is back again. I think she got the virus by downloading some coupon software. Should I stop messing with it and reload the machine, or load a backup from a while back that is on WHS? How do I know how far to go back? Here is what I have on the virus. The window that comes up says "Security Suite Innovative Protection for your PC", yeah right. Also it tried to send me to antivpwr.com to download more viruses. Oddly enough this happened right after my wife installed IE8. This is an XP machine.

Perry
 

C1

Platinum Member
Feb 21, 2008
2,340
90
91
A friend wants me to come over and help him remove this malware from his notebook (uses VISTA). This malware supposedly originates from England and there is quite a bit out there (off Google) on how to remove it, so look at that. Probably later on this week I'll have more to say about removal experiences.
 

GrumpyMan

Diamond Member
May 14, 2001
5,780
264
136
Can't this company doing this get arrested or something? I mean it is clear who is doing this crap.
 

Perryg114

Senior member
Jan 22, 2001
768
4
81
I would think that the credit card companies could track these guys down and get them arrested. Thanks for the info zagood. I will give it a try. I have no reason not to at this point. The computer had viruses on it before that Norton was able to fix, but the wife installing IE8 may have revived some of them. I wish I knew how she got the virus so I could tell her not to do that again LOL.

Perry
 

C1

Platinum Member
Feb 21, 2008
2,340
90
91
Looking carefully at the description as to how the malware works (note I use the term malware because I don't think it is classified as a virus per se, and that's part of the issue), it relies upon one "clicking" on a link. That, effectively, IS TANTAMOUNT TO YOUR AUTHORIZATION.

The malware is packaged or included usually with a main something else (like a video) that the reviewer chooses to view. Once one does that, the malware installs itself. (There may even be some warning, but it goes unnoticed by the victim as intended by the malware agent.) I suspect that the developers/distributors of Security Agent have purchased from each of the main sites the right to be included in their customer webpage download. Probably the only way to get it off the networks is for people to complain directly to the sites which host/allow its sponsoring.

As for me, just another reason why I don't waste my time with anti-virus or anti-spyware software, but use instead Centurion's "Smart Restart" (ie, the old "Drive Shield").
 

RavenSEAL

Diamond Member
Jan 4, 2010
8,661
3
0
Wipe that thing if you can, clean windows installs always do the trick. Just be careful with USB devices.
 

C1

Platinum Member
Feb 21, 2008
2,340
90
91
Oh yes, forgot to add that this is one of the reasons why one is not supposed to surf in an account authorized to have Administration privileges (and why Microsoft added the big deal UAC default enable to VISTA).

Always create a separate account for yourself that does not have Administrative privileges and use that to surf. Use the Admin account for maintenance (eg, add/remove programs, modify startups, updates, etc.)

Before wiping the drive, I would attempt a malware removal:
http://deletemalware.blogspot.com/2010/08/how-to-remove-security-suite-malware.html

or

Perform a Windows "repair"
 

Perryg114

Senior member
Jan 22, 2001
768
4
81
I got the malware off the computer but IE says it can't access the proxy server. So how do I fix that? I used Malwarebytes to remove it. You can hit Ctrl+Alt+Delete to get into Task Manager and kill the files that run the virus software, but you have to do it as soon as possible, before the software loads. I was then able to update Malwarebytes so it would find all the viruses.

Perry
 

spinejam

Diamond Member
Feb 17, 2005
3,503
1
81
To fix internet connection:

Click Internet Explorer > Tools > Internet Options > Connections > LAN Settings > Uncheck the Proxy Server box > click OK.
Close all Internet Explorer windows.
Click Internet Explorer (should work now!)
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Should I stop messing with it and reload the machine or load a backup from a while back that is on WHS. How do I know how far to go back?
That's what I do if there's a WHS backup available.

If you aren't sure when the malware got loaded, you go back as far as you dare without losing too many installed programs. Then you do a second restore from WHS, restoring the latest data files, since these are seldom contaminated by malware.

If you didn't go back far enough, you just do another restore going back even further. Actually, if you know what specific files to look for, you could look over the file structure of the various WHS backups and find where the "bad" files were first introduced.
 
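The approach RebateMonger describes (walk the backups, find where the bad files first showed up, restore the system from the last backup before that and the data files from the newest one) can be automated once you have a content hash per file per backup. The following is an added example, not code from the thread or from WHS; it works on a constructed in-memory sample of four backups (a trojanised mouse.exe and the displaced "mouse .exe" appear in the third one), and the path names, dates and hashes are all made up for illustration. Feeding it a real backup set would mean replacing SAMPLE_BACKUPS with hashes gathered from each mounted backup.

```python
"""Locate the backup in which suspect files were introduced and plan a two-step restore.

Added example with constructed sample data; not code from the thread or from WHS.
"""
import hashlib
from datetime import date


def _h(data: bytes) -> str:
    """SHA-256 of a file's contents; stands in for a hash gathered from a mounted backup."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: four backups, each a {path: content-hash} map.
MOUSE = r"C:\Windows\System32\mouse.exe"          # hypothetical startup executable
MOUSE_SPACED = r"C:\Windows\System32\mouse .exe"  # displaced original (space before the dot)
BUDGET = r"C:\Docs\budget.xls"                    # user data file, changes every week
CLEAN_MOUSE = _h(b"clean mouse.exe v1")
BAD_MOUSE = _h(b"trojanised mouse.exe")

SAMPLE_BACKUPS = {
    date(2010, 9, 1):  {MOUSE: CLEAN_MOUSE, BUDGET: _h(b"budget v1")},
    date(2010, 9, 8):  {MOUSE: CLEAN_MOUSE, BUDGET: _h(b"budget v2")},
    date(2010, 9, 15): {MOUSE: BAD_MOUSE, MOUSE_SPACED: CLEAN_MOUSE, BUDGET: _h(b"budget v3")},
    date(2010, 9, 22): {MOUSE: BAD_MOUSE, MOUSE_SPACED: CLEAN_MOUSE, BUDGET: _h(b"budget v4")},
}


def introduced_on(backups, path):
    """Earliest backup whose copy of `path` is byte-identical to the newest copy.

    Returns None when the path is absent from the newest backup.  A clean file
    that was silently replaced therefore reports the date of the replacement,
    not the date the path first existed.
    """
    target = backups[max(backups)].get(path)
    if target is None:
        return None
    for day in sorted(backups):
        if backups[day].get(path) == target:
            return day
    return None


def last_clean_backup(backups, suspect_paths):
    """Newest backup that predates the introduction of every suspect file."""
    first_seen = [d for d in (introduced_on(backups, p) for p in suspect_paths) if d is not None]
    if not first_seen:
        return max(backups)          # nothing suspicious in the newest backup
    cutoff = min(first_seen)
    candidates = [d for d in backups if d < cutoff]
    return max(candidates) if candidates else None


def plan_restore(backups, suspect_paths, data_prefixes):
    """Two-step plan: system from the last clean backup, data files from the newest one."""
    newest = max(backups)
    data_files = sorted(p for p in backups[newest] if p.startswith(tuple(data_prefixes)))
    return {
        "system_from": last_clean_backup(backups, suspect_paths),
        "data_from": newest,
        "data_files": data_files,
    }


if __name__ == "__main__":
    for p in (MOUSE, MOUSE_SPACED):
        print(f"{p} first seen in its current form on {introduced_on(SAMPLE_BACKUPS, p)}")
    print(plan_restore(SAMPLE_BACKUPS, [MOUSE, MOUSE_SPACED], ["C:\\Docs\\"]))
```

The split between "system" and "data" is the point of the two restores: the oldest safe backup loses the fewest programs, while user documents come from the newest backup because, as the post says, they are seldom where the malware lives.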

Modelworks

Lifer
Feb 22, 2007
16,240
7
76
I would think that the credit card companies could track these guys down and get them arrested.

One of the problems with prosecuting malware creators is you first have to find them, they have to be in a country friendly to your country's laws, and it has to be worth the effort to cover all the costs associated with bringing it to a court.

I am probably one of the few people in the world who actually takes the time to track down every single piece of malware I get. Whenever I get a system infected I don't just remove it, I track it back to where the system got it from, then how it got to that system, and so on as far back as I can go, each time contacting whatever server hosted the malware. I also reverse engineer the malware to see who created it, and if there are sites that the malware contacts to send back info like personal information I track down those too. So far in the past 5 years of doing this I have gotten a total of 3 people prosecuted out of about 200+ different malware items, so it is not easy. 2 of the people were in Europe and 1 was in the USA.

If the malware traces back to China then you can forget anything ever being done. Best hope is to contact whoever helped get it to other countries and remove that route. Of course they will find another. If more people would take the time to actually notify sites that spread infections instead of just running a program to remove it then there would be less of it.

Just yesterday I got an email appearing to be from PayPal. This wasn't the ordinary "send me your information" spam. It looked very official; the links opened a page that was exactly like the PayPal page in every way except the PayPal address was not correct. It even had a fake SSL cert to make the site appear secure. I contacted PayPal, but it takes time for them to get a site taken down and in the meantime I imagine there will be lots of people taken by the site.
 

onetwolaugh

Junior Member
Dec 13, 2007
1
0
0
These ransomware viruses/malware get on your PC via a web page. It usually is a script that fires off and looks like a virus scan of your own PC, but it's just a web page running. It will then tell you that you are infected and to click here to correct. But since it is just a web page, what you are doing is basically "click here to install".

This is probably a real stealthy beast. It hides itself in your startup files. ie; you may be loading mouse.exe, this guy will replace mouse.exe with the virus file and rename the original file "mouse .exe" (puts a space before the dot). When startup fires off it will execute mouse.exe (the virus), which calls the "mouse .exe" - both files are now running.
It may alter your IE proxy setting, which will then not allow you to download Malwarebytes. Start your PC in safe mode with networking, download Malwarebytes and install, execute and get updates, scan. (If the IE proxy is hosed - Tools > Internet Options > Connections tab > LAN Settings - un-click proxy. Exit IE and run again.)
Malwarebytes will find things but it will show a bunch of your system files as the problem because the virus has assumed their names. You may have to get replacements from the vendor (new drivers, DLLs or whatever.)
Good Luck
 
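Two of the symptoms in onetwolaugh's post (and the proxy fix spinejam gives above) can be checked from a script rather than by eye: a startup executable whose displaced original sits beside it as "name .exe", and an Internet Explorer proxy that has been switched on behind the user's back. The block below is an added example, not code from the thread or from any of the tools it names. It builds a constructed temporary folder reproducing the "mouse .exe" trick, and the proxy checker works on a plain dict in the shape of the HKCU Internet Settings values (ProxyEnable, ProxyServer, AutoConfigURL); the optional read_live_proxy_settings() reads those real values via winreg on a Windows host and returns an empty dict elsewhere. The rule that a home machine normally has no proxy configured is an assumption of the example, not something the thread states.

```python
"""Flag displaced-original executables and a tampered IE proxy setting.

Added example with constructed sample data; not code from the thread or from Malwarebytes.
"""
import re
import tempfile
from pathlib import Path

# Matches names such as "mouse .exe": whitespace directly before the extension dot.
LOOKALIKE_RE = re.compile(r"^(?P<stem>\S.*?)\s+\.(?P<ext>exe|dll|sys|com)$", re.IGNORECASE)

# Real registry location of IE's proxy settings (HKEY_CURRENT_USER).
INTERNET_SETTINGS_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"


def find_displaced_originals(directory):
    """Return (suspect, displaced_original) pairs found in `directory`.

    A pair is reported only when both "name.exe" and "name .exe" exist: the
    spaced copy is the renamed original and the unspaced file now runs in its place.
    """
    names = [p.name for p in Path(directory).iterdir() if p.is_file()]
    lowered = {n.lower() for n in names}
    findings = []
    for name in sorted(names):
        m = LOOKALIKE_RE.match(name)
        if not m:
            continue
        unspaced = f"{m.group('stem')}.{m.group('ext')}"
        if unspaced.lower() in lowered:
            findings.append((unspaced, name))
    return findings


def proxy_indicators(settings):
    """Reasons the proxy configuration looks tampered; empty list means nothing to report.

    `settings` maps value names to data as stored under Internet Settings.
    Assumption (example only): a home PC is expected to have no proxy at all.
    """
    reasons = []
    enabled = int(settings.get("ProxyEnable", 0) or 0)
    server = str(settings.get("ProxyServer", "") or "")
    if enabled and server:
        reasons.append(f"proxy enabled, traffic routed via {server}")
        # ProxyServer may be "host:port" or "http=host:port;https=host:port".
        host = server.split(";")[0].split("=")[-1].split(":")[0]
        if host in ("127.0.0.1", "localhost"):
            reasons.append("proxy points at the local machine (typical of a resident interceptor)")
    if settings.get("AutoConfigURL"):
        reasons.append(f"automatic configuration script set: {settings['AutoConfigURL']}")
    return reasons


def read_live_proxy_settings():
    """Read the real values on a Windows host; returns {} on other platforms."""
    try:
        import winreg
    except ImportError:
        return {}
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_SETTINGS_KEY) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass   # value not present, which is the normal state for most of them
    return out


def build_sample_startup_dir():
    """Constructed sample folder reproducing the trick from the post (plus two decoys)."""
    d = Path(tempfile.mkdtemp(prefix="startup_sample_"))
    for n in ("mouse.exe", "mouse .exe", "sound.exe", "readme.txt", "audio .dll"):
        (d / n).write_bytes(b"sample bytes")   # contents are irrelevant to the name check
    return d


if __name__ == "__main__":
    for suspect, original in find_displaced_originals(build_sample_startup_dir()):
        print(f"{suspect} now runs in place of {original!r}")
    for reason in proxy_indicators({"ProxyEnable": 1, "ProxyServer": "127.0.0.1:5555"}):
        print("proxy:", reason)
    for reason in proxy_indicators(read_live_proxy_settings()):
        print("live:", reason)
```

Note that "audio .dll" in the sample is deliberately not reported: without an unspaced twin there is nothing standing in for it, so the name alone is not evidence. The same caution applies to what Malwarebytes shows, as the post says: it is the pairing, not the file name, that tells you which copy is the impostor.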

Steltek

Diamond Member
Mar 29, 2001
3,222
991
136
Yeah, they usually pair the malware with a rootkit to make it harder to get rid of.

SuperAntiSpyware is also a really good tool for removing these types of malware infections, especially when used in combination with Malwarebytes Anti-malware - there aren't many things out there that can escape detection and removal by at least one of the two.

I used to use Spybot Search and Destroy, but moved to Superantispyware after I ran into several malware infections this year that I was trying to fix for other folks that it couldn't detect. No big loss, though, as the upside is I don't have to mess with Teatimer (a component of Spybot) anymore.
 

StinkyPinky

Diamond Member
Jul 6, 2002
6,886
1,103
126
My wife's computer is sick. It got a virus, you know one of those that brings up the fake virus software. It disabled task manager and Norton antivirus. I took the disk out and did a scan on it using another machine and it found no viruses but the virus was still there. I rebooted it in safe mode and went back about a week and let it restore things. Well that worked for a day or two and now it is back again. I think she got the virus by downloading some coupon software. Should I stop messing with it and reload the machine or load a backup from a while back that is on WHS. How do I know how far to go back? Here is what I have on the virus. The window that comes up says "Security Suite Innovative Protection for your PC", yeah right. Also it tried to send me to antivpwr.com to download more viruses. Oddly enough this happened right after my wife installed IE8. This is an XP machine.

Perry

These types of things often hide installers in the System Restore area. I always purge System Restore when cleaning out these types of things.

In fact, I never enable it in the first place.
 

bankster55

Golden Member
Mar 24, 2010
1,124
0
0
There are thousands of these fake AV trojans, varying from bad to extremely nasty.
They can shut off all anti-virus/firewalls, prevent safe boot, prevent restore, prevent going on the internet, etc.
These guys even have fake websites for things like ComboFix and AVG, so you download/install even more crappola.

Just go to google images and type "fake anti-virus" and have a jaw dropping experience.

Virtually everyone I know (non geeks) have now or have had one of these things installed.

A routine I have created for the "wives/kids/employees" crowd is this.......
You must never click anywhere on any popup warning or offer
If it appears, to get rid of it you must:
Go to taskmanager and shut off Firefox while all tabs and popups are running.
Disconnect from internet.
Restart Firefox and close out all tabs that are trying to load - you will have time to do this since no internet.
Shut down FF
Restart internet.
"Start new session"

I have gotten these even tho MWB and SAS were running with latest defs - went right by them
However, a neat little freeware app called Private Firewall has saved me a coupla times from fake AV that have tried to phone home on the internet simultaneously with a popup/popunder. This sw has a rather smallish plain GUI - nothing fancy, but it really works and co-exists nicely with other AV.
http://www.privacyware.com/personal_firewall.html

Comodo will stop anything, but I find it annoying - it's too good, but they also have added the sandbox so you can try stuff before allowing it to run on your system.
http://www.youtube.com/watch?v=zZdgDtV9pwI&feature=related
Latest Kaspersky bootable CD/USB rescue disk is pretty good, and makes an internet connection from CD for updates
KRBD20100901.iso (2010 Sep 1)
Kaspersky is also coming out with new "Pure" and "Crystal" more extended protection suites.
 

Perryg114

Senior member
Jan 22, 2001
768
4
81
I finally got it off the wife's machine but it tried to come back. Norton caught some stuff as well. I had to run MWB and Norton full scans several times to get all the pieces. She got a different fake AV virus on her laptop at the same time, but it was not as nasty as the one on her desktop.

Perry
 

grandosegood

Junior Member
Sep 30, 2010
6
0
0
I would suggest using Malwarebytes to fight malware and rkill to temporarily stop the malware from disabling everything. Then, after Malwarebytes has run, I would use a boot CD such as Avast or Hiren's Mini XP. Paying close attention to files that end in .sys, I would replace them with a clean copy and then clear or deactivate/activate pagefile.sys. This, in my experience, is the best method for cleaning viruses/spyware.
 

tomatom

Senior member
Jul 27, 2002
331
0
0
1. RESTART

2. AS QUICK AS POSSIBLE, RUN > MSCONFIG > STARTUP > Uncheck
anything unfamiliar &/or NOT NEEDED

3. SPYBOT OR ANYTHING SIMILAR
 