TLarry

New Malware - Very Nasty...


There is a new Malware out within the last week that is very nasty.

It appears to be along the same rogue lines as WinAntiVirusPro 2009, but much worse...

First, it blocks all access to every useful AntiSpyware and AntiVirus site I know of, including SuperAntiSpyware, SmitFraudFix and MalwareBytes.

Second, even if you have the utilities on hand, it prevents them from being installed/run by generating a Windows Crash every time you try.

I have not been able to find a way around this one and have had to re-image every machine so far.

Anyone else run across this?

It's very recent; it was released within the last week.

The last infection I worked came from Facebook.

TL


I've been encountering it as well.

In such cases I slave the drive for the disinfection. Following that, the scanners can be installed and the scans run again.


I used the modified versions of SAS.EXE, RUNSAS.EXE and the manual def updates (the spyware blocks the auto updater).

It did not remove the malware.

However, using the renaming trick, I renamed SmitFraudFix.exe to SFF.exe and it ran and removed Total Secure 2009.

Not all good news. What I believe is the loader for this malware was not removed by anything I ran. Symantec detects it and says it removes it, but it's back after every reboot. Typical useless Symantec. Nothing else even detects it.

The file was TDSSPQLT.SYS.

I have limits in how much time I can put into these so it has been punted for re-image.

And, unfortunately, 100% of my users are remote, so safe mode is a difficult thing for me to use. This week, and this malware, has resulted in my first two re-images in some 100 spyware removal cases. Damn, I hate to lose.

where are you going to get this rogue spyware?

and how does it come in?

robin

so give me some examples of where people are going to get this nasty one?

robin


MySpace, Facebook, cracks & warez sites, etc.

Amazing: the sites that are no-nos have the trojan.

robin


E.g. bad links in Yahoo Answers, e.g. hxxp://answers.related.resolved.yahoo.com.grewungle.com

Although I think they may have moved to other URLs. Quite a few getting infected, seems to be getting harder to remove it. Seems to be blocking access to security sites and updates, also seems to be preventing some anti-virus/spyware programs from running.


This sounds very much like the behavior that my wife's computer has begun displaying... (she does use MySpace as well).

Not being versed in this type of thing what are the next steps that I should take?


Have you run SUPERAntiSpyware on your wife's computer?

If not, you should, so it can kill the nasties.

robin


Hi all, I am new to the forum & found SAS because of the thread virus I had/have.

I got it from Facebook and, as previously mentioned, it was hacked.

I got it from a contact of mine on Facebook & clicked on the link.

It is very nasty & it seems it was the trojan Zlob & associated with Antivirus 2008/9.

It hijacks my pages & if I get close to anything that mentions removing it, the little bugger will take me somewhere unrelated.

I did a system restore to the day previous to being infected & all seemed well till I rebooted & installed Win service pack 3.

After rebooting & running SAS it was back.

Avast system monitor finds it in my system restore files...great.

The virus name is different (I have not written it down but I will next time it pops up)

It will find it in C:/systemvolumeinformation/systemrestore... and then a heap of numbers & letters after this.

Not sure what to do here.

If I need the purchased version of SAS I will do that to rid this virus.

When Avast finds it (as I scan with SAS) I delete the virus, & SAS finds it also, then I delete it from there, but as soon as I reboot, it's found again.

What to do?

The scan just finished and I need to reboot.

I will do that & dollars to donuts it will be back again.

I have done this several times.

all advice appreciated

Chopper Pilot

Edited here after reboot.

During the above scan I shut off Avast resident scanner, thinking it may conflict with SAS.

When I scan with SAS & I have Avast resident scanning on, Avast will find it several times.

Shutting it off was a mistake: as I finished the scan, the virus locked up my computer & I had to force a shutdown... I won't do that again without advice.

I am worried about using my new PC (first virus ever, BTW) as I read that this virus also steals typed passwords.

Man this thing sucks.

I am worried that the whole time the PC is on it's doing something & it digs itself deeper into my system.

I don't want to wipe my hard drive with everything on it as I am a student pilot and I can't afford to lose my info... I can't afford anything, but I can't afford to lose this stuff more.

If i have to get the full version to rid myself of this nasty virus, I will find the funds.

This thing is really annoying.

Thanks in advance.

I am rescanning and will repost when I have the names of everything it finds.

Also, just checked Facebook & the person that I got the virus from has sent it to me again.

I know it's not them, but maybe someone wants the link... would this help?

Repost 2.

Just ran the scan again & in System Volume Information\_RESTORE{32F56AFB-E782-404C-BAB2-D10191C99F44}\RP42\A0017877.EXE a Win32:Trojan-gen {other} was found by the Avast scanner.

I am going to delete them as usual to get all the names... it will be back.


I also wanted to say after reading a previous post in this thread.

I don't think people are ignorant for using Facebook or MySpace; WE ARE UNAWARE that there is an issue with it.

Till now I have never had a virus because I had been careful & used programs like this.

It was not from a stranger on Facebook; it came from a contact I know, & their password had been hacked, as mine was for clicking on the damn link.

I let everyone in my Facebook contacts (180+) and everyone I could in my email (using a different PC) know that Facebook is unsafe & to change their password and not open links unless they are sure that person sent it to them.

It is not ignorance; I didn't choose to use Facebook knowing it had issues, I simply (like others) didn't know Facebook was or could be hacked.

Just human....Chopper Pilot


As long as you can still run SUPERAntiSpyware in regular mode,

try this and see if it works.

Go into System Restore and uncheck it.

By doing this you will lose all your checkpoints, but if System Restore is holding the trojan, doing this will wipe it out of System Restore.

Now boot into safe mode.

Run SUPERAntiSpyware Pro again and see if it picks up anything.

Also rerun your antivirus program.

Once done, go back into regular mode.

Run SUPERAntiSpyware again and also your virus protection.

If all is well, go back into System Restore and recheck the box so it starts to make restore points again.

robin


Most people have no idea where they go and what they do on the internet. Only those that do frequent forums like this one know, and we are a minority. When one goes to purchase a computer, no one there tells them this:

You need to keep your computer safe from "nasties".

You must not download P2P programs to get free music.

You must not go to porn sites to get your jollies.

You must not click on ads that say "come here, I have something free for you that will make your computer hum".

You must not get a MySpace account so you can tell everyone where you live, go to school, show your picture, or worse, give out your phone number, or click on something that looks interesting and now find out you cannot start your computer.

You must not go to warez sites because you think you can get a movie that is out in the theater for free or can get the key to unlock a software program that you must purchase.

You must not go to YouTube to see that funny joke everyone on your e-list is sending out.

You must not put a group together so that everyone knows everyone's email and can spam you or worse.

You must purchase virus protection, but they do not explain that you have to look at it from time to time to see if it is doing definition updates and actually doing scans.

Actually, they do not even tell you that you need antispyware protection, especially nowadays with Vista, which has at least WD built in, but no one tells you that it is actually there and is probably running at the exact same time your antivirus program is doing its scan, and you cannot imagine why at 2pm every day your computer slows to a crawl.

I can go on, but then it would take you an hour to read this.

What they actually want is for you to bring it back after 3 months racked with viruses/trojans/malware so either they can charge you a fortune to fix it or convince you to purchase another one, and the cycle begins over and over.

I tell my clients a computer is like a refrigerator. You open it to get your food and it all looks well. But one day you open it and there is this terrible smell coming from it. You peek into the back and see the 30-day-old turkey sitting there with mold all over it, the moldy 10-day-old fruit that is now compost and the 20-day-old milk container that when you smell it you are about to faint. If you cleaned this refrigerator at least once a week or more, it would not kill you when you opened it.

Just because it looks nice on the outside doesn't mean you know what you are going to find when you go in.

That is one of the reasons I give seminars on "How to Keep Your Computer Safe", and you would be surprised at the questions I get asked. Yes, the general public has no clue at all.

robin


Hi

I've had two computers in the last 3 days displaying these symptoms (can't run superantispyware, can't open security related websites, can't update av definitions etc) and I have found the following way to remove the malware:

1. Download and install stopzilla (freeware)

2. Install SUPERAntiSpyware & update definitions

3. Reboot PC

4. Run SUPERAntiSpyware (if this still doesn't run, reboot one more time)

It seems that stopzilla blocks whatever it is that is stopping superantispyware from running. Stopzilla will only remove the infection if you pay for it though, hence using superantispyware.

Hope this helps someone!

Mark


I finally found a solution for my nephew's malware issue. Maybe this could help you guys too.

First, the problem we were having with the malware was the redirection of the Google, MSN and Yahoo search engines. Every search was redirected from "go.google".

Secondly, we were having the same problem as TLarry in his first post.

Until I went to this site "www.freedrweb.com/cureit/" and downloaded the free program and did a full scan, which detected and deleted

"c:\windows\system32\drivers\tdsswagp.sys

infected with BackDoor.Tdss.29"

And now I don't have any issues with this stupid malware anymore.
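As an added example (not code posted by anyone in this thread), here is a Python triage script for the "slave the drive" approach described earlier: with the infected disk attached read-only to a clean machine and mounted at a known root, it walks the volume and flags the three things posters reported finding by hand: TDSS*.sys drivers in Windows\system32\drivers (TDSSPQLT.SYS and tdsswagp.sys were the two named), executables cached under System Restore points (the _RESTORE{...}\RP42\A0017877.EXE hit quoted above), and, as an assumption the thread does not state, hosts-file entries for security-vendor domains, since a hosts redirect is one common way rogues of this kind block vendor sites. The vendor-domain list and the sample directory tree are constructed for the demo and are not from the thread.

```python
"""Offline triage of a slaved Windows volume for the indicators named in this thread.

Added example, not code from the thread. Assumes the infected disk is attached
read-only to a clean machine ("slave the drive") and mounted at `root`.
Indicators checked:
  * drivers named TDSS*.sys under Windows\\system32\\drivers
    (TDSSPQLT.SYS and tdsswagp.sys were the two reported in the thread)
  * executables cached under System Restore points
    (System Volume Information\\_restore{GUID}\\RPnn\\A0017877.EXE was reported)
  * hosts-file entries for security-vendor domains (an assumption: the thread
    reports blocked vendor sites but does not say how the blocking is done)
"""
import os
import re
import shutil
import tempfile

# Two driver names were posted; match the shared prefix rather than only those two.
TDSS_DRIVER_RE = re.compile(r"^tdss[a-z0-9]+\.sys$")
# Restore-point copies keep the original extension behind an 'A' + digits name.
RESTORE_EXE_RE = re.compile(r"^a\d+\.(exe|dll|sys|com|scr)$")
# Constructed list of vendor domains for the hosts check (assumption, not from the thread).
SECURITY_VENDOR_DOMAINS = (
    "superantispyware.com",
    "malwarebytes.org",
    "avast.com",
    "symantec.com",
)


def suspicious_hosts_lines(hosts_path):
    """Return hosts-file lines that map a security-vendor domain to anything.

    A clean hosts file has no reason to list these domains, so any entry,
    whether it points at 127.0.0.1 (block) or elsewhere (redirect), is flagged.
    """
    hits = []
    with open(hosts_path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            parts = line.split()
            if len(parts) < 2:                    # need "<ip> <name> [<name>...]"
                continue
            names = [n.lower() for n in parts[1:]]
            if any(n == d or n.endswith("." + d)
                   for n in names for d in SECURITY_VENDOR_DOMAINS):
                hits.append(line)
    return hits


def triage_volume(root):
    """Walk `root` (the mounted slaved volume) and return (kind, detail) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Normalise to a lowercase, forward-slash relative path so the checks work
        # whether the volume is mounted on Windows or on a Linux rescue box.
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/").lower()
        for name in filenames:
            lname = name.lower()
            full = os.path.join(dirpath, name)
            if rel == "windows/system32/drivers" and TDSS_DRIVER_RE.match(lname):
                findings.append(("tdss_driver", full))
            elif (rel.startswith("system volume information/_restore{")
                  and RESTORE_EXE_RE.match(lname)):
                findings.append(("restore_point_exe", full))
            elif rel == "windows/system32/drivers/etc" and lname == "hosts":
                for line in suspicious_hosts_lines(full):
                    findings.append(("hosts_entry", line))
    return findings


def build_demo_volume():
    """Create a constructed directory tree with the paths posters reported (demo data only)."""
    root = tempfile.mkdtemp(prefix="slaved_vol_")
    drivers = os.path.join(root, "WINDOWS", "system32", "drivers")
    os.makedirs(os.path.join(drivers, "etc"))
    for name in ("TDSSPQLT.SYS", "tdsswagp.sys", "ntfs.sys"):   # ntfs.sys is benign
        open(os.path.join(drivers, name), "wb").close()
    with open(os.path.join(drivers, "etc", "hosts"), "w") as fh:
        fh.write("# constructed sample hosts file\n"
                 "127.0.0.1 localhost\n"
                 "127.0.0.1 www.superantispyware.com\n"       # blocked
                 "192.0.2.10 www.malwarebytes.org\n")         # redirected (TEST-NET address)
    rp = os.path.join(root, "System Volume Information",
                      "_restore{32F56AFB-E782-404C-BAB2-D10191C99F44}", "RP42")
    os.makedirs(rp)
    for name in ("A0017877.EXE", "change.log"):   # change.log is a normal restore-point file
        open(os.path.join(rp, name), "wb").close()
    return root


if __name__ == "__main__":
    demo_root = build_demo_volume()
    try:
        for kind, detail in triage_volume(demo_root):
            print(f"{kind:18} {detail}")
    finally:
        shutil.rmtree(demo_root)
```

Point `triage_volume()` at the mount point of the slaved disk (for example `E:\` or `/mnt/infected`) instead of the demo tree. Because the walk runs on a clean host, the infected system's driver is not loaded, so nothing on the volume can hide the files or block the scan the way posters describe happening on the live machine; the same reasoning is why the slaved-drive scans in this thread succeeded where in-place ones crashed.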


Just wanted to update the progress.

After some advice I turned off System Restore & rebooted in safe mode.

Ran SAS & then rebooted in normal mode.

Ran SAS again & Avast.

No problems found.

The only thing Avast says is that it can't access the System Restore archives as they are password protected.

I wonder if SAS looks there?

Not sure how to fix that, but I don't have any symptoms.

Thank you all.

I just now need to find out how to scan the archives as I really am still not 100% sure I am virus free.

It still finds Adware items but I guess you cant go on the net without picking up something.

I delete temp files every day & run Avast & SAS at least once per day.

Other wise feeling better.

Thank you all again.

Can I cut and paste the link that has the virus so I can send it to the Tech guys so it can be examined?

Or will even copy & pasting it infect my PC again?

Cheers

Chopper


I got hit bad with this bug... my wife and I have spent nearly three days trying to get it down. Using the alternate start for SAS seemed to work, and once scanned it will pick up most of the trojans, rootkits and generators as well as some adware.

We couldn't even do a Dell PC Restore since it disables the keyboard and mouse upon boot up. Also, it took out Folder Options so you couldn't get access to any hidden system folders to manually delete it. Also, it redirects any searches to various "no name" sites that get you nowhere or just get the default IE page for unavailability.

I never saw anything like this and want to personally have 5 minutes alone with the creator of this malware. I'm still picking up adware and rootkits, so the root file is still there... I'm to the point where I'm just trying to do my PC Restore. But give SAS some credit, they are doing everything they can to keep up with this.

Bless you REZMAN1984!


I am currently in malware hell, and it sounds like what you've been describing here. It happened to both my home pc and my work laptop, both of which I was using Sunday on Facebook. (Not sure how... I don't remember clicking any links.)

My laptop is being reimaged, but it's my home pc that is out of control. I have popups for both Antivirus 2009 and Spyware Guard 2008. Whenever I try to visit a site to download programs for removal, I'm redirected to their own bs antivirus sites.

My latest attempt has been to download the programs on another computer, and copy them to the infected pc. The executable files copy correctly, but none of them will open. I've tried Malwarebytes Anti-malware, STOPzilla, and now SAS.

Any help on how to get these files to open and execute?

