AmLowLife

Spyware Blocking SAS


It looks like the wife has the AVCare fake antispyware Trojan, among other things.

It wouldn't allow me to open the program the way I normally do (from an icon on the desktop; it wouldn't allow it to open), but I was able to activate SAS from the little ladybug on the taskbar and remove the malware.

I thought my troubles were over but I guess the kids visited some sites that were evil.

This time around the ladybug has been removed and I can't open anything involving SAS even when I name it ABC.exe. I tried to re-download SAS (both versions) but it won't let me run them. It now won't let me even go to your website on that computer which is an interesting twist.

I then tried to open it from a thumb drive and that didn't work, either (renamed it ABC.exe, too). Unfortunately, I put the thumb drive back in my computer and it's now trying to change the registry (which I am denying), and I am running SAS. I am sure I will be able to remove it from my computer but need help on how to do so on my wife's, since I can't run SAS.

Looks like this AVCare thingy has specifically targeted SAS files and apps.

Need help!


Just when I thought they had gotten better, things have gotten worse...

I was unable to start in Safe Mode. It simply will not go there even if I turn the computer off in the middle of everything (I read where that should get me into Safe Mode).

Anyway, I was not able to open or run SAS and I was unable to download either the free or pay version. I was able to download another anti-virus program and run a scan. It removed a ton of evil stuff and things were going fine once again until I opened IE. Then all hell broke loose. Basically the virus took control of the screen saver so I couldn't even get to the desktop without going through the fake software purchase page.

So, I powered down and tried to reboot in Safe Mode and it won't let me do that. So, I rebooted in the "last known good configuration". I was able to get to the desktop but now the SAS icon had been deleted. I tried to open the other anti-virus and it wouldn't let me do that. Using Opera, I went to yet another anti-virus site, but while I could download the software, "it" wouldn't let me run or open it.

On another note, I can't open the "remove or change" software in the control panel, so it looks like this virus is pretty thorough.

Any suggestions at all or do I just download as many photos and docs as I can and start over?


I too am seeing this same problem on my infected PC running XP. It started with execution of bogus antivirus sites such as Green AV 2009 and trojan-spawned processes such as b.exe, i.exe, gav.exe and mgrdll.exe. I have eliminated these malprograms and have not seen the trojan spawn anything new, but the core infection is still there and it appears to affect attempted execution of nearly all major antivirus apps such as McAfee, MalwareBytes, HijackThis etc. that could identify and eliminate the Trojan.

In the case of SAS, I ran it initially after I first detected the infection and it detected numerous infected files, registry keys and memory. I thought I had fixed it, but after the Trojan-spawned processes appeared to change from b.exe to i.exe, I could no longer run SAS. Uninstalling and reinstalling the program does not work.

Something in the infection changed permissions on the SAS executable so that it can't be run (and neither can my other AV apps). In Safe Mode I am able to modify the permissions of the Program Files dirs and start a SAS scan, but it dies seconds after execution, almost like a memory leak of some sort. That's where things are now. I have an infected PC with apparently no ability to run any AV app, including SAS, to fix the problem.

I have been searching the web for answers but most involve running other AV apps, which are not working for me. Any help here is appreciated.


A computer at my workplace recently got hit by a similar infection. After a couple of fruitless hours the IT manager and I discovered that the malware had also installed a rootkit which was masking certain files.

As in your cases, SAS was totally disabled by the infection.

After trying other solutions we managed to kill the rootkit by using a piece of software called gmer. After the rootkit was disabled things started to get a little easier, and after another half hour we managed to restore the system to a stable condition.

@AmLowLife: In 99% of infections like this, using "last known good configuration" is not a good move, as there will be active parts of the malware in all restore points. In fact, IMHO, when removing infections like this one of the first things to do is turn System Restore off.

I've not posted a link to gmer here as I don't know if the admins here allow it.

If you do try it extreme caution should be used as it's all too easy to completely hose your system with it.


I have some good news. I'm no longer blocked with SAS. After doing some investigating I learned my virus was likely a rootkit issue. I installed Sophos Anti-Rootkit and ran it. It identified more suspicious executables and hidden files. I had the tool delete the following files:

C:\WINDOWS\SYSTEM32\ns5\I40F3TG.exe (also flagged by McAfee as a PUP during Sophos scan)

C:\WINDOWS\msa.exe

C:\Documents and Settings\All Users\Application Data\gav\wsdt05.exe

C:\Program Files\Adobe\Audition 1.5\Audition.exe (when I saw this file I remembered Adobe running unexpectedly during web surfing, after which I immediately started getting blasted with the bogus AV apps and b.exe and i.exe, which was likely the start of this virus)

(Also there was a temporary internet file I deleted related to SuperAntiSpyware which appeared with a [1] appended to the filename. Since I had already uninstalled SAS I believed this to be a suspicious file and deleted it.)

There were other hidden files identified by Sophos, including DLLs. Not everything Sophos lists is necessarily an infected file or trojan, so I stuck with initially deleting only suspicious executables (after doing a Google search on each to see if they were associated with known threats).

After deleting the files above and rebooting, I was finally able to install SAS and run a new scan, which uncovered more suspicious files and registry items.

McAfee scans are still not working, so I have more investigating to do with the Sophos results, but I'm breathing a little easier right now at no longer being blocked from running SAS.


New to this forum, and though I've searched for an answer to my problem, I didn't find one concerning my OS.

I can't open SUPERAntiSpyware no matter what I do, either version. Even renaming the exe file doesn't work. It downloads and installs, but when I open it I'm asked if I want to check for updates. No matter which answer I choose, the program freezes my system. Sometimes it actually downloads the updates, then just sits there. Ctrl+Alt+Del tells me it's not responding. Clicking on the taskbar icon yields nothing also. I had this program years ago and it started acting strange so I uninstalled it; now I want it back. If it helps any, I'm running Windows ME.


Quick follow-up to my last post. I am not out of the woods yet. I discovered that while SAS is running and scanning, the SAS executable file is 'modified'. The initial scan completes because the SAS process is in memory, but any attempt to run it again will result in: "Windows cannot access the specified device". There are two workarounds to this:

1) uninstall SAS, manually remove the infected SAS executable left behind and reinstall (although this will allow for only one scan before the infection happens again)

-or-

2) After installing SAS, copy the executable to another directory or drive. After the file is modified by the infection during the scan, rename it and then copy the good version into the C:\Program Files\SUPERAntiSpyware directory to perform additional scans. I am assuming the infection corrupts the SAS file vs. changing its attributes; if anyone knows more about this please pass it on.

Unfortunately the last successful complete scan of SAS did not detect any new infected files, even though the executable was modified during execution, so I have not eliminated all the sources of the infection.

A couple of other things I discovered about this Trojan:

1) Adobe Reader versions before 7.0 are subject to infection. I uninstalled AR 6 and Adobe Audition 1.5 (the Audition executable was flagged as possibly infected when running Sophos, probably because it had no owner after being modified).

2) I'm guessing McAfee scanning fails to run because the scanner executable 'mcods.exe' was modified/corrupted the same way the SAS executable was. I will have to reinstall McAfee. mcods.exe turns up as a suspect file in my Sophos scan.

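The two posts above disagree on what the malware actually does to the scanner binary: one says it changed permissions on the SAS executable, the other assumes the file's contents are corrupted and asks which it is. The error text quoted, "Windows cannot access the specified device", is the wording Windows uses for an access-denied condition, so permissions deserve to be checked before the file is assumed corrupt. The script below is an added example, not code from the forum posters or from SUPERAntiSpyware; it keeps a baseline (SHA-256, size, mode bits) of a known-good executable, classifies later tampering as "content-modified" or "attributes-only", and automates workaround 2 by moving the tampered file aside and copying the good copy back. The file names, the placeholder binary contents and the tampering steps in `demo()` are constructed for the example. One caveat: Python's mode bits only see the read-only attribute on Windows, not NTFS ACLs, so an ACL change of the kind the earlier poster fixed in Safe Mode would show up here as "access-denied" rather than "attributes-only".

```python
"""Detect whether an AV executable was corrupted or merely had its permissions
changed, and restore a known-good copy.  Added example for this thread; the
paths and the fake binary below are constructed, not taken from any product."""
import hashlib
import os
import shutil
import stat
import tempfile


def snapshot(path):
    """Record the three things needed to tell tampering styles apart:
    content hash, size, and permission/attribute bits."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def classify(baseline, current):
    """Compare two snapshots of the same file.
    Content differences win over attribute differences, because a corrupted
    binary must be replaced even if its permissions also changed."""
    if current["sha256"] != baseline["sha256"] or current["size"] != baseline["size"]:
        return "content-modified"
    if current["mode"] != baseline["mode"]:
        return "attributes-only"
    return "unchanged"


def check_and_restore(target, known_good, baseline):
    """Workaround 2 from the post, automated: if the scanner binary no longer
    matches its baseline, rename the tampered copy out of the way (kept for
    later analysis) and copy the known-good version back.  Returns the verdict."""
    try:
        verdict = classify(baseline, snapshot(target))
    except PermissionError:
        # On Windows this is where an ACL change (invisible to mode bits) lands.
        verdict = "access-denied"
    if verdict == "unchanged":
        return verdict
    os.replace(target, target + ".tampered")   # keep the evidence, do not delete it
    shutil.copy2(known_good, target)           # copy2 also restores the mode bits
    return verdict


def demo():
    """Constructed scenario: a fake scanner binary, a backup copy kept on a
    different path, and the two tampering styles the thread argues about."""
    work = tempfile.mkdtemp()
    target = os.path.join(work, "scanner.exe")
    backup = os.path.join(work, "scanner.exe.good")
    with open(target, "wb") as f:
        f.write(b"MZ" + b"\x90" * 64)          # placeholder bytes, not a real PE
    os.chmod(target, 0o755)
    shutil.copy2(target, backup)               # the "copy it somewhere else" step
    baseline = snapshot(target)
    results = []

    # Style 1: the file's bytes are overwritten (the corruption hypothesis).
    with open(target, "r+b") as f:
        f.seek(8)
        f.write(b"XXXX")
    results.append(check_and_restore(target, backup, baseline))
    results.append(classify(baseline, snapshot(target)))   # restored copy matches

    # Style 2: execute/write bits stripped, bytes untouched (the permissions hypothesis).
    os.chmod(target, 0o444)
    results.append(check_and_restore(target, backup, baseline))
    results.append(classify(baseline, snapshot(target)))

    shutil.rmtree(work)
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

In practice the baseline would be taken right after a clean install and stored off the infected machine (the thumb drive the first poster used is exactly the place), and the `.tampered` copy is worth keeping: comparing it byte-for-byte against the good one shows whether the infection patched the file or only changed its attributes.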

You can run updates manually; this would be my first option. I hate Windows ME because Microsoft is no longer updating that operating system.

Hope that helps!!


Thanks Laforge, but even if I clicked NO to auto-update, the program wouldn't open. Then I came across a forum where I found that if you can't open SAS from the icon, you can open it from Programs. In Programs it said 'Alternative Start-up'. I clicked that and was told SAS needs Windows 2000 or later. So even though their web site states all Windows, that isn't the case.

