New Variant of "FAKE" Security Essentials to be aware of!

Night Hawk

Some of you may remember the 2010 version of the fake Microsoft Security Essentials. In the last a totally new Aero styled twist to the previously known "protector.exe" trojan dropper that saw the fake SE or Windows Doctor scamware placed on your system has a new cousin to watch out for!

This latest malware will easily slip past any effective web guard as well as just about any av program! The user will unwittingly expose themselves to this by whatever form disguises it to begin with.

The now called "protector-xfg.exe" trojan dropper downloads several trojans along with a fake "Security Essentials - Windows Defender". Note when trying to bring up the taskmanager to find out what process is new to end it you will find the SE along with a "Windows Process Manager" which basically takes over the taskmanager entirely preventing the disable of the scamware as well as the protector-xfg.exe trojan dropper.

Removal is basic as far as the main exe file by booting into safe mode to manually delete the file found under the user account sub folders once you have opened the file location. Here on one infected 7 laptop the protector-xfg.exe bug was first moved into a temp folder out from the user account while still being active prior to the reboot into safe mode.

With the VIPRE AV Home Premium version of that software installed and having removed several trojans already the fake SE still continued to indicate they were present risks. The obvious design of the malware was to point to already known about bugs in order to get people to buy the fake SE!

Unfortunately the laptop needed charging the first time it was looked at and the follow-up scan by VIPRE however revealed the quarantined and then removed trojans as well as Fake SE seen as the last item in the scan results here.

[Attached image: Fake SE Trojans Removed.jpg]

The fake SE is dark almost black background in color with the look of any more recent software with the Aero style appearance with yellow and red coloring for text. That's quite a bit different in appearance from the 2010 version of a fake MS SE seen in the link above.
 

My Computer

System One

  • OS
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Custom Builds
    CPU
    AMD Phenom II X4 975 Deneb 3.6ghz -2nd case AMD Atholon II 3.2ghz
    Motherboard
    Gigabyte GA-790XTA-UD4
    Memory
    Kingston Hyper-X DDR3 1600mhz 16gb - 2nd case Kingston Hyper-X "Fury" DDR3 1600mhz 8gb
    Graphics Card(s)
    MSI Radeon HD 5750 1gb - 2nd AMD Radeon 6450
    Sound Card
    Creative Xtreme Gamer - 2nd case Realtek Onboard audio
    Monitor(s) Displays
    Acer 19" dual monitor setup - 2nd case HP 20" lcd
    Screen Resolution
    1440x900 same on both builds
    Hard Drives
    1st build
    WD Caviar Black Edition Sata II 1tb two OS drives
    WD RE "Heavy Duty Sata II 2tb two Storage/Backup
    2nd build
    WD Blue Sata II 500gb
    WD Black Edition Sata III 1tb
    WD Green Power Sata II 1tb in external usb enclosure
    PSU
    Corsair TX750H 750w -Corsair 500w
    Case
    Antec 900-2 -NXZT Vulcan Mini tower/carrying handle
    Cooling
    120mm front pair, 120 rear 200cm top - 120mm Front intake 200mm side cover
    Keyboard
    Azio Blue led back lit both builds.
    Mouse
    MSI DS200 11 button programmable Gaming optical mouse - Odessa 3 button dual scroll trackball
    Internet Speed
    30mbps
    Other Info
    two MSI 22x ide dvd burners, 25 usb flash drives used for Linux Live, live data recovery 128gb, and Windows 7, 10 usb installation keys
Hi there
If you are unfortunate enough to get this -- just RESTORE from a decent Virus Free backup.

Would you REALLY trust an Infected computer that had been used to clean itself?
We ALL know that NO A/V software can ever be 100% cast iron solid -- so why should you believe that the "cleansing" is 100% OK either?

In any case if the Virus is discovered AFTER the fact then you really don't know what has been happening between Infection and Discovery time. A/V software IMO is only of any use if it operates in REAL time.

If you do "Batch scans" and discover something then only a clean restore or OS re-install IMO is sufficient.

