Malware masquerading as Microsoft Security Essentials?

M

mm

Per Dennis:

It's an option you set at install time on the remote PC.

I always set it to start itself whenever Windows starts up.

Otherwise, you have to tell the user to start it.

There's another little angle: default operation is for the
remote instance of TeamViewer to offer up a one-time password
that the user has to tell to whoever wants to connect.

e.g. 4f27px

I find that way over the top for my users - who I wouldn't even
want to have to start the app for me.

So, when I install it on the remote, I take advantage of the
"User-Defined" password at install time and make it the same
value for all the people (family members) that I support.

Going that route, I just enter that PW in my end, tell it to
remember that PW, and I can connect instantly just by
double-clicking.

The only other thing is that each remote user is identified by a
nine-digit number e.g. "475 884 409". TeamViewer offers a
facility where you can associate each users number with a name
you make up and have them appear on a list where ever/whenever
you are.

The user-defined PW route definitely is not for everybody. If
one were to do it without telling the user, I'd call that a major
breach of trust.

Well say you did set up Teamviewer to work, without the other party's
knowledge. He doesn't know you've installed it and doesn't know it
runs whenever he starts his computer. You would have to be sure he
was out of the room, wouldn't you?

If he was in the room and you were doing things, wouldn't it show on
his monitor????

OTOH, can he continue to do things on his computer when Teamviewer has
handed control off to you?? Can you share control?

And is it possible for you to do nothing but watch what the remote
party does??
 
D

Dennis

BINGO! Sounds like the problem! I just called my mom and told her to
FedEx the pc to me so I can fix it.

Well, my mom's pc arrived this afternoon. After shutting down the other
pc's on my home network, I fired it up and got the fake MSE screen.
Following the instructions that Dave provided, I first ran rkill.com. It
killed two processes. One was a program I had written for my mom and
placed in her startup folder. The other was T4w02cxEV.exe. Interestingly
enough, task manager indicated that after rkill killed it, another copy
started executing. This makes me suspicious. It resides in a folder
(under Application Data) with a name that looks like a bunch of randomly
typed chars. This program as well as several others all look like they
were installed on 10/6, which is the date my mom called me about the
problem she was having.

Then I installed and ran MBAM. It reported...

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

I can post the full MBAM log if you want (don't know if that is frowned
upon).

I told MBAM to remove the items. MBAM then asked me to reboot, which I
did. I tried to run MBAM a second time after the reboot. It got about
3/4 done (about 2 hours) without finding any problems but it slowed to
the point where it (and the rest of the pc) didn't seem to be doing
anything. So I shut 'er down and will try it again tomorrow morning.

I did encounter something else suspicious. While I was waiting on the
last MBAM run I started FF3 to search for T4w02cxEV.exe. I entered it in
the Google search box in the upper right corner. When I pressed <ENTER>
I got a results page that sort of looked like a Google page but the
address bar shows that I was redirected to search.find-fast.net (or was
it search.fast-find.net?). I have never seen this on my other PCs and I
wonder if there is more malware hiding on the pc.
 
D

Dennis

I tried to run MBAM a second time after the reboot. It got about
3/4 done (about 2 hours) without finding any problems but it slowed to
the point where it (and the rest of the pc) didn't seem to be doing
anything. So I shut 'er down and will try it again tomorrow morning.

MBAM ran this morning without finding any problems. But the system still
appears to be unstable. While MBAM was running a generic service host
bit the dust.

I am thinking I will need to use the recovery disks I made prior to
giving my mom the pc. Maybe I'll work on that this weekend.
 
D

Dennis

Does anyone know of malware that might masquerade as Microsoft Security
Essentials? My mother, who is 80+ years old, has a PC that I gave her
several years ago. I configured it for her and update it every time she
visits (she lives 500 miles from me). I never installed Microsoft
Security Essentials. Suddenly she is getting a popup claiming to be from
Microsoft Security Essentials saying it has detected a severe threat.
Not being there to actually see what is going on, I am suspicious that
she inadvertently downloaded some malware.

I am currently running the Kaspersky module in Multi-AV on my mom's PC.
It is inspecting a boat-load of files in C:\Documents and Settings\All
Users\Application Data\avg8\emc\Queue\ACTIVE\SYSTEM which, when viewed
in notepad, look like outgoing SPAM! So it looks like one of her
problems is that her PC has been hijacked!
 
