Join 3,496 readers in helping fund MetaFilter (Hide)


Rogue Software Removal
May 26, 2011 10:04 AM   Subscribe

My networked work PC was infected with what appears to be XP Shield. Questions about this specific piece of malware...

I work in a small office which doesn't have an in-house IT staff. My PC was infected two days ago, Judging from the pop up window and the icon, it looked like XPShield. Afterwards, another coworker, whose computer had been out two separate times last month for what I was told was a virus infection, told me that her "virus" matched the description of my malware. I had assumed the antivirus software (was Trend Micro - but apparently not updated for malware protection) I was running on my computer would protect me.
Since I was occupied by pending project deadlines, plus fact that I was pissed that nobody took preventative measures to protect the other computers in the office in the wake of a previous infection, I just had my office manager ship it off to local computer shop instead of trying to remove it myself. Two days later, computer guy hasn't gotten around to looking at it yet, and am contemplating just going to pick it up and removing it myself. I am aware of deezil's profile and was planning on using those instructions. Since neither office manager nor computer guy seems to be stepping up to the plate to take proactive measures to protect other office computers, I feel like I need to recommend some preventative measures for other machines in the office. Two questions about this particular piece of malware:

1. Is this the type of malware that will try to replicate itself across other PCs on the network? I've I have everyone else on the network install and run Malwarebytes, will that be sufficient to protect them?

2. I'm willing to just wipe the drive and reinstall, but don't want to overract if this particular piece of malware can be removed with some certainty. On the scale of malware risks, how bad is this one?

3. Deezil's profile instructions mention a concern about infecting flash drives. I did have two USB drives connected when I discovered the infection. Do I need to worry about infection of those as well?
posted by Dr. Zira to Computers & Internet (10 answers total) 1 user marked this as a favorite
 
1. If you know the name, google it up. Microsoft/Symantec/ etc all provide a somewhat decent writeup on the various viruses. (YMMV about whether the vendors also provide removal instructions.) eg Symantec

2. I can't say off hand.

3. Tied to #1 - the writeup should say if it infects removable media (ie flash drives). However, given the variable, componentized way many viruses are written, the capabilities depend on the variant/flavor of the virus/scare-ware/fake-AV. (ie #2)

To wit, a neighbor caught the "vista home security" fake AV virus. It was an interesting bugger to remove. I wasn't going to plug a flash drive in, so all tools/utils/debug research were done on one machine, burned to CD, then ran on the target. Was a ~3-4 hr job (research what it was, how it works, what to do to remove, tools to remove, etc).

I put updated AV on their machine, but didn't plug their machine into my network, so I did not run windows update etc.

They were re-infected about 4 days later.

Krebs mentions that some bad guys are serving up junk on google image search.
posted by k5.user at 10:41 AM on May 26, 2011 [1 favorite]


Thanks for that Krebs article - I will circulate it around the office so everyone knows to be careful with their Google Images searches.

In case it makes a difference, it may have been the new "Windows XP Security 2011" malware instead of the older "XPShield" version that infected my machine.
posted by Dr. Zira at 10:57 AM on May 26, 2011


Malwarebytes will clean that up for you
posted by kanemano at 10:59 AM on May 26, 2011


Hey there :-)

1.) Viruses replicate, Malware really doesn't. So to #1, no. MalwareBytes is a good piece of software, and the business might do well to buy some licenses.
1a.) Trend Micro is very very bad at catching malware. Viruses, it's good at, malware/crapware like this, not at all in my experience.

2.) This one's pretty easy to remove. If you want a more hand-hold guide for this specific piece of nasty, look at the Bleeping Computer guide for it. On a quick glance, it's nothing more than MalwareBytes being run though.

3.) Plug the flash drive in, and run MalwareBytes while selecting that drive for the scan (full scan). If you can get everything off the drive, do that and format it.

4.) As always, make sure the AV and MalwareBytes are up to date, do all Windows Updates, and check and make sure Adobe Flash is up to date too. I need to put that one in my guide.

Feel free to MeFiMail me as well as post back here. I'm usually bad at checking back on threads, but I'll do my darndest.
posted by deezil at 12:19 PM on May 26, 2011


What deezil said, but you might need to restart in safe mode (Press F8 while you are booting up) before running Malwarebytes.

