Win Security 360 is a rogue antivirus application that is promoted through the use of trojans and other malware as well as sites that claim to do malware scans of your computer. Among the things that it will do is schedule itself to run when the system boots and it will perform a scan. The scan will flag normal windows files as virus infected and will want to remove them. This can cause many greater problems than you already have with your system. Please read on for how to remove win security 360.

Among the other things this rogue does while it’s active on a system is that it will terminate programs that are running and claim that they were virus infected and had to be closed, or that they crashed. Here is one of the error messages that you may see:

Application .exe has crashed because of Conficker.Worm Virus.

Infected File:

Potential Risks: Viruses is spreading over your PC and the system status is unsafe. Your service provider may lock you out of internet access, because your PC is potentially harmful.

Viruse’s actions: Steal your personal data and send it to the remote host. Spread between your friends quickly (via internet or storage drives). Send spam and malicious codes from your computer.

They do this to encourage you to purchase their software because as all of these rogues claim, that is the only way you can protect your system against these problems. Please do not fall for this scam.

You may wish to try going to the control panel first and visiting the add/remove programs area and see if it’s possible to uninstall win security 360. It may not be possible, but if it is listed and possible to uninstall it, things will be easier. If it does uninstall, you should follow up with a scan from a malware removal tool (a trusted, reputable tool such as superantispyware or malwarebytes antimalware) and a trusted, reputable antivirus (online scans like housecall from trendmicro are okay, as well as free for home use products like avg, avast, avira, etc.)

There is a link to download Malwarebytes antimalware on my virus removal toolkit page. While you are there you may also wish to download process explorer. It may be useful further in this removal process.

Due to this infection, you may need to download these programs to a usb flash drive using another computer. If that is the case, go ahead and download rkill.com from bleepingcomputer. If you download this, process explorer shouldn’t be needed.

On the affected computer run rkill.com repeatedly to kill off the running processes associated with this rogue. Don’t close windows if the rogue complains about rkill being malware, just keep running copy after copy of rkill.com if need be so that you kill off all of the running processes related to this rogue.

After that, launch malwarebytes antimalware installer and let it run a full scan of the system. (Do not reboot first.) Update and scan after the install and remove anything that is found. After this you will not need to do a manual removal of win security 360.

For your reference here is a listing of files associated with Win Security 360 in case you use a third party (linux for instance) boot disc to try to clean up from win security 360:

%user%\Application Data\WinSecurity360
%user%\Application Data\WinSecurity360\vlc.dat
%user%\Application Data\WinSecurity360\WinSecurity360.ini
%user%\Desktop\Win Security 360.lnk
%user%\Start Menu\Programs\Win Security 360
%user%\Start Menu\Programs\Startup\Win Security 360.lnk
%user%\Start Menu\Programs\Win Security 360\Website.lnk
%user%\Start Menu\Programs\Win Security 360\Win Security 360 Help.lnk
%user%\Start Menu\Programs\Win Security 360\Win Security 360.lnk
%progfiles%\WinSecurity360
%progfiles%\WinSecurity360\sk.lst
%progfiles%\WinSecurity360\Win Security 360 Help.url
%progfiles%\WinSecurity360\Win Security 360.url
%progfiles%\WinSecurity360\WinSecurity360.exe

After this you should have removed win security 360 from your system.

I’ve tried to ask myself if I’d trust someone enough to let them run a remote session on my own desktop to solve a problem. I think the answer is “it depends”. If you think about it, I do tech support for home users quite a bit and they let me come into their homes. If I were weighing someone coming into my house, or onto my computer desktop, I think I’d choose my desktop. …

But, let’s face it, any problem that is solvable by a remote desktop is probably something that could be reproduced in another user account on linux – right? If I were having an across the board problem, I might create a new user (*windows or linux*) and run a remote desktop support session that way. At least that way, none of my files would be accessible (assuming it was a Windows limited user account.) Of course, over time, if I trusted them, I might allow a remote desktop support session to my main desktop if I trusted the technician and knew what the goals of the session were (and that I was observing and could “pull the plug” at any moment.) I would not give my password information for all the tea in china…. and if for some reason I did, I’d promptly change it after the connection.