Cheers
jimbo
 

My Computer

System One

  • OS
    Linux Centos 7, W8.1, W7, W2K3 Server W10
    Computer type
    PC/Desktop
    Monitor(s) Displays
    1 X LG 40 inch TV
    Hard Drives
    SSD's * 3 (Samsung 840 series) 250 GB
    2 X 3 TB sata
    5 X 1 TB sata
    Internet Speed
    0.12 GB/s (120Mb/s)
Would you REALLY trust an Infected computer that had been used to clean itself?

No, and anyone that would claim they can would be full of it. That's precisely why I always recommend Killdisk after an infection, to low-level (alright only manufacturer of the drive can truly low-level, but I'm talking consumer low-level) format the drive.

Any security expert would say the same thing like you or I, and if not, he or she wouldn't be an expert lol.
 

My Computer

System One

  • OS
    8250 x86 + 7 SP1 x86 + Ubuntu 12.04 LTS x86
    CPU
    P4 3.4 GHz HT
    Motherboard
    MSI-7211
    Memory
    OCZ 2 GB DDR @ 400 MHz
    Graphics Card(s)
    HIS AGP HD 3850 Turbo Ice-Q
    Sound Card
    MOTU Traveler firewire interface
    Monitor(s) Displays
    Acer x223w
    Screen Resolution
    1680x1050
    Hard Drives
    WD Caviar Black 1 TB Sata II, WD 400 GB Sata I, WD 120 GB Sata I
    PSU
    300W generic
    Case
    Cybertron
    Keyboard
    Logitech Classic Keyboard 200, Dell RT7D20
    Mouse
    Logitech M510
    Internet Speed
    2 MByte/sec Down, 250 KByte/sec Up
The problem there is that there is no system image to fall back on! The fortunate side of this however was that there was no registry involvement with this particular malware to find. The exe bug file was what launched the fake gui as well as scripted to download that along with the four trojans also confirmed present by the av program used here.

The design of this wasn't for trashing the OS but for the con job of "scare tactic make people buy fake security program"! This latest fakeware looks far more like the MS Security Essentials when compared to the blue and red color patterned fakeware seen back in 2010.

The good thing was being able to remove it completely IF you have a good malware remover as well as foresight to track things down like opening up the file location when right clicking on the fakeware gui itself. Once located you can move it into a temp folder out of the user account sub folder to keep track of it long enough to reboot into safe mode. Your malware remover can delete the remaining items once you have dealt with the main protector-xfg.exe bug file.

Unfortunately not everyone would from not being anywhere as PC savvy as people you would find always looking at various pc situations as well as getting familiar with a large variety of hardware/software issues. For the novice web browsing email checking weekend user scams like this are often the result of seeing the home pc brought into a repair shop for a good fee if not getting duped into spending for a program that doesn't even exist!
 

heh heh I hear all you're saying - but now what is to stop somebody with knowledge to use this fake a/v program to be the scapegoat while also delivering the TRUE malicious payload on the side along with it?

The end user thinks - "oh alright I cleared my system, all is good." While the black hat sits back and says "thank you for root access".

The hard truth is that once a machine is infected, no amount of going over this or that can be a guarantee to security/reliability.
 

Nothing is ever written in stone! After the last few weeks however no other sign of any malware has been detected since this was removed showing it was fortunate enough not to see anything else dumped on along with it!

When looking over the last IE session it was learned the kid who had borrowed the portable had been in a Google session of some type and had also installed the Chrome browser without permission suggesting the click to install without asking led to seeing this to start with!

For the more experienced user the suspicions on something and wanting to first look over information at a home page would have easily prevented this to begin with. For a newbie just about first time user lacking any common sense from experience this caught that one off guard.

When selecting a security program of any type here the first thing often looked is how well is the rootkit protection as well as how well it will flag any other malwares before any harm is seen. One thing I can add here is it was a good thing that a good av program was on already. I also suspect that if this had been seen on the 8 CP the updated security may have also flagged the rogue scamware since MS has obviously improved the security in the new to come version over what was seen in 7 even!
 

Oh boy, how long does it take to copy a 15 GB folder? .... This is what it will take to replace my Linux Pinguy or my Windows 7 that I use in a VM to browse the Internet IF something happens....big IF here.
 

