Windows Fake "Security Center" Malware

[rickhunter]

Also when have you seen a Windows 7 PC have or use 2 or 3 Quad Core CPU's.

I have a Dual Quad Core Xeon Dell Precision workstation, so yes they do exist and it's running windows 7 ultimate.  I also have a pair of Macs.  I'm an equal opportunity technology user and the Mac vs PC argument is not one that will ever end.  To each his own.  I prefer linux since it can be customized to do just about anything and it's open source (i.e. you can add your own crap to the kernel if you are so inclined).  OSX is based on linux but it's definitely "not open" as you aren't even allowed under license to do anything to the kernel files as per the apple license agreement.  OSX is by far the best OS apple has ever marketed and it's a lot easier to develop for it than the old days of MAC OS, which was bloated with stuff and totally in-efficient.  OSX is not more secure than windows, it just doesn't get the attention from malware and virus writers, because it's better to infect 80% of pc's with the same code than 10%.  The object of viruses and malware is to bombard you with ads and or retrieve information from your PC, that's why Macs get "no love" from spam and virus authors.  Once MAC OSX gets more popular, watch out.  Apple is notoriously slow at patching security holes.

[brichter]

I have MS Office for Mac 2008 Professional, which has Word, Excel, PowerPoint, Entourage (e-mail), and few other programs.

Also when have you seen a Windows 7 PC have or use 2 or 3 Quad Core CPU's.

Just saw this reply. There's no feature parity between the 2 versions of Office (Mac vs. Windows).

Office for the Mac is pretty much brain-dead, you can't even color cells, rows, or columns in Excel, and there's no VB support. That makes it a non-starter for any but the most basic user.

I use Parallels when I have to run Windows on the Mac, it takes too long to reboot into windows then back into OS X when I'm done. But for any real power usage, I just run Win7 on my dual quad core tower.

[stayouttadabunker]

Another one that's gone downhill this year is Ad-Aware. I still have it installed, but the last major release (v8) months back that changed the entire program interface is a kludge. It has become a resource hog, it should be removed by its own standards (it puts up pop-up balloons advertising their for-profit products), and they made the interface too user friendly: They no longer show you the detailed information of what they find, so it's very difficult to make an intelligent decision as to what action to take. It has also given me some false positives. I'll be removing it soon.

I had Ad-Aware for years and loved it but I have to agree that
ever since they changed it last year - it sucks. 
I haven't used it in months because of all the junk it tries to do.   :60- 
It's too bad ...it was a very good product at one time...
I'll be removing it soon too...

[xkey]

  :37-This trojan hit a few of our machines in the office today, we were able to manually clean the machine by following these steps

boot into safe mode
start taskmanager and close the process called "hotfix.exe"
search for a file named hotfix.exe, there might be a couple, but the ones that got us where time stamped with todays date and time that the infection started.
delete that file
this also created 2 files jkhkj.bat and mstsc.exe, they were located on the desktop, delete these files
open "regedit" and go to this key
HKEY_USERS\S-1-5-21-1384738610-847602051-1361462980-58697\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
and look for the "entry"  it will have a path to the batch file above, remove that entry and replace with "explorer"
reboot and you should be fine.

jon

[rickhunter]

Just saw this reply. There's no feature parity between the 2 versions of Office (Mac vs. Windows).

Office for the Mac is pretty much brain-dead, you can't even color cells, rows, or columns in Excel, and there's no VB support. That makes it a non-starter for any but the most basic user.

I use Parallels when I have to run Windows on the Mac, it takes too long to reboot into windows then back into OS X when I'm done. But for any real power usage, I just run Win7 on my dual quad core tower.

Office 2011 for Mac just came out.  That is supposed to be nearly identical to the Windows version.  I ordered a 3 pack license today to use here at the office for the Mac Folks.  It has outlook which is a big plus when migrating, the old entourage totally ?#?#$?@?#$?.

[brichter]

Just saw this reply. There's no feature parity between the 2 versions of Office (Mac vs. Windows).

Office for the Mac is pretty much brain-dead, you can't even color cells, rows, or columns in Excel, and there's no VB support. That makes it a non-starter for any but the most basic user.

I use Parallels when I have to run Windows on the Mac, it takes too long to reboot into windows then back into OS X when I'm done. But for any real power usage, I just run Win7 on my dual quad core tower.

Office 2011 for Mac just came out.  That is supposed to be nearly identical to the Windows version.  I ordered a 3 pack license today to use here at the office for the Mac Folks.  It has outlook which is a big plus when migrating, the old entourage totally ?#?#$?@?#$?.

From the first review I saw on Google:

Sadly there is a pretty big weak link in Office 2011: Outlook. It seems that Microsoft simply sacrificed brains for beauty. Don’t get us wrong. It’s definitely the best and most powerful email client we’ve ever used on OS X, but after using it for 10 minutes we honestly gave up on it. Why? Because it simply requires more work to get simple tasks done than on the Windows version. It sucks to say it, but given the choice between using the new Outlook for Mac and virtualizing Outlook for Windows, we’d go with the latter any day.

You'll need Exchange 2010 if you want to have server-side rules, and I've heard there's no compatibility with Exchange 2003 so at least 2007 is required. Let me know how it goes, I'll use your experience to help decide if I'm going to upgrade...

[rickhunter]

I still don't have it, but one of the major issues for my situation has been the migration of PC to Macs in regards to e-mail.  The outlook PST file was not supported on entourage, and all the import programs do not import addresses that are not standard US addresses right.  So for this alone it is worth it on my end.  When I get it, I'll post my experiences with it.  I already knew about the exchange issues, we have since migrated out of exchange here so that will not apply anymore.