I have a tendency to only go to technical support as a last resort. I don’t know, maybe it’s self reliance – a joy of solving puzzles, or maybe it’s just that the first two levels of tech support walk you through things I would try anyway. For that reason, all of the above is more of a mental check as to how comfortable I would be if someone were suggesting they could help with an issue remotely.

Soon, I’ll start offering remote desktop tech support services for Windows and Linux. I don’t know what kind of acceptance there will be of it. It certainly isn’t for every problem. I suspect the main takers will be those that already know me and have had me work on their computers before. I plan on requiring 30 minutes worth of time pe-paid for new customers. ($20) (At the end of which, it can be discussed if more time is needed and why/what goals remain.) Established customers can choose to be billed after the session.

When the service rolls out payments will be processed by Paypal, mainly because that seemed the simplest most straightforward way to setup payments online. Payments are possible from credit card/bank transfer or paypal account, although the paypal account will not be required. The nice thing about letting them deal with things is that they get to deal with the credit card information, it will not be stored at (or even touch) the averyjparker.com server, which I like.

Well, I’m quite pleased at the moment with the state of the support downloads that I’ve got, I think they’re relatively easy to use, and fairly reliable. The only wish I have at this point is if I had a Mac version of things, but…. I don’t have a Mac to test with, so that will have to come later. I’ve enjoyed sharing the mashup of x11vnc and my wrapper script and hope it’s of some use to someone, it’s already been a great use to me, if for no other reason than the process of learning/envisioning a solution to a problem.

Well, I’ve got a nice way of doing “easy” one click (or one cut and paste) light desktop support for windows or linux, one uses ultravnc sc, the other uses x11vnc with a special wrapper script. So, what security flaws are there in this process? Well, for starters, I see the biggest vulnerability for the computer running the listening vncviewer (because it HAS to be available to the outside world.) That means the tech support desk must keep on top of vncviewer updates and keep the service turned off when not expecting a client connection. The other question that comes to mind is encryption though….

There are ways to encrypt ultravnc sc and x11vnc, the ultravnc sc would probably be a bit more straightforward with the dsm encryption plugin, however the x11vnc encryption, as best as I can see would have to be through a ssh tunnel. Which might not be the best (ssh tunnel would require a login on the remote machine, or a user from the remote machine to log on to the support machine…) either one of those opens up more worms than it MIGHT be worth. Why would we be concerned about encryption..? If it were a static vnc setup, with a server available most of the time, we would have password authentication and wouldn’t want someone snooping our password. SSH encryption would prevent that. However, that’s not the model that the remote tech support “single click” approach uses….

In this case the server initiates the connection to a hard coded viewer. That session could be eavesdropped on I suppose since it’s in the clear, but I don’t see it being of much value as most mitm attacks are geared at pulling text out of login sessions, text out of web page downloads (hijack domains by substituting text that’s in the clear…) It’s not obvious to me that the framebuffer binary screen refreshes could be snooped as easily, or…. in this case, what an attacker could actually do with the stream of data. Usually, such things are used to gain access to the machine, but in this case, the server goes away after the connection, so there’s no advantage to be gained there.

I hope at some point to sit down and look at what “tools” there might be to view vnc sessions and look at what they’re geared towards. The last I saw though, password information (of the vnc server login) was the goal and I don’t know that I’ll find anything otherwise. So, that angle of the security of the plain text vnc is still an open question, but I’m doubtful that this setup would be a great risk. (Plain text connections to a password protected vnc server ARE a greater risk… if you’re setting up a vncserver for permanent “outside world” accessibility, encrypt connections to it somehow.)