My Computer

System One

  • OS
    Windows 8 enterprise x64
    System Manufacturer/Model
    Pc-Quebec / Area 66
    CPU
    i7-3960X Extreme Edition
    Motherboard
    Rampage IV Extreme
    Memory
    Gskill 4x4 GB
    Graphics Card(s)
    4 x HD 7970
    Sound Card
    onboard
    Screen Resolution
    2560*1600
    Hard Drives
    C:\Intel series 520 SSD , 250 GB
    D:\ WD 750 black with Intel 40gb SSD cache Intel RST
    E:\ WD 2TB Black
    PSU
    Corsair AX 1200
    Case
    TT Mozart TX
    Cooling
    Water Cooled
    Keyboard
    Logitech G-15
    Other Info
    Windows 8 VM is install on his own SSD.
I never copied an entire folder but simply moved the protector-xfg.exe bug out of the sub folder it was found in to a folder used for ironically the Recycle Bin icon pinned to the taskbar. That seemed to be the appropriate place to see that one go! :roflmao:
 

Hi there
Even if you don't use commercial programs like Acronis then there are excellent basic FREE ones around.

One of the problems is that STORE bought PCs invariably (apart from the hidden recovery partition -- I think it's cheap enough these days a recovery USB should be provided instead -- that's another issue however) have everything installed on the "C" partition.

It would be better to have the OS installed in its own say 55 GB partition and a "D" partition for users data etc.

Backing up a 55 GB image containing all your installed apps - even big ones like Adobe suite CS 5.5 and the OS with say Acronis or Macrium will only take around 25 - 35 mins AT THE MOST -- even on a smallish laptop.

The problem arises with new computers that when you just have a "C" drive you can't "Image" the partition to itself and maybe some of these users don't have external drives etc and backing up to DVD's is always fraught with a bit of "Luck" element when you try and restore.

Most users probably aren't knowledgeable enough to use partition tools to re-partition the "C" drive.

Stores could do far more to help customers to make sensible backups when they get home by

1) Partition the disks when the OS is pre installed -- or change the installation program that the user first starts when he/ she gets the machine home and runs through its initial setup routine to automatically partition the disks at initial start up.


2) Stop messing about trying to push stupid unwanted security packages on people when they buy a Computer -- usually it's McAfee or Symantec -- both HIDEOUS choices for Non corporates


3) "Extended Warranties" IMO should be OUTLAWED -- the average joe is often conned into paying almost a significant percentage of the actual price of the article in question for this when the Manufacturer's guarantee (one to two years - compulsory in EU and EFA) is more than sufficient.

Last week in the UK I saw some hapless 55 year oldish or so woman being pestered to spend 30 GBP extended warranty on a 45 GBP printer.

Fortunately she was more "Savvy" than most. I was in the line behind her and together we made an official complaint to the Store Manager, Consumer trading standards, the Store owners (Kingfisher), Companies House (company almost doing Rogue Trading) and the Financials services Ombudsman. We also sent a complaint to BBC's Watchdog program too.

She was too scared to do this herself but I'm quite a decent size-ish blondish almost Malevolent Viking looking so the tiny Filipino security guys kept well away while we waited for the Store Manager to emerge from his "eyrie" probably drinking his Champagne for the day.

Not that in the UK this will make an IOTA of difference but it made the Lady's day and it was quite good fun seeing a red face store manager suffering under inquisition when asked "Is this how you enjoy earning your money by robbing consumers blind".

Cheers
jimbo
 

You can't save a full image to any partition it is made from unless copying the image over from either another drive or partition even later. For laptop users a small usb external enclosure will take a 2.5" drive there for use when creating an image backup or for the additional storage space.

In fact for one older Vista laptop I removed the drive from the unit once that drive was trashed by a virus(I-Worm, Fake anti-spyware program) seeing that wiped and repartitioned and used for storing an image of a clean install on a new larger drive. Acronis True IE was used for that one.

I expect to see some but not a lot needed of improvement in the backup features 8 will be seeing since those in 7 have been reliable in every instance. That as well as Acronis will take a snapshot of the 100mb System Reserved BCD store, boot manager partition as well as the main C volume. Acronis also grabbed the small recovery partition seen on the Vista laptop there as well.

