Armed Polite Society

Main Forums => The Roundtable => Topic started by: RocketMan on September 09, 2009, 10:57:37 PM

Title: Nasty Malware Going Around
Post by: RocketMan on September 09, 2009, 10:57:37 PM
There is a nasty new rogueware out in the wild called AntiSpy Protector 2009.  There are also variants called PC_AntiSpyware2010 and Advanced Antivirus.  It is also known by the anti-malware companies by one of its common filenames, Braviax.exe.  Braviax has been out for a year or so, but this newest variant started appearing sometime last month.

Most rogues can usually be dealt with, but this one drops two extremely difficult-to-dig-out rootkits on your system that kill almost all anti-malware processes and programs.  It will not allow any of the well-known anti-malware programs to run after they have been installed.  It stops most file, service, or hidden process scans.  It prevents the use of almost all good anti-rootkit scanners.  It changes permissions on important system files, and generally causes havoc with your system.
If it pops up on your screen, just pull the plug on your PC.  Unlike most other rogues, this one has been known to self-install without any user intervention at all.  Granted, pulling the plug on your Windows machine can sometimes cause problems, but the misery caused by this bug is far worse.  It's much easier to deal with the aftereffects of an unexpected power down than it is to root out this malware.

I've dug out a lot of malware in my time, but this one is by far the worst I have ever encountered.  It took me four days of research to find the tools and a process to dig this one out.  If you run across it, shoot me a message and I will pass on what I have learned.

Be careful out there.
Title: Re: Nasty Malware Going Around
Post by: RaspberrySurprise on September 09, 2009, 11:10:59 PM
This is why good backups are essential, because sometimes it is far, far easier to kill it with fire and just repartition, reformat, and reinstall.
Title: Re: Nasty Malware Going Around
Post by: Standing Wolf on September 09, 2009, 11:43:27 PM
The gods be thanked the government is waging war against the people who write that stuff!
Title: Re: Nasty Malware Going Around
Post by: Jim147 on September 09, 2009, 11:46:48 PM
Quote
The gods be thanked the government is waging war against the people who write that stuff!

I'll sleep better tonight knowing that.

jim
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 09, 2009, 11:54:51 PM
Quote
This is why good backups are essential, because sometimes it is far, far easier to kill it with fire and just repartition, reformat, and reinstall.

Agreed, RaspberrySurprise.  I image every machine I have to a Windows Home Server box, so no problems there.
This one that I finally killed is on a customer's box.  No backups at all.  Of course we are going to have that discussion.
Title: Re: Nasty Malware Going Around
Post by: Harold Tuttle on September 10, 2009, 12:59:53 AM
I had some fun with "Total Security" on my kids' PC.
Once it was running it disabled IE, the Task Manager, Symantec and Spybot.

I finally was able to Task Manager it off as it was starting, from a reboot, then use Symantec to kill it off.

Title: Re: Nasty Malware Going Around
Post by: grislyatoms on September 12, 2009, 08:19:43 PM
I ran into this a couple of weeks ago. 4-5 machines. Would not allow any antivirus ware to even launch.

Had to nuke the drives and re-image. I concur, it's pretty nasty.
Title: Re: Nasty Malware Going Around
Post by: Silver Bullet on September 12, 2009, 11:49:49 PM
Quote
This is why good backups are essential, because sometimes it is far, far easier to kill it with fire and just repartition, reformat, and reinstall.

That, or use a Macintosh.

What the heck is malware, anyway ? 
Title: Re: Nasty Malware Going Around
Post by: Perd Hapley on September 13, 2009, 12:01:36 AM
It's something grown-up computers get.   :laugh:
Title: Re: Nasty Malware Going Around
Post by: Jim147 on September 13, 2009, 12:43:27 AM

Quote
What the heck is malware, anyway ?
 

That would be the clothes mal wares. You know Firefly. I guess some people just don't like his taste in shirts if they have to call them nasty.

jim
Title: Re: Nasty Malware Going Around
Post by: MikeB on September 13, 2009, 05:03:30 AM
Combofix or Malwarebytes should work on these. If they don't, use the Bitdefender rescue CD, run that, then run Combofix or Malwarebytes. The rescue CD will load a version of Knoppix and then run the antivirus against the hard disk; this prevents the rootkit from loading so it can be removed. I've used this method on this virus/malware. No need to nuke the drive.

For real bad infections I usually run all three. Combofix sometimes needs to be run twice to complete cleanup. If you can't load internet sites after cleanup you may need to reset the TCP/IP stack. Some of these infections inject a process into the stack; once it's removed by the anti-malware software, the internet won't work without resetting the stack.

Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Malwarebytes
http://www.malwarebytes.org/

Bitdefender Linuxdefender rescue CD
http://download.bitdefender.com/rescue_cd/

How to reset TCP/IP stack
http://windowsxp.mvps.org/winsock.htm
Title: Re: Nasty Malware Going Around
Post by: lee n. field on September 13, 2009, 09:04:48 AM
Quote
Combofix or Malwarebytes should work on these.

Assuming the malware will let them run.  A lot of them block processes now, which means they are basically impossible for Joe Enduser to deal with.

These days I usually end up pulling the drive, scanning on a clean computer with a good AV and Malwarebytes or SuperAntiSpyware.  Then and only then, put it back in the computer and scan with native apps.  Each pass finds new crap.

Oh, yeah.  Current home user grade McAfee and Norton are worthless.
Title: Re: Nasty Malware Going Around
Post by: MechAg94 on September 13, 2009, 09:24:18 AM
I think I had some version of this a few months ago.  None of the anti-virus or anti-malware programs would work on it.  They either would not install or would not update.  All the web sites for those programs were blocked. 

I ended up getting a SATA/USB adapter, pulled out the hard drive, and scanned it with my laptop with Norton and then with Malwarebytes.  Norton actually caught and cleaned most of it.  Malwarebytes found one more item.  When I put the hard drive back in, I was able to get my anti-virus updated along with a couple other programs.  No problems since then. 
Title: Re: Nasty Malware Going Around
Post by: Monkeyleg on September 13, 2009, 09:30:30 AM
I'm not sure if what I have is the same as what you folks are talking about. Yesterday a program installed itself, and keeps giving me a constant warning that my computer is affected. If I click on the icon, I get a promotion for Antivirus Pro 2010. It won't go away, and it wasn't there before.

It lets me run my programs, but it's still a pain in the neck.

I still haven't upgraded my OS, so maybe this is the time to do so.
Title: Re: Nasty Malware Going Around
Post by: Perd Hapley on September 13, 2009, 10:59:01 AM
Upgraded your OS from what?  If you haven't already done so, back up all of your important data, while you still can. 
Title: Re: Nasty Malware Going Around
Post by: Monkeyleg on September 13, 2009, 01:41:12 PM
My old laptop runs Windows 2000. I only need it for one very simple purpose, so I haven't bothered to change operating systems. Somewhere around here I have Windows XP.
Title: Re: Nasty Malware Going Around
Post by: Silver Bullet on September 13, 2009, 02:41:17 PM
Quote
It's something grown-up computers get.   :laugh:


  =D

Guess I'll keep using my iBrat.   =)
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 13, 2009, 06:16:16 PM
Quote
I'm not sure if what I have is the same as what you folks are talking about. Yesterday a program installed itself, and keeps giving me a constant warning that my computer is affected. If I click on the icon, I get a promotion for Antivirus Pro 2010. It won't go away, and it wasn't there before.

It lets me run my programs, but it's still a pain in the neck.

I still haven't upgraded my OS, so maybe this is the time to do so.

Sorry Dick, but you have the bug I was referring to.  One of its names is Antivirus Pro 2010.
The rootkit pair that does most of the nastiness will not let any of the usual disinfection tools run.  That includes ComboFix (not a tool for the faint of heart, btw) and Malwarebytes.
Pulling the drive and scanning it on another computer will not kill the rootkits.  They are still present and active when the drive is placed back in the original computer and booted.
The rootkit files themselves are not visible to Windows or in a DOS box.  Attempting to change their attributes does nothing to make them visible in most instances, although some have reported success with that. 
Some rootkit scanners like rootkitrepeal will show them, but cannot kill them.  The filenames are win32k.sys:1 and win32k.sys:2, if I remember correctly.  Not to be confused with the normal win32k.sys file that is part of Windows.  I need to go back to my notes to remember for sure.
You need to take care of it.  One of its reported actions is a keylogger that captures passwords and such.
Unfortunately, I think this bug is going to bring a lot of business my way.
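The "win32k.sys:1" and "win32k.sys:2" names RocketMan recalls have the shape of NTFS alternate data stream names (file:streamname). Whether that is what they actually were is my assumption, not something the post confirms, but it is a cheap thing to check, so here is an added example of a defender-side stream listing in PowerShell. It is not code from the thread or from any tool named in it. It lists every named stream other than the default data stream on the files under a directory; point it at a pulled drive mounted on a clean machine (D:\Windows\System32 or similar) rather than at the infected box itself, since an active rootkit can hide from on-box tools, as the thread describes. It needs PowerShell 3 or later for the -Stream parameter.

```powershell
# Added example (not from the thread). Lists NTFS alternate data streams on
# files under a directory so that an unexpected stream on a system file
# stands out. Assumes PowerShell 3+ (for -Stream) and an NTFS volume.

function Get-ExtraStreams {
    param(
        # Directory to inspect; use the mounted-drive path when scanning offline.
        [Parameter(Mandatory)][string]$Path,
        # Descend into subdirectories when set.
        [switch]$Recurse
    )
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is extra.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Zone.Identifier is the harmless "downloaded from the internet" marker that
# browsers add; filter it out so anything else is what you look at first.
# Replace $target with e.g. 'D:\Windows\System32' when the drive is mounted
# on a clean machine.
$target = Join-Path $env:SystemRoot 'System32'
Get-ExtraStreams -Path $target |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Sort-Object File |
    Format-Table -AutoSize
```

An empty table is the normal result for a clean System32. Anything that does show up is worth keeping a copy of (Get-Content -Stream reads it) before it is deleted, so there is something to hand to whoever writes the signatures.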
Title: Re: Nasty Malware Going Around
Post by: Gewehr98 on September 13, 2009, 07:11:04 PM
Dust off and nuke it from orbit.
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 13, 2009, 07:32:22 PM
Quote
Dust off and nuke it from orbit.

While the infection can be cured, it does take a fair amount of work.  It may be simpler to do just what GW suggests if all backups are up to date.
Title: Re: Nasty Malware Going Around
Post by: Silver Bullet on September 13, 2009, 07:32:55 PM
 

Quote
That would be the clothes mal wares. You know Firefly. I guess some people just don't like his taste in shirts if they have to call them nasty.

jim

That would be, "What the heck does malware, anyway ?"

 :police:
Title: Re: Nasty Malware Going Around
Post by: BryanP on September 13, 2009, 07:41:43 PM

Quote
Bitdefender Linuxdefender rescue CD
http://download.bitdefender.com/rescue_cd/


I've found this one to be extremely useful.  It boots a Knoppix environment and if it can detect an internet connection it will download the most recent patterns for BitDefender before it starts scanning your machine.
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 13, 2009, 07:46:04 PM
Quote
I've found this one to be extremely useful.  It boots a Knoppix environment and if it can detect an internet connection it will download the most recent patterns for BitDefender before it starts scanning your machine.

I use BitDefender on most of my machines, but I have not heard of their rescue CD.  I'll have to give it a try.
Thanks for the info, BryanP.
Title: Re: Nasty Malware Going Around
Post by: MikeB on September 13, 2009, 08:42:43 PM
Quote
Assuming the malware will let them run.  A lot of them block processes now, which means they are basically impossible for Joe Enduser to deal with.

These days I usually end up pulling the drive, scanning on a clean computer with a good AV and Malwarebytes or SuperAntiSpyware.  Then and only then, put it back in the computer and scan with native apps.  Each pass finds new crap.

Hence the reason for the whole paragraph I had written.

Quote
Combofix or Malwarebytes should work on these. If they don't, use the Bitdefender rescue CD, run that, then run Combofix or Malwarebytes. The rescue CD will load a version of Knoppix and then run the antivirus against the hard disk; this prevents the rootkit from loading so it can be removed. I've used this method on this virus/malware. No need to nuke the drive.

Especially the bold part, which you apparently skipped when writing your response.

Booting off a Linux live CD and running the scan is the same as running the scan on another computer. As well, if someone found the virus a few days ago, there is a decent chance Combofix or Malwarebytes has a new definition file.
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 13, 2009, 08:49:56 PM
Mike, your statement presumes that the BitDefender rescue CD is even keyed to find and delete those particular rootkit files.  It may not be.
Title: Re: Nasty Malware Going Around
Post by: MikeB on September 13, 2009, 08:53:08 PM
Quote
Mike, your statement presumes that the BitDefender rescue CD is even keyed to find and delete those particular rootkit files.  It may not be.

It was when I used it the other day; it has as good a chance as taking a drive out and sticking it in another computer. It even updates itself before running if a network connection is attached.

And FWIW, that day Combofix and Malwarebytes didn't work on their own. They did two days later for the same piece of malware.
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 13, 2009, 08:55:55 PM
Taking the drive out and scanning it on another computer does not work with this particular bug.  BTDT, doesn't work.  It removes a lot of the ancillary files, but does not find and kill the rootkit files.
And that was scanning with BitDefender, MalwareBytes, SuperAntiSpyware, etc.
Title: Re: Nasty Malware Going Around
Post by: Perd Hapley on September 13, 2009, 11:59:28 PM
Yes, but did you try running PC_AntiSpyware2010?   :lol:
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 14, 2009, 12:42:54 AM
I did try that one, fistful, but weird stuff happened.  I can't explain it.
Title: Re: Nasty Malware Going Around
Post by: Perd Hapley on September 14, 2009, 12:46:24 AM
Watch out for these other root kits going around.

http://images.google.com/images?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&um=1&sa=1&q=roots+kit&btnG=Search+images&aq=f&oq=&aqi=
Title: Re: Nasty Malware Going Around
Post by: Jim147 on September 14, 2009, 09:52:34 AM
What, if any, antivirus were you all running when you got your bug? Was it up to date at the time?
I haven't gone through all the articles yet, but do any of you think you might have got it from a common source?

jim
Title: Re: Nasty Malware Going Around
Post by: MikeB on September 14, 2009, 12:10:17 PM
Quote
Taking the drive out and scanning it on another computer does not work with this particular bug.  BTDT, doesn't work.  It removes a lot of the ancillary files, but does not find and kill the rootkit files.
And that was scanning with BitDefender, MalwareBytes, SuperAntiSpyware, etc.

Look, I don't know what your problem is with me. You thank another user that was actually quoting me for suggesting the Bitdefender rescue CD. Then you claim it doesn't work, even though you've never even tried it, when I point out to another user that it's essentially the same thing as plugging it into another computer sans the OS.

Perhaps Bitdefender didn't work for you because they were both Windows OS machines; it did work for me on the same exact malware when using the rescue CD. It broke the root kit so that Combofix and Malwarebytes could do their thing.
Title: Re: Nasty Malware Going Around
Post by: AZRedhawk44 on September 14, 2009, 12:14:42 PM
Quote
It's something grown-up computers get.   :laugh:

Fisty for the win. =D

My brother picked up "Personal AntiVirus 2009" the other day and it hosed his computer up real good.  Fooled me at first glance.... it has a logo emblem very much like Norton Antivirus.

I dug the bugger out of the computer and the registry though, so there's nothing left.
Title: Re: Nasty Malware Going Around
Post by: Monkeyleg on September 14, 2009, 11:01:48 PM
I was screwing around with the brother of Antivirus 2009 today, Antivirus Pro 2010. I went through the registry, the program files, everything, but there were still enough parts of the virus left to make it annoying.

I did a search on Antivirus Pro 2010, and found articles on some software that gets rid of it. Installed the software and it found the remnants of the virus. When it came time to have the software get rid of the virus, it was time to register (pay for) the software.

So, there's a virus that gets into folks' PCs, and looks like anti-virus software. Click on the warning, and you're invited to purchase the software. If you don't, it bugs you until you realize it's not a nice antivirus program. So you find an antivirus program to get rid of the antivirus scam program, but it's going to cost you money.

Gee, do you think the purveyors of the anti-anti-virus software may have come up with the anti-virus software in the first place to create demand for their anti-anti-virus software? ;)

Title: Re: Nasty Malware Going Around
Post by: Harold Tuttle on September 14, 2009, 11:10:36 PM
A buddy's wife used her credit card to buy the licence for the remover

I advised them to cancel that card
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 14, 2009, 11:39:57 PM
Mike, I don't have a problem with you at all.  I apologize if I offended you, as that was not my intent.
My reference to using the BitDefender rescue CD was for future antivirus work.  I had already managed to kill the Antivirus Pro 2010 rootkit on my current client's machine with a mix of different tools.
I went back and read your post where you said you had used the BitDefender Rescue CD.  I had missed the part where you said you managed to nuke this particular bug.  In misreading it, I thought you were speaking about its general application.
Again, my apologies.
Title: Re: Nasty Malware Going Around
Post by: Jim147 on September 15, 2009, 12:05:45 AM
Quote
I was screwing around with the brother of Antivirus 2009 today, Antivirus Pro 2010. I went through the registry, the program files, everything, but there were still enough parts of the virus left to make it annoying.

I did a search on Antivirus Pro 2010, and found articles on some software that gets rid of it. Installed the software and it found the remnants of the virus. When it came time to have the software get rid of the virus, it was time to register (pay for) the software.

So, there's a virus that gets into folks' PCs, and looks like anti-virus software. Click on the warning, and you're invited to purchase the software. If you don't, it bugs you until you realize it's not a nice antivirus program. So you find an antivirus program to get rid of the antivirus scam program, but it's going to cost you money.

Gee, do you think the purveyors of the anti-anti-virus software may have come up with the anti-virus software in the first place to create demand for their anti-anti-virus software? ;)



It's always the anti's fault.

jim
Title: Re: Nasty Malware Going Around
Post by: lee n. field on September 24, 2009, 02:53:23 PM
Quote
PC_AntiSpyware2010 and Advanced Antivirus.  It is also known by the anti-malware companies by one of its common filenames, Braviax.exe.

Fixed one of these this week.  A bitch.

The customer is on contract, so it wasn't a time and materials thing, fortunately for them.

Bitdefender live CD ran, found stuff.  The scanner crashed (*poof* and it's gone) shortly after being told to deal with what it found.  Too bad.  If it'd worked, it would have been a nice thing to give to the end users, for them to run first before they call me in.

Couldn't get anywhere near cleaning it with tools running on the system itself.  Stuff just kept coming back.

Pulled the drive, scanned it with 1) Symantec Endpoint Security, 2) Malwarebytes and 3) Superantispyware.  Each successive program found more stuff.

Reinstalled the drive.  Scanned with locally installed Malwarebytes and Superantispyware.  Had to run a TCP/IP fix to get malwarebytes to update itself.  Each found yet more stuff.  Cleared some security blocks that the nasty had left in place (to keep you from running task manager and regedit).  And....Couldn't run Windows updates.  Couldn't start the Event Log service -- some missing critical piece.

"Aw, ***t!"

Repair install of Windows, plus all updates.

Then, something along the way had put a limit on the user profile size (computer is not on a domain, BTW).  A bit of Googling found the fix.

Way, way too much trouble.  Next time it gets backed up and blowed away.
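Two of the cleanup steps in this thread, clearing the blocks on Task Manager and regedit that lee n. field mentions, and the TCP/IP reset that MikeB's post links and lee n. field had to run before Malwarebytes would update, can be scripted so the same checks run the same way on every box. The following PowerShell is an added example, not code from the thread, from the linked sites, or from any tool named here. It assumes the blocks are the usual DisableTaskMgr and DisableRegistryTools policy values under the user and machine Policies\System keys (that is where Windows looks for them; whether this particular rogue used exactly those values is my assumption). Run it from an elevated prompt after the scans, not before, since on a still-infected machine the rogue can simply put the values back.

```powershell
# Added example, not from the thread or any tool it names.
# Run from an elevated PowerShell prompt after the scans have finished.

# Policy keys where a DWORD of 1 blocks Task Manager / the Registry Editor
# for the current user (HKCU) or the whole machine (HKLM).
$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$LockoutValues = @('DisableTaskMgr', 'DisableRegistryTools')

function Get-LockoutPolicies {
    # Report each lockout value that exists, whatever it is set to.
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $LockoutValues) {
            if ($null -ne $props.$name) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $props.$name }
            }
        }
    }
}

function Clear-LockoutPolicies {
    # Delete only the values that are actually blocking (non-zero).
    # -WhatIf previews the deletions without touching the registry.
    param([switch]$WhatIf)
    Get-LockoutPolicies | Where-Object { $_.Value -ne 0 } | ForEach-Object {
        Remove-ItemProperty -Path $_.Key -Name $_.Name -WhatIf:$WhatIf
    }
}

# 1. See what the infection left behind (nothing printed = nothing set).
Get-LockoutPolicies | Format-Table -AutoSize

# 2. Preview the removal, then run it again without -WhatIf.
Clear-LockoutPolicies -WhatIf

# 3. The "TCP/IP fix": rebuild the Winsock catalog and reset the IP stack.
#    Both are stock Windows commands (XP SP2 and later); reboot afterwards.
netsh winsock reset
netsh int ip reset resetlog.txt
```

If Get-LockoutPolicies still shows a value after you have removed it and rebooted, something on the machine is re-applying it, which is a sign the cleanup is not finished rather than a reason to delete it again.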
Title: Re: Nasty Malware Going Around
Post by: Angel Eyes on September 24, 2009, 03:03:14 PM

Yesterday my wife's PC got infected with "Alpha Antivirus" which, among other things, prevented her from using IE.  I'm not sure if this is the same malware you had, but rebooting in "safe mode with networking", then running Malwarebytes (full scan) got rid of it.

 
Title: Re: Nasty Malware Going Around
Post by: Balog on September 24, 2009, 03:37:05 PM
Quote
That, or use a Macintosh.

What the heck is malware, anyway ? 

(http://cad-comic.com/comics/20060513.jpg)
Title: Re: Nasty Malware Going Around
Post by: Harold Tuttle on September 24, 2009, 04:51:00 PM
Got a call from a buddy last night,
His wife's laptop got hit
She took it into the school district's tech and he fixed it

He blew away 5 years of work files and reinstalled a clean OS

fixed it good he did

My buddy is investigating partition recovery tools

He didn't format it, he just replaced the OS and lost the old directories
Title: Re: Nasty Malware Going Around
Post by: 280plus on September 24, 2009, 06:45:33 PM
"There was a Malware goin' 'round, puter caught it and it died last spring,
Now my hard drive doesn't want to do much of anything..."

I seem to be faring well with my spy doctor. No hints otherwise.
Title: Re: Nasty Malware Going Around
Post by: Silver Bullet on September 24, 2009, 10:38:41 PM
Quote
(http://cad-comic.com/comics/20060513.jpg)

Well, here's something we can agree on:  you deserve a pc ! 

 :laugh:
Title: Re: Nasty Malware Going Around
Post by: jackdanson on September 24, 2009, 10:44:11 PM
My lifelong dream is to create an international team of hitmen, "tactical operators" and spies to deal with the people who make these programs... that and the pirates.  (somali ARRGHHHH pirates, not software pirates)
Title: Re: Nasty Malware Going Around
Post by: Hawkmoon on September 25, 2009, 11:08:50 AM
I had to deal with the 2009 version of that one last year. In the end, I decided it was time for a bigger hard drive anyway. I put the old drive into another machine as a D: drive, copied off only the data files we wanted to save, then installed XP onto a new hard drive, reinstalled the key apps we use, and copied the data files back onto the new hard drive.

Much work, but it succeeded where none of the virus tools we had would touch it.

The people who create this stuff should be flayed alive, then staked out on an ant hill.
Title: Re: Nasty Malware Going Around
Post by: RocketMan on September 25, 2009, 06:12:39 PM
Quote
The people who create this stuff should be flayed alive, then staked out on an ant hill.

Why do you just want to coddle these ne'er-do-wells?  How about some real punishment, or are you afraid to hurt their widdle feelings?   :rolleyes:


Seriously though, I'm with you.  When folks like this are caught and convicted, hanging is too good for 'em.
Title: Re: Nasty Malware Going Around
Post by: lee n. field on September 25, 2009, 07:33:41 PM
Quote
The people who create this stuff should be flayed alive, then staked out on an ant hill.

"I'd like to live just long enough to be there when they cut off your head and mount it on a pike as a warning to the next ten generations not to screw with my computer.  I would look up at your lifeless eyes and wave, like this."  --Vir Cotto

(http://b5thoughts.files.wordpress.com/2008/06/vlcsnap-651497.png)
Title: Re: Nasty Malware Going Around
Post by: Silver Bullet on October 17, 2009, 11:54:08 PM
I guess he didn't want to debate after all. 
Title: Re: Nasty Malware Going Around
Post by: Strings on October 18, 2009, 03:57:11 AM
I think this was what hit me, and made me try Linux...