The worst case there that I see is that someone can eavesdrop on the support session by viewing it. (Much the same way jpg’s can be displayed from a hijacked browsing stream?) Maybe keystrokes from the client could be parsed, but with the tools I just looked at, there aren’t *easy* ways to do it, like there are easy ways to capture say, an email login over pop3….

It looks as though the x11vnc writer is looking at integrating stunnel ssl encryption in a future release, that MIGHT be a great answer to simplify encrypting the linux remote tech support connection, but shared libraries might get in the way of wide-compatibility.

As for the wrapper script, that’s the achilles heel in the linux version of this. I think, it would be possible for someone to alter the $REMOTELISTENER machine name on the fly and hijack a session that way. Of course, they could also hijack the initial wget yoursite.com call and substitute some other file in place of the script. Of course, I would think for someone to take that effort, they would be intent on targetting you specifically. (given that it’s a text string I wonder if that could be substituted in a binary download of the ultravnc sc as well? There it would probably have to be the same length as the original…)

As I think about the script there may be ways to improve the error checking on that to make it harder for such a hijack to happen. I think the chances of someone trying that are probably low and would indicate a TARGETTED interest in monitoring/hijacking a specific persons connection through the scripted run.

I’ve got to say, one of the things I really like about linux are the myriad of options for remotely administering a system. SSH is the one I use the most, but for the graphical you have x (especially on the LAN), nxserver (which is a compressed and optionally encrypted wrapper of the X protocol….), vnc can be used, although as I’ve noted in the prior articles one problem with either nxserver, X or vnc is that you can’t by default connect to a running X session. x0rfbserver CAN, but only if a user is logged in (as far as I know….) I found an interesting trick with x11vnc that let’s you run it even if the system is at the greeter. (the login screen for X).

This was kind of neat because it would save me a trip to the other end of the house a few times…. anyway…. I just downloaded my x11vnc binary to the machine using ssh…. (so, you DO have to have ssh access to the machine, then wget the x11vnc binary that you’ve precompiled, or install x11vnc on the system/compile from source, apt-get, urpmi, whatever works for you….) I should note there are a variety of precompiled binaries on the x11vnc site.

Anyway, once you’ve got the binary downloaded (and chmod +x so you can run it….) you can run it like this…. x11vnc -desktop :0 …. but wait… there’s a problem – YOU don’t own the x display at this point, it’s still the greeter.

So, you’re told that you need to add -auth and include the path to the auth file…. how to find this magic file? The help gives a hint…. “ps wwaux | grep auth”, so in my case it was at /var/run/xauth/A:0-IJeAuS (changes each time you restart X, or re-visit the greeter…) and you really ought to be root, so you could (at least sudo….) su and then start the x11vnc server, or…

sudo x11vnc -desktop :0 -auth /var/run/xauth/A:0-IJeAuS

(again the authfile changes each time the server’s restarted so use the ps wwaux | grep auth above to find it…)

Then you can connect with a viewer, or if you have a viewer -listening already…. just add -connect address.of.listening.pc and your looking at THE greeter for the active display (not A greeter served up virtually). This could be useful for remote tutoring sessions where you wanted to illustrate EVERYTHING from logging in, etc… OR, let’s say you want to get some work done on your home PC, but…. don’t think you’ll finish everything up and have time to close the session only to restart later, this way, you can log in remotely, when you come back the work should still be up on the desktop (assuming no power interruptions….) the next time you connect or sit down. And what about security, what if someone’s sitting watching what I do remotely. Depending on the circumstance (tutorial/tech support) that’s fine, but if it’s desktop work, web browsing, etc… not fine. It’s possible (I read there’s a patch for this) for x11vnc to switch on DPMS power saving on the monitor when it runs, which isn’t bullet proof OBVIOUSLY, but would be a discouragement of casual snooping. I think they discussed the idea of kicking the screensaver immediately if the power saving was awakened and then the remote vnc’er would know something was up. The bottom line is, if you’re concerned about people accessing your pc while you’re away, you really need to find a way to control physical access to it anyway. Because the same one that could be watching your remote web-browsing, could be booting up a knoppix disc and accessing the drive anyway….