The problem seen with the 7 laptop however was not having the chance to grab an image before the owner loaned it out and whamo new bug soon seen! :( Fortunately I could still perform a clean install and simply use the key on the sticker for that already looking after another 7 Home Premium build if ever found necessary which would then definitely see an image created.

An image saved to an external usb drive or a drive in a usb enclosure takes quite a bit longer however than seen when saving to another internal storage drive! Try about 3.5hrs.! Timed 35min. backups from the 497gb images here made with both Acronis and the 7 image option compared to what someone will see when backing up through the USB 2.0 bus taking that long is something many would simply opt out of.

Obviously most won't be seeing images quite that large unless storing a large volume of files on the main drive itself which would include having a second partition when splitting a drive to store files on. Yet recently I talked with someone who had 1.2tb across two drives(C 1tb, storage 1.5tb) he was trying to make a single image with the 7 backup option rather than using a 3rd program that would be the recommend for that. The problem was simply too much data plus two drives involved to use the Windows option there.

As far as the bloatwares and trial wares that's typical with OEM premade systems due to contracts with the software companies. You'll never see that disappear! In fact the one thing nice about a clean install on an OEM machine when needed is the instant removal of all the bloat. But you also may lose other prepackaged apps including the utility for creating a full recovery disk which may not be available at that manufacturer's support site by chance.

Not good! At the trial wares can be uninstalled easily to solve a lot of that. The one thing you won't see however is the Windows is now setting up each time you turn your machine on in case you got nailed by a bug during a previous session. Who is going to want to wait while the OS reinstalls itself over and over on each new startup? NO ONE! The OEMs instead provide the full factory restore option on most new and recently new machines to do away with recovery media as well as provide a recovery option for the noob!
 

Hi there
I created a Windows to Go on an external USB drive using a "Reference" machine (a Desktop actually) with a load of useful apps on it.

Partition size approx. 45 GB (inc Ms office / Photoshop CS5.5 etc).

I then imaged this and installed it as the main (or Internal) OS on the "C" drive on five different computers -- the different hardware worked perfectly - even the Sony VAIO integrated SD/MMC card reader with the second slot for the Sony memory sticks worked on the Sony Laptop.

After initial boot on a new machine the system just adds the devices it finds (if it can -- haven't had a failure yet) and then it's fine.

I only got asked to re-activate Office on a new machine the 1st time it's used - but it's a VL (or MAK) licence so no probs with that either.

55 Mins on the slowest Machine to restore, 21 on the fastest.

Saving Gigs of User data is a different ballgame -- this should be done probably in stages - you rarely need to backup / restore TB's of user data in one go.

Cheers
jimbo
 

The 7 drive here now sees some 573.4++gb of data total with some temporary video files. Once removed for the image the image itself came in at 497gb for the entire host drive including the 100mb System Reserved. The previous image had been 465gb approx. when using the Windows backup option for the full system image.

For individual partitions and other drives the option for Acronis is then considered to complete any image backups. Those drives however never see any images made from since some of the older XP downloads for example once updated protections went on found bugs contained with certain zip file downloads that apparently were downloaded at one time but never used.

Your OS and programs as well as irreplaceable data, files are always going to be the first consideration. But for loose files on a separate storage it's often best to simply back them up on another drive rather than risking any mix in an image due to this kind of vulnerability.
 

Hi there
Agreed

A Good reason therefore always to create a small OS partition (possibly with the small 100MB reserved partition if required) and store your OS / Applications on it. Even a largish installation shouldn't need much more than around 55 GB (at the most !!).

Store your data in places to suit -- there's a lot to be said for having MOST of your data not even online until you need it.

Since I installed a 120 GB SSD in a laptop I've organised my data much more efficiently -- I take what I "Think" I need on an external USB drive / a couple of usb sticks. If I need something I haven't got available -- I can retrieve it from a Server at home or just wait until I get home.

Installing an SSD has the great effect of making you REALLY THINK about what data you NEED to have present on the machine since capacity is at a premium.

Backing up the 55 GB OS partition from the SSD to an HDD took around 21 mins -- well worth the time to do it.

