#1
Malware meltdown :-(
My long serving SageTV installation is having an issue.
I downloaded an executable I thought was trustworthy and which passed the virus scan, but the next thing was the computer announced it was going to restart without any cancel option. When it came back up Kaspersky announced SageTVService had been infected with a trojan and deleted it.
After a full scan I tried to run the (archived somewhere) 7.1.9 installer to repair, but it said fatal error and rolled back. I then tried to uninstall and reinstall and it failed again. I tried downloading the 7.1.9 setup.exe from https://forums.sagetv.com/forums/showthread.php?t=56137 and ran that installer. Halfway through, Kaspersky decided this installer was infected and deleted it and rolled back any changes it had made, causing the installer to fail halfway through.
Now I cannot install/uninstall or repair. The SageTV installer keeps wanting to resume the previous install that Kaspersky rolled back all sorts of changes from. Anybody know how I can reset and start setup again rather than resume setup, or forcibly uninstall (SageTV is not listed in Programs and Features)? Michael
#2
I finally got it to install after a reboot and the virus protection turned off.
However, on starting virus protection Kaspersky started deleting components of the installation and registry settings. It claims there is a trojan, e.g.
06.01.2017 14.57.11;Detected object (process memory) deleted.;d:\users\michael\downloads\sagetv_v7_1_9setup.exe;d:\users\michael\downloads\sagetv_v7_1_9setup.exe;PDM:Trojan.Win32.Generic;Other malware;01/06/2017 14:57:11
Similar things were reported with SageTV.exe and SageTVService.exe after installation. So I'm running with virus protection off - which is a really dumb idea. It just seems odd that it's picked out SageTVService to be the bad boy.
#3
My guess is that you still have a virus.
#4
I would highly recommend running ADWCleaner and probably the Junk Removal Tool. Both can be found at BleepingComputer.com, which is very safe.
I have had ADWCleaner find things nothing else can. It will ALWAYS reboot after a cleaning, so be prepared for that. Also, it's probably not a bad idea to boot into safe mode to run either of these. And ADWCleaner has solved probably upwards of 90% of malware issues that I have had on customers' PCs, whether I knew they were there or not.
#5
Kaspersky full scan returned no threats.
It did that before, but when SageTV got going it started deleting files and registry entries. I am just trying Malwarebytes, which apparently has found 45 threats two minutes into the scan. Oh, 438 threats now. I'll try your suggestion for added peace of mind. Thanks, Michael
#6
Bitdefender did the same thing with sagetvclientsetup_9.0.4.232_rc1.000.exe, with virus name: Trojan.genericKD.3812987, and I marked it up as a false positive, as it only marked it that way after a few updates to the virus signatures. I had the same thing happen with a game I installed from GOG as well, showing a false virus warning, and only got it cleared up after I sent them the exe file to examine and they looked at it and cleared the file as good :P
#7
Malwarebytes just seems to stop so many files in...
Guess I'll try ADWCleaner.
#8
I would suggest not installing malware on your Sage server in the future...
it just never ends well...
#9
FYI
http://www.nirsoft.net/utils/usb_devices_view.html
I downloaded the USBDeview tool from the above website and then scanned with Kaspersky. It said it was clean, but while running it popped up a dialog saying the PC was shutting down in 1 minute. The troubles then began - so steer clear of nirsoft.
#10
If you can, best to format and start with a clean install and keep just the wiz.bin file.
#11
Quote:
As soon as I knew I had a malware/virus situation, I would have done exactly this. It's not worth the hours of scanning and uncertainty of if you really got everything.
#12
Quote:
#13
Yeah, think I'm getting close to that.
I managed to get a Malwarebytes scan of my D drive to complete. It found two items to quarantine and then wanted to restart. I restarted and suddenly there was a Windows update to apply (I turned off Windows updating long ago). Now it's back up and Kaspersky came back on again. It has not deleted anything, but now pops up this dialog claiming Sage is trying to access a remote machine: 66.84.24.196 port 8018. That's nothing to do with SageTV, right?
#15
Yes, you are correct.
I think SageTV is a false positive. None of the warnings Kaspersky pops up turn out to be evil. I must have had a bad update. Malwarebytes found a few scary-looking things during my scan that Kaspersky has no problem with. So hard to know what to trust.
#16
False positives are one of the huge glaring weaknesses of signature-based detection.
#17
I too had my adventures with this program & KIS 2017 not playing nice, so sent an incident to Kaspersky with links to software, so hopefully this will be fixed once & for all.
Galaxysurfer
#18
Having thought about it a bit, I seem to remember adding all the Sage exes into the trusted apps list years ago.
I reckon an update from Kaspersky must have cleared them off the list.
#19
Kaspersky detection fix
Informed Kaspersky of the problem & they came up with a fix. Don't know if the issue is solved, since I chose not to use my license at renewal time & moved back to Eset, which I know works fine with SageTV. I like that it is easy to set custom rules for firewall communication between server & clients. So if you out there still want to use a Kaspersky product, it should work again.