XP Antivirus 2009, XP Antispyware 2009, et all


How can this new iteration of an old threat get by up-to-date real-time
anti-virus scanners? I've now seen it infect systems running up-to-date
Avast and also Trend Micro OfficeScan. I would imagine it has passed through
others.

From what I understand, this is the same crap as XP Antivirus 2007 and 2008.
Also, I have read that it morphs into Antivirus VIP. Anyway, I'm mainly
confused as to how it is bypassing scanners. I suspect (because I was not
present when the infection occurred) that when an infected web page popped
up a message to click on a link to download a repair for the poor user's
infected system, they clicked on it and installed the
virus. But still, it seems to disable resident scanners.

-Frank


Re: XP Antivirus 2009, XP Antispyware 2009, et all



Because it is not a virus, but spy/adware.

The first programs able to "handle" this malware were:
- Malwarebytes' Anti-Malware
http://www.malwarebytes.org/mbam.php
- SuperAntiSpyware
http://www.superantispyware.com/download.html

But more and more programs (antivirus, antispy-/ad-/malware) recognize
this threat.

--
Fred W. (NL)

Re: XP Antivirus 2009, XP Antispyware 2009, et all

FredW wrote:


And are mostly able to do fuck all about it.

Gaz



Re: XP Antivirus 2009, XP Antispyware 2009, et all



It will continue to do so, for some time.
 

It's an application which morphs a lot. Not completely, mind you, but
enough to fool most programs out there. We have spent a lot of time
researching the software, so Malwarebytes tends to get almost all
versions on the first try. I am aware of some new variant that's floating
around, but it's just a matter of time before we nail its ass to the
wall too.


The user was probably tricked into downloading this to "fix" his/her PC
from some bogus errors the website told them they had. And yes, one
particular variant is pretty harsh on Symantec and a few others.


https://forums.symantec.com/syment/board/message?board.id=endpoint_protection11&message.id=15665&jump=true#M15665

My newsclient might have borked this, but if you can follow the URL you
can read an interesting thread.

--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
  


Re: XP Antivirus 2009, XP Antispyware 2009, et all



Thanks Dustin. I appreciate the feedback. Sure enough, I ran Malwarebytes'
Anti-Malware on three infected machines and it cleaned this infection off of
every one without hassle. Thank you!

Yes, it disabled Trend Micro OfficeScan until after it was cleaned. Also, I
did get a user to admit that he did in fact download the program and install
it by mistake. He was tricked. I counseled him on making sure any malware
messages come from his own Antivirus software and not some apparent third
party or web page.

I also noticed, on one machine (maybe more, didn't check) it disabled the
registry editor (the message says it has been protected by the "Administrator"
when you try to run regedt32). In one case (didn't check the others) it
remained this way after cleaning with Malwarebytes' Anti-Malware. How to
fix?

BTW, yes, I now see that Trend Micro OfficeScan signatures do recognize this
malware. I guess we got it about two days before their sig file was
released. And yes, Malwarebytes' seems to have been about the first.

Again, Thanks,

-Frank


Re: XP Antivirus 2009, XP Antispyware 2009, et all



No problem. Glad we could help.
 

Very wise decisions on your part. Never trust a 3rd party "warning"
message.
 

Ahh, they've disabled the registry editor via a policy key. We already
detect this in most cases... Let's see...

http://downloads.malwareremoval.com/BillCastner/FixPolicies.exe

Double click on FixPolicies.exe to run it.
Click on Install. It will create a folder named FixPolicies on your
desktop. Open the FixPolicies folder. Double click on Fix_policies.cmd to
run it. Command Prompt will open and close quickly; this is normal.
Reboot your computer after it runs.

 

Let me know if that doesn't clear up your issue.


--
Regards,
Dustin Cook,  Author of BugHunter
BugHunter - http://bughunter.it-mate.co.uk
MalwareBytes - http://www.malwarebytes.org
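The policy-key lockout Dustin describes above, as an added PowerShell example that is not from this thread, from Malwarebytes or from the FixPolicies tool: it audits the per-user and per-machine policy values behind the regedit lockout and resets them only when run with -Repair. It assumes the lockout is the standard DisableRegistryTools value under the Policies\System key (the same value Group Policy writes) and an elevated prompt. It does nothing about whatever set the value, so run it after the infection has been cleaned; otherwise the malware will simply reapply the policy.

```powershell
# Added example, not the thread's own or FixPolicies' code.
# Audit (and with -Repair, reset) the DisableRegistryTools policy value that
# rogue "antivirus" software uses to lock the user out of regedit.
# Assumption: the lockout is this documented policy value and nothing else.

[CmdletBinding()]
param(
    [switch]$Repair   # without -Repair the script only reports what it finds
)

# Both hives matter: the per-user policy and the per-machine policy can each
# block the registry editor on their own.
$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$valueName = 'DisableRegistryTools'

function Get-RegeditLockout {
    # Returns $null when the key or value is absent, otherwise the DWORD value.
    param([string]$Path)
    $item = Get-ItemProperty -Path $Path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

foreach ($path in $policyPaths) {
    $state = Get-RegeditLockout -Path $path
    if ($null -eq $state -or $state -eq 0) {
        Write-Output "[ok]    $path : $valueName not set or 0"
        continue
    }
    # Documented meanings: 1 = regedit blocked outright, 2 = blocked except
    # for silent imports (regedit /s). Either one is a lockout worth logging.
    Write-Warning "$path : $valueName = $state (registry editor disabled)"
    if ($Repair) {
        Set-ItemProperty -Path $path -Name $valueName -Value 0 -Type DWord
        Write-Output "[fixed] $path : $valueName reset to 0"
    }
}
```

Run it once without -Repair to record which hive carried the lockout (useful evidence of what the infection changed), then again with -Repair from an elevated prompt. If the value comes back after a reboot, something on the machine is still rewriting it and the cleanup is not finished.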
  


Re: XP Antivirus 2009, XP Antispyware 2009, et all


Thank you. I'm confident it will repair the policies. However I won't be
returning to that branch office for a couple of weeks. I'll do it then.
Again, thanks.

-Frank


Re: XP Antivirus 2009, XP Antispyware 2009, et all


XP Antispyware 2009 or other rogue antispyware software should always be
deleted as soon as possible. And for me the best solution to this
problem was Spyhunter. I always use this site http://www.pcthreat.com;
they are always updating the latest spyware.

Re: XP Antivirus 2009, XP Antispyware 2009, et all

Dzias wrote:

Be aware that this is spam, and just as likely to do harm as the products it
claims to remove.

Gaz



Re: XP Antivirus 2009, XP Antispyware 2009, et all



Dzias wrote:

Malwarebytes' Anti-Malware is free and it does an excellent job of getting
rid of XP Antispyware 2009.
It is usually updated several times a day.



Re: XP Antivirus 2009, XP Antispyware 2009, et all

Buffalo wrote:

Be careful: you need to sort out the rootkit with the newer variants first,
though, as Malwarebytes will not load or update.

Gaz



Re: XP Antivirus 2009, XP Antispyware 2009, et all



That rootkit stops more than MBAM. :)


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: XP Antivirus 2009, XP Antispyware 2009, et all



| That rootkit stops more than MBAM. :)


Aye, and it's morphing.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: XP Antivirus 2009, XP Antispyware 2009, et all



It sure is. Getting rather nasty at this point.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  


Re: XP Antivirus 2009, XP Antispyware 2009, et all

Dustin Cook wrote:

Some more info please; some of us are out at the coalface, and any developments
would be helpful... I have to say the trojan describing itself as a driver
and rootkit was pretty smart....

Gaz



Re: XP Antivirus 2009, XP Antispyware 2009, et all



It's harder to disable inside an infected host OS with later variants.
Later variants also disable more tools from starting up. The executables
are in an almost constant state of morphing. Signatures on them hold for
24 hours on average now, or less. We're talking entire file structure
change with the morphing. Very few aspects of the TDSS family rootkit are
still static. I'm not going to go into details concerning those aspects.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
  

