
Is kbremote malware?



ledzep
22-12-2011, 01:25 PM
I'm pretty careful on my PC and have anti-virus and firewalls installed. Earlier this week on startup Zonealarm reported two exe's trying to access the internet which I didn't recognise. I subsequently identified kbremote.exe and diagview.exe, installed at the top level of the Documents and Settings folder, which were being called from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run on startup. I also found a file called resultalg.exe in the internet temp folder. All 3 files were 64 kB in size and had identical icons, and arrived on my system at about the same time. I conclude it was some type of malware, but they were easy to remove and all is well. However, googling I cannot find any reference to any of these files (malware or otherwise) and my Vipre anti-virus doesn't flag them as malware when I scan them. Has anyone seen these before, any ideas?

1101
22-12-2011, 03:21 PM
"Vipre anti-virus"
Really ??

Download & install malware bytes
Download & install MSSE or Kaspersky(just for the scan, then remove it)

Vipre may be really good :lol: :lol: , but I won't trust a product that seems to have a lot of self-written reviews all over the net. Too much dodgy self promotion.

or Upload those files to
http://www.virustotal.com/

it will scan them with multiple av scanners

kahawai chaser
22-12-2011, 03:33 PM
Visit Microsoft support (http://support.microsoft.com/) for any reference to kbremote (or related terms, plurals, etc; kb = knowledge base, maybe), or Google site search MS. (http://www.google.co.nz/#sclient=psy-ab&hl=en&source=hp&q=site:http%3A%2F%2Fsupport.microsoft.com%2F+kbremote.exe&pbx=1&oq=site:http%3A%2F%2Fsupport.microsoft.com%2F+kbremote.exe&aq=f&aqi=&aql=&gs_sm=e&gs_upl=29239l30563l4l31568l2l1l1l0l0l0l894l894l6-1l2l0&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=b022d9a00a4d3080&biw=1024&bih=444) The diagview.exe might be diagnostic viewer. (http://diagnostic-viewer.software.informer.com/) The resultalg.exe might be related to the standard alg.exe (result - being a prefix or variant) of application layer gateway.

SP8's
22-12-2011, 03:50 PM
Sorry 1101 ... but I'd recommend getting rid of Vipre and installing MSSE (http://www.microsoft.com/download/en/details.aspx?id=5201) and keep it. The way your post reads is to download it, scan and then remove it.

I'd also suggest Spybot (http://www.safer-networking.org), Malwarebytes (http://www.malwarebytes.org/) and Superantispyware (http://www.superantispyware.com/)

Basically got everything covered that way.

pctek
22-12-2011, 03:56 PM
I'm pretty careful on my PC and have anti-virus and firewalls installed.
Not careful enough.
1 antivirus but several antispywares, AVs don't pick up a lot of spyware....

And a known good AV too....NOD32 or MSSE.

SP8's recommendations - get them, you never know what you may find.

Still ZA was always good for that - flagging suspect things trying to phone home...

ledzep
23-12-2011, 09:26 AM
Yes, some good points. Not careful enough! (The PC does get a lot of use and perhaps sometimes goes to places it shouldn't).
Some progress here. Firstly, it was a Trojan. I didn't remove it first time (it reincarnated itself after reboot), and Vipre didn't detect or remove it the first time.

The saver was Zonealarm, alerting me to unauthorised programs attempting to access the internet.

Each time the trojan recreates itself the exe file names are different - other names like dfw*95.exe and nlsmonitor, etc. Vipre doesn't recognise the exe's as malware, but on subsequent scans it did detect and report Trojan downloader Win32.agent. However, after it said it had removed it and I rebooted, the Trojan was back again, so my confidence in Vipre has been shaken. I have subsequently done a lot of manual clearing of temp files, internet cache, etc and subsequent scans with Vipre, Blacklight, fs-online scanner, Spybot, etc. and several reboots show it now to be completely clean.

So how did I get the Trojan? Don't know, but I am suspicious in that every time I change antivirus program I seem to get spyware. A year ago I changed from eset32 to Webroot spysweeper. On changeover I had spyware to clean. In the past 2 weeks a problem with Spysweeper updates caused me to change to Vipre, and again I've got a Trojan. There is a short period of time of susceptibility between removal of one product and reinstallation of the new one. Or perhaps AV manufacturers embed a trojan in their software which gets installed on your system when you remove it? Or perhaps a Trojan is installed with the new AV program which shows up and is removed to prove to you that the money you spent on the new product is justified? Or maybe I am very cynical (likely)!

My confidence in the new Vipre product has been shaken. I've been through McAfee, Norton, Trend-Micro, Avast, AVG, eset, Spysweeper. Couldn't get Kaspersky or Panda to install properly when I tried them. There are a few I haven't tried. Vipre is very light on PC resources, and is cheap (great price for 3-10 PC license), but if it doesn't detect and remove spyware it isn't worth having.
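Worked example, added here and not posted by anyone in this thread nor taken from any product it names: a PowerShell triage script that does by machine what the original poster did by hand. It lists the Run/RunOnce autostart entries (where kbremote.exe and diagview.exe were found), hashes each target so the SHA256 can be looked up on virustotal.com instead of uploading the file (1101's suggestion), flags binaries sitting at the top of a user profile or in a temp folder, and diffs against a saved baseline so that a dropper which comes back under a new name after a reboot (the dfw*95.exe / nlsmonitor behaviour described above) is recognised by hash rather than by name. It assumes Windows PowerShell 5.1 or later run elevated; the baseline file location and the "suspicious location" patterns are choices made for this example, not anything the thread specifies.

```powershell
# Added example; not code from the thread or from any product it names.
# Assumptions: Windows PowerShell 5.1+, elevated session; $BaselinePath is a
# hypothetical location chosen for this example.
param(
    [string]$BaselinePath = "$env:USERPROFILE\autostart-baseline.csv"
)

# The key the poster found the entries under, plus RunOnce and the per-user copies.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds that are not registry values.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Extract the executable from a Run value such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+)')     { return $Matches[1] }
    return $command
}

# Autostart binaries rarely belong at the top of a profile or in a temp/cache folder.
# These patterns are an example heuristic, not an exhaustive list.
function Test-SuspiciousLocation([string]$path) {
    $patterns = @(
        '^[A-Z]:\\Documents and Settings\\[^\\]+\\[^\\]+$',
        '^[A-Z]:\\Users\\[^\\]+\\[^\\]+$',
        '\\Temp\\',
        '\\Temporary Internet Files\\',
        '\\INetCache\\'
    )
    foreach ($p in $patterns) { if ($path -imatch $p) { return $true } }
    return $false
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $providerProps -notcontains $_.Name }
        foreach ($prop in $props) {
            $exe  = [Environment]::ExpandEnvironmentVariables((Get-ExePath ([string]$prop.Value)))
            $info = [ordered]@{
                Key = $key; Name = $prop.Name; Path = $exe
                SizeBytes = $null; SHA256 = $null; Signature = 'missing'
            }
            if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $info.SizeBytes = (Get-Item -LiteralPath $exe).Length
                $info.SHA256    = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                $sig            = Get-AuthenticodeSignature -LiteralPath $exe
                $info.Signature = $sig.Status.ToString()
            }
            # Unsigned is a hint, not a verdict: plenty of older legitimate software is unsigned.
            $info.Suspicious = (Test-SuspiciousLocation $exe) -or ($info.Signature -ne 'Valid')
            [pscustomobject]$info
        }
    }
}

$current = @(Get-AutostartEntries)

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: record what is there now. Clean up, reboot, then run again to see what came back.
    $current | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
    Write-Host "Baseline saved to $BaselinePath. Clean up, reboot, then run again to diff."
} else {
    $baseline = @(Import-Csv -LiteralPath $BaselinePath)
    foreach ($entry in $current) {
        # Match on hash, not on value name or file name: the same dropper re-created under
        # a fresh name after a reboot still has the same SHA256.
        $match  = $baseline | Where-Object { $_.SHA256 -and $_.SHA256 -eq $entry.SHA256 } |
                  Select-Object -First 1
        $status = if (-not $entry.SHA256)              { 'unreadable' }
                  elseif (-not $match)                 { 'new' }
                  elseif ($match.Path -ne $entry.Path) { 'renamed' }   # same bytes, new name
                  else                                 { 'unchanged' }
        $entry | Add-Member -NotePropertyName Status -NotePropertyValue $status
    }
}

$current | Sort-Object Suspicious -Descending |
    Format-Table Name, Path, SizeBytes, Signature, Suspicious, Status -AutoSize

Write-Host "`nSHA256 values to search for on virustotal.com (search by hash; no upload needed):"
$current | Where-Object Suspicious | ForEach-Object { '{0}  {1}' -f $_.SHA256, $_.Path }
```

Run it once while the machine is in the state the poster described to write the baseline, remove what you decide to remove, reboot, and run it again: anything reported as `renamed` is the same binary re-dropped under a different name, which is exactly the behaviour that made the poster doubt the cleanup. The script only reads the registry and hashes files; it changes nothing, and it does not cover other autostart locations (services, scheduled tasks, the Startup folders), which a tool like Autoruns or Hijackthis also lists.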

GameJunkie
23-12-2011, 09:39 AM
Nod32 or MSE

Speedy Gonzales
23-12-2011, 09:42 AM
Make sure there is ONLY 1 version of Java installed (If you use it / the latest version). Older versions have vulnerabilities. And you can get trojan downloaders from old versions. I would disable system restore, install a better AV program, then scan the whole hdd. Then use something like ccleaner to remove temp files etc. With all of these AV programs you've tried, did you uninstall ALL of them except one?? Probably not a good idea having 10000 of them running all at once
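A quick way to check the "only one Java" advice above, as an added example that is not from the thread: this PowerShell snippet reads the Add/Remove Programs registry entries (64-bit, 32-bit and per-user views) and lists every Java runtime that is registered, warning when more than one is present. It assumes the installer registered a DisplayName starting with "Java", as the Sun/Oracle runtime installers do; the exclusion of the "Java Auto Updater" entry is an assumption made here so the helper component is not counted as a separate runtime.

```powershell
# Added example; not code from the thread. Lists registered Java runtimes and
# warns when more than one is installed. Assumes Oracle/Sun-style DisplayNames.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and
                       $_.DisplayName -notlike '*Auto Updater*' } |   # assumption: helper, not a runtime
        ForEach-Object {
            # Parse DisplayVersion (e.g. 8.0.3110.11) so entries sort newest-first.
            $ver = $null
            [void][version]::TryParse([string]$_.DisplayVersion, [ref]$ver)
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                DisplayVersion  = $_.DisplayVersion
                Version         = $ver
                InstallLocation = $_.InstallLocation
                UninstallString = $_.UninstallString
            }
        } | Sort-Object Version -Descending
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    Write-Host 'No Java runtime is registered on this machine.'
} else {
    $java | Format-Table DisplayName, DisplayVersion, InstallLocation -AutoSize
    if ($java.Count -gt 1) {
        Write-Warning ('{0} Java installs found; only the newest ({1}) should remain.' -f `
                       $java.Count, $java[0].DisplayName)
        Write-Host 'Older entries and their registered uninstall commands:'
        $java | Select-Object -Skip 1 | ForEach-Object { '  {0}: {1}' -f $_.DisplayName, $_.UninstallString }
    }
}
```

The script only reads the registry and prints the uninstall command each old entry registered; it does not run anything, so removal stays a deliberate step through Add/Remove Programs or that command.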

pctek
23-12-2011, 11:19 AM
Each time the trojan recreates itself the exe file names are different

every time I change antivirus program I seem to get spyware.

My confidence in the new Vipre product has been shaken. I've been through McAfee, Norton, Trend-Micro, Avast, AVG, eset, Spysweeper.

Anti-virus programs are for detecting viruses.

Anti-spyware programs are for those types of malware that are not classified as a virus.

NOD32 remains the best antivirus but if you think that's it, well you will get spyware. Add Spybot, Malware Bytes and Superantispyware to it, update and scan weekly at least.

Then you won't have a problem, well, short of self inflicted ones.

It's common for those types of malware to rename, hide and persist. Not that hard really though, once you get the main file.

Hijackthis is a good tool for those.