Anyway, I thought the remote login on the REAL display was a neat plus which I’ve already made use of a couple times. I wish there were a way to do that in Windows without having to run vnc as a service (I seem to recall logging in on a few machines using vnc when I had it running as a service…) The big problem, is that I don’t LIKE the idea of leaving a vnc server running all the time when you only need it on occasion, which is one reason I like the Ultravnc SC idea, the “click when you need support idea” is very similar to something I had setup with tightvnc on an internal lan, where they all have an icon on the desktop that says “Allow remote administration”, when then would start a vnc server, I’d ssh in through the gateway, and do an vncviewer -via connection (connect via the ssh gateway.) The advantage there is that the username/password info is encrypted.

As I said in the earlier posts, I was essentially looking for a “Single click” solution for linux VNC remote desktop support. A solution that doesn’t require the remote support client to change firewall settings, install software, etc. What I’ve settled on is closer to a single cut and paste solution, which is fairly simple. The next problem I had was compatibility of the x11vnc binary. The first problem was the xfixes library not being a part of Mandrake 10.0, then xdamage, xrender, xrandr – none of those libraries were found… so, I started looking at the compile options for x11vnc (and the optimization, because I wanted a smaller file size.)

The first binary I got was about 2 Mb, which was a bit large (the windows version of UltraVNC single click is about 160 kb..) Finally, I stripped out a bit and have managed to get it down to a still large 1.3 Mb…. admittedly, I don’t plan on suggesting this to anyone on dial up, it’s about a 3-5 second download on our cable connection, and I figure maybe as much as 10 seconds or so on some slower DSL lines. (Still I’d like to optimize further if possible.)

Anyway, here are the options I’ve passed to it.


env CPPFLAGS="-DWIREFRAME=1 -DNOPW=1 -DSCROLL_COPYRECT=1 -DXDAMAGE=0 -DREMOTE_CONTROL=0 -DFILEXFER=0 -DSMALL_FOOTPRINT=3" ./configure --without-xrandr --without-xfixes --without-xinerama --without-xdamage --without-pthread --without-filetransfer --without-xtrap --without-xrecord && make


If I took out the gui entirely, I lost the little “accept” box that pops up when the connection is made, which I really wanted to keep. ultimately, I quit using the _other_ gui because it required wish which was not reliably installed on the systems I tested. (If you look at the switches for x11vnc one is -gui which I set to icon,ez in my initial testing which gave a little icon sized window hovering over the desktop showing that it was active. However, as I noted, it required wish, and that didn’t appear on a few systems I tested, and it was a bit buggy and crashed out without crashing out the vnc session.)

Anyway, if there are any suggestions for how to squeeze the binary even smaller without giving up compression algorithms… that would be helpful. What would really be nice is to be able to “hard code” the machine to connect to, as well as the timeout, so you wouldn’t have to pass those in the download script.

Anyway, with the build options above, I’ve tested on a pretty good variety of livecds that I’ve got as well as linux installs. I’ve tested successfully on a few different Knoppix versions (4 being the most recent), knoppix std 0.1, dsl, kubuntu dapper (and ubuntu/xubuntu dapper), Mandriva 2006, Mandrake 10.0, livecd based on Mandrake 9.1 (which had to use curl and prompted that script modification (I think that was the one lacking wish for the ez gui…), linspire 5, pclinuxos preview 8 (I doubt that’s the most current, haven’t looked though.), MEPISLite-3.3.1, morphix .35….

The only unsuccessful so far was a Mepis cd from June 2003 and that seemed to be more a firewalling issue with that machine (because I couldn’t get several other things to work like sshd)…. so it seems to be fairly reliably able to run on x86 linuxes from at least the last 3 years. That’s about as wide compatibility as I probably could hope for.