You also may want to see if you can use system restore to restore your operating system to a few days before you noticed the problem. Again, you will need to do a F8 restart selecting safe mode with network support and then select the system restore option. This alone, may be sufficient to stop the bad effects and allow you to boot normally and then run Malwarebytes to remove the malware.

I just went through the second option with my daughter's computer which got infected while she was browsing some image sites.
posted by mygoditsbob at 12:41 PM on May 26, 2011


Sort of repeating what deezil said, I would also like to mention that infections are getting crappier and crappier these days, as seen by me and our primary security guy here at work... while malware may not replicate, it might dump a 'payload' on a system, which means you've been littered with a few different types of malware at the same time.

So you just need to eradicate several different baddies then, eh? True. But

a) even if it seems all of them have been removed, you really don't know 100% for sure they have been
b) no one piece of anti-crapware sw, even one of the top rated ones, can possibly get 'em all, so even though they don't always play nice together, running one or two different ones might do it

but really, your best chance of completely eradicating infections (for now) is to nuke the drive(s) clean and start over. The only reason our workplace is surviving all these recent infections is because we have a backup system that lets us 'roll back' our user systems to states prior-to-the-infections. Likely far pricier than what your size office can afford, but works great.

I can't wait for the real bad stuff to happen when peoples' data files start getting infected...


Anyway, preventative measures
- it seems the bulk of our infections these days come from websites. There are several tools out there that I think check the 'safe' validity of websites surfed-to and give you a 'yea' or 'nay' as far as safe-surf-age, accordingly, but I don't know which product in particular is best to recommend; there's a tool called "Rapport" by Trusteer that has a partnership going with banks to prevent phishing password & username scams, which might be available for you to use from your or your associates' banks.. it's designed to be used in conjunctions with AV / anti-malware tools
- tell people to really, really try not to surf anywhere that a place of business might find 'unsavory' (although this is no longer foolproof as we have been told infections have arisen from links off of respectable web sites in the last 6 mo)

good luck!

p.s. using Windows System Restore is not a failsafe... some infections seem gone, then when you use System Restore, the infection is back again!
posted by bitterkitten at 4:16 PM on May 26, 2011


bitterkitten, that's actually why I say to turn it off in my instructions. Some really fun pieces of crapware install copies into the system restore points, and it's yay fun to try to clean all those out, so I usually just say to turn off SR which deletes all the restore points.
posted by deezil at 5:46 AM on May 27, 2011


On, and to anyone watching this thread. 10AM Pacific Time, NewEgg will be putting MalwareBytes on sale for $15 for 3 hours (until 12:59PM Pacific Time) at this link. I have trusted NewEgg with thousands of my personal dollars to buy parts and electronics, and they are a great business to do business with. I'll probably be picking up a couple of licenses here to keep around. I'd suggest that if the real-time monitoring aspect is important to you, than you go by NewEgg's site and pick this deal up.
posted by deezil at 5:53 AM on May 27, 2011 [1 favorite]


Thanks, deezil. I'm going to urge my firm's partners to take advantage of the deal and get copies for everyone in the office. As to an antivirus solution, I'm debating about whether or not to recommend a switch from TrendMicro which was recommended by our computer guy. The main problem I have with TrendMicro is that it's not a very user-friendly interface for someone who's not user-friendly, so I'll probably recommend we switch over to Panda. Or can I have everyone run both Panda and our existing TrendMicro software at the same time?
posted by Dr. Zira at 7:14 AM on May 27, 2011


One AV program at a time. More than one installed on a machine and they work against each other, and the system will become unusuably slow. Malware removal programs like MalwareBytes can exist together with an AV program or another anti-malware, but never put two dedicated AV products (Trend Micro, Panda, Norton, McAfee, Avast, AVG, Microsoft Security Essentials) on the same machine together.

As far as switching to something else, I really like Avast, and they have a paid program for business use. For home, I wholly recommend Microsoft Security Essentials, but it's not for business use, and I'm all for suggesting things on the up and up. Panda's product is not bad either, but research around on cost and feature set before switching over.
posted by deezil at 7:39 AM on May 27, 2011


« Older What games are good to keep ki...   |  We just got back soil test res... Newer »
This thread is closed to new comments.