Windows 7 - Updates infected with "Antivirus Soft" virus?

Asked By Wattsfan
03-Mar-10 04:36 PM
1. New Toshiba Laptop, formatted hard drive
2. Installed Basic Toshiba drivers: Chipset, LAN, WAN, Audio
3. Connected to Wireless Network
4. Ran Microsoft Update up to the point where it says do I want to activate
my license
5. Then I let Automatic Updates download and install the updates (do not have
to activate when Automatic Updates does the work for me.)
6. This pc still has XP PRO SP2
7. Downloaded 64 updates
8. Rebooted and the "Antivirus Soft" virus came up, basically locking up all
my exe files.

I have scanned everything and the virus has not been found on any of my media.
I triple checked every file with Symantec's Endpoint Protection 11.0.5, and
Microsoft Security Essentials (current) and Malwarebytes. Nothing. I even
decompressed each install file from Toshiba and checked every file on the PC
after the installers ran.

Nothing.

Is it possible Microsoft Update is infected with this virus? I know, remote.

The virus infected my computer after installing the first round of updates
via Automatic Updates which there were 64 updates to download and install
including IE8 and its updates.

After the restart, Antivirus Soft took over and disabled everything.

Thanks.
  MowGreen replied to Wattsfan
03-Mar-10 06:33 PM
You are asserting that this system never visited any web sites except
the Microsoft Update site. The only way it could have become compromised
is if there was *no* firewall turned on, which is NOT the case with XP
SP2's Default installation settings, and it was exploited by using a DNS
or SMB vulnerability.

In the steps you have listed, where was Windows XP Pro SP2 installed, as
it is not listed?


The above is IMPOSSIBLE without installing a Windows OS.
Also, an *XP* system would *have* to visit the Windows Update site first
in order to opt into the Microsoft Update site.

And, you are prompted to Activate Windows during the installation
process, NOT when visiting Windows Update. When visiting WU the system
needs to be Validated by passing WGA.


OK, so when was that installed, as it is not listed as any of your
previous steps?

Rogue AVs, such as Antivirus Soft, are *installed* through User
Intervention. The fake scans that the rogues show are presented to the
User via javascript.

Said rogue AVs will only infect the system when the *User agrees to
install it*, *clicks* the Cancel or OK buttons, BUT *not* when it is
running its fake scan. Said fake scans are there to Socially Engineer
(scare; frighten; or entice) the unknowing User into thinking that their
systems are infected.
If the User end tasks the browser's executable, the system will NOT be
infected.


Microsoft Security Essentials will NOT install in Windows XP until the
system has been Validated, which you claim has not taken place.

Something is either really fishy here or you have omitted some *vital*
details, either on purpose or accidentally.

Care to fill us in on all the details or should we start guessing?


MowGreen
================
*-343-* FDNY
Never Forgotten
================

banthecheck.com
  Michael replied to Wattsfan
03-Mar-10 07:22 PM
Where did this version of XP SP2 come from?  Did this ship with your laptop
or did you acquire it 'elsewhere'?

--


If he is too old to fight, he will just kill you."
  Wattsfan replied to MowGreen
03-Mar-10 07:43 PM
Thank you for the response. I have installed clean OSes on at least 200 PCs: XP, Vista
and currently Windows 7. A lot of experience in installing but perhaps not in
explaining, because this is the first time I have been hit by a virus during a
PC setup. This is why I posted the question and I will respond as follows. I
am not leaving anything out. I need to figure this out.

WHAT I DID

1. New Toshiba Laptop
2. New Seagate hard drive
3. Installed XP Pro OEM SP2 from a clean CD. Formatted the new Seagate drive
with NTFS
4. Entered my product id
5. Put in USB stick (which was already scanned with antivirus software many
times over) and copied over to the Seagate drive the Toshiba drivers to the C
drive. The drivers and USB stick have been scanned with Norton Internet
Security Version 10, McAfee Online Scanner, Symantec SEP 11.0.5,
Malwarebytes, Microsoft Security Essentials, and Bitdefender Online Scanner. I
have a main machine that scans via Virtual Machines and several XP
Partitions. A workhorse desktop. This is where I scanned with Microsoft
Security Essentials, on the workhorse machine BEFORE copying over the Toshiba
drivers to the new PC. You are right, cannot install Microsoft Security
Essentials on a machine that is not validated. I also scanned the drivers on
the virustotal website from my workhorse desktop. No viruses found.
6. Installed from manufacturer's website, the WIFI driver from the USB stick
to the C drive.
7. NO WEBSITES VISITED yet on the new Toshiba. Have not opened Internet
Explorer on the new Toshiba.
8. Connected to my internal wireless network
9. Opened Internet Explorer (which is version 6 at this point) since this is
still SP2
10. Went to Windows Update and installed all the updates up to the point
where the Microsoft page says that in order to get any more updates I need to
activate my PC.
11. I do not activate until I know the PC is stable and working. And yes, a
WGA message pops up reminding me to activate.
12. I let Automatic Updates run (via the control panel) at that time and the
updates will download and install without activation. You have to activate
Windows if you hit the EXPRESS button in Internet Explorer. I also use
Microsoft Update, not Windows Update. I run the active-x controls needed for
Microsoft Update.
13. Updates start to download and install on the new hard drive, at this
point 64 updates need to download and install. Part of these updates are IE8
and WGA. SP3 presents itself later.
14. I downloaded the 64 updates and restarted
15. "Antivirus Soft" launches and all my executables are disabled. Have to
reformat the Seagate drive again on the Toshiba.

HOW I CHECKED FOR VIRUSES/MALWARE

1. I checked my USB flash with my main desktop's Antivirus which is Symantec
SEP 11.0.5, the latest, and also Malwarebytes. No viruses found.
2. I checked the Toshiba drivers with my main desktop Symantec SEP 11.0.5
and Malwarebytes. No viruses found.
3. I booted off another partition on my main pc that has the consumer
version of Norton Internet Security 10 and scanned my C drive and the USB
stick. No viruses found.
4. I opened a virtual machine with Microsoft Security Essentials and scanned
all the files from the USB stick and the Toshiba drivers. No viruses found
5. I opened a virtual machine with McAfee online scanner. No viruses found
on the usb stick or Toshiba drivers.
6. Opened up a virtual machine with BitDefender. Scanned everything again.
No viruses found.
7. Scanned C drive and USB stick with Malwarebytes from a virtual machine.
No viruses found.
8. Submitted all the Toshiba drivers (downloaded from Toshiba's website,
verified the page sources) to virustotal.com. No viruses found.

The only software that downloaded to the new Toshiba were the 64 updates
done via the Automatic Updates in the Control Panel. These updates were not
checked by an antivirus because I did not have an antivirus loaded yet on the
new Toshiba seagate drive.

Normally, you can install even SP3 without activation. Do it all the time.
But I do not run the updates in Internet Explorer.


Thank you.

Wattsfan
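The checks Wattsfan lists above (scanning the copied driver files, then re-checking "every file on the PC after the installers ran") are the kind of work a hash manifest makes repeatable: snapshot the files before the installers run, snapshot again afterwards, and report anything added, removed or changed. The following is an added example and not code from the thread; it builds a small constructed driver folder in a temporary directory, simulates an installer touching it, and compares the two manifests. The folder layout and file contents are invented for the demonstration, and the `demo()` function is a hypothetical helper that exists only to exercise the comparison offline.

```python
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk=1 << 16):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Report files that appeared, disappeared, or whose contents changed."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "changed": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: snapshot a driver folder, 'run an installer', compare.

    All files and bytes here are made up for the example; they are not real
    Toshiba driver contents.
    """
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "chipset"))
        with open(os.path.join(root, "chipset", "setup.exe"), "wb") as f:
            f.write(b"MZ constructed installer bytes")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"vendor readme")

        baseline = build_manifest(root)  # taken before anything executes

        # Simulate what an installer might do: modify one file, drop a new one.
        with open(os.path.join(root, "readme.txt"), "ab") as f:
            f.write(b" (modified)")
        with open(os.path.join(root, "chipset", "unexpected.dll"), "wb") as f:
            f.write(b"constructed dropped file")

        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

In practice the baseline manifest is written to removable media before the installers run, and the "current" manifest is built afterwards from the same tree; a clean install should show only the files the vendor documents. Digests from the baseline can also be pasted into a lookup on virustotal.com, as the post describes, without uploading the files themselves.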
  Wattsfan replied to Michael
03-Mar-10 07:44 PM
Original OEM SP2 CD.
  Wattsfan replied to Michael
03-Mar-10 07:47 PM
Hi Michael, It is an original OEM SP2 XP PRO CD. Used many times.
  فشمشم replied to Wattsfan
03-Mar-10 08:11 PM
"Wattsfan" wrote:
  Harry Johnston [MVP] replied to Wattsfan
03-Mar-10 10:23 PM
Wattsfan,

One possibility is that your wireless router might be compromised and
redirecting you to malicious websites.  I am not very familiar with the issues
involved so cannot provide much advice, but one thing you could try is explicitly
configuring your DNS servers (your ISP should be able to provide you with this
information) rather than using the DNS service provided by the router.

Harry.



--
Harry Johnston
http://harryjohnston.wordpress.com
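Harry's suggestion is to stop trusting the DNS resolver handed out by the router and configure known resolvers explicitly. A quick way to audit that on the affected machine is to parse `ipconfig /all` and flag any adapter whose DNS server is the router itself or is not on the expected list. The script below is an added example, not something posted in the thread; it works on a constructed `ipconfig /all` sample embedded in the code rather than on live output. The expected-resolver set uses the OpenDNS addresses 208.67.222.222 and 208.67.220.220 as an assumption, since Wattsfan mentions using OpenDNS; the addresses in the sample output are made up.

```python
import re

# Constructed sample of `ipconfig /all` output; not captured from any real system.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : home
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       203.0.113.53

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Resolvers the operator intends to use (assumption: OpenDNS, as in the thread).
EXPECTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}


def parse_ipconfig(text):
    """Return {adapter_name: {"gateway": str or None, "dns": [ip, ...]}}."""
    adapters = {}
    current = None
    collecting_dns = False  # True while reading continuation lines under "DNS Servers"
    for line in text.splitlines():
        header = re.match(r"^\S.*adapter (.+):\s*$", line)
        if header:
            current = header.group(1).strip()
            adapters[current] = {"gateway": None, "dns": []}
            collecting_dns = False
            continue
        if current is None:
            continue
        kv = re.match(r"^\s+(.+?)[ .]*: (.*)$", line)
        if kv:
            key, value = kv.group(1).strip(), kv.group(2).strip()
            if key.startswith("Default Gateway"):
                adapters[current]["gateway"] = value or None
                collecting_dns = False
            elif key.startswith("DNS Servers"):
                if value:
                    adapters[current]["dns"].append(value)
                collecting_dns = True
            else:
                collecting_dns = False
        elif collecting_dns and line.strip():
            # Extra resolvers are printed indented on their own lines with no key.
            adapters[current]["dns"].append(line.strip())
    return adapters


def audit_dns(adapters, expected=EXPECTED_RESOLVERS):
    """Return (adapter, resolver, reason) findings for resolvers worth a second look."""
    findings = []
    for name, info in adapters.items():
        for resolver in info["dns"]:
            if resolver == info["gateway"]:
                findings.append((name, resolver, "resolver is the router (router-supplied DNS)"))
            elif resolver not in expected:
                findings.append((name, resolver, "resolver not in expected list"))
    return findings


if __name__ == "__main__":
    for adapter, resolver, reason in audit_dns(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{adapter}: {resolver} -> {reason}")
```

Run against real output with `ipconfig /all > out.txt` and feed the file's contents to `parse_ipconfig`. A resolver that matches the gateway means the router is doing the resolving, which is exactly the dependency Harry suggests removing; a resolver that is neither the router nor on the expected list is the thing to investigate first.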
  Wattsfan replied to Harry Johnston [MVP]
04-Mar-10 12:01 AM
Thank you, Harry.

I am looking at that. I use OPENDNS router numbers.

Another possibility is after I installed all the updates. I went on the
default home webpage which was msn.com and clicked on links on the top of
the MSN page. One of the pages requested I install the Adobe Flash Player,
which I did. Also, to test the stability of the new system, I open all the
programs that come with XP PRO and I open all the games, including the
internet games included in XP PRO. I noticed today when I opened some of the
internet based games, there were ads on the games themselves. Is this normal,
ads on the games? I need to look at that.

Anyway, I tried to reproduce the virus today without success. Installed
every driver I had on the flash drive and no "Antivirus soft", which by the
way is very hard to remove. Even in safe mode.

I have had instances where Symantec Endpoint Protection 11.0.5 was not
catching some variants of "fake" adobe flash player updaters which present
themselves as .exe files and I know to avoid them.

I did install a flash player update from an MSN top page linked site. But
the update came through Internet Explorer like it always has.

I checked my router and the DNS numbers are hard coded.

I did open Media Player and I remember it going to a BRAVO based page with
the housewives movie playing and I think that is when the virus launched.

I cannot duplicate the problem. I checked every disk and software piece I had
with several up to date antivirus/antimalware programs and nothing came up.
Norton Internet Security version 10 is pretty good at detection but no
viruses.

I know there are cases where a file is downloaded and it is not a virus.
Then the file launches, still undetected, then downloads a virus. At that
point, Symantec will catch it but it is too late, the pc is compromised.

If my router was compromised, my other pcs would also be infected. I think
they would be.

My wireless security is solid.

Thank you.
  PA Bear [MS MVP] replied to Wattsfan
04-Mar-10 01:46 AM
What anti-virus application or security suite is installed, is your
subscription current, and when did you install it: Before or after visiting
Windows Update?  What anti-spyware applications (other than Defender)?  Has
a firewall been enabled at all times?


Maybe not.  See
http://groups.google.com/group/microsoft.public.msn.discussion/browse_frm/thread/1987fd9c8c07d067
  Michael replied to Wattsfan
04-Mar-10 06:24 AM
Something still sounds fishy.  I'd boot to the XP disk and start from
scratch.  The first thing I'd do after XP is installed and validated is
install MSE, then start your updates and browsing.

  MowGreen replied to Wattsfan
04-Mar-10 02:04 PM
They're called Trojans. And, I have to concur with PABear ... there is a
strong possibility that a malicious link or ad on MSN was where
Antivirus Soft was "acquired". IE6 was still installed and it is
susceptible to these IFrame javascript exploits.


Windows Media Player went to the Bravo based page despite the fact that
you did NOT click any link to it?


Besides all of the installation media, which I *assumed* were not
infected, I failed to mention the possibility of malware compromising
the router. Since no other systems on your network became infected, it is
safe to say that the router has not been exploited by the "chuck norris
bot".
http://www.pcworld.com/businesscenter/article/189868/chuck_norris_botnet_karatechops_routers_hard.html

Since I have never played the games that come with XP, one suspects that
ads are to be expected with the internet based games. They are there in
Vista internet based games.


MowGreen
  Wattsfan replied to PA Bear [MS MVP]
04-Mar-10 05:28 PM
Thank you for the link. Yup. Also, Media Player opened up the Bravo Housewife
ad/movie without me clicking on it, as asked by MowGreen. I believe I was
infected by a virus that attacked my IE6. But I did not click on any ads on
MSN. I never do. But I did click on links on the MSN home page.

At this point, I will NEVER go to any website without antivirus and never
trust any main page's link which could be infected. That was my error.

I just reinstalled the laptop (formatted and started from scratch) and
everything is perfect. No viruses. Clean as a whistle.

Thank you all.
  Wattsfan replied to MowGreen
04-Mar-10 05:31 PM
Thank you for the link to the router exploit. My router looks right.

Last night, I checked again all my install disks and drivers and no viruses
found. It had to have been a link on MSN that was infected with a virus that
attacked my Internet Explorer 6. Since I did not have, yet, any antivirus
installed. What a time consuming and humbling lesson.

Wattsfan
  MowGreen replied to Wattsfan
04-Mar-10 07:19 PM
Thanks for laying out all the details and specifics. It is really nice to
work with a knowledgeable User who is so detailed about what was
specifically done.

I am sorry you had to go through this absurd experience just because IE 6
is so susceptible to malware but, as you have stated, it is just another
lesson. I try to push folks to upgrade to IE8 or run a Mozilla based
browser with the NoScript add on installed, but some people insist on
using IE6 because it works with web sites that have not been updated and one
can save "stuff" in the TIF location that cannot be saved in IE8 due to
its sandboxing feature. Think music and movie files <w>

Even doing that ensures nothing these days as the criminals have
unlimited funds that they use to hire top notch "developers".
No matter what anyone says, XP is inherently insecure OOB and anyone who
can afford it should move up to Windows 7, ASAP. I'd say Vista, too, but
why even bother with it with 7 being out now?


MowGreen
  PA Bear [MS MVP] replied to Wattsfan
04-Mar-10 08:31 PM
You did not have an anti-virus application installed?

Do you have one installed now and is the computer fully-patched at Windows
Update, including WinXP SP3?
  Wattsfan replied to PA Bear [MS MVP]
05-Mar-10 08:46 PM
re: You did not have an anti-virus application installed?

I know. It was a mistake. Never again will I surf the internet without an
antivirus loaded. Or, as MowGreen suggested, Firefox with NoScript.

This is the first time that I have been infected from a top link from a major
webpage. And not clicking on any ads. I test the internet access by going to
a couple of websites from a top search provider. MSN happens to be the
default on the XP PRO SP2 CD. The links I clicked were things like NEWS, Real
Estate Images, Shopping. And I stayed on MSN. Bing is the search engine that
runs in MSN.

In this case, I bought a Toshiba with XP Home Premium. But I needed XP Pro.
I took out the hard drive which was a 5400 RPM drive and installed a 7200 RPM
drive. And I use our XP licenses.

My error is not activating until the pc is stable and solid and that I am
keeping the pc. In the past, I had too many activated pcs that die in a week
and have to be returned.

I burn a pc in for 72 hours before sending it off. The final customized pc
has an antivirus, a limited account if needed, and tight security. And the pc
is scanned by Symantec Endpoint Protection 11.0.5, MalwareBytes,
BitDefender's online scanner, McAfee's online scanner. I check the system
with Autoruns, TCPView, Process Explorer, Process Monitor and HijackThis for
any odd entries in the registry/file system.

After I install Windows XP and the basic drivers like the chipset, video,
sound, LAN, and WiFi, I am immediately installing Symantec Endpoint Protection
before testing it out.

Thank you for your time.
  PA Bear [MS MVP] replied to Wattsfan
06-Mar-10 02:23 AM
Repost:
  Daave replied to MowGreen
06-Mar-10 09:16 AM
[snip]

Is IE7 not as secure as IE8? If not, in what ways is IE8 more secure?

Is it possible to harden IE6 so that it is just as secure as IE8?
  PA Bear [MS MVP] replied to Daave
06-Mar-10 01:39 PM
A1. No.  See, e.g.,
http://technet.microsoft.com/en-us/library/dd919181(WS.10).aspx

A2. No.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Client - since 2002
  Robert Aldwinckle replied to PA Bear [MS MVP]
07-Mar-10 12:48 AM
Protected Mode, first introduced in Internet Explorer 7

I think there should be an asterisk on that sentence.
*  in W2003S and Vista but not XP.

And I am not even sure about the W2003S, but that is where I first saw
IE6sp2 was released.


Robert
---
  PA Bear [MS MVP] replied to Robert Aldwinckle
07-Mar-10 01:39 AM
We ranted for months about that when we first saw it and yet it has never been
changed.

Anyway, PMIE is basically a function of UAC, which is not a WinXP 'feechur.'