Kaseya Community

Fake Anti-Virus 2010

  • Has anyone else seen an increase in the # of Fake Anti-Virus 2010 infections recently? We've had PCs get infected with up-to-date McAfee, Trend, Symantec, you name it... Has anyone come up with a good method of cleaning/repair?

    Legacy Forum Name: Fake Anti-Virus 2010,
    Legacy Posted By Username: billmccl
  • We've seen it as well. Malwarebytes seems to remove it. Customers where we have CA proxies don't get infected. Customers where we have Symantec antispam and antivirus for mail etc. get infected. We started to install the LinkScanner and WebShield for AVG on most of the machines. At least if the customer does a Google search the LinkScanner will hopefully give the green checkmark to say it's an OK site to visit.

    With all the features turned on we have not seen any of the AVG machines get hit with this virus, but we might be lucky.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: gdoubinin
  • We have KES 2.1 (AVG9) and the Exchange module picks this up and blocks the email. They end up in the Virus Vault on the Exchange Server - seems to do a good job of blocking it.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: PeterS
  • We saw a huge increase from the 2nd week of Jan to about the 1st week of Feb. Most of the viruses were the Antivirus 2010 and we tried everything, but could not get it removed. Most of the time Malwarebytes would not run. You couldn't get into Task Manager or regedit.

    We rebuilt a lot of PCs during this time period. It seems to have died off recently.

    Kerry

    Legacy Forum Name: How-To,
    Legacy Posted By Username: kerrya
  • We found that when you reboot the machine you can get into msconfig if you get the timing down just right, then disable the startup events for one more reboot. Sometimes we have to copy a Malwarebytes exe over to the infected machine and fire it up before it gets deleted... super pain in the butt...

    But thankfully users seem to be getting better about not clicking on stuff that says antivirus... they call us first...

    And yes we've seen the numbers go up as well...

    EDIT:

    I suspect that it's being embedded into Flash ads... I've seen machines get infected from (mail.)yahoo.com, msn.com and some other very common sites... I had it pop up on me today from Experts Exchange...

    Legacy Forum Name: How-To,
    Legacy Posted By Username: thirteentwenty
  • We too have seen a significant increase in the number of infected machines - it is getting past both Symantec Endpoint Protection and KES/AVG9.

    We worked on a laptop today where the user was NOT a member of the local admin group, yet it somehow got totally messed up with the virus.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: lwolf
  • clearFlashCache.zip
    lwolf
    We too have seen a significant increase in the number of infected machines - it is getting past both Symantec Endpoint Protection and KES/AVG9.


    It seems to get past everything that I've tried... and to add to your list, Kaspersky and ESET NOD32 too.

    lwolf

    We worked on a laptop today where the user was NOT a member of the local admin group, yet it somehow got totally messed up with the virus.


    In all but a couple of cases the users have not been in any sort of admin group (local or domain). And they're getting it from sites like (mail.)yahoo.com, msn.com and the like... This is why I think it's coming from Flash (ads). Flash has a unique ability to execute code. I know where they store the files, I kind of know why the files are stored (it's a cache for people like me who play those stupid addictive Flash games); now I want to know how to either a) stop the caching, or b) stop it from letting Flash do stuff... I'm not Flash savvy, actually I'm pretty anti-Flash, so I don't know if there is some cool setting in the registry or somewhere that will disallow this sort of thing.

    There's a host of information (or at least there was) out there, but for some reason the exact query I used in Google a while back escapes me now.

    I did write up a couple of .vbs files to clear these locations (attached in .zip format). Unfortunately it's reactive. I did this because I've noticed that it was a common item in all infections, but not commonly cleaned by cleanup.exe; you can do it with CCleaner (if a user is logged in). My .vbs will (read: should) cycle through all user profiles, and to date hasn't been blocked by the Fake AV 2010.

    How I think it works:
    The user surfs to a site with this code in a Flash ad. It gets written into one of the cache locations and spawns a new window. Normally it says something like "Your computer may be at risk blah blah blah". Most users will freak and click the "Scan" button. What they don't do, and what we've been teaching them to do, is read the title bar... It almost always says "Microsoft Internet Explorer", not ""

    Once that's clicked, the Flash file that is in their cache delivers its payload of delightful headaches.

    Something that I'm starting to ask users to do is to change their theme; this thing (Fake AV 20XX) assumes that users will be using the standard blue theme. I ask users to change it to that green/silver one, then tell them if a blue window pops up, call us before touching it. It's a great tell-tale. Although it takes time out of our day to go in and figure it out, it saves us much time in cleaning and rebuilding machines... Like we've all said, we've seen more and more of it, but now that we've started doing this we've been cleaning less and less.

    And another warning... I just read an article on Softpedia or CNET, IIRC, that said that some variations of this scareware (technically it's not a virus by definition) are packaged with some ransomware that will encrypt the contents of the user's My Documents folder, then tell the user that if they want it back they need to send $XX.XX to someone for the decryption key... In the article they state that Malwarebytes is able to clean the ransomware but no one has been able to decrypt the locked files. (Boo.) I have yet to see this (thankfully), so I can't be 100% sure it's true. But it would suck heavily if anyone gets hit with it...

    EDIT:
    Sorry for the ramblings, but I go through this about 15 times a day trying to educate end users and thought I would share my pain with all the nice people here... aren't I nice...

    Also (as I'm cleaning a machine of this mess) don't forget to turn OFF System Restore BEFORE you start cleaning... some variants of this sucker can hide in there too... ugh...

    Legacy Forum Name: How-To,
    Legacy Posted By Username: thirteentwenty
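
The attached clearFlashCache.zip is not reproduced on this page, so here is an added example of the same idea, written for this thread rather than taken from any poster: walk every local profile and wipe Flash Player's per-user storage trees. The profile roots come from the ProfileList registry key so the same script works on XP ("Application Data") and Vista+ ("AppData\Roaming"); the two Flash subfolders are Flash Player's standard locations. Run it from an elevated prompt; -WhatIf lists what would be deleted without deleting.

```powershell
# Added example (not the poster's .vbs): clear Flash Player storage in all
# local user profiles. Assumes an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Profile roots from ProfileList rather than guessing C:\Users vs
# C:\Documents and Settings; covers XP and Vista+ with one script.
function Get-ProfileRoots {
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $list | ForEach-Object {
        $path = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
        if ($path) { [Environment]::ExpandEnvironmentVariables($path) }
    } | Where-Object { $_ -and (Test-Path -LiteralPath $_) }
}

# Flash Player keeps its per-user data under the roaming part of the profile:
#   XP:     <profile>\Application Data\Macromedia\Flash Player
#   Vista+: <profile>\AppData\Roaming\Macromedia\Flash Player
# '#SharedObjects' holds the LSO "flash cookies"; 'macromedia.com' holds the
# per-site settings tree. Both are returned when present.
function Get-FlashStorageDirs([string]$ProfileRoot) {
    foreach ($roaming in @('Application Data', 'AppData\Roaming')) {
        $base = Join-Path (Join-Path $ProfileRoot $roaming) 'Macromedia\Flash Player'
        foreach ($sub in @('#SharedObjects', 'macromedia.com')) {
            $dir = Join-Path $base $sub
            if (Test-Path -LiteralPath $dir) { $dir }
        }
    }
}

$total = 0
foreach ($root in Get-ProfileRoots) {
    foreach ($dir in Get-FlashStorageDirs $root) {
        $files = @(Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer })
        $count = $files.Count
        if ($PSCmdlet.ShouldProcess($dir, "delete $count file(s)")) {
            # Files held open by a running browser (or by the malware) fail to
            # delete; -ErrorAction Continue reports them instead of hiding them.
            Get-ChildItem -LiteralPath $dir -Force |
                Remove-Item -Recurse -Force -ErrorAction Continue
        }
        Write-Host ("{0,5} files  {1}" -f $count, $dir)
        $total += $count
    }
}
Write-Host "Flash storage files found across all profiles: $total"
```

This is still reactive, as the poster says of the .vbs. The preventive side (a) of their question is a Flash Player administration setting rather than a script: Flash reads an mms.cfg from the Flash install directory under System32\Macromed\Flash, and the Adobe administration guide for your Flash version documents the local-storage limit keys there; check the guide before relying on a particular key name.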
  • We always go pull the hard drive from the machine in question. Then run Malwarebytes & SuperAntiSpyware with the drive plugged in to a SATA drive dock on another machine. Ensures that malware processes don't run.

    To be honest, in most cases the scans are just to quantify to the client the amount of crap on the machine. We then flatten and re-install.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: smbtechnology
  • smbtechnology
    We always go pull the hard drive from the machine in question. Then run Malwarebytes & SuperAntiSpyware with the drive plugged in to a SATA drive dock on another machine. Ensures that malware processes don't run.


    We used to do this a lot, but for the time being it's not the most efficient way of getting our clients up and running in a 'reasonable' amount of time (our reasonable is not so reasonable to them).

    smbtechnology

    To be honest, in most cases the scans are just to quantify to the client the amount of crap on the machine. We then flatten and re-install.


    Unfortunately there are a few underlying factors that make these options (though both I would totally prefer) prohibitive to us.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: thirteentwenty
  • We had a PC where McAfee found and deleted Winlogon32.exe and smss32.exe, but then we couldn't log in due to it not cleaning up the registry. Anyone know how to get around this?

    Thanks!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: billmccl
  • I found the virus doesn't start immediately as others have mentioned. You can still FTP to the system, so I put Malwarebytes in a directory, then create a shortcut in the Startup folder that runs the installer as soon as the user logs in. I access the system and log in as the Kaseya admin user I've created with the agent install. The Malwarebytes installer starts and waits for input. It's behind the malware screen, so you just have to remember the steps. It appears for now the malware doesn't stop an exe that is already running. Once Malwarebytes is installed it will kill the crap.
    Malwarebytes has a way to download just the latest definitions. Since there is no way to do a parameter install it makes it harder. I have sent a request to Malwarebytes to ask if they will include a parameter set to force the install without any human input. That could make life easier.

    Legacy Forum Name: How-To,
    Legacy Posted By Username: tbraje
  • @tbraje - You can run the Malwarebytes installer with the following command line options:
    /SP- /VerySilent /SuppressMsgBoxes /NoCancel


    I don't mean to toot my own horn, but none of my clients who have Malwarebytes MSP running on them got infected. (knock on wood) I highly recommend starting to investigate another product to install side-by-side with whatever antivirus product you are using. These malware infections are getting worse and worse and the standard complement of antivirus programs aren't catching them. I spoke with a Symantec rep several months ago when they paid a visit and he admitted that most antivirus programs won't be able to stop these malware programs because they change their signatures each time they are downloaded/installed. Antivirus programs rely heavily on signatures/definitions to detect bad programs and are helpless when a program dynamically changes itself.

    We purchased 400 licenses of Malwarebytes MSP in November for $7.35/license/year. This works out to $0.62/license/month and was a very easy thing to roll into our current management pricing. We have been selling it as "proactive malware defense" and customers are snapping it up. The only downside to Malwarebytes itself is that it is completely unmanaged. I have had to build about a dozen K scripts to install, upgrade, and manage the installations. (Some of the scripts are in the forum if you search.)

    Legacy Forum Name: How-To,
    Legacy Posted By Username: CCDave
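
Putting tbraje's staging trick and CCDave's switches together, here is an added example (written for this thread, not code from either poster or from Malwarebytes): it drops a one-shot .cmd next to an installer you have already copied over, points an All Users Startup shortcut at it, and optionally launches the installer from the current session as well. The four switches are the Inno Setup ones given above; the /LOG switch is a standard Inno Setup option added here, and the C:\Temp paths, shortcut name and wrapper file name are assumptions.

```powershell
# Added example: stage a silent Malwarebytes install for the next logon.
# Assumes the installer is already on the box and this runs as an admin
# (e.g. over the agent session the poster describes).
param(
    [string]$Installer = 'C:\Temp\mbam-setup.exe',      # assumed staging path
    [string]$LogFile   = 'C:\Temp\mbam-install.log',    # installer's own log
    [switch]$RunNow                                     # also start it immediately
)

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "installer not found: $Installer (copy it over first)"
}

# Inno Setup switches from the thread: skip the "This will install" prompt,
# no UI, no message boxes, no cancel button. /LOG captures what happened
# when nobody can watch the screen.
$switches = "/SP- /VerySilent /SuppressMsgBoxes /NoCancel /LOG=`"$LogFile`""

# A wrapper .cmd so the shortcut removes itself after the first run instead
# of re-running the installer at every logon. %~f0 is the .cmd's own path.
$shell   = New-Object -ComObject WScript.Shell
$startup = $shell.SpecialFolders.Item('AllUsersStartup')   # right on XP and Vista+
$lnk     = Join-Path $startup 'Install Malwarebytes.lnk'
$cmd     = Join-Path (Split-Path -Parent $Installer) 'run-mbam.cmd'

@"
@echo off
"$Installer" $switches
del "$lnk"
del "%~f0"
"@ | Set-Content -LiteralPath $cmd -Encoding ASCII

$sc = $shell.CreateShortcut($lnk)
$sc.TargetPath       = $cmd
$sc.WorkingDirectory = Split-Path -Parent $Installer
$sc.WindowStyle      = 7          # minimized; the window is behind the rogue anyway
$sc.Save()
Write-Host "startup shortcut written: $lnk"

if ($RunNow) {
    # The thread notes the rogue does not seem to stop an exe that is already
    # running, so start it from here too and wait for the exit code.
    $p = Start-Process -FilePath $Installer -ArgumentList $switches -Wait -PassThru
    Write-Host "installer exit code: $($p.ExitCode)"
}
```

Because the Startup shortcut runs in the logging-on user's context, the install still needs that user to be an administrator, which is why the poster logs in with the Kaseya admin account rather than the end user.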
  • There is a program out there called rkill that terminates most of the rogue anti-virus processes that are blocking the installation / execution of anti-virus programs including MalwareBytes.

    The downside of rkill is that it terminates the VNC server service as well. Luckily, rkill only TEMPORARILY terminates the processes. Essentially, it just does a taskkill command, so whenever you restart the application or reboot, the computer goes back to its normal operation. In other words, it kills your remote connection temporarily.

    Rkill combined with MBAM and a full anti-virus scanner such as AVG or A-Squared has been able to clean about 95% of all the infections we have dealt with in the past... the rest either require a manual removal, or format/reload.

    RKill can be downloaded from bleepingcomputer. (http://download.bleepingcomputer.com/grinler/rkill.pif)

    Legacy Forum Name: How-To,
    Legacy Posted By Username: k2tech_tony
  • billmccl
    We had a PC where McAfee found and deleted Winlogon32.exe and smss32.exe, but then we couldn't log in due to it not cleaning up the registry. Anyone know how to get around this?

    Thanks!


    This one I can answer: the Fake Anti-Virus 2010 crapware has replaced Userinit with its own executable and edited the registry accordingly. You'll want to look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set the Userinit entry to the full path to the real userinit.exe (such as C:\WINDOWS\SYSTEM32\Userinit.exe, note the comma!).

    Legacy Forum Name: How-To,
    Legacy Posted By Username: GreyDuck
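
GreyDuck's fix is a single registry edit, but on a machine that no longer logs in you usually apply it from somewhere else. This added example (written for this thread, not GreyDuck's or anyone's posted code) checks the Winlogon Userinit and Shell values and optionally restores them, either on the running system or in the SOFTWARE hive of a drive docked on another PC, the way smbtechnology describes. The D:\WINDOWS docked path, the OfflineSW mount name and the C:\WINDOWS system root of the victim are assumptions; change them to match the box.

```powershell
# Added example: audit/repair Winlogon Userinit and Shell, live or offline.
# Run elevated. With -OfflineWindowsDir the SOFTWARE hive of the docked
# drive is loaded with reg.exe, inspected, and unloaded again.
param(
    # Infected Windows directory as THIS machine sees the docked drive,
    # e.g. D:\WINDOWS. Leave empty to work on the running system.
    [string]$OfflineWindowsDir,
    # Windows directory as the infected machine sees itself; this is what
    # belongs inside the value, not the docked drive letter.
    [string]$VictimSystemRoot = 'C:\WINDOWS',
    [switch]$Repair
)

$mountName = 'HKLM\OfflineSW'      # assumed; any unused key name works
$loaded = $false
if ($OfflineWindowsDir) {
    $hive = Join-Path $OfflineWindowsDir 'System32\config\SOFTWARE'
    & reg.exe load $mountName $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $hive (drive docked? elevated?)" }
    $loaded = $true
    $winlogon = 'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon'
} else {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
}

# Known-good values. Userinit's default ends in a comma (GreyDuck's "note the
# comma!"); Shell is a bare executable name.
$good = @{
    Userinit = "$VictimSystemRoot\system32\userinit.exe,"
    Shell    = 'explorer.exe'
}

# Both values are comma-separated lists; a hijack substitutes an entry or
# appends its own exe, so compare entry by entry, case-insensitively.
function Test-WinlogonValue([string]$Current, [string]$Expected) {
    $entries = @($Current  -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $wanted  = @($Expected -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($entries.Count -ne $wanted.Count) { return $false }
    for ($i = 0; $i -lt $wanted.Count; $i++) {
        if ($entries[$i] -ine $wanted[$i]) { return $false }
    }
    return $true
}

try {
    $props = Get-ItemProperty -Path $winlogon
    foreach ($name in $good.Keys) {
        $current = [string]$props.$name      # missing value -> "" -> flagged
        if (Test-WinlogonValue $current $good[$name]) {
            Write-Host "OK        $name = $current"
            continue
        }
        Write-Warning "HIJACKED  $name = '$current'"
        if ($Repair) {
            Set-ItemProperty -Path $winlogon -Name $name -Value $good[$name]
            Write-Host "RESTORED  $name = $($good[$name])"
        }
    }
} finally {
    if ($loaded) {
        # The registry provider keeps handles on the loaded hive; release them
        # or reg unload reports "access denied" and the hive stays mounted.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload $mountName | Out-Null
    }
}
```

Run it once without -Repair to see what the value currently points at (that path is also where the dropper lives, worth noting before McAfee or MBAM deletes it), then again with -Repair. Resetting Userinit only restores logon; it does not remove whatever else the rogue installed, so follow it with the MBAM/rkill cleanup discussed above.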
  • Thanks Greyduck!

    Legacy Forum Name: How-To,
    Legacy Posted By Username: billmccl