400,000 PCs Infected With Fake "Antivirus 2009"
nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."
"over 394,000 PCs report massive amounts of virus infections due to the accidental removal of Antivirus 2009"
Remove my win32 directory?
At my job, we've used Malwarebytes to fix about 200 PCs with this so far. It's a good alternative.
Those who believe the Internet is private,
find their privates are on the Internet.
I was tasked with getting this thing off my mom's laptop. That was tougher than any other piece of malware I've ever dealt with.
I also had to convince my dad that there was no easy way to sue the "manufacturer" of this program.
Convert FLACs to a portable format with FlacSquisher
In having to do support for assorted windows users, I've seen assorted popup/redirect stuff pushing that particular fine piece of software a lot. Most disconcertingly, it even happens to users visiting what one would think of as reputable sites, on machines with fully updated AV that reports no issues.
I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in Windows land (poor bastards).
Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.
Now let's hope Symantec is not going to sue them... :)
I wonder how many of the clueless will complain to Microsoft that the removal tool removed software THEY HAD PAID FOR
iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs
It'll never happen, but I'd like to see one of those guys try to sue Microsoft for violating their EULA; would Microsoft try to claim that the EULA was invalid?....
One can always dream.
-I'm just sayin'
The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
When will their idea of malware differ from mine?
Will they always do it correctly (no collateral damage)?
Particularly bad virus. It blocked all antivirus web sites and even blocked programs on the computer. I could put Spybot Search and Destroy on the computer, but it wouldn't even start. What I finally had to do was rename combofix.exe to something else like fix.exe, and then it ran and removed MS Antivirus 2009. I did try Malwarebytes but it wouldn't even install, even if I renamed it.
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
This family of infectors is probably, by far, the worst spyware/hijacking piece of junk I've ever seen. I can't help but feel that 400,000 isn't nearly the number that has actually been infected, simply because nobody I know actually uses MSRT, and I seriously doubt that any machine that gets infected with it could actually get back into the condition where it can download and/or install MSRT, or virtually any other software. It's just that bad.
Yep, got called round to my brother's house to fix his computer cos it had this stuff on it.
I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).
Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).
I should have brought round a ubuntu live cd with me.
*golf clap*
Anyone besides me concerned though that this piece of shit malware was eliminated on that many PCs? Doesn't that just scream that there is something fundamentally wrong with the browser and/or the OS?
To take into 2009 :-)
If I had an Ass, I'd call it Fanny Bottom, then I could slap my Ass; Fanny Bottom, on the Arse.
I do not have anti-virus/spyware/malware software installed, the only firewall I have is in my router, my computer is on and connected nearly 24/7, and I have not gotten any viruses/malware/spyware in at least 3 years. Windows XP fully updated, careful browsing/downloading habits, and liberal use of free online scanners for suspicious software before execution has served me well. The problem is too many people are click happy and ignore common sense, basic safe computing habits, and in general are looking for a quick fix they don't have to think about. This leads to people falling prey to the pop-up ads claiming their computer is infected so they can download the latest botnet zombification software. Up until a year ago, I was having to clean my sister's PC on a weekly to monthly basis due to all the crap she downloaded off the internet. After convincing her to try the safe habits I practice for a month, in which time her computer worked perfectly, she realized she was the source of her computer problems and corrected her attitude towards computer security, with no problems to this day.
Ignorance is Bliss -- And the Opposite is True -- Genius is Madness
Thanks Microsoft for thoughtfully protecting all the Zunes from this outbreak.
I have uninstalled this parasitic piece of crap from the same guy's laptop no less than four times over a period of months, even doing my best to educate him about the situation. The Malware Removal Tool is not going to make any difference if the user is intent on reinstalling it as soon possible.
An actually responsible thing to do might be for Microsoft to run a friendly educational campaign about malware and viruses... a lovely dream.
Now OpenOffice doesn't work either!
Bite me
If only 400,000 machines were infected, then it would seem that Apple And Linux have taken over the desktop.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
www.ubuntu.com
www.opensuse.org
www.fedoraproject.org
www.freebsd.com
www.opensolaris.com
I'm not saying this as flamebait but I'm really tired of users who consistently post in forum after forum that they don't run antivirus, firewall, or antimalware applications. Then, just like you, they claim they don't have any infections. How would you know even if you had an infection without running a scanner? Online scanners are great but they only cover files that you're going to run of your own volition. They do not cover infections that occur through holes in the browser and/or OS. This is where the fundamental problem lies in your strategy.
Case in point, let's say you browse to a website that uses a hole in your browser to get code onto your system that opens a port via UPnP in your router. Then through the open port your machine starts infecting/spamming others. How would your methods guard against that?
Safe computer habits are great when you can trust your Operating System and browser to be secure all while you're not logged in with an account with "Administrator" (root) level privileges. Too bad Windows can't be trusted to be secure and, therefore, necessitates the need for antivirus, antimalware, and firewall.
To run the MSRT program you need to run mrt.exe from the "run" dialog box or a command prompt in Windows.
You can directly download the latest mrt.exe
Why does the malware removal tool report back about what it finds? Do all such tools do that?
"Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
User maintains more than a dozen sockpuppet accounts on Slashdot.
I consider myself a pretty knowledgeable computer user as I've been in IT for 6 years now working in technical support, network administration, and development. Spybot and AVG would not even run and I couldn't reinstall them. Trend Micro's online scanner would stop working half way through. I installed Ad-Aware and that removed some of the junk. Then I installed Avast and that removed a bit more. At this point I was able to run Spybot and that removed a bit more. Finally after running Malwarebytes or whatever it's called + Spybot + Ad-Aware + Avast + Malwarebytes again for good measure my XP system is "clean." Though who really knows? My system is speedy again, as well as my internet, but I have the sneaking suspicion my PC is working the graveyard shift for a botnet....
So how long will it take to clean up the entire population of Windows PCs?
This kind of propaganda is counterproductive. First of all, this is a negligible effect, secondly it pretends that MS takes care of Windows users, and thirdly it doesn't emphasize that safe computing is far more important than all security software in the world.
thegodmovie.com - watch it
I recently felt that same way, that it was mostly due to people downloading weird stuff. Then I browsed a cached version of a Google page, which launched some JavaScript and completely destroyed my install of Windows Server 2003 (it wouldn't boot up at all). Afterwards I switched my home browsing to Firefox with NoScript and AdBlock Plus.
Fast forward to work a couple weeks ago, running IE7, Norton Anti-Virus, and the typical corporate firewalls. All I did was have a pop-up ad from a boring site and my computer was infected through the IE 7 vulnerability.
I think what has to happen is that browsers have to be locked down and sandboxed to the point where external sources have no access to the inner workings of a machine. Otherwise there's simply too much risk with ordinary browsing.
This is more a comment about people not wanting to pay significant sums of money on an annual basis to the antivirus companies.
Quite honestly, I never had a concern about this until I had to install AV software on 7 computers.
It's bad enough they nail you for $30 to $90 for software, but then next year they want you to fork it over again.
We would all be better served if free antivirus software became the mainstream, and costly software for corporate use. Sure, AVG is alright, but with Windows being so crappy, why isn't serious antivirus/anti-trojan software distributed with it instead of trial-ware Symantec?
I am open source, and Linux baby!
I find it incredibly funny that the same people offering this rogue application are now offering a remover, which has even more malware and crap in it.
I had to remove this off of my uncle's computer over Thanksgiving. I thought I had succeeded but then I heard Howie Mandel's disembodied voice shilling for buy.com, a clear signal that some more work needed to be done. It's a tenacious little sucker; I ended up downloading Malwarebytes and having to rename the install file. I guess it recognized it and was blocking it.
There's no way to know unless you're running free software (software you're free to inspect, share, run, and modify) to do that job.
By the same token, any proprietary software (regardless of its purported task) should be troublesome. Technically there's nothing that prevents a proprietary statistical analysis program from doing things you wouldn't want done without your full consent such as removing programs, altering files, opening a remote access point for someone, or sending information about your computer somewhere.
The faithful are numerous and clear: Apparently setting up a slick-looking website which claims that a program is trustworthy is enough to convince many people that that program won't do something bad. Even amongst what passes for technical conversation on sites like /. the religion goes unquestioned; this view prevails despite that nobody really knows what AVG, Norton, McAfee, and so many other anti-malware programs do. You'd think that at least for security software (such as what's being discussed in this thread) you'd see numerous challenges to any proprietary anti-malware software (even though logically and ethically there's no reason to limit software freedom to just security tasks).
I guess it will take some more time and more hard knocks to make people understand that price and freedom aren't the same thing and that freedom encompasses (and is a lot more valuable than) price since, with freedom, all can share as they wish commercially or not. I certainly don't have the time or skill to inspect every program I use, and I certainly don't trust proprietors to tell me the real story on what their programs do. So I'm not going to choose to cut myself off from other people inspecting what they can, improving and sharing along the way.
Digital Citizen
I mean, 2009 isn't even there yet and people think this program can exist? Pfft. I bet 80% of the infectees are car manufacturers!
My girlfriend's laptop got infected before I knew this was a common virus (I just found that out) so I was searching all over. Most virus scanners and malware programs missed it (Trend Micro online scanner, Norton online scanner, Ad-Aware) but Malwarebytes found it all and killed it! I was so happy when it worked!
-Taylor
Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
I'm not sure how this happened. Our personal little website (prestopnik.com) got hit by these guys. They put some redirect rules into our .htaccess file, such that if you were visiting our site from one of about 6 different domains, it redirected you to their site. We didn't see it for a long time, because we usually just visit our site directly, but if you were coming from a link in Yahoo mail, or found it via Google or something, you got redirected.
Our hosting tech support said one of our computers was infected, but from looking online, I didn't see signs of an infection on our side, but I'm still not 100% sure what happened, and if we are clean now. I think we run on our shared machine for hosting (linux though), maybe they got in like that?
Computers don't make mistakes. What they do, they do on purpose.
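The referer-conditional redirect described in the post above is a standard pattern for compromised shared-hosting sites: the injected rules fire only when the visitor arrives from a search engine or webmail, so the site owner, who types the URL directly, never sees it. The following is an added example, not code from the poster or from Apache. It parses mod_rewrite directives from a constructed .htaccess sample (the host names in it are placeholders, not the actual domains involved) and flags every RewriteRule whose preceding RewriteCond lines test HTTP_REFERER and whose target is an absolute URL on a host other than the site's own:

```python
import re

# Constructed .htaccess sample modelled on the post: one legitimate
# canonical-host rule, followed by an injected block that redirects visitors
# arriving from a few referrers to an external host. All host names here are
# placeholders invented for this example.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteBase /
# legitimate rule: canonical host
RewriteCond %{HTTP_HOST} ^www\\.example\\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]
# injected block
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC]
RewriteRule ^(.*)$ http://malicious.invalid/in.cgi?3 [R=301,L]
"""

# RewriteCond <TestString> <CondPattern> [flags]
COND_RE = re.compile(r"^RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
# RewriteRule <Pattern> <Substitution> [flags]
RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
ABS_URL_RE = re.compile(r"^https?://([^/]+)", re.I)


def find_referer_redirects(htaccess_text, own_hosts):
    """Return a list of findings for RewriteRules that redirect off-site and
    are gated on the Referer header.

    In mod_rewrite, RewriteCond lines apply only to the next RewriteRule, so
    the pending conditions are reset after every rule.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # (test_string, cond_pattern) awaiting the next RewriteRule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments may sit between Cond and Rule
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(2)
            referer_patterns = [pat for var, pat in pending
                                if "HTTP_REFERER" in var.upper()]
            host_m = ABS_URL_RE.match(target)
            external = host_m is not None and host_m.group(1).lower() not in own
            if referer_patterns and external:
                findings.append({"line": lineno, "target": target,
                                 "referers": referer_patterns})
            pending = []
    return findings


if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE_HTACCESS, ["example.com", "www.example.com"]):
        print(f"line {f['line']}: redirect to {f['target']} when Referer matches {f['referers']}")
```

Run it against a downloaded copy of the live .htaccess rather than a local backup, since the hosting account, not the owner's PC, is where the injection lands; a clean local copy proves nothing about the deployed file. The check only covers mod_rewrite; a complete sweep would also look at Redirect/RedirectMatch directives, PHP files with header("Location: ...") calls, and any file in the account with a modification time after the last legitimate upload.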
It can be very difficult to remove. I got it from visiting a website at work. It being my work computer, I simply couldn't just take out the hard drive and scan it from another computer - and the anti virus software couldn't do it either (ClamWin, Avast, and McAfee) - though McAfee did delete a few as they were installing.
In the end what worked was Hijackthis (to find out what files were starting up with Windows), Google search (to find out about the files listed) and Unlocker (to delete the running malware files). I did everything while keeping the work computer off the internet. For internet searches I used the laptop.
Google is useful for more than just searching for websites. Every known file can be discovered. What this virus did was create files with random names Google did not know about (such as "hgGxvwvT.dll"). So, I targeted them anyway since they were created the moment I was infected. In the end, the file I had to get rid of was a file I thought I needed - PSSDNSVC.exe - but this is something you have to specify to install, and since it was created the moment I got infected, I deleted it too.
Deleting a file in use can be an interesting thing. These files were being used by Winlogon, so when I hit it with Unlocker, the computer promptly crashed. The random dll files were actually decoys about 120k in size. So I don't think they serve much function other than to confuse you or perhaps do malicious things in spite of you. These were simply replaced when I deleted them. The real source of everything was PSSDNSVC.exe, deleting that got rid of the replicating dlls.
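The poster's triage method, looking each autostart file name up and treating unknown, random-looking names created at infection time as suspects, can be partly automated. The following is an added example, not the poster's procedure or any vendor's tool. It scores file names from an autostart listing for the signs of machine-generated names: interior case changes, an absence of vowels, and long consonant runs. Only "hgGxvwvT.dll" and "PSSDNSVC.exe" come from the post; the other names and all thresholds are constructed for this example.

```python
# Constructed autostart listing: a few well-known Windows file names plus the
# kind of random-looking names described in the post. hgGxvwvT.dll and
# pssdnsvc.exe are the names the poster mentions; the rest are invented.
SAMPLE_ENTRIES = [
    "userinit.exe", "explorer.exe", "ctfmon.exe", "igfxtray.exe",
    "hgGxvwvT.dll", "qoMfCrTu.dll", "pssdnsvc.exe", "byXqRjIh.dll",
]

VOWELS = set("aeiouy")


def case_alternations(stem):
    """Count lower/upper transitions between adjacent letters. Real Windows
    file names are almost always uniform case; rand()-built names are not."""
    letters = [c for c in stem if c.isalpha()]
    return sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())


def vowel_ratio(stem):
    """Fraction of letters that are vowels (y counted as a vowel)."""
    letters = [c.lower() for c in stem if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def longest_consonant_run(stem):
    """Longest run of consecutive consonants; pronounceable names stay short."""
    run = best = 0
    for c in stem.lower():
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def randomness_score(filename):
    """Heuristic score; thresholds are assumptions chosen for this example.
    0 = looks like a normal name, higher = looks machine-generated."""
    stem = filename.rsplit(".", 1)[0]
    score = 0
    if case_alternations(stem) >= 2:
        score += 2
    if vowel_ratio(stem) < 0.12:
        score += 2
    if longest_consonant_run(stem) >= 5:
        score += 1
    return score


def suspicious_names(filenames, threshold=2):
    """Return the entries whose score reaches the threshold, in input order."""
    return [f for f in filenames if randomness_score(f) >= threshold]


if __name__ == "__main__":
    for name in SAMPLE_ENTRIES:
        print(f"{name:16s} score={randomness_score(name)}")
    print("suspects:", suspicious_names(SAMPLE_ENTRIES))
```

The score is a triage aid, not a verdict: legitimate names such as igfxtray.exe pick up a point for their consonant run, and nothing stops a malware author from choosing pronounceable names. The poster's decisive evidence was the creation timestamp, which is why the output of a scorer like this should only decide which files to look at first, with the file's creation time, digital signature and on-disk location settling the question.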
I do a similar thing but I start with Knoppix and use that to access and clean Windows folders, then boot Windows and use HijackThis to see what was referenced and make sure I've got it all.
As you say this approach seems to work with pretty much everything
Your thoughts form your reality.
I like open-source software as much as the next /. user, but there are some areas in which OSS has not caught up with the proprietary market. ClamAV is a good solution for Linux, and they have a windows port, but neither one has built-in real-time protection. You can implement it with a hack, but some people like their computer to be free of duct tape.
My wife's Windows XP laptop was infected with this virus. This was her last straw. She came to me and asked if there is anything that can be done. I told her she can reduce her exposure to these pieces of malware if we were to install Linux on her laptop. It's been 5 days since we installed Ubuntu 8.10, and while there are some slight differences, she is enjoying it. I had been running Ubuntu for some time now.
The EULA for the software does ask if "you agree" during the install. This EULA includes a provision to collect and report statistical data. Microsoft's data is personally unidentifiable.
Google also does statistical analysis. As does Yahoo and most Internet companies.
I personally decline the malicious software install of the systems I maintain. I know the system is clean and infection is not probable.
...at the Geek Squad. People honestly tell me "Hey, I got this sweet program and it says I have a million infections and all I have to do is send them like $40 to fix it. But I can't get spybot to run, tho." People + Computers = Catastrophe. "It's on the internet, so it must be legit."
http://forums.majorgeeks.com/showthread.php?t=35407
My laptop users at work got hit with this pretty hard, Symantec Endpoint 12.5 didn't even whimper when they installed it. The users were particularly upset as they thought they were actually being responsible by making sure they had "all the security software updated." *slaps head* My desktop users were fine, as they don't have admin rights.. This is one huge PITA to remove, I gave up and just re-imaged for 'em.
Here's some fun trivia: Contrary to popular belief, Windows only rode on top of DOS through version 3.11. 95 and 98 only looked like they did, by optionally loading 16-bit legacy DOS drivers as part of the Windows startup process, and by providing both DOS VMs and an option to boot into DOS Mode (which actually was MS-DOS) for backwards compatibility with legacy DOS apps.
This page has a pretty good overview of Windows 95 architecture, with some diagrams that show the various OS components, none of which is a full copy of DOS that has a GUI riding on top of it as found in Windows 3.11 and earlier. Instead, there is a 32-bit kernel which uses 32-bit device drivers exclusively, unless the user installs a legacy DOS driver.
If any DOS apps are run within Windows 95, they run in their own DOS virtual machine, and if no DOS apps are running, no DOS VM is created. These VMs are similar to those in Windows NT; what is not similar to Windows NT is the ability to load DOS device drivers to support legacy hardware that had no 32-bit protected-mode driver.
Those DOS drivers almost always ran slower than 32-bit drivers and frequently caused problems, to the extent that one of the first steps in troubleshooting a Windows 95 system was to check the autoexec.bat and config.sys for unneeded DOS drivers, or simply renaming those files to get rid of the gunk.
If there really were a copy of DOS running underneath Windows 95, renaming autoexec.bat and config.sys would have removed all the device drivers, leaving you with no access to your CD-ROM drive due to a lack of MSCDEX.EXE, which is needed by all versions of DOS, including the "DOS Mode" of Windows 95.
My truck is like a series of tubes.
With regards to the people recommending Malwarebytes to remove WinAntivirus 2009, be warned that it does not remove the whole program. Often you are better off reinstalling.
If the Malicious Software Removal Tool really worked, it would have to remove Windows from the computer!!!!!!!
We got this $(EXPLETIVE) $(EXPLETIVE) piece of $(EXPLETIVE) on the young one's PC, and it was an absolute bear to get rid of. I'm still not entirely sure we eradicated it. It's nice to see some bigger guns applied to the issue.
Schwab
Editor, A1-AAA AmeriCaptions
I've encountered that crap. It's mean. It infects the security center and every time you manage to rip it apart and trash the files, security center brings it back to life and runs some more of the infected files to warn you that the software has now been disabled.
"Of course it was disabled, it's malware you ignorant piece of crap!" The problem was that Microsoft created a special place for the malware to infect so that it was way harder to dislodge than other malware. Usually hijackthis and a few scans is enough to fix anything. But, not that... nope.
I think it's one of those cases where Microsoft should pat itself on the back for fixing a tiny problem that they themselves caused. They deserve all the acclaim they get. Does anybody recall how fantastic Windows 2000 was? You'd switch from ME to 2000 and you'd be astounded! It's been up for three weeks straight without crashing!!!!
Bravo Microsoft.
It is no longer uncommon to be uncommon.
It is simply the best solution I have seen on the market. I use a variety of solutions, and the best I have found so far is Spybot Search and Destroy along with PSI. I can even browse porn with Windows now... Imagine that..
Some do, some don't, some are configurable. A lot of companies want their tools to check in so that they can measure how widespread something is and react accordingly. For example NOD32 can be configured anywhere from submitting no information to submitting anonymous statistics as well as files it flags as potentially unsafe but can't identify. They want the information because it helps them better update their virus database and respond to new threats faster.
Also many corporate AV/AM products can do very full reporting back to the central server. They'll check in and say when they ran, what they found, where it was, etc.
Analysts predict that 400,000 PCs will be infected with Antivirus 2010.
Well, well...at least it's OVER NINE THOUSAND!!!1
A good education is a bit like a STD - it makes you unsuitable for a lot of jobs and gives you a desire to spread it.
Honestly, the best way is to use a boot CD with BartPE on it and use a combination of removal tools and the Remote Registry Loader plugin to get rid of it. Then boot into safe mode and run programs like Spybot to remove all of the less obvious registry entries this thing puts in. I've seen variants that leverage group policy to disable regedit, the control panel, command prompt and even the display settings window.
My daughter brought her laptop home for the holidays and was complaining that it has been very slow and unable to connect to the internet for the past few weeks. I booted and found this crap installed and tried for about 4 hours to remove this crap before discussing installing Ubuntu. I copied her documents off and installed Ubuntu and she has been happily working for the past week with no issues whatsoever. Not THE solution for everyone, but she mainly uses it for research and online social networking so there were no "linux killer" applications that I had to consider with her. The printer she has will work fine with Ubuntu. Total time to copy documents, install, and then configure the installation like she wanted was 2 hours.
read NT Shell Scripting by O'really.
boot to a live dvd. (Bart's PE) and kill the bugger
after: check your head, build a good hosts file (or get MVPS) and quit clicking on the links that say free penis enlargement.
You don't *need* drivers for CD-ROM access in DOS. Drivers just provide an API where you can communicate with the hardware. However, if you're an application developer and you're cheeky and/or stupid, you could just code commands to the ATA device to communicate directly to the CD-ROM drive, which is exactly what Windows 95 does, it has its own set of built-in drivers. You can boot Win95 without MSCDEX, or at least, you could boot Win98 without MSCDEX.
Doesn't change the fact that the Kernel blew, or that it was complete garbage.
Non impediti ratione cogitationus.
Try deleting the hidden system files (.SYS) in the root of your boot drive and see how far Windows 9x gets while booting.
The 9x Windows did ride on top of DOS, but replaced (and I'm using the word very loosely) DOS with its own kernel and drivers. DOS was still there, hiding in the background, but most everything was handled by the 32-bit protected mode code of 9x.
Also, there was no "virtual machine" for DOS in 9x. Windows took a snapshot of the DOS environment before it took over, and was able to present this environment to the user via V86 mode. This was, more or less, the same way Quarterdesk's DesqView software worked, except without the pretty graphics of the Windows GUI. A virtual machine implies much of the hardware is emulated, which it was not.
Renaming autoexec.bat and config.sys would have no bearing on the Windows environment because once Windows took over, it used its own .ini files and the registry to store and retrieve hardware and software configuration information.
Any drivers/TSRs run before Windows started would still be present after Windows loaded. In fact, one simple change to a single file caused Windows to not even load, booting instead to a plain old C:\ prompt. One could then later start Windows by executing WIN.COM.
Even Windows ME had DOS still hiding underneath it all. Windows versions based on the NT kernel are the only ones that did not rely on some version of MS-DOS to bootstrap Windows.
I really don't think you know what you are talking about.
Also, there was no "virtual machine" for DOS in 9x. Windows took a snapshot of the DOS environment before it took over, and was able to present this environment to the user via V86 mode. This was, more or less, the same way Quarterdesk's DesqView software worked, except without the pretty graphics of the Windows GUI. A virtual machine implies much of the hardware is emulated, which it was not.
... I knew I should have actually thought a bit harder before I posted. This is wrong, as Microsoft did refer to it as a virtual machine. I'm going to go ahead and blame my bit of idiocy here on the wicked head cold I picked up a few days ago. Yeah, that's it.
So wait, they are admitting that all the remaining Vista installs were infected by this malware?
A computer once beat me at chess, but it was no match for me at kick boxing. Emo Philips
A month ago I had the pleasure of removing this piece of malware from a computer owned by a "female" who actually thought it was the real thing. I have to say the interface is better than some of the commercial ones out there.
What about the people like me who removed it before MS's update? I'm your friendly neighborhood shade tree computer nerd who fixes puters for 12 packs and promotes Linux!
At first, we used to use Malwarebytes to clean this infection from our university laptop program, but after a while we just switched to "format and reinstall" when it came to Antivirus 2009.
Why you ask? Because in our dealings with the program, about 30-50% of the infections would also have the TDSS Rootkit embedded with the malicious package. It would hide everything from F-secure (not really surprised there), and although Malwarebytes had the best chance of getting the rootkit and the AV2009 application, it would occasionally be missed by MBAM as well.
We just felt that it was safer for the student as well as the network to start over, move their documents, and sleep well knowing that the rootkit is gone and not logging their credit card or other personal info.
Other interesting notes, most of the students had no idea how they got this. It was browser agnostic (Firefox and IE users would get it) and no specific place was ever found by us to infect a PC. I thought it was at first IM related, but some students had no IM installed. My guess it was either a Flash Ad infection or a Java Ad infection, but again I never found a source to test infection with. And people wonder why users use anti-banner systems like AdBlockplus and Spywareblaster.
In Soviet Russia, Trojan exploits YOU!
This particular piece of work goes out of its way to completely frak up a computer. Can't run antispyware on it because it finds it and disables it. It also fakes bluescreens that to the uninitiated look quite real.
I managed to get this gunk off your average family laptop by simply ctrl-alt-del and killing every process that wasn't a core windows process then zapping it properly with spybot. Even then it left a nice stain on the hard drive with a system-account only folder randomly named in system32.
Stuff like this should be prosecuted as any malicious virus writer would be. And with a definite money trail attached to this program, it shouldn't be too hard.
First there was DOS... Denial Of Service.
Then there was WinXP... "XP" is an emote-icon for dead with tongue hanging out.
Then WinCE... Read it and wince.
Now MSRT... a Malicious, Software Removal Tool (note the comma)
The protection of your data comes from running more free software, not less. Also, I value the software for its freedom, not its features, so I'd rather work to make free software better instead of tossing aside my freedom for something else. In other words, I like powerful reliable programs too, but I'm not going to toss aside my software freedom to get it.
I ran into two machines in the last few days with AV2009, but removing them was rather tricky because there was a rootkit present as well. Despite grabbing AVG, Spybot, Malwarebytes Antimalware, Ad-Aware, Superantispyware etc etc, half of them couldn't install/update/run. I would rename the install files, rename the .exe files, change the install path, it didn't matter. Even in safe mode the rootkit was intercepting and disabling the programs. Vicious little bugger.
Ultimately, I found the culprit to be a rootkit called TDSS. A little googling will give you all the details you need, but essentially going into Device Manager, from the menu selecting Show Hidden Devices, Non-Plug and Play Drivers, and disabling anything with TDSS in the title should solve your problem. Once it's disabled you can get your anti-spyware software to run properly.
I've been out of the tech support loop for a while, and this one made me a little nuts until I found it. Hope the clue helps somebody.
I back the clients data up from a linux environment (usb stick 4tw) over the network to my file server, wipe their system, and reinstall with a slipstreamed disk that disables IE, loads firefox and no-script :P
Always works, always prevents re-infection.
...
Back when it was Antivirus 2008 (and earlier) it was pretty easy to remove (relatively). Kill two processes at once via process explorer (so the tree dies and the other process doesn't revive the killed process), remove some registry and startup entries.
I just had to deal with a new version (friend's PC)- Spyware Guard 2008. What a pain in the ass. This version installed a rootkit, a device driver, locked the HOSTS file, added hidden registry entries, hidden services, parent and child services, downloading stubs to update it to stop detection...antiviruses stopped updating.
I was determined to kill it though. I got SuperAntiSpyware Free edition- free for personal use. Picked up all of the entries (rootkit, files, registry, etc.) and removed them after a reboot, no safe mode necessary. A standalone A/V scan (McAfee boot disc with latest definitions, and a rootkit scan from an OS outside of Windows) turned out clean, which impressed me.
I've also used Malwarebytes on a few PCs- very efficient and effective. I have to PayPal some money to these developers, as these two tools are great and allow even users who were deceived into running this crap to disinfect their own PCs. It also makes a techie's job much easier- a few minutes of running tools versus hours of trying to hack at the thing manually.
I hope whoever is contributing to this P.I.T.A. malware has karma bite them in the ass.
The question of whether 9x "rides on top of" DOS is related to the two somewhat distinct issues of the use of DOS during the boot process, and support for DOS device drivers once Windows 95 has booted.
To me, the fact that the DOS 7 kernel IO.SYS is used to bootstrap Windows 95 does not indicate that 9x "rides on top of DOS" any more than the fact that LILO or GRUB might be used to bootstrap Linux means that Linux "rides on top of" LILO or GRUB.
The fact that legacy DOS device drivers can be loaded during the real-mode portion of the 9x boot process (but need not be kept around afterwards, and by default are not) only indicates that Windows has been designed to tolerate DOS device drivers in order to provide backwards compatibility.
This is a big difference between 9x and 3.x, which requires DOS drivers for sound and CDROM support. This is also the biggest difference between 9x and NT as regards DOS support - NT will not tolerate legacy DOS device drivers at all. This fact makes it perfectly clear that NT does not "ride on top of" DOS, while the fact that 9x is built to tolerate DOS drivers muddies the waters as to whether or not 9x "rides on top of" DOS. To me, the fact that these legacy drivers are not required indicates that 9x is an OS rather than a GUI, and that is the point I was getting at with the CD-ROM driver example.
Taking this reasoning a step farther, the fact that 32-bit hard disk drivers are available under Windows 3.1 leads some to consider 3.1 itself to be somewhat of an OS (or, along with DOS, one of the two components of an OS) rather than simply a GUI, because previous GUIs such as GEM for DOS had no device drivers of their own and relied entirely on DOS for driver support. There is some merit to this argument, and my take on the situation is that there isn't a clear line between GUI and OS where early versions of Windows are concerned, but rather a gradual shift from total reliance on and tolerance of DOS for bootstrapping and drivers in early versions of Windows (which were mere window managers like GEM) to a total lack of reliance on DOS code for these functions in later versions starting with NT 3.1, which first used NTLDR to begin the boot process. Windows 95's place on this spectrum is that it requires some DOS code to boot, but afterwards doesn't require any non-32-bit device drivers at all.
If, when we say that Windows 3.11 "rides on top of" DOS 6, we mean that Windows 3.11 is an application environment which takes advantage of the filesystem and driver support provided by DOS, I don't think that we can accurately say the same thing about Windows 95, which is an OS with a 32-bit kernel and some 16-bit components which uses DOS for bootstrapping but does not need any DOS filesystem or driver support once it's up and running. To me this doesn't equate to having DOS "hiding underneath" Windows 9x. It seems more accurate to me to say that Windows 9x has built-in support for DOS drivers and apps for backwards-compatibility reasons, and uses it during the boot process.
My truck is like a series of tubes.
You make it sound as if Linux is some horribly complicated OS that requires instruction. With Ubuntu, you click on Add/Remove..., install what you want and you're done.
It's only with Windows that the user is enslaved to third party repositories that may or may not be credible or authenticated. This is one of the huge selling points of Linux. I daresay no one using Linux does not know this.
The io file just renamed the autoexec.bat and config.sys files, that's why you couldn't find them. A cursory examination with the Still River shell would have told you that.
This hasn't changed with XP and Vista, it's still MS-DOS commands that make them work. If you don't know DOS directory navigation, you're just a social worker monkey pushing buttons.
If you want the OS itself to be able to access the CDROM drive, and not just your one application, you *need* drivers for CDROM access in DOS. Hard-coding ATA CDROM support in a DOS app would have resulted in an app that didn't work with SCSI CDROM drives, and it would also be a serious case of reinventing the wheel. MSCDEX was already written, hardware manufacturers wrote device drivers to work with it, and it was the only serious choice for getting CDROM support in DOS.
Windows 95, like Windows 98, used modular, 32-bit drivers for CDROM access and generally did not require MSCDEX. If MSCDEX were present in the autoexec.bat and a matching device driver were present in the config.sys, it would be used instead of the 32-bit drivers, and this would generally degrade performance significantly as opposed to just using the proper 32-bit Windows driver. Windows 3.1, on the other hand, relied on DOS for its CDROM support, therefore it needed MSCDEX.
My truck is like a series of tubes.
... but afterwards doesn't require any non-32-bit device drivers at all.
I think you've forgotten some sound card drivers... Win95 more-or-less forced the use of 16 bit sound card drivers.
OK, so ISA (the default for sound cards in '95) was a 16 bit bus, but Win95 definitely still needed 16 bit drivers. In fact, MS kinda forced the BIOS makers to break ISA PnP for sound cards, because they couldn't get the 32 bit drivers right.
".... and over half of the 394,000 machines were running the linux operating system"....
Microsoft AV. So damn good, they had to give it for free.
Back in the day I installed plenty of ISA and PCI sound cards that didn't need 16-bit drivers under Windows 95. There were some older ISA cards that needed them, especially if they weren't popular enough to get a Microsoft-written driver, but in my experience (thousands of cases) that was the exception rather than the rule. Your mileage may have varied if you had a lot of funky old cards.
My truck is like a series of tubes.
By the same token, any proprietary software (regardless of its purported task) should be troublesome. Technically there's nothing that prevents a proprietary statistical analysis program from doing things you wouldn't want done without your full consent such as removing programs, altering files, opening a remote access point for someone, or sending information about your computer somewhere.
This is what permissions are for. There's no reason some random piece of software should have full access to your sensitive files or the Internet. The answer isn't to condemn all proprietary software. The answer is to reduce the amount of software you have to trust, and to limit the damage when the trust is broken.
http://www.ubuntu.com/
Without software freedom you have no idea how or if the permissions you attempt to set are being paid attention to in the way you'd want. Microsoft, for example, was known for having secret APIs to allow their apps to do things their competitors couldn't. There's no technical reason an OS proprietor's secret API couldn't grant them access to anything on the system regardless of your permissions. By contrast, implementing secret APIs in a free software OS isn't viable; any attempt runs the risk of being discovered, edited out, and competing derivatives distributed as an improvement which the community can switch to.
Digital Citizen
As a brief addendum to my earlier comment, the most powerful reason to reject proprietary software isn't technical, it's ethical; it's the most prominent dividing line between the philosophies of the free software and open source movements: how we treat one another matters. Social solidarity matters. Keeping users helpless to aid their fellows and themselves is unethical, and that's what proprietary software does, because nobody but the proprietor can tell you how that proprietary program really works or grant you permission to change that program. The open source movement was defined to not raise any ethical challenge to business because that movement's proponents wish to speak to businesses, including those which make and distribute proprietary software. They want to end the conversation at software development methodology and convenience. So when faced with powerful, reliable proprietary software, open source proponents will ultimately accept the software and lose their software freedom, while a free software activist will reject the program and work toward making a free replacement for that program so nobody is tempted in the future: (from the aforelinked essay)
Digital Citizen
I'm all for open source operating systems, but even there you need a layered approach to security. With the current Linux kernel, there are millions of lines of source code that you have to trust. And that's just the kernel. There's way too much trust required in software, open source or not.
As for your addendum, I don't consider proprietary software unethical, per se. Keeping the source code secret is the most straightforward way for an author to protect his investment. Users can also enjoy the benefit of a free market. Yes, there are downsides, but I don't see proprietary software going away.
If using an Ubuntu live boot CD to get the malware off, you need Hardy or greater to get write access to NTFS partitions. The free ClamAV then does a great job of rooting out the malware, but boy is it slooooooooow. (It is equally slow under Windows itself.)
Just because it's a good idea doesn't make it a requirement.
Which seems to be a large majority of the philosophy behind DOS/Windows. Like proper user account security. Or a decent web browser. Good idea, but it's not a requirement.
Non impediti ratione cogitationus.
Had a friend's machine in over the holidays. It would boot, get to Welcome screen, then after logging in machine would log straight back out. You weren't able to interact with the system at all.
Tried safe mode - same symptoms. Therefore I was of the opinion that it was a driver, winlogon-hooked DLL or a service that was tagged to run in safe mode.
The WinPE preinstallation environment allowed me to find/remove some of the offending parties, but still no dice. Snagged UBCD and pulled updates for all of the antivirus / antispyware tools.
Booting to UBCD got _some_ results... Spybot found a large number of nasties (including some identified as Antivirus 2009); A-Squared found some, as did AVG. Even after running all of them, the actual root cause persisted. Unfortunately, SysInternals autoruns wasn't much help, as it retrieves startup info from the currently running system, rather than of the inactive o/s (anyone know whether there's a tool that'll do this?)
Ultimately I waved the white flag and pulled out a repair install of Windows to bring the machine back up, at which point I found the culprit - a process called winlogon.exe in \windows rather than \windows\system32 and invoked via the winlogon registry keys. I kicked myself for not spotting this, but also note that none of the scanners in the UBCD (updated as of 28 Dec) were capable of identifying this as foul.
The offending file has been sent to various AV vendors in the hope that this one can be spotted in future.
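The impostor winlogon.exe in \windows described above was started through the Winlogon registry values, which is exactly where a quick audit can catch it. The following script is an added example, not from the thread or from any of the tools it names: it reads the Winlogon Shell/Userinit/System/UIHost values and Notify packages, flags any binary that does not live under System32 (explorer.exe in the Windows directory is the one normal exception), and looks for a stray winlogon.exe in the Windows root. With -OfflineHive it mounts the SOFTWARE hive of an inactive install (the hive path is an assumed example), so the inactive OS can be checked from WinPE or a boot CD rather than the running system.

```powershell
# Added example (not from the thread): audit Winlogon startup values for binaries
# outside System32. Run as Administrator; PowerShell 3+ assumed.
param(
    [string]$OfflineHive   # assumed example: D:\Windows\System32\config\SOFTWARE
)

$root = 'HKLM:\SOFTWARE'
if ($OfflineHive) {
    # Mount the offline SOFTWARE hive under a temporary key so the inactive OS is inspected.
    reg.exe load HKLM\OfflineSW $OfflineHive | Out-Null
    $root = 'HKLM:\OfflineSW'
}
$winlogon = Join-Path $root 'Microsoft\Windows NT\CurrentVersion\Winlogon'
$values   = Get-ItemProperty -Path $winlogon

# These values normally reference only explorer.exe or System32 binaries.
# Paths are matched loosely on the Windows directory name so C:\WINNT installs are not flagged.
foreach ($name in 'Shell', 'Userinit', 'System', 'UIHost') {
    $raw = $values.$name
    if (-not $raw) { continue }
    $entries = $raw -split ',' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
    foreach ($entry in $entries) {
        $leaf = Split-Path -Leaf $entry
        $ok = ($leaf -ieq 'explorer.exe' -and ($entry -eq $leaf -or $entry -imatch '^[A-Z]:\\[^\\]+\\explorer\.exe$')) -or
              ($entry -imatch '^[A-Z]:\\[^\\]+\\System32\\[^\\]+$')
        if ($ok) { "ok       $name = $entry" } else { "SUSPECT  $name = $entry" }
    }
}

# Winlogon notification packages (XP era) are DLLs loaded into winlogon.exe itself;
# a bare filename resolves from System32, so only explicit non-System32 paths are flagged.
Get-ChildItem -Path (Join-Path $winlogon 'Notify') -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty -Path $_.PSPath).DllName
    if ($dll -and $dll -match '\\' -and $dll -inotmatch '\\System32\\') {
        "SUSPECT  Notify\$($_.PSChildName) = $dll"
    }
}

# The legitimate winlogon.exe lives in System32; one in the Windows root is the impostor pattern.
$sysroot = if ($OfflineHive) { Split-Path (Split-Path (Split-Path $OfflineHive)) } else { $env:SystemRoot }
Get-ChildItem -Path $sysroot -Filter winlogon.exe -ErrorAction SilentlyContinue |
    ForEach-Object { "SUSPECT  unexpected file $($_.FullName)" }

if ($OfflineHive) { reg.exe unload HKLM\OfflineSW | Out-Null }
```

Anything printed as SUSPECT should be compared against a known-good install before removal, since the script only checks locations, not file contents.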
I have a coworker who has infected her computer on 4 different occasions with "Antivirus 2009" and its variants; 2 of those occasions were on the same day.
There is no free market with proprietary software because only the proprietor has the freedoms of free software for those programs. Only the proprietor can share copies, modify the software, or inspect what the program is doing. Nobody else is allowed to deal in Apple's MacOS X like Apple can, WordPerfect the way Corel can, or Microsoft Money the way Microsoft can. The proprietor exercises their power under copyright law to restrict you from doing these things. This has nothing to do with one's technical skill, I'm talking about legal permission and technical access to source code under a free software license. One could write alternatives (as some hackers are doing for Microsoft Windows with ReactOS) but the alternative isn't the same software even if it is 100% compatible. Free software, on the other hand, is a free market because everyone is allowed to deal in the software (even commercially) limited only by their abilities and desires. Proprietary software is what proprietors use to avoid a free market, not instantiate one. They don't want competition and they have many weapons in their arsenal to avoid competing on a neutral ground. Furthermore, "protect[ing] his investment" is nowhere near as important as society's need to organize and help one another. It's high time we stopped putting business interests ahead of our own interests as people and citizens. The most viable means to do this with computer software is to support software freedom for its own sake.
Digital Citizen
A free market must include the possibility that somebody is allowed to provide you software without source code. Society needs to function, but competition within society is part of that.
uuvinehigtu.dll: status: clean
To me, the idea that Windows is riding on top of DOS is answered by one simple question.
Can you enter the DOS environment prior to loading the Windows GUI?
This was true with Windows 3.11, and was the default behavior. You typed "win" to load the win.com/win.exe which loaded the GUI.
The default behavior was changed with Windows 95, but with some configuration tweaks it could also start up to a command prompt by default, then the GUI could be entered via the long-standing method.
Also, if Windows riding on top of DOS is a function of whether it calls down to the 16-bit interface, Windows 3.11 included optional 32-bit disk access that bypassed DOS entirely. It was included due to the long delay in releasing Windows 95; they basically retrofitted Win95's 32-bit disk access into Win 3.x, but it never really worked all that well.