I'm using Acronis True Image Home 2011 -- don't get the 2012 version -- activation procedure a pain -- and if you aren't on the net at random times when it "Phones Home" for license checking -- tough !!. - If I've paid the license why SHOULD I have to be on the Net -- EVER !!!.

People who design THAT level of security into their products will rapidly find themselves out of business. - I LIKE Acronis but I'm looking for an alternative -- Macrium doesn't seem to like W8 CP.

Cheers
jimbo
 

Why am I not surprised at Macrium not playing well with 8? The same will be found for many programs that haven't released any updated version lately in anticipation of 8. DisplayFusion does have a newer 8 in mind version while UltraMon used here got stuck on the option to add a move button to all windows for bouncing windows back and forth between lcds.

Now as far as having drive space available on C this would be more for the desktop not portable where you would run the bulk of "C dependent" programs as well as those that require space. For a 64bit 7 install that takes up not much more than 16gb of actual drive space proceeding all updates and SP1 installs.

So where does a large volume of drive space go? For the 64bit install's Program Files folder only 3.57gb. But for the Program Files(x86) folder "Surprise!" a whopping 203gb of drive space taken. Still want any 120gb drive?

That doesn't include all programs either since several see folders at the root of C or under the users\user account name sub folders which include the MS VPC and others like VBox and VMwares. Just that stuff alone before getting into the VMs and other files in constant accumulation like various snippings taken and kept onhand would barely fit on a 320gb drive.

Besides the temporary video and other files which simply are dumped after so much time and prior to any scheduled system image the bulk of files not needed to be present and actually preferred on other then C so as not to chew up drive space and for long term storage are placed on the main storage and backed up on the secondary storage drives when space on the other HDs allows for it.

The other drives also hold or did depending on what previously acquired files, downloads for XP and Vista where the XP downloads in a few instances has seen a few slippery bugs previously undetected by other security wares! "Cutting out the Fat" however is the effort made before creating a full image backup to prevent the size from growing too big when not necessary.

Don't feel bad about the activation issues with the latest Acronis then. Fortunately the 2010 will do well here as well as the free Acronis Disk Director suite available through Western Digital or Seagate for their customer base to consider as another option when lacking a retail release. You can run into this type of situation with any number of paid for softwares.

With NeoDVD in order to preserve the activation when buying the latest version at the time for 7 the support stated "I had to be" connected online when going to uninstall first the full version before moving up from beta to RC or RC to retail. When explained I was testing 7 back at the time the tech extended the number of reinstalls which did get used up. That would be one needing a newer version on a clean install of Windows at this time.

I suspect the backup features in 8 will be as good if not improved a little while access to the new Metro styled repair tools can be more of a real project when trying to repair in a live session! :huh: If an 8 install gets whammed by a bug or sees another unable to boot issue it will take a bit longer to access the repair tools simply to locate and restore a full image if not using the automatic repair or manual command prompt options.

As for the need of a clean install of 7 any time soon? I could still see that done in a day or so given time to reinstall everything presently on now without restoring a system image. Everything present on C excluding VHDs as well as various user files not downloaded programs kept on hand would simply be backed up before wiping C entirely.
 

My Computer

System One

  • OS
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Custom Builds
    CPU
    AMD Phenom II X4 975 Deneb 3.6ghz -2nd case AMD Athlon II 3.2ghz
    Motherboard
    Gigabyte GA-790XTA-UD4
    Memory
    Kingston Hyper-X DDR3 1600mhz 16gb - 2nd case Kingston Hyper-X "Fury" DDR3 1600mhz 8gb
    Graphics Card(s)
    MSI Radeon HD 5750 1gb - 2nd AMD Radeon 6450
    Sound Card
    Creative Xtreme Gamer - 2nd case Realtek Onboard audio
    Monitor(s) Displays
    Acer 19" dual monitor setup - 2nd case HP 20" lcd
    Screen Resolution
    1440x900 same on both builds
    Hard Drives
    1st build
    WD Caviar Black Edition Sata II 1tb two OS drives
    WD RE "Heavy Duty Sata II 2tb two Storage/Backup
    2nd build
    WD Blue Sata II 500gb
    WD Black Edition Sata III 1tb
    WD Green Power Sata II 1tb in external usb enclosure
    PSU
    Corsair TX750H 750w -Corsair 500w
    Case
    Antec 900-2 -NZXT Vulcan Mini tower/carrying handle
    Cooling
    120mm front pair, 120 rear 200cm top - 120mm Front intake 200mm side cover
    Keyboard
    Azio Blue led back lit both builds.
    Mouse
    MSI DS200 11 button programmable Gaming optical mouse - Odessa 3 button dual scroll trackball
    Internet Speed
    30mbps
    Other Info
    two MSI 22x ide dvd burners, 25 usb flash drives used for Linux Live, live data recovery 128gb, and Windows 7, 10 usb installation keys
Hi there Nighthawk

