Yeah, a friend got that one and asked me to fix his computer. I did most of the things already mentioned, but the damn thing had damaged the operating system files, although it was still bootable.
Luckily, when I built that computer, I had put in his computer an old small drive with a clone of the OS on it. So I was able to boot to that drive and extract his data to a third drive, then format the original, etc. Still a pain in the butt though.
I'm a convert now to making disc images. The major manufacturers have a version of Acronis that does the job. It's limited, and won't do incremental backups, but a full disc backup doesn't take very long, maybe 10 minutes for an OS drive without a lot of data. I cautioned my buddy to use it once a week; we'll see.
Whoever is behind this seems to be really active lately. I've come across that virus a number of times myself at various sites. But I've had sense enough to bring up Task Manager and close the browser. It appears that anything you do in the browser window constitutes permission to install, including cancel and the close window in upper right. It's a real bastard.
Pull! Bang! Darn!
Yup, some good advice, there.
Ctrl+Alt+Del your way out of a page as soon as something nasty or suspicious comes up and close your browser from the Task Manager. Don't even trust the red X in the top right of your browser.
Also, sooner or later, Acronis will save your bacon.
p_l,
I concur. Ctrl+Alt+Del, TaskMgr close, no [X]. Use disc images (Acronis or other).
Scott
You would think that as popular as this virus has gotten that someone would have figured out how to stop it from executing. The reason that I got rid of AVG was because it could see a virus before it attacked but could not stop it. I got Avast because it could stop the virus that AVG could see but could not stop. Now Avast is getting to where it either can't see a virus before it hits or, if it does see it, it can't do anything about it. I did get one warning from Avast the last time, and it told me not to worry, that it had stopped the threat, and a second later the virus executed on my machine and forced me to install my back-up.
EDIT: Oh, and one of the features of the virus is that it shuts your antivirus and malware blockers off so it can do its thing. If it starts to hit but you think you stopped it in time, check your antivirus to make sure that it is still active. If it is still active then you are probably OK.
Last edited by DarrellS; 29th Jun 2011 at 01:00.
Cornucopia
Thank you for your reply: "that tells me you are still doing the same risky behavior that leads to virii/malware".
You're assuming a lot, because this came back directly after the OS install on a new HD with no internet connection or anything installed. Before you assume the OS is dodgy: it is not. In fact no dodgy cracks, hacks or any illegal software are used.
But thanks for the advice on the link you sent. Will try some of the programs listed, looks interesting.
You never know, it might help?
Hey, I wasn't trying to accuse you of anything; sorry if it sounded that way.
However,
Troubleshooting 101 says:
Isolate each link in the chain and remove it from the equation with "known good"s to find the culprit. Or as Sherlock Holmes would say, "when you have eliminated the impossible, whatever remains, however improbable, must be the truth."
But, you must have a scientific, skeptical mind and not assume there are "ghosts in the machine".
Neither virii nor any other type of data/program can exist in standard RAM beyond a reboot. Unlike reincarnation or resurrection, there is no life after RAM death. End of story.
That does lead one, though, to check out your BIOS firmware - it might be possible to leave a resident virus there.
Or, more likely the case, you could have a virus in your MBR. Or the "pristine" OS install disc. You never know.
Or, did you have to install any 3rd party hardware drivers? That's a good possibility. And, I hate to say it (again), but many of these virii and other problems really are PIBKAC errors. I know I've been responsible for a few. No pointing fingers, just trying to pin down the ultimate source so it can be rectified for future use.
Scott
I checked out the Malwarebytes forum and found instructions on how to remove all the variants of this virus. The key is renaming mbam-setup.exe to mbam-setup.com and mbam.exe to mbam.com. That is why I couldn't get Malwarebytes to run after the first attempt.
It also states that if you had Malwarebytes Pro that it could've prevented you from getting infected in the first place.
http://forums.malwarebytes.org/index.php?showtopic=82696
That convinced me to convert from free to the Pro version of MalwareBytes; it's only $25.00 for a lifetime license. Now I'm running SAS Pro, MalwarePro, WinPatrol, and AVG (free).
Just in case you still don't believe it, I'll vouch for Cornucopia. As a 30-year computer veteran, there is no way it "re-occurred" the way you think. RAM only holds data while it is powered on; no juice and no 1s or 0s. And if it was a brand new hard drive it is highly unlikely it has an infected MBR.
The best guess for it coming back on you is that you may be running XP with autorun turned on and you inserted an infected USB memory device. Otherwise you are just flat out lying.
--
"a lot of people are better dead" - prisoner KSC2-303
Since you keep going back to google image search try installing Web of Trust (WOT) http://www.mywot.com/
I stay clear of anything that isn't in the green.
If I'd known I was going to live this long, I'd have taken better care of myself.
Cornucopia
Sorry if I came across a bit funny. But I looked into this a bit further. The same thing happened to my mate. It turns out we were all buying these USB pen drives, 4GB @ £2, from a local car boot sale, so we all bought loads of them. We tested the one that I used first, and hidden in the system folder on the pen drive was a virus called POLYBOT or something similar. What is alarming: when I opened the drive for the first time it was empty and nothing was picked up by any of the Windows AV or the Linux AV (both AVs were up to date).
We tested all 30 drives and they all had the same virus.
But saying all this, I remember about 20 years ago something similar happened called the CIH virus, which used to hide in the BIOS. It was less than 1kb long, so it was very hard to detect because of its size. The only way to get rid of it was to short out the BIOS pins on the motherboard and take out the battery.
But as I said before, thank you for the advice on the link. Some of the tools listed were used to rescan/clean all the drives.
Cheers
Since I first posted about getting infected I did some more research:
XP Antispyware 20xx is technically a trojan, and more specifically hostageware. Antivirus programs are useless because they are scanning for .exe, .vbs, etc. extensions. SuperAntiSpyware Pro (which I use) real-time protection was useless against the attack; it does, however, remove the trojan after being infected. Malwarebytes will also remove the trojan. The idiots who author these trojans are changing their code daily, so it's hard for anti-malware programs to keep up.
The trojan is being hosted on malicious websites and it gets on your PC by exploiting open ports; it doesn't matter what browser you use. The best defense is to not allow any exceptions on your software firewall and set your router firewall to high security.
Do you think MalwarebytesPRO would do any better? I notice it pops up alerts that it has blocked a malicious website. I was running SASPro but got infected also. It couldn't remove the trojan because it blocked SASpro from starting even in safe mode.
Last edited by wulf109; 2nd Jul 2011 at 11:23.
Another question on deleting a suspicious pop-up that may be a virus. Can I do an Alt+F4 to safely get out of the program without going to Task Manager? (Windows 7)
Malwarebytes claims that the pro version does block XP Antispyware 20xx and all of the variants (XP Security suite, XP Security 20xx etc...).
Since installing Web of Trust (WOT) http://www.mywot.com/ that TBoneit recommended, I haven't been hit again either. It seems that 2/3 of the links on the Google image page are listed as red and unsafe. No wonder I got hit so many times in the last three months (I wonder why I never got hit before now; this malware has been around for years).
I don't know... there were reports that some variants could trap all close attempts, even Alt-F4. I'd rather use Process Explorer or something similar to kill the process from the outside, than try to close it 'from the inside.' The problem with that, though, is that you have to take a moment to open the task/process manager and end the process there.
(I don't know if there's any variants that'll attempt to do something if you leave them open too long. I know there were supposedly some that installed just by the 'ad' being opened...)
If cameras add ten pounds, why would people want to eat them?
I've had to remove this a few times from some staff laptops at the school I work at. The real pain is the per-user registry setting it puts in to "take over" all EXE file control (log on as a different user & the "virus" isn't there!). I found that the thing it DIDN'T grab control of was the right-click RUN AS feature, so I did a RUN AS on REGEDIT, dug down to the EXE settings it'd borked (see earlier post) & just removed them.
Trevor
Every time that I have gotten it, I have done nothing to install it. It installed on its own every time. There have been a handful of times that I was able to use NoAds to kill it before it installed. I don't know if I was just lucky or if, those times, it was a variant that wouldn't install on its own.
This thing has dozens of mutants, and dozens of variations for each. Some carry or obtain multiple payloads, some have multiple install vectors, they have varying attack strategies. One or two have been right up there with the most pernicious, tenacious viruses I have ever seen. Some have been a simple safe mode delete.
Most of them put a "funky" exe in one of the application data directories, some do one user, some all. Most of them put a "funky" DLL in system32, with a recent date. Most of them eliminate many AntiVirus programs. Many prevent all EXE files from running. Most put loader files in Temp directories. Many put a phantom proxy in Internet Explorer settings.
Disconnect Network. Empty all Temp directories. Check all Application Data directories. Check System32 for recent DLL files with random names. If you find a suspicious file you can't delete, delete everything else and see if you can rename it, especially the extension. BadFile.Bad.
Run in Safe Mode, use Rkill to stop the process, delete files, reboot, Rkill again, delete files again; usually then you can run MalwareBytes, fix, then run it again until zero found. CCleaner is useful for automated file and registry cleanup. However, the first couple of deletion passes should be done manually so you know what files are involved and can be alert for them to re-appear.
If EXE files won't run, often you can launch from Task Manager, and/or if smaller than 64k you can rename to COM and run normally.
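The checks the last two posts describe by hand (Trevor's per-user EXE association hijack under the user's Classes key, the phantom proxy in Internet Explorer settings, the fresh randomly named DLL in System32, the loader EXEs in Application Data and Temp) can be scripted. The PowerShell below is an added example written for this thread, not code from any poster or from Malwarebytes; it is read-only unless -Repair is given, and the 7-day window, the directory list and the "stock" open command `"%1" %*` are assumptions about a clean machine that you should check against a known-good system of the same version.

```powershell
# Added triage script (not from the thread). Run from an elevated PowerShell prompt.
# Read-only by default; -Repair removes the per-user .exe override and the IE proxy.
# Assumed: 7-day window, %1 %* as the stock exefile command, loader dirs = AppData/Temp.
param(
    # Hive to audit. From another account (Trevor's "log on as a different user") point this
    # at the infected user's loaded hive, e.g. Registry::HKEY_USERS\S-1-5-21-...-1001
    [string]$UserHive = 'HKCU:',
    [int]$Days = 7,
    [switch]$Repair
)

$findings = New-Object System.Collections.ArrayList
function Note([string]$msg) { [void]$findings.Add($msg); Write-Output $msg }

$stock = '"%1" %*'   # default open command for exefile on a clean install (assumed)
$userClasses = Join-Path $UserHive 'Software\Classes'

# 1. Per-user .exe override. A clean profile normally has no .exe key under HKCU\Software\Classes;
#    the hijack adds one whose class routes every EXE launch through the loader.
$exeKey = Join-Path $userClasses '.exe'
if (Test-Path $exeKey) {
    $cls = (Get-ItemProperty -Path $exeKey -ErrorAction SilentlyContinue).'(default)'
    Note "Per-user .exe override present, class = '$cls'"
    if ($cls) {
        $cmdKey = Join-Path $userClasses "$cls\shell\open\command"
        if (Test-Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
            Note "  open command: $cmd"
            if ($cmd -ne $stock) { Note '  ** not the stock command: this is the EXE hijack **' }
        }
    }
    if ($Repair) {
        Remove-Item -Path $exeKey -Recurse -Force
        if ($cls) { Remove-Item -Path (Join-Path $userClasses $cls) -Recurse -Force -ErrorAction SilentlyContinue }
        Note '  removed per-user .exe override; the machine-wide exefile handler applies again'
    }
}

# 2. Machine-wide handler, in case a variant changed that one instead.
$hklmCmd = (Get-ItemProperty 'HKLM:\Software\Classes\exefile\shell\open\command').'(default)'
if ($hklmCmd -ne $stock) { Note "HKLM exefile open command is '$hklmCmd' (expected $stock)" }

# 3. Phantom proxy in Internet Explorer settings.
$inetKey = Join-Path $UserHive 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey
if ($inet.ProxyEnable -eq 1) {
    Note "IE proxy enabled: $($inet.ProxyServer)"
    if ($Repair) {
        Set-ItemProperty -Path $inetKey -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inetKey -Name ProxyServer -ErrorAction SilentlyContinue
        Note '  proxy cleared'
    }
}

# 4. Recently written DLLs in System32 that carry no valid Authenticode signature.
$cutoff = (Get-Date).AddDays(-$Days)
Get-ChildItem "$env:SystemRoot\System32" -Filter *.dll -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        $status = (Get-AuthenticodeSignature $_.FullName).Status
        if ($status -ne 'Valid') {
            Note ("Recent DLL {0} written {1}, signature {2}" -f $_.FullName, $_.LastWriteTime, $status)
        }
    }

# 5. Recent EXEs in the profile and Temp directories the post names as loader locations.
$dirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique
foreach ($d in $dirs) {
    Get-ChildItem $d -Recurse -Include *.exe -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        ForEach-Object { Note ("Recent EXE {0} ({1} bytes, {2})" -f $_.FullName, $_.Length, $_.LastWriteTime) }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators found.' }
```

Two caveats. First, while the hijack is live, powershell.exe is itself an EXE and will be routed through the loader, so launch the script the way the posts do: after Rkill, from Safe Mode, or from a second account with -UserHive pointed at the infected user's hive. Second, step 4 will also list DLLs that Windows Update legitimately replaced inside the window, and on older PowerShell versions catalog-signed system files report NotSigned; the value of the step is that the recent list is short enough to eyeball, not that every hit is malicious. The rename-to-.com trick in the post works because .com has its own association (comfile) that the hijack leaves alone, and the NT loader identifies a PE image by its header rather than its extension.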