[brichter]

I still don't have it, but one of the major issues for my situation has been the migration of PC to Macs in regards to e-mail.  The outlook PST file was not supported on entourage, and all the import programs do not import addresses that are not standard US addresses right.  So for this alone it is worth it on my end.  When I get it, I'll post my experiences with it.  I already knew about the exchange issues, we have since migrated out of exchange here so that will not apply anymore.

So, there is an application that converts .pst to .rge, which works with Erage. It's called Emailchemy.

As far as converting to Mail.app, not sure if Emailchemy (or some other application) will do that, but one solution is to create a temp folder on the Ecxchange server with Outlook, and copy portions of the pst contents to the Exchange server, then back to a local file in Mail.app.

Yup, we've been hacking around with Macs in a Winblows world for quite a while here...

[rickhunter]

Yes, that was one of the options, and for the most part getting the e-mails correcty has not been the issue, it's been the other things in outlook like contacts and addreses, specially those that don't adhere to standard US format.

[uniman]

I get home from work today to find our computer now has the "Security Tools" virus. We (wife and I) are running XP Home Edition. This popup shit only appears on the wife's logon. I can logon and surf the net with no problem. After reading up on the Security Tools virus I logon and look in the All Users - Application Files for this piece of shit. Did the Show All Hidden Files and Hidden Extension settings. I found no new files or any files that were just random numbers. Since it only affects the Mrs, I looked in her Application Files too.
Then I clicked on my Malwarebytes program and attempted to update my older version. Kept getting "cannot find - check firewall settings". I shutoff the firewall, popup blockers, lowered the security settings and still could not update. So I downloaded the latest version. When I installed it received an error message, but it did seem to install. When I opened Malware it does look slightly different so assuming it installed. Currently running it on my login and so far nothing detected after 25 minutes. I suspect it will find nothing.

Any ideas????

[proten]

Try booting in Safe Mode with networking  (F8) at boot up
Then run the update again

Paul

[uniman]

I was thinking the same thing.
Download latest version of Malwarebytes on my laptop.
Save to a stick.
Start XP computer in Safe Mode.
Run Malwarebytes.
Will try tomorrow.

[StatFreak]

I was thinking the same thing.
Download latest version of Malwarebytes on my laptop.
Save to a stick.
Start XP computer in Safe Mode.
Run Malwarebytes.
Will try tomorrow.

That sounds like the best plan. You might also search the registry for the entries that xkey mentioned. You'll have to substitute your wife's GUID in the path (where it starts S-1-5-21...)

If it happened recently, you could do a global search of the entire drive for all files created/modified after the date of infection, and you might also try using system restore to restore to a point prior to the infection.

[uniman]

I was thinking the same thing.
Download latest version of Malwarebytes on my laptop.
Save to a stick.
Start XP computer in Safe Mode.
Run Malwarebytes.
Will try tomorrow.

That sounds like the best plan. You might also search the registry for the entries that xkey mentioned. You'll have to substitute your wife's GUID in the path (where it starts S-1-5-21...)

If it happened recently, you could do a global search of the entire drive for all files created/modified after the date of infection, and you might also try using system restore to restore to a point prior to the infection.

I don't have the guts to dig into the registry, but I did do this;
I logged as my wife and then switched users as it was loading.
Then on my login I opened Task Mgr and found the little bastard was named 314616586.EXE-O5CD03AC
Shut it down and returned to the wife's login.
Found the file in C;\Windows\Prefetch
Removed the EXE extension.
When I logged back on to her side it created another one!
So tomorrow I'll run Malware in safe mode and see what happens.

[proten]

You can also go to "Start - Run"
Then type in "MSCONFIG"
That will take you to the system configuration.
then look for the  program that's
causing the problem.

[staz]

is the free version of Malwarebytes any good? i was thinking of downloading it.....

[uniman]

The free Malwarebytes has saved me on three occasions now. I should cough up the $25 and get the full version.

I just tried downloading it again and this time it loaded without errors! Running a scan and it has detected 5 infected objects so far! So it's looking good.

I bet the Sprint SmartView aircard was the cause of the incomplete download and not the virus/malware.

Would rather have this thing beat before I call it a night!

[staz]

i just ran it too it found nothing, so thats a good thing......

[CaptainHappy]

The free Malwarebytes has saved me on three occasions now. I should cough up the $25 and get the full version.

I just tried downloading it again and this time it loaded without errors! Running a scan and it has detected 5 infected objects so far! So it's looking good.

I bet the Sprint SmartView aircard was the cause of the incomplete download and not the virus/malware.

Would rather have this thing beat before I call it a night!

Jim,

I hope that got got it beat! Those things are a bitch.... I feel that virus makers should get the death penalty, immediate, and no appeals!

CaptainHappy

[uniman]

Things are looking ok now!
Malwarebytes found 4 bad files, 2 bad registry files, and 1 bad memory file. One I had already deleted, so the total would have been 8.
 This crap is just a big pain in the rear!
Thanks for all the replies!! 

Here is the scan log, I replaced my wife's name with "wife". She likes her privacy, sort of like Mrs. Columbo. (anyone remember that?)


Scan type: Full scan (C:\|F:\|)
Objects scanned: 222200
Time elapsed: 54 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\WINDOWS\temp\_ex-08.exe (Spyware.Passwords) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\DownloadWare (Adware.DownloadWare) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sniffer (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\temp\_ex-08.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\wife\Local Settings\Application Data\314616586.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\wife\Local Settings\temp\0.4191665775512726.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\wife\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

[staz]

why dont you just do a complete factory reinstall?