Zapping System Progressive Protection

    #487306


    WOODY’S WINDOWS

    Zapping System Progressive Protection

    By Woody Leonhard

    Over the holiday break, three people sent me panic messages asking about an antivirus product that was demanding money to fix their computers.

    If my admittedly small sample is any indication, the venerable and virulent “System Progressive Protection” rogueware is back with new infection methods to delight us all. Oh boy.


    The full text of this column is posted at windowssecrets.com/woodys-windows/zapping-system-progressive-protection/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1368745

      Thanks for the great article. It just shows how careful and attentive we have to be before we madly click away! One thing that Woody didn’t mention as a solution was the matter of backups. Wouldn’t the easy answer be to restore the system with a system image restore, or am I missing something? I do regular system images plus daily folder and file backups. Surely this would fix SPP?

      • #1368758

        Very good article on “more to be wary of”. The section that interested me the most was about the video viewing and the need for a new codec. First of all, almost all the online video players are Flash based. The videos are streamed as FLV or MP4. Logical, as either can have a smaller file size without sacrificing quality. Specialty, hobby, and other things sometimes stream in WMV or MOV. These codecs are almost by default in every PC, except for FLV. And like the boss said, installing VLC has every codec you should ever need and then some.

        Back to those Flash video streaming sites. Most of the time when you see the “phoney” you-need-a-new-codec notice covering the screen you want to look at, there is often a way to close the overlay. Sometimes a very tiny x, almost hidden, will close it. If you do close the overlay and the player seems dead, then you can know for certain the link you clicked to get there was a dirty link. If you can’t close it, it’s time to find another stream. The streaming sites and their Flash based interfaces are not responsible for those overlays. You can access that same streaming site from another link or directly and won’t see all that crap.

        Ethics aside, the people that facilitate streaming servers are doing it for a reason. Infecting you is not on the agenda.

        The money game. Some streaming companies (for lack of better words) will throttle your stream and want you to pay a premium for fast streams. I can’t tell you what to do, but unless their free stream’s video quality is above 480p, don’t throw away your money. They don’t have videos before the ‘other guy’ either. You’ll find those videos on another ‘free’ server.

        When it comes to streaming and sites offering streaming links, it can become a mission for the inexperienced. I know of sites tagged as malicious yet they have the same links (and more) as popular sites such as Sidereel, and they have absolutely no spam links!

        It’s all risky. Just don’t download anything from a video window, there’s no reason for it and there’s a 99% chance you don’t need it. If you can’t close the overlay just utilize another stream link.

    • #1368850

      Given the title of the article, I expected to find instructions on removing this nasty. If you do get infected, see
      http://malwaretips.com/blogs/remove-system-progressive-protection-virus/
      for removal instructions.

      Jerry

      • #1368853

        I agree with the previous post.

        When you write “this version of SPP. It digs deep into Windows, making it resistant to nearly every type of malware-scanning software I’ve used. Manual disinfection methods that work on earlier versions of SPP might be ineffective with the latest incarnation,”

        then give us effective methods.

        Charlie

      • #1368981


        That site tells you to use Hitman Pro to remove the rootkit. This is not free. Hitman Pro is not an AV program, but only runs the engines of several real AV programs. While I find Hitman Pro’s findings useful in everyday cleanup and maintenance, I would never pay them to remove a rootkit. I would go to the source — the original AV vendors whose engines are used inside of Hitman Pro — and use their (paid) programs to do a proper scan and removal process.

        I also noticed frequent mention in the Comments of ESET online scanner. I don’t know whether this one does the removals for free, but the ESET full product is not free.

        -- rc primak

    • #1368873

      In fact, the link I posted shows how to use a couple of anti-malware software packages to automatically remove the infection. Can’t say enough about Malwarebytes. It’s my go-to program when the primary active antivirus program fails. Unfortunately, in this case you have to run another package as well to get rid of the rootkit.

      Jerry

      • #1368985


        This could be a good case for the Microsoft Windows Defender Offline CD-based tool. This program is particularly adept at ferreting out rootkits and disarming them.

