Fake Antivirus "XP Total Security 2011" Tools and info on how to remove.

stephen500
Member
Posts: 105
Joined: Sun Feb 15, 2009 8:45 am
Location: Chester, England

#1

Post by stephen500 »

I have spent the best part of a weekend removing a fake antivirus solution called "XP Total Security 2011". This is a nasty virus that appears to have been downloaded through a fake "Adobe Reader" update.
It disabled admin rights and hijacked browsers so that you cannot install proper antivirus products via URLs or install them from discs etc.
However, with some research on the internet I got rid of it.
How did I do it?
Btw, I am now of the opinion that the church antivirus software "Sophos" is not fit for purpose and the church should end this contract. This is the second church computer that I have had to fix where Sophos has failed in stopping and removing infections.

How to remove "XP Total Security 2011"
Stage 1) Install a DOS prog called Rkill.
http://www.bleepingcomputer.com/forums/topic308364.html
It stops all malware and will allow you to go to stage 2.
Rkill only stops processes and they restart on reboot, so follow the rest of the solution before you reboot.
Stage 2) Next select "XP Total Security 2011" (this is the FAKE antivirus product that we are going to fool into thinking we have paid for) and click "manually activate".
Enter the code 1147-175591-6550.
Let it do its business and then set about using its control panel to disable all functions.
Stage 3) Download to a USB stick from a clean computer "SuperAntiSpyware portable edition".
http://www.superantispyware.com/port...g=SAS_HOMEPAGE
Then install it on the infected computer and run and clean.
Stage 4) Reboot the computer.
To read about this infection, read http://www.precisesecurity.com/rogue...security-2011/

This MLS computer was infected with:
6 Trojans
3 disabled security centres
1 Trojan Agent/Gen fraud alert
1 Trojan Agent/Gen Explorer fake
1 Trojan Agent/Gen Pec
Sophos found none of them.
If you ever need any help with this, e-mail me at Stephensinclair8@aol.com
I have liaised with the Global Services help desk and the MLS supervisor UK.
I am trying to persuade the Church to purchase the "non-profit edition" of SuperAntiSpyware portable, as we want to be honest in our dealings with men.
http://www.superantispyware.com/nonprofit_license.html
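An added example, not part of the post above or of any tool it mentions. The post's key warning is that Rkill only kills running processes and the rogue comes back on reboot, so whatever relaunches it must be found and removed before rebooting. On Windows XP that relaunch point is normally a per-user autostart value or a hijacked per-user `.exe` file association in the registry. The script below parses a `.reg` file (the format `reg export` writes) offline and flags the entries a responder should review: autostarts launched from user-writable directories, executables with random-looking names, and any per-user `.exe\shell\open\command` key, which does not exist on a clean machine. The registry text embedded in it is constructed for this example; the key names, file names and paths are illustrative, not indicators taken from the rogue itself, and the "user-writable path" and "no vowels" tests are heuristics, not detection rules.

```python
"""Offline triage of a Windows autostart .reg export (illustrative example)."""
import re

# Constructed sample of what `reg export` produces for the per-user Run key
# and a per-user .exe association key. Names and paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"xkqwpf"="\"C:\\Documents and Settings\\clerk\\Local Settings\\Application Data\\xkqwpf.exe\""

[HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\clerk\\Local Settings\\Application Data\\xkqwpf.exe\" -a \"%1\" %*"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# value line: "name"=data   or   @=data  (@ is the key's default value)
VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')
# directories an ordinary user can write to on XP/Vista/7
USER_WRITABLE = re.compile(
    r'\\(Local Settings\\Application Data|Application Data|Temp|AppData)\\',
    re.IGNORECASE)


def unescape(s):
    """.reg string data escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg export."""
    result = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else '(Default)'
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])
            result[current][name] = data
    return result


def image_path(command):
    """Pull the executable path out of a command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def looks_random(path):
    """Heuristic: an all-letter basename of 5+ chars with no vowels, e.g. xkqwpf.exe."""
    base = path.rsplit('\\', 1)[-1].lower()
    stem = base[:-4] if base.endswith('.exe') else base
    return stem.isalpha() and len(stem) >= 5 and not any(c in 'aeiou' for c in stem)


def triage(reg_text):
    """Return (key, value_name, reason) tuples for entries worth a human look."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        for name, data in values.items():
            if key.lower().endswith(r'\.exe\shell\open\command'):
                # A clean system has no per-user override; the stock handler is "%1" %*
                findings.append((key, name, 'per-user .exe association hijacked: ' + data))
                continue
            path = image_path(data)
            if USER_WRITABLE.search(path):
                findings.append((key, name, 'autostart from user-writable path: ' + path))
            elif looks_random(path):
                findings.append((key, name, 'random-looking executable name: ' + path))
    return findings


if __name__ == '__main__':
    for key, name, reason in triage(SAMPLE_REG):
        print(f'{key}\n  {name}: {reason}')
```

To use it on a real case, run `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the same for `HKCU\Software\Classes\.exe`) after Rkill has stopped the processes, or export from the hive of a drive mounted in a clean machine, then feed the file's text to `triage()`. Anything it flags should be checked by hand before the box is rebooted; a hit is a lead, not a verdict.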
Aczlan
Member
Posts: 358
Joined: Sun Jun 06, 2010 5:29 pm
Location: Upstate, NY, USA

#2

Post by Aczlan »

I agree that SuperAntiSpyware is a great program. I have used it on friends' computers and it will take out bugs that nothing else will.
Out of curiosity, did you try just running SAS in Safe Mode? I have removed several of the fake AV programs (AV 2009 and 2010 IIRC) and have only needed to boot into safe mode.

As for Sophos not catching it, we have had similar issues with Kaspersky at work. It catches most things, but there are fringe cases that it misses. I don't know about Sophos, but Kaspersky is better than what it replaced.
When we got Kaspersky we looked at Sophos (they were both highly rated by http://www.av-comparatives.org/), but for our size organization (~700 computers in 43 locations), the Sophos central control software was overkill.

Aaron Z
stephen500
Member
Posts: 105
Joined: Sun Feb 15, 2009 8:45 am
Location: Chester, England

#3

Post by stephen500 »

I tried in safe mode but the (fake) "XP Total Security 2011" even maintained its hijack there. The only solution that would work was the one I gave. I also had to fake-purchase the product! Sophos, in my opinion, is rubbish, and if the church persists with it, it will just have more infected computers.
JamesAnderson
Senior Member
Posts: 773
Joined: Tue Jan 23, 2007 2:03 pm

#4

Post by JamesAnderson »

I just sent a few fake Adobe download URLs that showed up in spam to Blue Coat Systems (parent of K9); they added them within a day to their database as 'Suspicious'. They're far more proactive about this type of thing than anyone, even regarding the front-door pages to these things. They block this stuff at the content-filtering level, an additional layer in the antimalware regimen that will prove helpful regardless of what else you use.

I've also heard some nasty rumors that Sophos does not remove the viruses that infect the computer, and those rumors state that you pretty much have to call Sophos for them to go in remotely and remove the virus that Sophos identified as having infected your machine, as it supposedly doesn't even quarantine whatever infected your machine. It would be worth knowing if those rumors are true or not.
stephen500
Member
Posts: 105
Joined: Sun Feb 15, 2009 8:45 am
Location: Chester, England

#5

Post by stephen500 »

I was told by the ward clerk that the fake antivirus was downloaded from what he thought was an Adobe Reader updater, which ties in with what you said about fake URLs for Adobe. I had a heated conversation with Sophos in which I said that if I had anything to do with purchasing antivirus software I would get rid of them. They do put things into quarantine when they find them, but you need Sophos admin rights to clean them out of there, which as a stake clerk I know how to do. But Sophos failed to stop 9 Trojans and hijackers. They need to up their game. They gave me a phone number for customer services, so next time we get a virus they don't catch, I will be on to them. I wish the church had a proper feedback contact number, as I would like to report the problems we had with Sophos.
Mikerowaved
Community Moderators
Posts: 4728
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#6

Post by Mikerowaved »

I spend a good part of each and every day removing malware from desktop and notebook computers. Trust me when I say that no AV software is infallible. When infected, it's often a "race" to see if the malware can disable the AV software (or hide from it) before the AV software can detect and deal with the infection.

Since it's very hard to attack some viruses while they are actively running, the best way to deal with a serious infection like you've encountered is to pull the HD from the infected machine, install it in another known virus-free PC and scan it every which way from Sunday with different programs (yes, including SuperAntiSpyware) until you're satisfied it's clean. Then put it back in the original PC and scan it again with the AV program in that PC. I've had extremely good success with this process, although it DOES take quite a bit of time.

The other way is to boot from a "live CD" and attack the virus with AV tools pre-installed on the CD.

Unfortunately, viruses are a fact of life and they are getting more and more sophisticated. It's not entirely Sophos at fault. I've seen every major brand of AV software get overrun at one point or another. With the new PCs I just installed in our stake, I set the Clerk account to a standard user in Windows 7, so hopefully, if that works out, future viruses won't be able to get very far if they get accidentally introduced to the system.
So we can better help you, please edit your Profile to include your general location.
lrawlins
Member
Posts: 67
Joined: Sat Mar 27, 2010 8:59 am
Location: Corona, CA

#7

Post by lrawlins »

Another source of information on getting rid of stuff like this is http://www.pchell.com

I don't know if the firewall would block them or not, but they have helped me on more than one occasion.

Bye
MatthewEhle
New Member
Posts: 16
Joined: Fri Aug 12, 2011 2:07 pm
Location: Riverton, Utah

#8

Post by MatthewEhle »

Why not just run Linux on all of these computers? :cool:

I'm only half-joking actually. If MLS could be ported to run on Linux, why not? I'm not a ward clerk, but I have been an auditor and have worked with clerks on my mission. It seems that for most wards, Windows is not a necessity. If you think about how much money could be saved on thousands of Windows licenses, and how much hassle could be saved on anti-virus efforts, it may make quite a bit of sense to consider it.
Matthew Ehle
Access Management Engineer
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#9

Post by aebrown »

matthewehle wrote:Why not just run Linux on all of these computers? :cool:

I'm only half-joking actually. If MLS could be ported to run on Linux, why not? I'm not a ward clerk, but I have been an auditor and have worked with clerks on my mission. It seems that for most wards, Windows is not a necessity. If you think about how much money could be saved on thousands of Windows licenses, and how much hassle could be saved on anti-virus efforts, it may make quite a bit of sense to consider it.
I would completely disagree with the statement "for most wards, Windows is not a necessity." Most users are not at all familiar with Linux, so it would be much more difficult to support. And there are other software applications that run on most ward and stake computers -- it's not just MLS. I've never had a virus on a ward administrative computer in my 14 years as a stake technology specialist, so in my opinion it makes no sense to incur all the pain of changing the OS to fix a problem that is not a problem for our stake at all.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
jdlessley
Community Moderators
Posts: 9833
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#10

Post by jdlessley »

matthewehle wrote:Why not just run Linux on all of these computers? :cool:

I'm only half-joking actually. If MLS could be ported to run on Linux, why not? I'm not a ward clerk, but I have been an auditor and have worked with clerks on my mission. It seems that for most wards, Windows is not a necessity. If you think about how much money could be saved on thousands of Windows licenses, and how much hassle could be saved on anti-virus efforts, it may make quite a bit of sense to consider it.
There are quite a few who have advocated using Linux. It is a consideration but not an option. CHQ provides the computers and the operating system. Anything other than Windows is not supported by the GSC (GSD) and LUS. Then there is the issue of training people to use Linux.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?