Windows Premium Guard - Malware


V.T. Eric Layton

V.T. Eric Layton

A friend whose system I had just revived/refurbished a few weeks ago, came by yesterday with his tower in the back seat of his car. He was complaining about how the anti-virus program I put on his system kept nagging him to purchase a premium version. Hmm... I only installed MS Security Essentials on his system and it does NOT nag.

 

Turns out my friend must have been surfing some naughty sites somewhere, because he was the victim of a drive-by installation of Windows Premium Guard, which doesn't guard against anything, actually. It's a trojan that infects your system with loads of nasties. It disables your real anti-virus, disallows Task Manager access, and locks down regedit use. Nasty booger here, folks.

 

I had to use this tutorial from bleepingcomputer.com to clean the system up --> http://www.bleepingc...s-premium-guard Once I did all this, I ran CCleaner, an MSE scan, and installed FF w/ NoScript/Adblock for him. I checked that all was updated properly and I left Malwarebytes (trial version) on his system just in case I needed it again.

 

I just revived/refurbished his mom's system not two weeks ago. He's claiming it's all bogged down and not starting up properly already. I'll check mom's system one more time. If it's all corrupted again, I'm giving these folks the option of switching to a Linux distro of some flavor or take their systems to Best Buy for service next time. ;)

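A defender-side check for the two symptoms Eric describes (Task Manager and regedit locked down, and the real anti-virus switched off), as an added example that is not part of the original thread. It reads the standard Windows policy values DisableTaskMgr and DisableRegistryTools under the per-user and machine Policies\System keys, and checks the Microsoft Antimalware service (service name MsMpSvc, which MSE uses); run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread. Reports whether Task Manager or the
# Registry Editor have been disabled through the standard Windows policy
# values, and whether the Microsoft Antimalware service (MSE) is running.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$policyValues = 'DisableTaskMgr', 'DisableRegistryTools'

$findings = @()
foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $key = Get-ItemProperty -Path $path
    foreach ($name in $policyValues) {
        $value = $key.$name
        # A non-zero value means the tool is blocked; on a home PC with no
        # domain policy this is a red flag worth investigating.
        if ($null -ne $value -and $value -ne 0) {
            $findings += "$name = $value under $path (tool disabled by policy)"
        }
    }
}

# MSE runs as the Microsoft Antimalware Service; a stopped or missing
# service matches the "disabled my real anti-virus" symptom in the post.
$av = Get-Service -Name 'MsMpSvc' -ErrorAction SilentlyContinue
if ($null -eq $av) {
    $findings += 'MsMpSvc not installed (MSE/Defender service missing)'
} elseif ($av.Status -ne 'Running') {
    $findings += "MsMpSvc is $($av.Status) (anti-malware not running)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No policy lockouts found; anti-malware service is running.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

A clean machine that is not domain-joined should report nothing; any hit here points at the Policies\System key or the service as the place to start repairs (for example with the bleepingcomputer guide linked above).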

V.T. Eric Layton

If it weren't for the fact that I just recently set his system up from the get-go for him, I probably would have nuked the whole shebang. In this case, though, it was better to repair with the small rock hammer rather than the sledge. ;)


You could teach him to use a portable browser on a USB stick then only the stick would need to be nuked rather than the entire computer.


V.T. Eric Layton

Yeah, but if you switch them to Linux, they won't need to pay you for your services :D :lol:

 

They're not paying customers now. :(


V.T. Eric Layton

You could teach him to use a portable browser on a USB stick then only the stick would need to be nuked rather than the entire computer.

 

I don't think that would have prevented this infection, Liz. That Windows Premium Guard is some UGLY stuff. Once it got in and disabled the MS Sec Essentials, it left the door wide open to lots of other baddies. In just the few days that it was like this, the system acquired 763 distinct pieces of malware and 4 separate trojans.


That Windows Premium Guard is some UGLY stuff. Once it got in and disabled the MS Sec Essentials, it left the door wide open to lots of other baddies. In just the few days that it was like this, the system acquired 763 distinct pieces of malware and 4 separate trojans.

 

Not exactly familiar with this drive-by stuff, Eric. Is there nothing that would have prevented it, or alerted the user? MBAM, WinPatrol, SpywareBlaster?


V.T. Eric Layton

I'm sure there is, Norm. You know me, I'm not an MS Win user these days; not much, anyway. I'm sure Corrine or Aryeh (Goretsky) would know more about it than I do.


I wish Fran or Corrine would weigh in on this "drive-by" stuff. It's not just ogling ta-ta's anymore. They say religious sites are more dangerous.

 

Web wanderers are more likely to get a computer virus by visiting a religious website than by peering at porn, according to a study released on Tuesday.

 

"Drive-by attacks" in which hackers booby-trap legitimate websites with malicious code continue to be a bane, the US-based anti-virus vendor Symantec said in its Internet Security Threat Report.

 

Websites with religious or ideological themes were found to have triple the average number of "threats" of those featuring adult content, according to Symantec.

 

http://news.yahoo.co...-192552733.html


I saw a reference to the Symantec report but don't have access to information on what other types of sites are targets. Without a doubt, sites that discuss sensitive issues are likely to be a target. However, as far as I'm concerned, all types of search results are poisoned. I think most of us have been around security discussions long enough to know that using P2P and visiting porn sites will definitely put a computer in greater jeopardy.

 

We also know that keeping up to date with security updates and third-party software (Oracle Java and Adobe products in particular), antivirus software, firewall, and router will help, but still no guarantee. I have a friend at MS in security who was searching for something about servers. One of the links was poisoned. He immediately pulled the plug. Yesterday, I was searching for information on Microsoft newsletters. There was a site with a lot of information -- it also had links that ESET immediately blocked as containing potentially dangerous content -- they redirected to China. Many times, Malwarebytes Anti-Malware Pro has blocked malicious search results that weren't identified by WOT as containing potentially dangerous content.

 

Bottom line, it can happen to anyone at any time. I've been fortunate that my security software has always protected my computer.


V.T. Eric Layton

It's my understanding that many of these drive-by infections of Windows Premium Guard and similar slime are being initiated by infected host servers also. My friend who had this issue claims that he went to a legitimate Chinese manufacturer's website while on the phone with a representative of the company. My friend is a manufacturer's rep here in Florida for electrical, tile, and plumbing products. Anyway, he claims that the computer freaked out as soon as it finished loading the page for the company. The company's rep has apologized and claims to be checking on their hosting service (another Chinese company) to see what the issue is.


Would having NoScript blocking everything at an unfamiliar site add another layer of protection against these poisoned hosts...or not?


Certainly it would, frapper, since NoScript can block JavaScript, Java and Flash, as well as providing both cross-site scripting and anti-clickjacking protection.


Guest LilBambi

In addition to JavaScript, NoScript can also block Silverlight and other plugins, like it does Java and Flash. I love NoScript.