D

Dennis

Does anyone know of malware that might masquerade as Microsoft Security
Essentials? My mother, who is 80+ years old, has a PC that I gave her
several years ago. I configured it for her and update it every time she
visits (she lives 500 miles from me). I never installed Microsoft
Security Essentials. Suddenly she is getting a popup claiming to be from
Microsoft Security Essentials saying it has detected a severe threat.
Not being there to actually see what is going on, I am suspicious that
she inadvertently downloaded some malware.

I am currently running the Kaspersky module in Multi-AV on my mom's PC.
It is inspecting a boat-load of files in C:\Documents and Settings\All
Users\Application Data\avg8\emc\Queue\ACTIVE\SYSTEM which, when viewed
in notepad, look like outgoing SPAM! So it looks like one of her
problems is that her PC has been hijacked!
 
D

David H. Lipman

From: "Dennis" <[email protected]>


| I am currently running the Kaspersky module in Multi-AV on my mom's PC.
| It is inspecting a boat-load of files in C:\Documents and Settings\All
| Users\Application Data\avg8\emc\Queue\ACTIVE\SYSTEM which, when viewed
| in notepad, look like outgoing SPAM! So it looks like one of her
| problems is that her PC has been hijacked!

Hi Dennis:

You would have to query AVG/Grisoft (Forum ?) about what is...

%appdata%\avg8\emc\Queue\ACTIVE\SYSTEM
 
D

Dennis

You would have to query AVG/Grisoft (Forum ?) about what is...

%appdata%\avg8\emc\Queue\ACTIVE\SYSTEM

No point now. I am halfway thru the recovery disks. AVG has a feature
where you can tell it to send problem reports to an email address. It
looks like that was hijacked. That folder contained about 65,000 .CF and
..DF files. It looks like they were queued up for AVG to send (AVG
couldn't since I had the PC disconnected from the internet). It also
looks like the SMTP and POP settings in AVG were hijacked.

Fortunately, my mom only used the PC for email and browsing. She has
never done any online banking or purchased anything over the internet. I
think the only thing that could have been compromised is her email
password, which I have since changed.
 
D

David H. Lipman

From: "Dennis" <[email protected]>

| On Thu, 14 Oct 2010 17:24:17 -0400, "David H. Lipman"

| No point now. I am halfway thru the recovery disks. AVG has a feature
| where you can tell it to send problem reports to an email address. It
| looks like that was hijacked. That folder contained about 65,000 .CF and
| .DF files. It looks like they were queued up for AVG to send (AVG
| couldn't since I had the PC disconnected from the internet). It also
| looks like the SMTP and POP settings in AVG were hijacked.

| Fortunately, my mom only used the PC for email and browsing. She has
| never done any online banking or purchased anything over the internet. I
| think the only thing that could have been compromised is her email
| password, which I have since changed.

Mind if I pass this info on ?
 
F

FromTheRafters

David H. Lipman said:
From: "Dennis" <[email protected]>

| On Thu, 14 Oct 2010 17:24:17 -0400, "David H. Lipman"


| No point now. I am halfway thru the recovery disks. AVG has a
feature
| where you can tell it to send problem reports to an email address.
It
| looks like that was hijacked. That folder contained about 65,000 .CF
and
| .DF files. It looks like they were queued up for AVG to send (AVG
| couldn't since I had the PC disconnected from the internet). It also
| looks like the SMTP and POP settings in AVG were hijacked.

| Fortunately, my mom only used the PC for email and browsing. She has
| never done any online banking or purchased anything over the
internet. I
| think the only thing that could have been compromised is her email
| password, which I have since changed.

Mind if I pass this info on ?

That *is* interesting, and AVG is not the only program with its own SMTP
engine.
 
D

Dennis

From: "Dennis" <[email protected]>

| On Thu, 14 Oct 2010 17:24:17 -0400, "David H. Lipman"


| No point now. I am halfway thru the recovery disks. AVG has a feature
| where you can tell it to send problem reports to an email address. It
| looks like that was hijacked. That folder contained about 65,000 .CF and
| .DF files. It looks like they were queued up for AVG to send (AVG
| couldn't since I had the PC disconnected from the internet). It also
| looks like the SMTP and POP settings in AVG were hijacked.

| Fortunately, my mom only used the PC for email and browsing. She has
| never done any online banking or purchased anything over the internet. I
| think the only thing that could have been compromised is her email
| password, which I have since changed.

Mind if I pass this info on ?

I wish you would.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top