I have on a USB stick a folder called "Installables" where I have either the ISOs or the install files for the applications I want to run on my W7 / W8 systems. Serial numbers if any are stored with each application as APPLICATION.TXT.

The main ones are Adobe CS5.5 suite
Office Enterprise
Acronis 2011 True image Home
AVS Video converter
TmpGenc DVD authoring
Partition Wizard
Visio
Project
Winamp
some Music streaming applications
Some stock exchange analysis programs such as Metastock
VLC
AnyDVD
Vmware workstation (although possibly will use Hyper-V in W8)
Winrar
one or two video converters
Squeezebox server (for Music streaming)
Special drivers like Sony double card reader, Webcam etc.

This takes approx 12 GB on a 16 USB stick.

So if I WIPE a W7 / W8 installation - after re-installing it I just insert the USB stick and re-install all the applications. Doesn't take too long even from scratch.

With all those apps installed my "C" drive on W8 was around 40 GB -- I made it 50 GB just in case of adding more apps.

The other 70 GB I use for data I NEED to have on the PC at that moment when it's too inconvenient to use an external device.

Having an SSD DOES make you get stuff organized -- before I did this I could spend ages looking for old CDs / searching old USB drives etc for individual applications.

Now even a complete OS re-install with all the applications is a doddle.

On a 32 GB stick I can even store the image of the OS in addition to the application installables so it's even easier to restore the whole kybosh and keep everything in one place.

These days it should be really simple to image the OS - whatever program you use it shouldn't take long backing up a 40 GB OS partition - and even on large spinners keep the user data in separate folders / partitions and back these up as and when.

So if you get infected with Malware and have this type of approach then it won't take long to either recover the OS or in extreme cases re-install everything quickly and easily.

(Of course with things like Office 2010 after a re-install there will be a myriad of updates until new service packs are available -- but at least your system is up and running while downloading the updates).

Cheers
jimbo
 

My Computer

System One

  • OS
    Linux Centos 7, W8.1, W7, W2K3 Server W10
    Computer type
    PC/Desktop
    Monitor(s) Displays
    1 X LG 40 inch TV
    Hard Drives
    SSD's * 3 (Samsung 840 series) 250 GB
    2 X 3 TB sata
    5 X 1 TB sata
    Internet Speed
    0.12 GB/s (120Mb/s)
Unfortunately many of the programs here require the installation from the physical media namely CD or DVD. Some programs would not be able to be reactivated either. That tends to limit the options here for a full recovery on those in particular.

As far as anything downloaded like utilities I never have to worry if the host drive simply went DOA since the downloads typically go to the primary storage drive's folders as well as the backup of those folders on the next drive used for storing VMs, VHDs, and even to the external HD depending on just what the download is.

IE Favorites, bookmarks from other browsers are backed up to the primary storage in case of a reinstall or newer version of same since the previous system image will lack anything new added as well as any new programs or updates since. But for any malware event or other situation like a drive failing the system image can put you back in the running in a much shorter period of time.

The clean install comes at some point when the registry is polluted over a lengthy period of time and Windows starts dragging its feet on you. The fastest install time so far has been seen with 7. The CP install to the second OS drive literally took a full hour when installed from a DVD burn. I'll likely wait for the RC when trying out the USB Install Key and mounted ISO installs to see how those fare.
 
