Nasty new Virus out in the wild

AMD_Gamer

Has anyone seen this thing? We have seen it at three different clients and two of our computers in the office within the past week. It happens after login and removes everything from the start menu.


[attached screenshot: E5nkF.jpg]
 
Ha, under the delay scan option:
"your computer will be restarted"

Clever

Although no doubt both options do the same thing
 
Has anyone seen this thing? We have seen it at three different clients and two of our computers in the office within the past week. It happens after login and removes everything from the start menu.

One of the many variants of fake antivirus / antimalware / system repair / system fixer "utilities".

Whenever we see it, single pass DBAN to the drive and reinstall.
 
I remove it daily, it's not too hard. Boot into linux, look for randomly generated files under users/userfolder/appdata/local and under c:/programdata. Delete. Restart, run MBAM then unhide.exe & problem solved.
 
I remove it daily, it's not too hard. Boot into linux, look for randomly generated files under users/userfolder/appdata/local and under c:/programdata. Delete. Restart, run MBAM then unhide.exe & problem solved.

Will keep that in mind, thanks.
 
Secure wipes are for making sure someone couldn't recover the data from the HDD. I don't think any virus can survive a Windows Installation Reformat.

Probably not but an abundance of caution in these situations generally isn't a bad thing to do.
 
Been battling this one for a few weeks in various forms. Not too big of a deal for me at work because we have a properly set up Altiris server, so I can perform a profile capture, reinstall the Windows image and redeploy all software to their machine in about 2 hours, all without leaving my desk.
 
Has anyone seen this thing? We have seen it at three different clients and two of our computers in the office within the past week. It happens after login and removes everything from the start menu.


Not new... I've seen many of these Windows utility fake alerts since at least last summer.

Don't delete the temp files first... some variants will move the start menu and documents to a folder within there.

Several good tools out there to restore the -r -a -s -h attributes it whacks... a common one is "unhide.exe"... can find it from Bleeping.

A little more difficult to clean up than some of the current easy malware to clean... but certainly doable with today's wealth of malware cleaning tools and good guides.
 
I cannot get ComboFix to run in Safe Mode. Also, it has done something strange to the HDD. When I view the drive there is nothing there but a link that takes you back to the Computer screen where you were before. Very strange.
 
Probably not but an abundance of caution in these situations generally isn't a bad thing to do.
Well, it's a waste of time. There's no need to do that kind of wipe, when simply killing the index will do the same thing ( ie: quick format ).

I'll usually yank the drive and throw it in my clean system, do a full run of MBAM/MSE on it, then throw it back in its home machine and finish the clean up. If that doesn't work, then it's wipe/reload.
 
Mbam in safe mode worked fine for me with this one yesterday. Tested with redirection, all good.
 
I cannot get ComboFix to run in Safe Mode. Also, it has done something strange to the HDD. When I view the drive there is nothing there but a link that takes you back to the Computer screen where you were before. Very strange.

Unhide.exe

aka

Attrib +h C:\* is what the virus does

You can likewise do Attrib -h C:\*.* which is basically what unhide.exe does.
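The attrib one-liners above only touch the top level of C:\, and a blanket `attrib -h -s -r` would also strip attributes from files Windows legitimately hides (boot files, desktop.ini, the profile hives). The script below is an added example, not code from this thread or from unhide.exe: it walks the locations the thread names (the user profiles and ProgramData, plus the root of the drive without recursing into \Windows), lists every item that carries Hidden but not System, and clears Hidden only when run with -Apply. The skip list of names and the decision to leave System-attributed items alone are assumptions based on the variant described here (which sets +h); adjust both if a variant on your box also sets +s. Paths assume a Windows 7 layout; on XP substitute C:\Documents and Settings.

```powershell
# Added example (not from the thread): scoped, dry-run-first replacement for
# "attrib -h C:\*.*" / unhide.exe. Requires PowerShell 2.0+ (Windows 7).
param(
    # Roots are assumptions for a Windows 7 box; on XP use C:\Documents and Settings.
    [string[]]$Roots = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemDrive\"),
    [switch]$Apply   # without -Apply the script only reports what it would change
)

# Items that are legitimately hidden and must keep the attribute (assumed list).
$keepHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini',
                'pagefile.sys', 'hiberfil.sys', 'boot.ini', 'ntldr', 'ntdetect.com', 'bootmgr',
                'AppData', 'Application Data', 'Local Settings', '$Recycle.Bin', 'RECYCLER',
                'System Volume Information')

$changed = 0
foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    # The drive root is listed non-recursively so we never wander into \Windows,
    # where hidden+system files are normal.
    $recurse = ($root -ne "$env:SystemDrive\")
    Get-ChildItem -LiteralPath $root -Force -Recurse:$recurse -ErrorAction SilentlyContinue |
      Where-Object {
          ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
          -not ($_.Attributes -band [IO.FileAttributes]::System) -and
          ($keepHidden -notcontains $_.Name)
      } |
      ForEach-Object {
          Write-Output ("unhide: " + $_.FullName)
          if ($Apply) {
              # Clear only the Hidden bit; leave ReadOnly/Archive as they were.
              $_.Attributes = [IO.FileAttributes]([int]$_.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
          }
          $changed++
      }
}
if ($Apply) { Write-Output "$changed item(s) unhidden" }
else        { Write-Output "$changed item(s) would be unhidden; re-run with -Apply" }
```

Run it once without -Apply and read the list: if it names anything under \Windows or a whole profile's AppData, the filter needs tightening before you let it write attributes.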
 
I've seen two infections of that crap this week. One bundled with a rootkit that we had to wipe and rebuild from the ground up.
 
Why bother with dban when you're going to format anyway?

To explain why we do what we do is easy. I needed a simplified procedure that any tech can follow and be assured that the malware or virus infection has been eliminated. By using DBAN, we eliminate any trace of any known or unknown infection.

Since most of our clients are in the financial and medical fields, we need to be absolutely sure that any infected system is returned back to service in a clean state.

If a machine is still infected or becomes "reinfected", we don't have to question whether our cleaning methods or tools missed anything.
 
To explain why we do what we do is easy. I needed a simplified procedure that any tech can follow and be assured that the malware or virus infection has been eliminated. By using DBAN, we eliminate any trace of any known or unknown infection.

Since most of our clients are in the financial and medical fields, we need to be absolutely sure that any infected system is returned back to service in a clean state.

If a machine is still infected or becomes "reinfected", we don't have to question whether our cleaning methods or tools missed anything.

Ding ding ding...we have a winner. The part of any good system is having a known process which allows you to know where it broke. It doesn't matter if your process is 10% faster if when things go wrong you don't know where it went wrong.
 
We had a few of these a couple weeks ago. ComboFix in Safe Mode or regular mode would crash every time we ran it, even if we ran rkill a few dozen times beforehand. Cleared out System Restore and deleted suspicious startup items from the registry and msconfig. Was able to then get MBAM to run from a different user profile. Cleaned up a shit ton of stuff, ran ComboFix, unhide.exe, ESET Online Scanner, SEP 11, all came back clean. Got a call a week later saying it was back. Ended up having to wipe and re-install.
 
Ran into this one about a month ago with one of our sales guys. Spent 20 minutes on it, figured it was a lost cause, and then imaged the machine... Lame, but the problem was solved in 45 minutes.
 
If you aren't joined to the domain, in other words the computer is just in a workgroup, create a new user account with administrative privileges, reboot the computer into that account and run ComboFix. Once the virus is removed you need to remove the user folder that had the virus.
In XP, under Documents and Settings you will see the name of the account. Double click on the folder, cut the folders out and move them to another folder outside of Documents and Settings. You won't be able to remove a couple of files; those are OK to leave in the directory. Also make sure to view hidden files.
In Windows 7, again you need to view hidden files. In C:\Users\ under the name of the account, do the same thing: move the files out to another directory.
Reboot the computer and log in to the account that had the virus and you should be good to go.
Most of those viruses seem to stay in one user account. I have gone through and removed 3 different versions of it in the last 3 weeks.
 
Disregard what I said about just using ComboFix. This thing is a cluster fuck, a real nasty one too. Especially for business clients.
 
Ding ding ding...we have a winner. The part of any good system is having a known process which allows you to know where it broke. It doesn't matter if your process is 10% faster if when things go wrong you don't know where it went wrong.
That works in business environments, and is recommended, but when you are dealing with end users' home machines, the landscape changes a bit.
 
I just ran into this one 2 days ago (or one very similar, the SST rootkit) on XP and I didn't have the option of wiping the machine (usually with these redirecting rootkits I just wipe/reinstall). Here are the steps I used to clean it completely:

1. Remove Drive and scan MSE>MBAM>SAS. Let me elaborate a bit more on this step. We have a dedicated linux machine running a virtual box of XP which has MSE/MBAM/SAS on it. We remove the infected drive from the computer, hook it up via drivewire/docking station and then scan through the VM.

2:
Restore shortcuts before cleaning temp folder-
From C:\, select everything inside, right click and uncheck hidden.

Then navigate to:
C:\Documents and Settings\[username]\Local Settings\Temp\smtmp

Inside the smtmp folder you will see three folders named 1, 2, 4
1 = Start Menu Program shortcuts
2 = Current User Quick Start shortcuts
4 = All Users Desktop folders and shortcuts

Copy 1 to C:\Documents and Settings\[username]\Start Menu
Copy 4 to C:\Documents and Settings\All Users\Desktop


3:
Follow this guide to remove the redirecting rootkit:
http://www.geekstogo.com/forum/topic/267407-how-to-fix-google-redirects/

...and if TDSSKiller won’t run try this:
http://forum.kaspersky.com/index.php?showtopic=212719

4:
To restore the background, right click on desktop, task manager (if any are disabled).
Run regedit and go to:
HKey_Current_User>Software>Microsoft>Windows>CurrentVersion>Policies
Delete all of the keys inside of each of the folders

5:
To restore start menu icons like My Computer, Documents, etc:
Right click on the start menu > properties > Start menu Customize > Advanced tab > Start menu items and show all of the items (they are probably “Don’t display this item”).


I do step 2 before step 3 because step 3 may delete temp files, thus deleting all of the shortcuts you have and those are a PIA to restore.


Hope this helps anyone who has run into this virus and doesn't have the option of wiping (which is what I would always suggest).
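Steps 2 and 4 of the procedure above are the ones that get botched by hand (copying the wrong smtmp subfolder, or deleting a policy value that Group Policy legitimately set). The script below is an added example, not the poster's tool or anything from the guides linked above: it uses the XP paths exactly as the post gives them for folders 1 and 4, copies rather than moves so smtmp stays as a fallback, exports the Policies key to a .reg file before touching it, and does nothing unless run with -Apply. The Quick Launch destination for folder 2 is an assumption (the post lists the folder but not where it goes), as is the requirement of PowerShell 2.0 on an XP box.

```powershell
# Added example (not from the thread): script form of steps 2 and 4 above.
# Assumes the XP profile layout the post describes and PowerShell 2.0.
param(
    [string]$User = $env:USERNAME,
    [switch]$Apply   # dry run unless -Apply is given
)
$profileRoot = 'C:\Documents and Settings'
$smtmp = Join-Path $profileRoot "$User\Local Settings\Temp\smtmp"

# smtmp subfolder -> original location of the shortcuts (step 2).
$map = @{
    '1' = (Join-Path $profileRoot "$User\Start Menu")
    # Folder 2's destination is an assumption; the post only says "Quick Start shortcuts".
    '2' = (Join-Path $profileRoot "$User\Application Data\Microsoft\Internet Explorer\Quick Launch")
    '4' = (Join-Path $profileRoot 'All Users\Desktop')
}

function Restore-Shortcuts {
    if (-not (Test-Path -LiteralPath $smtmp)) {
        Write-Warning "no smtmp folder at $smtmp (already cleaned, or a different variant)"
        return
    }
    foreach ($n in $map.Keys) {
        $src = Join-Path $smtmp $n
        if (-not (Test-Path -LiteralPath $src)) { continue }
        $dst = $map[$n]
        Write-Output "restore: $src -> $dst"
        if ($Apply) {
            if (-not (Test-Path -LiteralPath $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
            # Copy, never move: the originals stay in smtmp until you are sure.
            Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
        }
    }
}

function Clear-UserPolicies {
    # Step 4: values under HKCU\...\Policies\* hide the desktop, Task Manager, etc.
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'
    if ($Apply) {
        # Back up first: on a domain member some of these may be real GPO settings.
        & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies' "$env:TEMP\policies-backup.reg" /y | Out-Null
    }
    Get-ChildItem -Path $base -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            $shown = if ($name -eq '') { '(default)' } else { $name }
            Write-Output ("policy: " + $key.Name + " \ " + $shown + " = " + $key.GetValue($name))
            if ($Apply) { Remove-ItemProperty -Path $key.PSPath -Name $shown }
        }
    }
}

Restore-Shortcuts
Clear-UserPolicies
if (-not $Apply) { Write-Output 'dry run only; re-run with -Apply to make changes' }
```

As the post says, run this before any temp-folder cleanup; once smtmp is gone the shortcuts are gone with it.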
 
I've seen that one a couple of times, along with similar variants that do the "hide everything" portion. First time I saw it, a field guy called in claiming that everything was gone. Seems to be a real pain; occasionally I can't get ComboFix to work, in which case I end up doing a wipe and reload on the system.
 
Remotely cleaned up one of these variants today. Booted the XP Home Edition into Safe Mode (thank you LMI). Used the Administrator account to download removal tools (yes I know, dangerous; should have clean working tools on hand). Started off by copying the smtmp folder (where all of the shortcuts from the desktop and start menu are moved to) in the c:\documents and settings\usernamehere\local settings\temp folder. Then tried running TDSSKiller. Wouldn't run since the .EXE file association was mangled in the registry. Ran the registry fix to restore .EXE associations back to default. Then re-ran TDSSKiller. Found a rootkit, removed it, rebooted again in Safe Mode. Logged in as the local user this time. Ran ComboFix. Cleaned up some stuff, rebooted back to Windows.

Unfortunately it did not restore most of the desktop items or start menu. After running Malwarebytes, I ran a System Restore back to last week. That fixed the majority of the shortcuts. Re-ran Malwarebytes, TDSSKiller (nothing found), and a quick scan of MSE (nothing found). Updated Flashplayer, Reader, Java. Installed Adblockplus into Firefox. Since the client needed the computer back asap, I finished up. Looked good.
 
Change .exe extensions to .com and almost all of your programs will run, even with the virus present.
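The two posts above describe the same symptom from both sides: the .EXE association in the registry is hijacked so double-clicking a removal tool launches the malware instead, and renaming the tool to .com sidesteps it because .com has its own (untouched) association and the loader does not care about the extension. The script below is an added example, not the "registry fix" the poster ran: it compares the association keys against the stock Windows values (HKCR\.exe = exefile, HKCR\exefile\shell\open\command = "%1" %*), flags a per-user override under HKCU\Software\Classes, which is where these hijacks are commonly planted, and restores the defaults only with -Apply. It assumes nothing on the box legitimately customised exefile and that it is run elevated.

```powershell
# Added example (not from the thread): check, and with -Apply restore, the
# .exe association that some variants mangle so removal tools will not launch.
param([switch]$Apply)

# Stock Windows values (not assumptions); everything else below is.
$expected = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Value = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Value = '"%1" %*' }
)
# Per-user overrides that do not exist on a clean box (assumed hijack location).
$shouldNotExist = @(
    'HKCU:\Software\Classes\.exe',
    'HKCU:\Software\Classes\exefile'
)

$bad = 0
foreach ($e in $expected) {
    $actual = $null
    if (Test-Path -LiteralPath $e.Path) {
        $actual = (Get-ItemProperty -LiteralPath $e.Path -ErrorAction SilentlyContinue).'(default)'
    }
    if ($actual -ne $e.Value) {
        $bad++
        Write-Output ("DRIFT {0} = [{1}] expected [{2}]" -f $e.Path, $actual, $e.Value)
        if ($Apply) {
            if (-not (Test-Path -LiteralPath $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
            Set-ItemProperty -LiteralPath $e.Path -Name '(default)' -Value $e.Value
        }
    }
}
foreach ($k in $shouldNotExist) {
    if (Test-Path -LiteralPath $k) {
        $bad++
        $v = (Get-ItemProperty -LiteralPath $k -ErrorAction SilentlyContinue).'(default)'
        Write-Output "HIJACK candidate: $k (default = [$v])"
        if ($Apply) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}
if ($bad -eq 0)      { Write-Output '.exe association looks stock' }
elseif (-not $Apply) { Write-Output "$bad problem(s) found; re-run elevated with -Apply to restore" }
```

Note what the DRIFT line shows you before restoring: if the command value points at a file under the user's AppData\Local or ProgramData, that path is the dropper the earlier posts are deleting by hand, and it is worth grabbing a copy before it goes.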
 
how is this infecting machines?

nothing hit yet in our offices luckily, knock on wood.
 
I ran into a problem with TDSSKiller not running today. I just renamed it to 802830r238803423lkdlk.exe and it worked like a champ lol.
 
I usually rename combofix.exe to ccmmbbffxx.exe so it is still recognizable. I also sometimes rename .exe to .com as Protoform-X mentions.
 
Eh, had two of those shits on two different computers. Could not get ComboFix to work.
What I found:
.exes worked when run as administrator
deleted the trojan .exe from the local data folder
ran System Restore to the last restore point
problem was solved
What I want to know is how to block the shit.
It appears to get through everything.
 