        -- rc primak

    • #1368916

      I recently received a suspicious notice to upgrade Adobe Reader not on my computer, but while reading Outlook Exchange email on my Windows 7.5 phone. The attached file (trusted source, from work) did not open, so the second time I clicked on the “update.” Nothing seemed to happen (it kept prompting me to update) so I closed out of mail app and reopened it. This time the file opened and was readable. Nothing seems to have changed, but I’m still nervous.

      Two questions:

      1. Should I expect to see version updates for Adobe and similar programs on my phone?
      2. Is there some sort of well-recommended virus protection for Windows based phones? I know Android malware has been given a lot of attention in the press, but I find little specific to the WP. Even a one-time scan would make me feel better at this point.

      • #1368979

        AussieMike asked if it would not be simpler to restore from an image backup – (as I have seen advised by Ask Leo and many others as a good way to recover from an infection).

        However, there is one form of malware which, while not the same as the subject of this article, is similar. This is the type of malware that encrypts files, and has been reported as encrypting the backups on attached external drives as well. Advice on this subject often includes “do not leave the external drive connected”.

        With backup programs which are scheduled there is an obvious operational conflict. I have been looking for reasonable solutions to this but have not found any. Having a routine to only have the external drive connected when disconnected from the internet would work, but its use is problematical, particularly with daily backups (or even more frequent ones with some data backup programs, including that in Windows 8).

        It may be that for selected files, cloud backup is a solution, as even if what is there gets replaced with an encrypted version, a program which keeps earlier versions (e.g. Dropbox) would let the material be recovered.

        • #1368984


          For synchronizing or File History backups, it is indeed impractical to leave the backup drive disconnected when not in use, as it is always in use. This is a drawback to these backup methods. I rely on backing up data in batches at intervals, and only after scanning (Full File System Scans) with at least two AV and AS products before attaching any external backup drive to my laptops. No infections of the backup drives, ever, when using this tactic. I also use a separate external drive to manually create and maintain System Image Backups, at less frequent intervals, and again, only on a fully scanned system.

          -- rc primak

        • #1369221


          Thanks, Dean-S, for your comment. Here was I thinking how smart I am with my system images, which I do fortnightly only to find they also might be at risk. That’s a bit of a blow!
          Something else I also do, infrequently, is to copy my system image to a portable HDD which I keep in my car (just in case I get burgled or have a fire). The problem is to make sure I do it as often as I should (which I usually don’t!). But at least I wouldn’t lose everything. Cloud storage is useful but has its problems. It seems to me that the best we can do is to keep everything up to date, do frequent backups, keeping some off site, have a good armory of AV/malware tools…. and then hope for the best!!
          Thanks for the interesting comments.

          • #1371105

            Would the use of a sandbox while online stop SPP’s from getting into your OS?

      • #1368983


        Different OS entirely, and this malware is Windows (full OS or Windows 8 RT on tablets) and possibly an Android variant, last I read. Anyway, there really has been an update for Adobe Reader, so your alert is in all likelihood legit.

        -- rc primak

    • #1369136

      Bob, Hitman Pro is free to use for 30 days.

      Jerry

      • #1369159


        I’m aware of that. And of the fine print about limitations on removal even during the free Trial. I prefer longer-term solutions.

        -- rc primak

    • #1369190

      I have a couple of alternate programs I use for rootkit removal as well. The point is, the instructions in the link I provided will remove the nasty at no cost. Neither I nor the instructions purport to indicate you keep the removal programs long term, although I am a big proponent of Malwarebytes.

      By the way, I haven’t had much luck with Defender Offline for removing rootkits.

      Jerry

      • #1372548

        I have used MSE since the day it first came out and have had great things to say about it.

        HOWEVER, because of the ambiguity of the classification that we call “malicious software”, it is advisable to run a partner program with ANY primary security package.

        With Microsoft Security Essentials, the best one that I have found is Malwarebytes’ Anti-Malware Pro. I call it a “partner” program because it excels in the areas where MSE is sometimes weak. Remember, because of the fact that ALL publishers have to find a happy balance between power and the number of angry lawyers they have to deal with, PLUS the ambiguity of what is and what isn’t malicious software, no single-database approach is likely to get you any better than 94-95% effectiveness.

        My system works, and I have the experience of over 5,000 of my clients running this combination approach with exceptional results.

        Gary aka the Florida Swampster