Of course, the obvious note is that it would have to be an x86 based system, not x86_64, or ppc…. (unless you specially compiled the binary for those architectures. Which currently I don’t have a good way to do unless I boot up kubuntu x86_64 in qemu and then build it there?) I really like the fact that it seems as effective with a live cd as it does with a desktop, so if I want to test out a live cd on a box in the back room, just wget and sh the script and I can sit at my usual desk and take a look at the livecd without disrupting the desktop pc. (Of course, there’s qemu for that too, but that’s another story.)

So, the idea is that I wanted something “like” the Ultranvnc Single Click download, only for linux. The main idea being is that if someone is looking for a bit of desktop tech support on linux, we don’t need to be giving instructions for 5 different package managers, or source compilation, or anything more than MAYBE something to cut and paste. In fact, something like this…. wget http://www.mysite.com/remote-support && sh remote-support could be easily pasted into a console window (which hopefully we can give instructions on finding), or a run command in kde for instance. Then the remote-support script should do the rest. *(By the way, the script doesn’t have to be chmod’ed to executable when we use sh to invoke it…)

So, basically this is what I’ve got for the script right now – addresses changed…..

#!/bin/bash

X11VNCDOWNLOAD=http://www.mywebsite.com/x11vnc

#where are we going to get our vnc server from


REMOTEVIEWER=the.helpdesk.machine.com

#this is where the support tech is waiting
# "listening" for the connection


TIMEOUT=5


#we don't want the program to try forever to connect and
#stay open if the "listener" is not there

#not everyone has wget so we need to detect wget
#or curl - the first command above
#could be changed to curl -O http://mywebsite..... if necessary


if [ -x /usr/bin/wget ] ; then
DOWNLOADER="/usr/bin/wget"
else
if [ -x /usr/bin/curl ] ; then
DOWNLOADER="/usr/bin/curl -O"
fi
fi


$DOWNLOADER $X11VNCDOWNLOAD

#this is the download bit - take our download command and
#the address of the vnc binary


chmod +x x11vnc
#make it executable

./x11vnc -connect $REMOTEVIEWER -timeout $TIMEOUT \
-accept popup -norc -q -solid
#time to connect

#the above connects to the machine at $REMOTEVIEWER
#(port 5500 is the vnc listen by default)

#also we want to do a prompt on connect for the
#user to authorize the connection
#-norc - do not use any pre-existing rc file for x11vnc
# -q quiet - don't give a bunch of information
#if they're running in the console
#-solid - change the background to a solid background.


#we must be done now

rm ./x11vnc
#clean up - remove the x11vnc executable

rm ./remote-support
#clean up - remove the remote-support script


Obviously, if you were deploying this on an internal lan you could use an internal ip like 10.0.0.4 as the $REMOTEVIEWER or on the web you could either use a static ip or domain name (mycomputer.dyndns.org or some such) Whatever domain points to your LAN from the outside world.

(I’ve setup two versions of this – one for the internal lan which I’ve tested out on a number of livecd’s internally and one for the internet side.)

One thing I really like about the above script is the way it cleans up after it’s done. At this point I’ve done quite a bit of testing and only found one linux distro (an old Mepis livecd) that I couldn’t run the binary on, but the nice thing is if I run into a problem with the binary I can deal with that seperately. In order to make the binary I’m using, I did a bit of tweaking to the compile time options and rebuilt one myself (to disable some of the newer X extensions that were causing problems on older systems.) More on that in another post.

By the way, the above script is freely re-distributable/usable for whatever purpose you like. Feel free to take it and use it. I doubt I’m the first to mashup x11vnc like this, but I sure couldn’t find any others online. (Believe me I searched while I was trying to run ultravnc sc in wine….)

