Malware masquerading as Microsoft Security Essentials? - Page 3



Re: Malware masquerading as Microsoft Security Essentials?



"Steel" wrote:

:)
Buffalo



Re: Malware masquerading as Microsoft Security Essentials?

wrote:


Well, my mom's pc arrived this afternoon. After shutting down the other
pc's on my home network, I fired it up and got the fake MSE screen.
Following the instructions that Dave provided, I first ran rkill.com. It
killed two processes. One was a program I had written for my mom and
placed in her startup folder. The other was T4w02cxEV.exe. Interestingly
enough, task manager indicated that after rkill killed it, another copy
started executing. This makes me suspicious. It resides in a folder
(under Application Data) with a name that looks like a bunch of randomly
typed chars. This program as well as several others all look like they
were installed on 10/6, which is the date my mom called me about the
problem she was having.

Then I installed and ran MBAM. It reported...

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

I can post the full MBAM log if you want (don't know if that is frowned
upon).

I told MBAM to remove the items. MBAM then asked me to reboot, which I
did. I tried to run MBAM a second time after the reboot. It got about
3/4 done (about 2 hours) without finding any problems but it slowed to
the point where it (and the rest of the pc) didn't seem to be doing
anything. So I shut 'er down and will try it again tomorrow morning.

I did encounter something else suspicious. While I was waiting on the
last MBAM run I started FF3 to search for T4w02cxEV.exe. I entered it in
the Google search box in the upper right corner. When I pressed <ENTER>
I got a results page that sort of looked like a Google page but the
address bar shows that I was redirected to search.find-fast.net (or was
it search.fast-find.net?). I have never seen this on my other PCs and I
wonder if there is more malware hiding on the pc.

--

Dennis
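
The observations in Dennis's post above (a process that respawns after rkill kills it, living in an Application Data folder with a random-looking name, with a cluster of files dated the day the problem started) are exactly what a triage script can pull out of a file listing. The following Python is an added example, not code from the thread or from any of the tools named in it. Only the file name T4w02cxEV.exe comes from the post; the folder name Qx7Ftr2Kpz, the user name, the other paths and the dates are constructed placeholders, and the "random-looking name" test is a heuristic of my own, not a signature.

```python
import math
from collections import Counter
from datetime import date

# Constructed snapshot of (path, last-write date) pairs standing in for a listing of
# the infected XP machine. Only T4w02cxEV.exe is from the post; the folder name
# Qx7Ftr2Kpz, the user name and every other path are assumptions for the example.
SAMPLE_FILES = [
    (r"C:\Documents and Settings\Mom\Application Data\Qx7Ftr2Kpz\T4w02cxEV.exe", "2010-10-06"),
    (r"C:\Documents and Settings\Mom\Application Data\Qx7Ftr2Kpz\svchost.exe", "2010-10-06"),
    (r"C:\Documents and Settings\Mom\Application Data\Mozilla\Firefox\profiles.ini", "2010-09-01"),
    (r"C:\Documents and Settings\Mom\Start Menu\Programs\Startup\momhelper.exe", "2009-03-12"),
    (r"C:\Program Files\Microsoft Security Essentials\msseces.exe", "2010-09-28"),
    (r"C:\WINDOWS\system32\svchost.exe", "2008-04-14"),
]
INCIDENT_DAY = date(2010, 10, 6)   # the day the user first reported the fake MSE screen
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")
VOWELS = set("aeiouAEIOU")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; keyboard-mashed names score close to log2(len)."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def looks_random(name: str) -> bool:
    """Heuristic for 'a bunch of randomly typed chars': long enough, high entropy,
    and either digits mixed with both letter cases or almost no vowels."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    letters = [c for c in stem if c.isalpha()]
    has_digit = any(c.isdigit() for c in stem)
    # Ignore a single leading capital so ordinary names like "Mozilla" are not "mixed case".
    mixed_case = any(c.islower() for c in letters) and any(c.isupper() for c in letters[1:])
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return shannon_entropy(stem) >= 3.0 and ((has_digit and mixed_case) or vowel_ratio < 0.15)


def triage(files, incident_day):
    """Return (path, reasons) for executables under Application Data with a random-looking
    folder or file name, or for any executable written on the incident day."""
    hits = []
    for path, written in files:
        *folders, fname = path.split("\\")
        if not fname.lower().endswith(EXECUTABLE_EXTS):
            continue
        reasons = []
        under_appdata = any(f.lower() == "application data" for f in folders)
        random_parts = [p for p in folders + [fname] if looks_random(p)]
        if under_appdata and random_parts:
            reasons.append("random-looking name: " + ", ".join(random_parts))
        if date.fromisoformat(written) == incident_day:
            reasons.append("written on incident day")
        if reasons:
            hits.append((path, reasons))
    return hits


def run_sample():
    """Run the triage over the constructed listing."""
    return triage(SAMPLE_FILES, INCIDENT_DAY)


if __name__ == "__main__":
    for path, reasons in run_sample():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On the constructed listing both files in the random-named folder are flagged twice (folder name and incident date), while the user's own startup program, the real MSE binary and the genuine svchost.exe in system32 are not. The copy of svchost.exe dropped next to T4w02cxEV.exe is caught by its folder, not its file name, which is why the heuristic is applied to every path component. On a real machine the listing would come from a directory walk of the suspect drive mounted offline, because a process that restarts its partner when one copy is killed can also hide its files from tools run inside the infected session.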

Re: Malware masquerading as Microsoft Security Essentials?

wrote:


MBAM ran this morning without finding any problems. But the system still
appears to be unstable. While MBAM was running a generic service host
bit the dust.

I am thinking I will need to use the recovery disks I made prior to
giving my mom the pc. Maybe I'll work on that this weekend.

--

Dennis

Re: Malware masquerading as Microsoft Security Essentials?


I ran into it 3 days ago on a computer that was infected with all sorts of
things as per my post in alt.privacy.spyware. The subject line in that
thread was "AntivirusGT" which was what I started out with. The fake MSE
came along after I had gotten rid of the GT one. It turns out it had a
rootkit infection in the master boot record called Rootkit Whistler.
ComboFix detected it but didn't fix it. fixmbr in the recovery console is
what finally ended it all. I really have no idea if the fake MSE thing was
connected or not. I kind of doubt it.

--
        --- Everybody has a right to my opinion. ---

Re: Malware masquerading as Microsoft Security Essentials?




| I ran into it 3 days ago on a computer that was infected with all sorts of
| things as per my post in alt.privacy.spyware. The subject line in that
| thread was "AntivirusGT" which was what I started out with. The fake MSE
| came along after I had gotten rid of the GT one. It turns out it had a
| rootkit infection in the master boot record called Rootkit Whistler.
| ComboFix detected it but didn't fix it. fixmbr in the recovery console is
| what finally ended it all. I really have no idea if the fake MSE thing was
| connected or not. I kind of doubt it.

You said...
"...fixmbr in the recovery console is what finally ended it all."

I can only surmise you had that rare variant of the TDSS that actually
trojanizes the MBR.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
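
Dave's diagnosis above, and the poster's report that fixmbr is what finally ended it, both point at the first sector of the disk. The following Python is an added example, not code from the thread or from ComboFix, Multi-AV or any other tool named in it. It shows the check a practitioner makes on a dumped 512-byte MBR: parse the partition table, confirm the 0x55AA signature, and compare the 440 bytes of boot code against a trusted baseline, since boot code is what a bootkit patches and what fixmbr rewrites. The boot code bytes, partition layout and disk signature below are constructed placeholders and are not real Windows XP boot code.

```python
import hashlib
import struct

# Constructed stand-in for clean MBR boot code. It is NOT real Windows XP boot code;
# in practice the baseline is the first sector dumped from a known-clean machine, or
# from the same disk right after fixmbr has rewritten it.
CLEAN_BOOT_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"constructed clean boot code for the example"
# Constructed infected variant: a patch dropped into the boot code, partition table untouched.
INFECTED_BOOT_CODE = CLEAN_BOOT_CODE[:16] + b"\xE9PATCHED" + CLEAN_BOOT_CODE[24:]

# (active flag, partition type, first LBA, sector count); the layout is an assumption.
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 156296322)]  # one bootable NTFS partition


def build_mbr(boot_code: bytes, partitions, disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR: 440 bytes of code, 4-byte disk signature, 2 zero bytes,
    four 16-byte partition entries, then the 0x55AA boot signature."""
    code = boot_code.ljust(440, b"\x00")[:440]
    entries = [struct.pack("<B3sB3sII", flag, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, count)
               for flag, ptype, lba, count in partitions]
    entries += [b"\x00" * 16] * (4 - len(entries))
    return code + struct.pack("<IH", disk_signature, 0) + b"".join(entries) + b"\x55\xAA"


def parse_mbr(mbr: bytes) -> dict:
    """Split the sector into its fields; rejects anything that is not exactly 512 bytes."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly 512 bytes, got %d" % len(mbr))
    partitions = []
    for i in range(4):
        flag, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", mbr, 446 + 16 * i)
        if ptype:  # type 0 marks an unused entry
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "start_lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        "partitions": partitions,
        "valid_signature": mbr[510:] == b"\x55\xAA",
    }


def compare_mbr(candidate: bytes, baseline: bytes) -> list:
    """Findings for a suspect sector against a trusted one. An empty list means the
    boot code, boot signature and partition table all match the baseline."""
    cand, base = parse_mbr(candidate), parse_mbr(baseline)
    findings = []
    if not cand["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if cand["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")      # the region fixmbr rewrites
    if candidate[446:510] != baseline[446:510]:
        findings.append("partition table differs from baseline")
    if not any(p["bootable"] for p in cand["partitions"]):
        findings.append("no partition marked active")
    return findings


def sample_clean_mbr() -> bytes:
    return build_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)


def sample_infected_mbr() -> bytes:
    return build_mbr(INFECTED_BOOT_CODE, SAMPLE_PARTITIONS)


if __name__ == "__main__":
    clean, infected = sample_clean_mbr(), sample_infected_mbr()
    print("clean vs clean:   ", compare_mbr(clean, clean) or "no findings")
    print("infected vs clean:", compare_mbr(infected, clean))
```

Two caveats apply when this is run for real. Read the sector from outside the running OS (boot a live CD or WinPE and dump it with something like `dd if=/dev/sda bs=512 count=1 of=mbr.bin`), because a rootkit that hooks the disk driver on the live system can hand back a clean-looking copy. And keep the partition table check separate from the boot code check: fixmbr replaces only the boot code and leaves the table alone, so a table that differs from your baseline after the repair is a different problem from the one fixmbr solved.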



AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)

wrote:


I am currently running the Kaspersky module in Multi-AV on my mom's PC.
It is inspecting a boat-load of files in C:\Documents and Settings\All
Users\Application Data\avg8\emc\Queue\ACTIVE\SYSTEM which, when viewed
in notepad, look like outgoing SPAM! So it looks like one of her
problems is that her PC has been hijacked!

--

Dennis

Re: AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)


| wrote:


| I am currently running the Kaspersky module in Multi-AV on my mom's PC.
| It is inspecting a boat-load of files in C:\Documents and Settings\All
| Users\Application Data\avg8\emc\Queue\ACTIVE\SYSTEM which, when viewed
| in notepad, look like outgoing SPAM! So it looks like one of her
| problems is that her PC has been hijacked!

Hi Dennis:

You would have to query AVG/Grisoft (Forum ?) about what is...

%appdata%\avg8\emc\Queue\ACTIVE\SYSTEM

--
Dave
New, Multi-AV v7.03
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)

On Thu, 14 Oct 2010 17:24:17 -0400, "David H. Lipman"


No point now. I am halfway thru the recovery disks. AVG has a feature
where you can tell it to send problem reports to an email address. It
looks like that was hijacked. That folder contained about 65,000 .CF and
.DF files. It looks like they were queued up for AVG to send (AVG
couldn't since I had the PC disconnected from the internet). It also
looks like the SMTP and POP settings in AVG were hijacked.

Fortunately, my mom only used the PC for email and browsing. She has
never done any online banking or purchased anything over the internet. I
think the only thing that could have been compromised is her email
password, which I have since changed.

--

Dennis

Re: AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)


| On Thu, 14 Oct 2010 17:24:17 -0400, "David H. Lipman"



| No point now. I am halfway thru the recovery disks. AVG has a feature
| where you can tell it to send problem reports to an email address. It
| looks like that was hijacked. That folder contained about 65,000 .CF and
| .DF files. It looks like they were queued up for AVG to send (AVG
| couldn't since I had the PC disconnected from the internet). It also
| looks like the SMTP and POP settings in AVG were hijacked.

| Fortunately, my mom only used the PC for email and browsing. She has
| never done any online banking or purchased anything over the internet. I
| think the only thing that could have been compromised is her email
| password, which I have since changed.

Mind if I pass this info on ?

--
Dave
New, Multi-AV v7.03
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)


That *is* interesting, and AVG is not the only program with its own SMTP
engine.



Re: AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)

On Thu, 14 Oct 2010 19:18:12 -0400, "David H. Lipman"


I wish you would.

--

Dennis

Re: AVG8 Exploit? (was: Malware masquerading as Microsoft Security Essentials?)


| On Thu, 14 Oct 2010 19:18:12 -0400, "David H. Lipman"


| I wish you would.

Danke Dennis.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp


