Windows 7 AntiVirus 2012 Malware is really making me miffed

TechLarry

RIP [H] Brother - June 1, 2022
Are you guys seeing major infestations with this crap?

It's accounting for some 50% of my ticket loads right now.

Anyone figured out the source? Is it a typical rotating ad infection?
 
They have been running rampant the past few weeks. AntiVirus 2012 and that system cleaner one that hides all your links and icons.

I got one the other day that had this and the zeroaccess malware.
 
Have seen this on 4 computers already - just inside my family. These people aren't even that bad when it comes to viruses, so this must be a really good one.

FixNCR -> RKill --> Combofix --> TDSSKiller -> Malwarebytes -> MSE seems to clear it up.
 
I just got this on my box and it took a few hours. If the attack vector was ads, Adblock Plus could not help. I was running the latest Firefox (9.0.1), and Flash.

I should note only programs running with administrator privileges work. MSE did not detect it, and I could not run a scan because it ate MSE files, requiring a reinstall.
The malware also took out the boot files or the registry. I used System Restore.

What a pain.
 
You sure you didn't get something else, or something else and also this? I've never seen a variant of this that was THAT destructive.
 
MSE found Alureon.TK and Sirefef.J threats. Either they came first, or the malware downloaded them.
 
The new MSE beta actually blocked it from hitting my system last night...detected and auto deleted it.
 
I got something that called itself "Win 7 Anti Virus" 2 days ago from visiting legitimate sites. I do believe there is a Java exploit in Firefox if you have the JRE plugin. It keeps on popping up even after you close it. There is a process called spj.exe in your Task Manager; once you see it show up, kill it in there quick. Then run a combination of Spybot, Malwarebytes, and ESET NOD32 in that order. The malware detects Malwarebytes and stops it from being run, but not Spybot. Tell Spybot to remove the trojan and then, once it's gone, run Malwarebytes to remove the rest. Run antivirus to make sure it's all gone. Then run SUPERAntiSpyware to clean up any lingering malware.
 
The malware is on my box again. It would seem obvious the malware has a backdoor somewhere.
 
This almost sounds like the day I had today. I am currently a junior who lives close to home and normally works on hardware support during the winter/summer breaks at the university I go to. Currently I am working at the university's help desk, and almost all of my tickets today had to do with Win7 AntiVirus 2012 and several related viruses/malware type programs. Of the 8 laptops that were infected, I was able to get 7 cleaned.

The cleaning process consisted of booting into safe mode and running the latest version of Combofix. Upon reboot, I ran TDSSKiller and 2 different versions of RKill (one of the baddies that gets let in is W32/Alureon.A, and I could only get rid of it with TDSSKiller). The last tool I ran that wiped out everything else malicious was Malwarebytes.

The issue I had with the last laptop, which was clearly used for a long period of time after infection, was that Combofix would stall out, and TDSSKiller wouldn't even start in safe mode. Eventually I gave up trying to do things in safe mode and ran the "Windows Defender Offline" scanner, which is a preboot scanner; it was able to remove most of the malicious software except for the Win7 AntiVirus 2012 program. At this point I have sent the user home with instructions on how to run Combofix (I have a good feeling that it will take a good few hours for it to run, and the help desk I work at closes at 4pm during winter break).

If anyone has any suggestions or other antimalware software to use, chime in. Today was particularly heavy for this virus, but I have noticed an increasing trend of this virus showing up ever since the beginning of November on my campus.
 
The last thing I do is run Unhide (another app from Bleeping Computer) that automatically unhides all or most of the files/folders that got hidden by the virus.
 
My brother's new laptop just got this. It ate the registry and didn't boot after running MalwareBytes. Fresh install time. MSE didn't touch it, and was running full time since he got the laptop.
 
Had a user come in after vacation yesterday morning who had this. It's a PITA!
 
After about 12 hours split unevenly between 2 afternoons, the student's laptop I was working on is finally clean. Ended up having to do the registry fix and ran malwarebytes followed by superantispyware to fix the problem(s).
 
Are you guys who are getting infected with this using AV with web filter? Something like Avast. MSE's network detection is not the greatest.
 
Just an FYI, if you're trying to help someone remotely or over the phone, you can get around some of the pop-up annoyance with the infection if you click the yellow padlock that's labelled registration or activation, then choose the "manual activation" option, and then enter this "registration code" for it: 3425-814615-3990

You can also try killing the process and then deleting the exe before it restarts itself, and then use Kaspersky's AVZ program and use its system restore feature to repair file associations in the registry. Makes it really easy to clean up after that.
 
I've never heard about AVZ. I have it downloaded and see it has a lot of options. What have you noticed are the best features?
 
Combofix seems to do a number on it. Seems to. I've thought I was clean multiple times.

Aggravating damn infection.
 
Looks like this last case from 2 days ago is going to be a rebuild... Lesson learned, if you are infected, STOP using the computer.
 
When I get these types of infections, I just check the location of the file it's running from, using the shortcut that is created on the desktop. Often in 7 they drop the file in c:\programdata. It will be a randomly named .exe. Just switch accounts and delete the files, or boot to a live disc and delete them. Then when you're back on the account, delete any shortcuts or startup items that were created. Most scareware products on XP and 7 can be removed without any AV tools at all.
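The manual method in the post above (desktop shortcut to a random .exe under C:\ProgramData, plus whatever autostart entry relaunches it) can be scripted as a read-only triage pass. This is an added example, not code from the thread or from any of the tools named in it. It assumes Windows 7 with PowerShell 2.0 and an elevated prompt; the dropper locations (ProgramData and the AppData roots), the autostart points checked (Run/RunOnce keys and the Startup folders) and the seven-day window are my assumptions, not the poster's. Nothing is deleted; it lists what to look at and which flagged binaries are currently running.

```powershell
# Added example (not from the thread): list where a rogue-AV scareware has
# parked itself on Windows 7 so it can be removed by hand, as the post above
# describes. Read-only. Assumptions: dropper under ProgramData/AppData, autostart
# via Run/RunOnce or a Startup-folder shortcut, PowerShell 2.0, elevated prompt.
# Run it from a second (clean) account or after killing the rogue process, since
# the thread notes the infection blocks other programs from starting.

function Get-ScarewarePersistence {
    $dataRoots = @($env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA)
    $results   = @()

    # Helper: does a path live under one of the data roots?
    $inDataRoot = {
        param($p)
        foreach ($r in $dataRoots) {
            if ($p -and $p.ToLower().StartsWith($r.ToLower())) { return $true }
        }
        return $false
    }

    # 1. Executables created in the last week directly under the data roots.
    foreach ($root in $dataRoots) {
        Get-ChildItem -Path $root -Filter *.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-7) } |
            ForEach-Object {
                $results += New-Object PSObject -Property @{
                    Source = 'file'; Where = $_.FullName; Target = $_.FullName; Flag = $true
                }
            }
    }

    # 2. Run / RunOnce keys for the machine and the current user. The value is
    #    a command line, so pull the .exe path out of it before comparing.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            $exe = $null
            if ([string]$_.Value -match '^"?([^"]+?\.exe)') { $exe = $matches[1] }
            $results += New-Object PSObject -Property @{
                Source = 'registry'; Where = "$key\$($_.Name)"; Target = $_.Value
                Flag = (& $inDataRoot $exe)
            }
        }
    }

    # 3. Shortcuts in the Startup folders and on both desktops, resolved to
    #    their targets through the WScript.Shell COM object.
    $shell   = New-Object -ComObject WScript.Shell
    $lnkDirs = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:USERPROFILE\Desktop",
        "$env:PUBLIC\Desktop"
    )
    foreach ($dir in $lnkDirs) {
        Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            $results += New-Object PSObject -Property @{
                Source = 'shortcut'; Where = $_.FullName; Target = $target
                Flag = (& $inDataRoot $target)
            }
        }
    }

    # 4. Mark which targets are running right now: those are the processes to
    #    kill before the file can be deleted.
    $running = @(Get-Process -ErrorAction SilentlyContinue |
                 Where-Object { $_.Path } | ForEach-Object { $_.Path.ToLower() })
    foreach ($r in $results) {
        $isRunning = [bool]$r.Target -and ($running -contains ([string]$r.Target).ToLower())
        $r | Add-Member NoteProperty Running $isRunning
    }
    return $results
}

# Show only the entries that point into ProgramData/AppData.
Get-ScarewarePersistence | Where-Object { $_.Flag } |
    Sort-Object Source | Format-Table Source, Running, Where, Target -AutoSize -Wrap
```

Drop the `Where-Object { $_.Flag }` filter to see every autostart entry and shortcut, flagged or not. A flagged entry whose target no longer exists on disk is the leftover shortcut or Run value the post says to clean up after the binary is gone.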
 
I have a system i am working on for someone which is infected with this piece of shit now.

I've ran Malwarebytes
MSE
Super Anti Spyware
Spybot S&D
AVZ
TDSSKILLER
Rootkit Buster
HiJack This
ComboFix

The AV2012 is removed... but I still have a browser redirect that I can't find. I've also made sure the hosts file is not touched, DNS is correct, and that IE settings are reset. Actually, all browsers are being redirected. It does not redirect URLs typed directly in. It is redirecting links that you click through Google search.

Help!
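For the kind of leftover redirect described in the post above, here is a read-only audit of the network-level places a redirect can be planted. It is an added example, not code from the thread or from any tool named in it. It covers what the poster says was already checked (hosts file, DNS, IE settings) and two spots that are easy to miss: a proxy or PAC (AutoConfigURL) entry in the WinINET settings, and Winsock catalog providers whose DLL lives outside System32. Assumptions (mine): Windows 7, PowerShell 2.0, elevated prompt, English `netsh` output; the "CHECK" heuristic for Winsock paths is a starting point, not a verdict.

```powershell
# Added example (not from the thread): report the settings that can redirect
# browser traffic on Windows 7. Read-only. Assumptions: PowerShell 2.0, elevated
# prompt, English netsh output (the 'Provider Path:' label is locale-dependent).

function Get-RedirectSurface {
    $report = @()

    # 1. Hosts file: any line that is not blank or a comment is an override.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    Get-Content $hosts -ErrorAction SilentlyContinue |
        Where-Object { $_ -match '^\s*[^#\s]' } |
        ForEach-Object { $report += New-Object PSObject -Property @{ Area = 'hosts'; Item = $_.Trim() } }

    # 2. DNS servers per IP-enabled adapter. A static server on a DHCP network,
    #    or one that is not your LAN/ISP resolver, is the thing to question.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' | ForEach-Object {
        $dns = if ($_.DNSServerSearchOrder) { $_.DNSServerSearchOrder -join ', ' } else { '(none)' }
        $report += New-Object PSObject -Property @{
            Area = 'dns'; Item = "$($_.Description): DHCP=$($_.DHCPEnabled) DNS=$dns"
        }
    }

    # 3. WinINET (IE) proxy settings. A PAC script returns a proxy per URL, so it
    #    can send some destinations through a proxy and leave others direct.
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    foreach ($name in 'ProxyEnable', 'ProxyServer', 'AutoConfigURL') {
        $val = $ie.$name
        if ($val) {
            $report += New-Object PSObject -Property @{ Area = 'proxy'; Item = "$name = $val" }
        }
    }

    # 4. Winsock catalog: provider DLLs are expected under System32. Anything
    #    else is an LSP or namespace provider to identify before trusting it.
    $sys32 = '^(%SystemRoot%|' + [regex]::Escape($env:SystemRoot) + ')\\system32\\'
    netsh winsock show catalog | ForEach-Object {
        if ($_ -match '^\s*Provider Path:\s*(.+)$') {
            $path = $matches[1].Trim()
            $item = if ($path -notmatch $sys32) { "CHECK: $path" } else { $path }
            $report += New-Object PSObject -Property @{ Area = 'winsock'; Item = $item }
        }
    }

    return $report
}

Get-RedirectSurface | Format-Table Area, Item -AutoSize -Wrap
```

Run it once before and once after each cleanup pass and diff the two reports; an entry that reappears after a reboot points at whatever is still restoring it.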
 
For company stuff I just reimage, too much hassle and no way to guarantee the machine is clean with this stuff.

Completely agree. I've seen this thing kick about 20-30 machines' asses since early last year and removal tends to not be complete. I can't vouch for those users' habits online but I know some of the reinfections had to be the result of an incomplete removal versus re-infection :mad:

I can't be horribly upset that it keeps me earning a living, though :cool:
 
Thankfully I found that the recovery partition was still intact. I had to use GPARTED desktop to flag the recovery partition as a boot drive. The recovery software launched properly.
 
At the risk of jinxing myself, how many of you that are seeing this on Windows 7 are up to date on Windows updates? I have a large Win7 deployment, and haven't seen this kind of malware since we moved from XP.

Additionally, how up to date are the java, adobe reader, and flash/shockwave installs?
 
I think most of these types of malware cannot be gotten very easily unless you have out of date software.
 
Win 7 AntiVirus has some competition now.
 
Agreed...the first thing I do with the latest Win AV 20xx infections is run Combofix, then MBytes. Pain in the ass to remove if they (users) had a click fest party before contacting me.

PS: make sure to turn off system restore first though to prevent any possible re-infections.
 
This is probably the same infection manifest in a different way as far as GUI is concerned. I've seen probably 5-6 variants on this theme. They all suck though... :mad:

I agree, I keep paying them for them to clean the crap off my computer but all they ever seem to clean out is my bank account. ;)
 
Last client laptop I had to clean this infection/variant and "friends" of this virus off of had to have the boot record rebuilt. I think this virus is starting to morph a little.
 