"CrimeWatch" Got tagged & removed it. Am I safe or should I Nuke?

Discussion in 'malware problems & news' started by zapjb, Nov 21, 2014.

  1. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Went to Tucows & downloaded Motorola USB x64 driver (Motorola_Consumer_Driver_Installation_MotoConnect_1.1.30_64_bit_4.6.5). Came in a Tucows stub installer. Scanned with BDIS - aok, SAS - aok, but MBAM labeled it PUP. This version of Motorola USB drivers I could not find elsewhere believe me I looked. I tried many other Motorola drivers & nonMotorola drivers, none worked on my config.

    Ok the stub has express & custom install. We all know this game. So I deselected all the junk on 2 different pages. Then this downloaded the Moto drivers. So I scanned the driver with all my 3 - clean. Deleted the stub to banish it.

    Installed the driver, rebooted & driver works. Cool beans, right? Not so fast.

    Started to surf went to a fav site & page loaded sloooow. In the rt top corner little popup Crimewatch with a counter says says 154. I say wtf. Then popups with call tech support s--- & floaters & other s---. Opened my uninstaller saw a new program called Crimewatch I know I didn't install. So uninstalled it & got rid of traces through uninstaller.

    Rebooted started surfing again. Still there in upper rt. So I did all sorts of scans. Like 6 different well rated programs. Came up clean. Crimeshat still there though. So I searched & deleted Crimewatch in c-users-me-app data-local. Deleted it. Bugger came back.

    So I booted to a Linux LiveCD. So searched (web) & theres nada on Crimewatch malware. So I started rescuing files on a jump drive. I figured wth & searched for Crimewatch in Linux. This time found 2 instances & deleted them.

    Rebooted to W7 & Crimewatch is gone. System is back to normal. Am I ok or should I nuke my ssd & start over? It's been years maybe more than 5 years since I infected a pc. And Tucows used to be ok. My responsibility yes I accept it.

    Anybody know about Crimewatch as a PUP/malware? Is it sneaky & still there? It came off pretty easily.

    Thanks.
     
    Last edited: Nov 21, 2014
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Sorry to hear ! As you went through all the precautions to avoid the PUP installs, this sounds like an Illegal install, & should be reported.

    For lols i tried to install it to see what happens, but got this ?

    serv.png

    It would have been a good idea to upload it to for eg https://www.virustotal.com

    I did = Detection ratio: 14/54

    Years ago i DL'd quite a bit from Tucows, but now it appears the've gone bad, like some others !
     
  3. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Thanks. Do you think it's necessary to nuke & start over?



    Oh & fn Tucows embracing the dark side. POS Tucows!
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    As they are "supposedly" "only" PUP's, i wouldn't nuke etc, as you "appear" to be rid of them, but it's up to you. Having said that, some of the VT results description was Trojan, which is Much worse than PUP. It "might" be due to the devious install method, rather than them being anything else ? If you don't nuke etc, keep a watch on your FW, & use Autoruns to look for unusual entries etc, & ProcessExplorer to discover what's running etc.
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Awesome checked both aok. Going to run Dr. Web LiveDisk 900 for additional peace of mind. I've run 9 or so reputable malware catchers so far. So Dr. Web will be the last.
     
  6. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Geez I am still running dr.web CureIt. Its taking forever, 20 hours & counting. So its found 1 bad registery key that no other security software found. So I'll wait out Dr web even if its another 20 hours.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    [QUOTE="zapjb, post: 2429823, member: 40589"Its taking forever, 20 hours & counting.[/QUOTE]

    'Fraid this is why I always take the opportunity to restore/rebuild. I kind-of see it as an opportunity to clear back to a cleaner registry, and not have any chance of infection - and really, it doesn't take that long to do, it's mainly hunting up the disks and current software, I keep reasonable licence key records. The trouble I have is that I'm never sure I'm clear, because I think more and more infections are silent, or there's a quiet RAT which will simply load up more threats if you've cleaned the visible ones.
     
  8. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Valid points. My last image is 4-6 months ago. I might do. But my banking is sandboxed with onscreen kb so I'm OK that way.
     
  9. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
    Yeah, I wouldn't nuke the entire system. Just send the Motorola_Consumer_Driver_Installation_MotoConnect_1.1.30_64_bit_4.6.5 to whatever antivirus company you use so then you're sure they're able to detect it.

    Sounds like you got rid of it though. You might always have leftover traces, like registry entries, but it's just clutter.
     
  10. roger_m

    roger_m Registered Member

    Joined:
    Jan 25, 2009
    Posts:
    5,248
    Personally, I never do a restore after getting infected. If Malwarebytes or other scanners aren't showing me as being infected anymore I believe them. In many years of dealing with malware I've only had to wipe a system twice, and that was when getting BSODs after cleaning malware with CureIt.

    The customer was happy for me do a clean install of Windows. If they were my systems I would have spent the time to find and eliminate the cause of the BSOD.
     
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Thanks all. Learned my lesson lol for now anyways. After spending the last 3 days scanning my drive with almost all the reputable scan engines I could. Dozens of reboots later I'm convinced I'm aok. And I made a current OS image stored on 2 different externals. Backed up all data the same. And all essential programs again to 2 jump drives. My last OS image before today was 4 months old, that's too long between images for me.
     
  12. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    Depending on your system, you might also consider using disposable or snapshot VMs? Restore is pretty easy!
     
  13. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,522
    Location:
    USA - Back in a real State in time for a real Pres
    Thanks this old dog doesn't want to learn about VMs right now. An OS image restore takes 15 minutes using EaseUS Todo Backup Advanced Server 4.5. So I'm ok with my current system which also protects against hardware failure.



    Edit: I want to clear up a point I didn't make or wasn't clear about. I was foolish in that I know better. The original file from tucows ~ Snipped ~ was a "special" tucows downloader that downloaded the Motorola driver. The driver is fine it was the tucows ~ Snipped ~ file that was infected. I knew better to download & execute a wrapper downloader from a download site ~ Snipped as per TOS ~.
     
    Last edited by a moderator: Nov 24, 2014
Loading...