Ok, some time back I’d done a writeup on UltraVNC SC, which is a nice customizable (windows version) VNC server that essentially let’s someone doing remote support build their own downloadable .exe that runs and automatically tries to make a direct connection to a “listening” vnc viewer. It’s good for helpdesk environments as an easy download and run, and I’ve done some trials at using it over the internet with some of my existing computer service customers. Very soon, I’ll be adding a page and information about Remote Tech support services using this same method. I have run into some problems with it though. There are multiple advantages to this approach though (the main being NO firewall config for the user needing remote support – all firewall config is done at the “support center” end. Another advantage being that it’s “hardcoded” to connect to a specific given address and if that fails it gives up and uninstalls itself. The last advantage being that it completely uninstalls after a successful session as well. (Well, technically it never “installs” to begin with.))

The main problem I saw at the start is that the ultravnc sc server only provides a limited number of rendering/compression algorithms and using it with anything but ultravnc client is painful. I did however, find it very easy to “install” and run the ultravnc client under wine (on linux) on my primary desktop. In fact, I did an alias to make life a bit easier ( alias ultravnclisten=’/usr/bin/wine /home/path/to/ultravnc/viewer/vncviewer.exe -listen’ )…. in this example, I didn’t even install it, just downloaded the binary viewer and ran it with the wine executable. It even loads it’s icon in the taskbar and is fairly responsive loading. VNC performance is reasonable on the dsl/cable connections I’ve tested with.

Obviously, using this for tech support is limited to minor issues. You certainly can’t ask someone to download www.averyjparker.com/mycustomizedvncserver.exe if they can’t get to the internet to begin with, so it must be assumed that the hardware can boot windows and get to the internet. But, I was a bit bugged that this was a Windows-only support option. I work with a few linux installs (outside my own.) And for that matter would love to do more linux tech support. (Many times you hear that’s the main reason people are reluctant to try, not knowing who to turn to for answers to questions.) Anyway, I tried running the vnc server under wine and that didn’t work. I can’t say I was terribly surprised at this, but I basically saw complaints about various stubs that were being called (placeholders for unfinished parts of wine). So, it was obvious I couldn’t distribute a wine-ified ultravnc sc for linux desktop support.

So, I did a bit of thinking. Well, linux has so many ways to do remote administration, but all require some setup (especially if you’re behind a firewall.) VNC under linux is usually not quite the same as it’s windows counterpart. Some setups use vnc to serve out a fresh desktop session (not what’s visible on the display AT the machine.) That certainly has advantages, but not for what I’m interested in. So…. I kept looking, I wanted something (a vnc server) that would be able to connect to a “listening” vncviewer and share out the current viewable desktop. x0rfbserver is one such vnc server that I’ve used for sharing a current desktop, but I couldn’t seem to find a -connect option, so I kept looking.

Finally, I ran across x11vnc It looked like it supported exactly what I was looking for. (Frankly it took quite a bit of searching to discover this one, I finally ran across it in adept on my kubuntu testbox.) I installed and tested and it did exactly what I had hoped – it connected to my ultravncviewer correctly and shared the existing desktop. But, I wanted something even better. I can’t assume that anyone looking for linux desktop support is going to have it installed can I?

I thought for a moment about giving installation instructions which unfortunately would vary wildly by distribution. Then I looked to see if it was even available for Mandrake 2006 (no – but it is in cooker.) Hmmmm…. then as I read the website, I saw that the writer suggests that the binary x11vnc itself should be fairly portable as long as it’s not an ancient system. So, I started testing and sure enough I was able to get it to run as is on 2 boxes (Mandriva 2006 and Kubuntu dapper (which is where it had come from.)) Nice start, but I tried the Mandrake 10.0 server I have setup and it gave an error about not finding libxfixes. Ok – so I may need to work on that end of things….

I still can’t assume that it’s just going to be on any system, so I’ve got to do some sort of script to “wrap around” it. I’ve seen codeweavers do some pretty straightforward installaton instructions for their .sh scripts … basically they suggest wget ourinstaller.sh and then sh ourinstaller.sh from what I recall. So, in a slight fit of inspiration I had mashed up exactly what I wanted….. I’ll post the script in the next article.