Kaseya Community

Fake Anti-Virus 2010

  • We have been following this with success: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-pro-2010

    Legacy Forum Name: How-To,
    Legacy Posted By Username: YborTech
  • billmccl
    Has anyone else seen an increase in the # of Fake Anti-Virus 2010 infections recently? We've had PCs get infected with up-to-date McAfee, Trend, Symantec, you name it... Has anyone come up with a good method of cleaning/repair?


    Yes, we use SuperAntiSpyware and rkill to first stop the infection. Usually works the best in safe mode. We had one instance today and got rid of it in about 30 minutes.

    Also found Malwarebytes will work, but only in full scan mode. Quick scan does not always find the regedit entries which need to be removed.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: marcb
  • Most effective way to remove it is, of course, to format and reload the OS. However, in my time at a retailer doing computer repair, we collectively came up with an amazing process for purging this family of threats.

    Of course, where possible, you'll still want to format/reload to get rid of this.

    First method:
    SFF/MBAM.
    Easily loaded onto a flash drive, SmitFraudFix will nuke *everything*. You can then use MBAM (or any other AV program) to remove. Sometimes works, sometimes not. Dunno if SFF is still viable, haven't used it in a while.

    Killer method (posted before):
    Offline scan.
    Mount the drive under another OS. Either a bench machine designated for this task (autoplay/autorun MUST be turned off for this!), or a live CD/USB with updated AV definitions. Afterwards, boot the machine up normally (without Internet connection), clean up any boot errors you get ("cannot find file"), fix the desktop background (active desktop is often used by the infections), and re-scan with the local AV program. If there's no local AV program, sell them one, or install your freebie of choice. During the offline scan, I'll normally use the scanner installed on the scanning computer, then MBAM, and a few web-scans if I have the time.

    This second method has proved incredibly effective, as long as the virus is recognized, it will get removed, since it has no way of loading on the host machine (remember, kill autorun/autoplay or you WILL infect the scanning machine).

    For managed clients, this is an excellent opportunity to remind them not to run as administrator, and push the security agenda.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: dwujcik
  • I haven't actually just run the scan as one of the previous posts suggests. In past experience, this isn't enough. Interesting though, I just got a call from another infected user. I'll try that one on him.

    I usually find myself in Safe Mode by default, removing the Temp directory, Temporary Internet Files, CCleaner, Add/Remove items that don't belong, MSCONFIG, Malwarebytes full scan then a reboot.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: cameronpratto
  • Solutions vary, as do the signatures of these infections.

    Solution this morning (manually done on site, not Kaseya'd yet):

    -Ignore the mass of bogus windows opened by malicious software
    -Reboot
    -As soon as explorer loads, as quick as it'll let you, MSCONFIG/Startup/Disable All
    -Reboot
    -Remove Proxy setting in IE enabled by malicious software
    -Install/Update Malwarebytes
    -Full Scan
    -Reboot

    I don't think it's absolutely necessary but before I scan I like to remove the Temp folder and Temporary Internet Files in their profile. I also like to use CCleaner before I scan to cut down the scan time as much as possible by having few files to scan.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: cameronpratto
  • I've had great success removing these infections with Hitman Pro http://www.surfright.nl/en/hitmanpro

    but... how can we PREVENT these infections in the first place? Sonicwall with TotalSecure used to work... but it can't keep up with the changes to these viruses anymore?

    anyone have a solution that works?

    Legacy Forum Name: How-To,
    Legacy Posted By Username: Resistance2Fly
  • Windows XP is susceptible to this, especially. Windows Vista and Windows 7 with DEP set to opt-out and UAC left on are extremely unlikely to get the worst of this infection. XP is far more protected with DEP set to opt-out mode.

    DEP in opt-out mode is everyone's friend, here. Also, keeping Java and Adobe products up to date will limit the infection surface. I've forcefully tried to infect a windows vista or 7 machine setup this way and have had zero luck, and users that call because they think they just got infected are usually fixed with a reboot. It is also great if people aren't local administrators, but thankfully Microsoft was able to somehow address this and let standard users continue to be local admins with the implementation of UAC (as long as it is not foolishly turned off.)

    On infected machines, I've had great luck UNC'ing over to the system drive and using remote registry to find the path of the primary exe driving the annoying popups. Check the startup item registry keys at HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Run. You may have to figure out the SID of the user account infected on that machine and go to their registry hive that way rather than using HKCU. Once you get the path to the malware executable, use the UNC folder to browse to it and rename it. Then use taskkill from the command line (or just use the remote task manager in VSA) to kill the process that you renamed. Once that process is gone, you should be able to do whatever it is that you like to do to scan and clean it up. I will generally use malwarebytes followed by a full scan from KES (which never finds anything.) Don't forget to delete the malware reference from the registry. I also make it a point to set DEP to opt-out mode whenever I deal with a machine that got infected to help prevent it from happening again.

    RKill should work for this as well, but launching any executable with the scareware exe running is a matter of luck since it terminates whatever new processes it can. Call me old fashioned, but I don't want to rely on luck or timing.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: drodden
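An added example, not from any post in this thread: a PowerShell script that enumerates the Run keys drodden describes (HKLM plus every loaded user hive by SID, so the infected account is covered even when it is not the one you are logged in as) and flags entries whose executable lives outside Windows or Program Files. It assumes it is run locally, as an administrator, on the machine being triaged rather than over UNC/remote registry.

```powershell
# Added example (not the thread's own code): list Run-key autostart entries and
# flag executables outside the usual system locations (e.g. %Temp%, AppData).
# Assumes local execution as an administrator on the machine being triaged.
$runSubKey   = 'Software\Microsoft\Windows\CurrentVersion\Run'
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
               Where-Object { $_ } | ForEach-Object { $_.ToLower() }

# HKLM (64-bit and 32-bit views), then HKU\<SID>\... for every real user hive;
# the *_Classes hives hold no Run key and are skipped.
$runKeys = @("HKLM:\$runSubKey", "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run")
$runKeys += Get-ChildItem 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
            ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)\$runSubKey" }

function Get-ExePath([string]$command) {
    # Reduce a Run value such as  "C:\Users\x\AppData\Local\av.exe" /min  to the exe path
    $path = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ')[0] }
    return [Environment]::ExpandEnvironmentVariables($path)
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $exe = Get-ExePath ([string]$item.GetValue($name))
        $dir = if ($exe) { (Split-Path $exe -Parent).ToLower() } else { '' }
        # An unqualified name (no directory) or a directory outside the trusted roots is suspicious
        $inTrusted = $trustedDirs | Where-Object { $dir -and $dir.StartsWith($_) }
        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Executable = $exe
            OnDisk     = [bool]$exe -and (Test-Path -LiteralPath $exe)
            Suspicious = -not $inTrusted
        }
    }
}

# Suspicious entries first, so the exe driving the popups is easy to spot
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged Suspicious are only candidates: confirm the file and its publisher before renaming or removing anything.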
  • Check out CCDave's post on page 2. Even in my own experience, the only thing missing is a licensed version of Malwarebytes. Every machine needs regular maintenance, etc but to get rid of these variances of this "Fake" stuff going around, you need any up-to-date AV of substance and an extra layer of real-time malware protection.

    If I can get Malwarebytes to respond to me, I'm looking into a bucket of their MSP licensing.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: cameronpratto
  • [QUOTE=k2tech_tony;53981]There is a program out there called rkill that terminates most of the rogue anti-virus processes that are blocking the installation / execution of anti-virus programs including MalwareBytes.

    The downside of rkill, is that it terminates the VNC server service as well. Luckily, rkill only TEMPORARILY terminates the processes. Essentially, it just does a taskkill command, so whenever you restart the application or reboot, the computer goes back to its normal operation. In other words, it kills your remote connection temporarily.

    Rkill combined with MBAM and a full anti-virus scanner such as AVG or A-Squared has been able to clean about 95% of all the infections we have dealt with in the past.... the rest either require a manual removal, or format/reload.

    RKill can be downloaded from bleepingcomputer. (http://download.bleepingcomputer.com/grinler/rkill.pif)[/QUOTE]

    RKill is an awesome tool to use when the virus blocks you from running malwarebytes, spybot or anything like that. I've used it a number of times when I have been locked down big time.

    Also the disabled Task Manager headache. Download this tool from here:

    http://www.taskmanagerfix.com/

    HiJackThis is another tool that you can use to show running processes and manually kill them if they don't look legit, or for better practice, do a scan and save the log file and paste or upload it to www.hijackthis.de and it will rate whether the process is good or not. Note: not all processes that are rated bad are necessarily bad; you have to make your own judgement on it and know whether or not it's something you recognize. Like it will mark Domain name stuff as bad. But I've used this to delete loopback DNS IPs that viruses have input that basically disrupt you from browsing webpages even though you are connected to the internet.

    But then again IF we can get K2 installed with this live connect we should be able to run task manager and registry before we physically log into the PC right? lol

    Would have been nice 2 weeks ago when I had a customer that after you logged in locally, remotely or in safe mode, the virus just automatically logged you off. Had to browse to the C: drive of the server from another PC and copy cmd.exe to sethc.exe, and then was able to hit the shift key 5 times at the login prompt and bam, CMD popped up instead of that sticky shift prompt, and I was able to run HiJackThis to kill the virus that wouldn't let me log in.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: tim@xxpert.net
  • drodden
    thankfully Microsoft was able to somehow address this and let standard users continue to be local admins with the implementation of UAC (as long as it is not foolishly turned off.)


    Sadly this feature IS often turned off. Working in a repair shop we'd regularly get infected Vista machines with UAC turned off, and very rarely get them with UAC turned on. Funny how that one works. I've seen machines loaded with limewire and other illegal downloads with no AV program at all, with UAC enabled, and no infections.

    I tried shouting it standing on the counter (well, OK, I didn't actually stand on the counter and shout, but I sure wanted to), and people still don't get it.

    I wonder, is there a way to enforce UAC with Kaseya? And alert if it's turned off? Haven't gone digging yet, but there should be some reg keys we can read and manipulate.

    Now if only there was a way to tell System Restore to not back up a virus...

    Legacy Forum Name: How-To,
    Legacy Posted By Username: dwujcik
  • UAC is controlled at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

    This is the same in Vista/7. A value of 0 means it is disabled, and a value of 1 means it is enabled.

    As for managing the settings, there is a technet article here:

    http://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

    The registry information is at the bottom of the article.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: drodden
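An added example, not from any post in this thread, that answers dwujcik's question using the EnableLUA value drodden cites: a PowerShell script that reports the UAC state, optionally turns it back on, and exits non-zero when UAC is disabled so a scheduled job (a Kaseya agent procedure is the assumed caller) can raise an alert. It assumes it runs as an administrator on the machine being checked.

```powershell
# Added example (not the thread's own code): check and optionally enforce UAC
# via HKLM\...\Policies\System\EnableLUA. Assumes administrator rights on the
# local machine and a caller that treats a non-zero exit code as an alert.
param(
    [switch]$Enforce   # set EnableLUA back to 1 when it is found disabled
)

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $value = (Get-ItemProperty -Path $policyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($null -eq $value) { return 'NotPresent' }   # e.g. XP, which has no UAC at all
    if ($value -eq 1)     { return 'Enabled' }
    return 'Disabled'
}

$state = Get-UacState
$os    = (Get-WmiObject Win32_OperatingSystem).Caption
Write-Output "$env:COMPUTERNAME ($os): UAC $state"

if ($state -eq 'Disabled' -and $Enforce) {
    # The change only takes effect after a reboot, so report that rather than rebooting here
    Set-ItemProperty -Path $policyKey -Name EnableLUA -Value 1 -Type DWord
    Write-Output 'EnableLUA set to 1; a reboot is required before UAC is active again.'
    $state = 'PendingReboot'
}

# Non-zero exit so the calling job can flag this machine
if ($state -eq 'Disabled') { exit 1 } else { exit 0 }
```

Run it without -Enforce from a monitoring job to alert only, and with -Enforce from a remediation job; 'PendingReboot' still exits 0 because the setting has already been corrected.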
  • Well I was surfing around for something silly (that bit of software that makes fdd's play the imperial march... yea that would have been one fun script to deploy on my office!) anyways, and a site linked me to our favorite bit of scareware...

    So instead of the normal routine I decided to see where it went...

    I'm pretty sure there are more sites out there that host this crap but here are the URLs that I got from this encounter

    This is the site that it redirected me to.


    And it looks as though I was wrong in my previous post about its deployment method... it looks like it's a gif and some js that does it...

    here's the code for the body

    Commencing Scan Procedure...

    and the payload's URL is

    I'm thinking about doing up a script to block these via host file...

    What's your thoughts...

    Legacy Forum Name: How-To,
    Legacy Posted By Username: thirteentwenty
  • I just had to deal with this virus last night and although quite challenging I managed to remove it completely all remoting in and not stepping onsite.

    Client just recently purchased the newest Symantec EndPoint package and I was in the middle of deploying it to 3 sites when it hit the remote user who I have not been able to deploy this to yet.

    First thing I wanted to make sure I had backdoor access so deployed Kaseya Agent. When remote access confirmed I then installed the SEPv12 client to machine and updated the definition. The 2010 virus will keep popping up but having the TaskMgr open I just kill "av.exe" which is the gui that controls 2 other windows that come up. After I have installed SEP client I went into the SEP policy and used "Application and Device Control Policy" to block "av.exe" from launching. This made it easier for me to go ahead and install the "clean up" tools (MBAM, HiJack, etc). I also added in the allow list the "Combofix.exe" application and this was enabled and pushed out domain wide.

    The clean up was fairly simple after this process: Installed MBAM did a full scan of which it found 4 infections and removed it. I then ran Combofix which detected over 12 other infections and also removed. Lastly, I did a free online MS Live scanner to confirm no infection remains and I was a happy camper...

    If any I think the SEP ADCP policy should help the network since this will block the pop up of any future AV.exe infections and users won't get tempted to click the "scan now"... button.. lol

    Hope this helps someone...

    Legacy Forum Name: How-To,
    Legacy Posted By Username: JeffD
  • Can we block av.exe from running with Kaseya?

    Legacy Forum Name: How-To,
    Legacy Posted By Username: billmccl
  • Resistance2Fly
    I've had great success removing these infections with Hitman Pro http://www.surfright.nl/en/hitmanpro

    but... how can we PREVENT these infections in the first place? Sonicwall with TotalSecure used to work... but it cant keep up with the changes to these viruses anymore?

    anyone have a solution that works?



    Behavior Monitoring
    Web Reputation
    Patching.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: corpitsol