Good article - we aren't seeing nearly enough about this subject. I'm the IT resource for a bunch of companies (some with IT staff, some without). I am mostly for very open systems. I don't go near Norton or McAfee products. Consumer versions of products are not reliable. Most of my systems have Trend Micro, Avast or Sunbelt for small business as the primary anti-virus. (I've been testing ESET - it seems excellent as well.)
To provide a deeper malware defense we have the Spybot ver 1.60 immunization and either Windows Defender (I know, but it does help), Ad-Aware or Spy Sweeper. Malwarebytes and Ad-Aware Free are saved for sweeps and cleaning.
Having all the OS updates is also critical.
Lastly - using a firewall (in a business or for most home users) is important. This helps reinforce to users ideas of what isn't allowed or good (some IM or certain sites, etc.) and that it's bad out there.
I just picked up the Bart (Avast) bootable CD scanner - needed it to clean two systems. It's getting important to be able to scan systems without booting the disks.
One thing I'm learning is that it's almost imperative to have a LiveCD scanner. Almost every member has commented to that end.
Hi, not sure which thread to pick, but here's my story. My family uses my main machine (I use my new laptop) and so they do not always tell me when things 'pop up'. Instead they wait and say "it don't work anymore". I learned so much at my day job about computers that I now have a side tech business. So, I do know a lot. OK, yes, a malware called WinWeb Security told them that it had bad things and even showed them a list. When I got to see it after a couple of weeks it had grabbed hold and told them they needed to spend money to fix it. So they just didn't say anything. Well, I did some looking and of course I found a free solution that worked perfectly. Malwarebytes! OK, that was my machine. Now, I get a call from a new client. He thinks there are viruses and can't stay online, and it took over his wallpaper with a huge screen saying WARNING! I start looking around at it and see the trojans right away. 168 of 'em. I was able to get online long enough to download Malwarebytes and remove the trojans. THEN GET THIS: his machine would not log all the way in. It would just loop, log on, log off. OK, so back to my machine to look up the problem. Apparently one of the trojans attached to the userinit file. I found a solution for that online and brought my XP disks to rescue him. I like to start with safer things before doing a total restore, so I went in by safe mode and did a simple restore, just hoping I could get back to where it was and could log on. Well, I guess Malwarebytes did the job well. When the simple restore was over all was good with his computer. No trojans, no malware. His wallpaper was back and he could get back online to the sites he was getting kicked off of. So, I hope this helps some. The evil of malware. Easy money for thieves!!!!!
As a tech I like to educate my clients so they can fix their own machine. Thanks Michael for all your hard work here!!
168 trojans, I can't believe the computer still worked. They must have been the wimpier ones. The new high-powered ones check the OS for other malware and remove it. Sort of a making-it-their-turf thing.
I've even researched a trojan that updated the computer with the MS hotfix after it became one with the kernel, just so other malware would be able to use the same vulnerability.
Many years ago we were changing over the college network from token ring to Ethernet, so we had set up a lab for students to bring their existing systems down and get switched out for Ethernet cards. I had the "pleasure" of working on a machine with 85 found viruses and 245 malware products. I was in awe that this little PC still could boot into Windows.
2 words....lime....wire.
I suspect that you win if we have no time limits.
I have been there and done that. Still, my changeover wasn't a college campus. I almost stagger at thinking about what would have been required.
Still, it brings back fond memories of good times in IT. Thanks for sharing. Can anyone say Twin-X?
Don't "unload" themselves on you like rogue software does. You have to manually go out and buy/download legit software like AVG or Symantec. How many times do you see popups and advertisements for these clean programs when browsing unsafely?
Another red flag is that rogue software tries to con you into purchasing the software, or tricks you into installing it, by displaying an outrageously long list of nonexistent infections on your machine that it cannot clean until it is installed.
Unless it's a standalone virus scanner (like Stinger) it wouldn't be able to scan properly without being installed first, and if it was a legit standalone providing you this information it wouldn't be telling you to install it.
-Bottom Line-
Professional/home-grade antivirus programs are for the most part passive. They do not try to download themselves to your computer without you seeking them first.
Rogue software is the monkey on your back pestering you with false warnings/infections/popups.
I always tell clients "Trust anyone that comes knocking on your monitor about as much as the guy selling time shares in Venezuela". Just a hi-tech variant of telemarketing or door-to-door sales of a dubious product line: "hey, I didn't want this crap, you called me".
Some folks get it and protect themselves, some folks just don't get it and bite, hook, line and sinker. I try to educate and inform, still a percentage maintains the "deer in the headlights" mode of conduct.
Frustrating, absolutely, but it's human nature.
I had an aha moment. You both made it so obvious, I'm a bit ashamed that I didn't think of it.
The simple fact that no legitimate AV or malware scanner forces itself upon you is probably one of the simplest yet most accurate methods to prevent 80% of this attack vector.
The lists would be good for those that are looking on the Internet and don't know whether to trust the application advertised by the Web site.
I've noticed that if there are words misspelled in the application, popup, etc., then that application, usually one purporting to be an AV scanner/remover, is not legitimate.
Something else that I should have mentioned. It is one reason why I'm still reticent to use IceSword. Even though I know that English is not the author's first language.
Best result in the proprietary world is that it does not work, worst is that it is a cloud for malware.
Yes, I have been caught but not to the extent that friends have been; at least I did not pay for it as well. Maybe that is why open source software is so valuable?
Roy.
I'm not sure what open source versus proprietary has to do with rogue software. Couldn't either be malware? Especially to those not able to decipher code.
or not so odd, really:
A lot of malware starts out proprietary, but ends up as open source. Bunch of pirates, they are.
I guess that's why malware-as-a-service has its niche.
I wish he would have gone into more detail about the process.
It yet again has me realizing that electronic and biologic functions are more similar than I had thought.
by the resemblance of one of his 'Spam Plants' to those deep sea tubeworms that dwell in the near vicinity of hydrothermal vents. Sea anemones came to mind with a few pics, too. Very, very cool. Very cool.
http://www.sq.ro/viewer.php?i=94 (Spam Plant)
http://www.eurekalert.org/multimedia/pub/web/3546_web.jpg
(deep sea critter)
The resemblance is amazing. I wish he would talk more about his process.
I suck at interviewing.
I'll pass that on to Jason and Sonja to be sure.
Only to the grand extent to which you suck my brains out when I correspond with you.
Go for it.
The man doesn't stand a chance with your disarming ways.
You haven't listened to those podcasts I did about IPv6. That's why I said what I did.
Say, what did you think about the artist?
I discover, often to my chagrin, that what I think of my performance and what others think of my performance are contradictory.
I also tend to do a general search on anything I might download, and check the results for negative reports. They generally stick out like a sore thumb, just looking at the text blurbs in the results.
Is how malware developers are focusing on people with computer problems. Kind of like kicking someone when they are already down.
What did you think of the art?
I do believe that I've seen it before, as well as a lot of different graphical representations of code. I was once very big on chaos and fractal mathematics, with their attendant graphical representation schemes. Dan Kaminsky has some equally weird stuff at his site, although some of the links are dead. I've seen some really cool network graphing as well.
You can get some really cool images, not only from the algorithm you use to graph the data, but from the algorithms you use to color and grade it.
So many fake malware scanners! The two guys that created AntiVirus 2008 have got a lot to answer for - I spent a week disinfecting a client computer because it got infected! I used AVG, SpyBot, MBAM, more than once! It finally had to have a rebuild because it stopped peripherals working, made stuff invisible, all because he opened an ecard!
That's why I hope articles like this may be of some use getting the word out.
Maybe I know it's much too late, but I can give you the information I know about the basic install of the program.
It will install itself using Flash or JavaScript, usually Flash.
It then installs these files:
rhcn7cj0ea59.exe
rhcn7cj0ea59.exe.local
rhcn7cj0ea59Skin.dll
SMrhcn7cj0ea59
pphcj7cj0ea59.exe
lphcj7cj0ea59.exe
Antivirus XP 2008.lnk
How to Register Antivirus XP 2008.lnk
Register Antivirus XP 2008.lnk
The link files will end up mostly on your desktop, and the other files will end up in these directories:
C:\ProgramFiles\AntivirusXP 2008
C:\ProgramFiles\Antivirus XP 2008
C:\windows
C:\windows\system32\
It will also add these keys:
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus XP 2008
SOFTWARE\Microsoft\Windows\CurrentVersion\rhcn7cj0ea59
This will all vary depending on the version of it you get, but just run searches for the files I listed above and delete them. Just make sure that you shut down all the .exe files below before attempting:
pphcj7cj0ea59.exe
lphcj7cj0ea59.exe
rhcn7cj0ea59.exe
Then you must stop all the DLL files it is running. I know of this one, rhcn7cj0ea59Skin.dll; it is part of the basic install.
When removing this type of infestation never use shut down to restart your computer; unplug the machine from the wall to turn it off or restart. It will help prevent re-infestation. When you believe you have removed everything, try a few restarts without a network connection, then try the network.
Maybe this will help you, or perhaps help someone else who runs into this crap.
:P
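The removal steps in the comment above (kill the listed processes, search the named directories for the listed files, delete them, remove the two registry keys) as an added example script; this is not code from the original post or from any vendor. It takes the file names, process names and key paths exactly as the comment lists them, so the random-looking stem will need updating for other builds. Assumptions of mine: the MenuOrder key is under HKCU\SOFTWARE\...\Explorer\MenuOrder (the comment omits the SOFTWARE\ prefix), taskkill is used for process termination, and files are quarantined (moved and renamed to their hash) rather than deleted so a sample survives for analysis. It reports only, unless delete or quarantine_dir is given; the registry and taskkill parts do nothing on non-Windows hosts.

```python
"""
IOC sweep for the Antivirus XP 2008 artifacts listed in the comment above.
Dry-run by default (report only). Run it from safe mode or a boot CD so the
malware's processes are not holding the files open.
"""
import hashlib
import os
import shutil
import subprocess
import sys

# File names exactly as listed in the comment. The random-looking stem
# (rhcn7cj0ea59 / pphcj7cj0ea59 / lphcj7cj0ea59) varies between builds,
# so extend this set with whatever the infected box actually shows.
IOC_FILES = {
    "rhcn7cj0ea59.exe", "rhcn7cj0ea59.exe.local", "rhcn7cj0ea59Skin.dll",
    "SMrhcn7cj0ea59", "pphcj7cj0ea59.exe", "lphcj7cj0ea59.exe",
    "Antivirus XP 2008.lnk", "How to Register Antivirus XP 2008.lnk",
    "Register Antivirus XP 2008.lnk",
}
IOC_PROCESSES = ["pphcj7cj0ea59.exe", "lphcj7cj0ea59.exe", "rhcn7cj0ea59.exe"]
# Keys from the comment, relative to the hive. Assumption: the MenuOrder key
# (listed without its SOFTWARE\ prefix) lives under HKCU\SOFTWARE\...\Explorer.
IOC_REG_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\rhcn7cj0ea59",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder"
    r"\Start Menu2\Programs\Antivirus XP 2008",
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_iocs(roots, names=IOC_FILES):
    """Walk each root; return [(path, sha256)] for files named in the IOC set (case-insensitive)."""
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fn in files:
                if fn.lower() in wanted:
                    path = os.path.join(dirpath, fn)
                    hits.append((path, sha256_of(path)))
    return hits


def kill_processes(names, dry_run=True):
    """Build taskkill commands for the IOC image names; run them only on Windows and only when not a dry run."""
    cmds = [["taskkill", "/F", "/IM", n] for n in names]
    if not dry_run and sys.platform == "win32":
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return cmds


def remove_registry_keys(keys, dry_run=True):
    """Report (and optionally delete) the IOC keys under HKCU and HKLM. Returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg  # stdlib, Windows-only
    found = []
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        for key in keys:
            try:
                winreg.CloseKey(winreg.OpenKey(hive, key))
            except OSError:
                continue  # key absent in this hive
            found.append(hive_name + "\\" + key)
            if not dry_run:
                winreg.DeleteKey(hive, key)  # fails if the key still has subkeys
    return found


def sweep(roots, delete=False, quarantine_dir=None):
    """Kill processes first, then handle files, then registry keys. Returns a report dict."""
    act = delete or quarantine_dir is not None
    report = {
        "processes": kill_processes(IOC_PROCESSES, dry_run=not act),
        "files": find_iocs(roots),
        "registry": remove_registry_keys(IOC_REG_KEYS, dry_run=not act),
        "acted": [],
        "errors": [],
    }
    for path, digest in report["files"]:
        try:
            if quarantine_dir is not None:
                os.makedirs(quarantine_dir, exist_ok=True)
                dest = os.path.join(quarantine_dir, digest + "_" + os.path.basename(path))
                shutil.move(path, dest)  # keep the sample, renamed to its hash
                report["acted"].append(dest)
            elif delete:
                os.remove(path)
                report["acted"].append(path)
        except OSError as exc:  # locked or in-use file: note it, keep going
            report["errors"].append((path, str(exc)))
    return report


if __name__ == "__main__":
    # Dry run over the directories the comment names, e.g.
    #   python sweep.py "C:\Program Files" "C:\Windows" "C:\Windows\System32" "%USERPROFILE%\Desktop"
    for k, v in sweep(sys.argv[1:] or ["."]).items():
        print(k, v)
```

Anything reported under "errors" is a file the OS would not release, which is the case the comment's advice about cold-booting without the network is meant for; rerun the sweep from a boot disc and it should clear.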
I too spent at least 16 hours of time trying to remove this (my customer begged me not to wipe/reinstall). I stumbled across Avast 4.0 Home Edition, ran the boot scan, then all was peachy in Margaritaville. I use Avast to get rid of everything, then install AVG Free Edition because of its ease of use for the Joe Schmo user.
I will remember that, as Avast is not that user-friendly, yet AVG seems to be dropping the ball on this type of malware.
Thanks for the tip.
We use Trend Micro OfficeScan at work and it let the Virtumundo malware into one of our laptops. OfficeScan detected it, but each time the developer restarted the PC it reacted the same way. I used the Avast boot-time scanner; it removed 2 DLL files and voilà, no more Virtumundo!!!!
Very easy compared to Trend's removal directions.
I tried malwarebytes on the AntiVirus 2009 virus and it never removed it completely whereas Avast removed it the first time I tried it.
Believe it or else, Avast has yet to fail me.
While I like your 'empathy' for the authors of rogue spyware, it is, IMHO, too lenient.
My suggestion would be to boil them in oil; or at the very least, burn them at the stake.
(sarcasm)
And, if one were to perform that 'act of mercy' in an area where cannibals live; you could bang the "gong" and yell "Dinner Is Served".
(/sarcasm)
If you didn't ask for the specific thing you've received, don't open it. If it appears to be from someone you know and trust, if you didn't ask them to send it to you, check with them before opening it.
I have enjoyed / admired your work efforts.
I have 30 yrs experience notched on my belt in computers.
Customers ask me why all the time and I explain to them "It's not a new thing, it's just industrial spying at a newer level" for the most part.
The spam-ware, though, is not; it's just crime, period: "open a shop, sell you a product and close shop and run with your money and info".
The hardest part is training the user to protect themselves, like mechanics telling you how often to change the oil in your car: "You have to keep your protection up to date and use it constantly". I see my customers less when they follow my suggestions, but it has provided me with word-of-mouth new customers because they are happy.
There is good free protection offered, but being free it doesn't have the backing support of a company that asks for an annual subscription fee.
I have taken the extra step also and worked with a few companies over the years, "F-Prot & PC-Safe Adwarefilter" being the latest, and I worked a few weeks to help provide heuristic (hackers) reports against some of the newest spam-ware with great results, and I thank them for providing me with the software tools and suggestions even though a lot of the time I had no idea what I was looking at in the reports I sent back, but I felt pride in knowing I was helping to crack down on some of these crooks. [rant off] lol.
PC-Rock
Glad to hear your comments.
I'd love to hear more about your work with the AV vendors. It's also great to hear that they are listening.
Maybe an installation checker would solve this, if I have read it correctly. Imagine you buy a registry checker and it gets the ** access and then, when you run it, it does not result in what you hoped for. Bring on Linux.
Do you have any products in mind? I'm researching TPM as it's supposed to help in this regard.
Don't know if you have heard of it, but Tiny Watcher is a small app that can track pretty much every change to your system; I've been using it for quite a while. Sorry I don't have a link, but a search will find it.
Mark
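What a change tracker of the kind described above actually does, as an added example that is not Tiny Watcher's code or from anyone in this thread: take a baseline of every regular file under a directory (hash, size, permission bits), store it, and on the next run report what was added, removed or modified. The one thing a practitioner should add that the description leaves implicit: a baseline that lives on the monitored machine can be rewritten by the same malware it is meant to catch, so the stored baseline is HMAC-tagged with a key the operator keeps elsewhere and rejected if the tag does not verify. The key name BASELINE_KEY and the JSON layout are my choices for the example; any autorun or registry coverage the real tool has is not shown here.

```python
"""
Baseline-and-diff change tracker: snapshot a directory tree, save the
snapshot with an HMAC tag, later diff a fresh snapshot against it.
"""
import hashlib
import hmac
import json
import os
import stat


def _digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map relative path -> {sha256, size, mode} for every regular file under root.
    Symlinks and special files are skipped (lstat, not stat) so the walk cannot be
    steered out of the tree by a planted link."""
    snap = {}
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()
        for fn in sorted(files):
            full = os.path.join(dirpath, fn)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = {"sha256": _digest(full), "size": st.st_size,
                         "mode": st.st_mode & 0o7777}
    return snap


def _canonical(snap):
    # Sorted keys and fixed separators so the same snapshot always yields the same bytes.
    return json.dumps(snap, sort_keys=True, separators=(",", ":")).encode()


def sign(snap, key):
    return hmac.new(key, _canonical(snap), hashlib.sha256).hexdigest()


def save_baseline(snap, path, key):
    with open(path, "w") as f:
        json.dump({"snapshot": snap, "tag": sign(snap, key)}, f, sort_keys=True)


def load_baseline(path, key):
    """Return the stored snapshot only if its tag verifies; raise ValueError otherwise."""
    with open(path) as f:
        doc = json.load(f)
    if not hmac.compare_digest(doc.get("tag", ""), sign(doc["snapshot"], key)):
        raise ValueError("baseline tag mismatch: file was altered or wrong key")
    return doc["snapshot"]


def diff(baseline, current):
    """Classify paths as added / removed / modified (content or permission change)."""
    b, c = set(baseline), set(current)
    modified = sorted(p for p in b & c
                      if baseline[p]["sha256"] != current[p]["sha256"]
                      or baseline[p]["mode"] != current[p]["mode"])
    return {"added": sorted(c - b), "removed": sorted(b - c), "modified": modified}


if __name__ == "__main__":
    # usage: BASELINE_KEY=... python watcher.py <root> <baseline.json>
    import sys
    root, base = sys.argv[1], sys.argv[2]
    key = os.environ.get("BASELINE_KEY", "change-me").encode()
    current = snapshot(root)
    if os.path.exists(base):
        for kind, paths in diff(load_baseline(base, key), current).items():
            for p in paths:
                print(kind, p)
    save_baseline(current, base, key)
```

Keep the baseline file and the key on removable media or another host; on the machine being watched they are just two more files for the malware to edit. A "modified" report on a system binary that no update touched is the signal the commenters above were chasing by hand.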
I'll check that out. I see it's a nice small monitor. My firewall, Online Armor, does something similar.
And for the Spybot S&D user, there's TeaTimer. Does the same thing.
Isn't this how the UAC prompt is supposed to work? (I mean, aside from it asking if you really, really want to change your desktop background).
I wish JCitizen would chime in here. He is familiar with that aspect and between it and TPM , some of these problems should go away.