
Thread: very nasty variant on old theme

  1. #1
    Gaz Guest

    very nasty variant on old theme

    Come across the old 'fake' your system is infected with spyware scam today,
    the classic red circle with a white cross on the taskbar.

    This one has been around for years, but this new variant, you should be
    worried about. Full scan with hijackthis, full scan with superantispyware,
    scan with smitfraudfix, scan with avg rootkit revealer, found quite a few
    things, but as soon as windows is booted up, the red circle came back.

    An old trick i haven't seen for a while is back as well, anti spyware
    software needs their .exe files changed to allow them to be opened.

    Unable to fix, resorted to system restore...

    Gaz



  2. #2
    David H. Lipman Guest

    Re: very nasty variant on old theme

    From: "Gaz" <gazter@msn.com>

    | Come across the old 'fake' your system is infected with spyware scam today,
    | the classic red circle with a white cross on the taskbar.

    | This one has been around for years, but this new variant, you should be
    | worried about. Full scan with hijackthis, full scan with superantispyware,
    | scan with smitfraudfix, scan with avg rootkit revealer, found quite a few
    | things, but as soon as windows is booted up, the red circle came back.

    | An old trick i haven't seen for a while is back as well, anti spyware
    | software needs their .exe files changed to allow them to be opened.

    | Unable to fix, resorted to system restore...

    | Gaz


    You probably didn't research enough. You stopped at HJT. You should have also used
    AutoRuns and Deckard's System Scanner for oddball load points then booted into the
    Recovery Console and renamed the EXE/DLL files. Then you might have captured the buggers
    such that they could be distributed to the anti malware vendors.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    Lil' Abner Guest

    Re: very nasty variant on old theme

    "Gaz" <gazter@msn.com> wrote in news:6fs4s5Fcur73U1@mid.individual.net:

    > Come across the old 'fake' your system is infected with spyware scam
    > today, the classic red circle with a white cross on the taskbar.
    >
    > This one has been around for years, but this new variant, you should
    > be worried about. Full scan with hijackthis, full scan with
    > superantispyware, scan with smitfraudfix, scan with avg rootkit
    > revealer, found quite a few things, but as soon as windows is booted
    > up, the red circle came back.
    >
    > An old trick i haven't seen for a while is back as well, anti spyware
    > software needs their .exe files changed to allow them to be opened.
    >
    > Unable to fix, resorted to system restore...


    I got a computer in with it a couple of days ago. I think this one was
    antivirXP08, just another variation like AntivirusXP2008.
    I downloaded the latest Smitfraud Fix and that didn't get it, nor did
    SuperAntispyware. I googled around a bit and discovered
    Malwarebytes' Anti-Malware 1.24. It worked.


    --
    - The bible was written by the same people who said the earth was flat -

  4. #4
    Gaz Guest

    Re: very nasty variant on old theme


    "Lil' Abner" <blvstk@dogpatch.com> wrote in message
    news:Xns9AF24EA137E6butter@wefb973cbe498...
    > "Gaz" <gazter@msn.com> wrote in news:6fs4s5Fcur73U1@mid.individual.net:
    >
    >> Come across the old 'fake' your system is infected with spyware scam
    >> today, the classic red circle with a white cross on the taskbar.
    >>
    >> This one has been around for years, but this new variant, you should
    >> be worried about. Full scan with hijackthis, full scan with
    >> superantispyware, scan with smitfraudfix, scan with avg rootkit
    >> revealer, found quite a few things, but as soon as windows is booted
    >> up, the red circle came back.
    >>
    >> An old trick i haven't seen for a while is back as well, anti spyware
    >> software needs their .exe files changed to allow them to be opened.
    >>
    >> Unable to fix, resorted to system restore...

    >
    > I got a computer in with it a couple of days ago. I think this one was
    > antivirXP08, just another variation like AntivirusXP2008.
    > I downloaded the latest Smitfraud Fix and that didn't get it, nor did
    > SuperAntispyware. I googled around a bit and discovered
    > Malwarebytes' Anti-Malware 1.24. It worked.


    Until i do a bit more research, i will get hold of this, you are a life
    saver.

    Gaz

    >
    > --
    > - The bible was written by the same people who said the earth was flat -




  5. #5
    John Doe Guest

    Re: very nasty variant on old theme

    combofix also does a great job of eradicating this infector . . .

    "Gaz" <gazter@msn.com> wrote in message
    news:6fs4s5Fcur73U1@mid.individual.net...
    > Come across the old 'fake' your system is infected with spyware scam
    > today, the classic red circle with a white cross on the taskbar.
    >
    > This one has been around for years, but this new variant, you should be
    > worried about. Full scan with hijackthis, full scan with superantispyware,
    > scan with smitfraudfix, scan with avg rootkit revealer, found quite a few
    > things, but as soon as windows is booted up, the red circle came back.
    >
    > An old trick i haven't seen for a while is back as well, anti spyware
    > software needs their .exe files changed to allow them to be opened.
    >
    > Unable to fix, resorted to system restore...
    >
    > Gaz
    >




  6. #6
    Gaz Guest

    Re: very nasty variant on old theme


    "John Doe" <johndoe@microsoft.com> wrote in message
    news:Skgmk.4269$Lb6.1309@fe99.usenetserver.com...
    > combofix also does a great job of eradicating this infector . . .
    >


    Shocked, as it is the first time i have seen a piece of spyware completely
    evade hijackthis... The cheeky ******* even had a block on loading the exe
    file... (of course a name change sorted that, but what if a variant is set
    to automatically delete files on its watch list instead of just closing
    them? what a ******* that would be).

    Gaz



  7. #7
    David H. Lipman Guest

    Re: very nasty variant on old theme

    From: "Gaz" <gazter@msn.com>


    | "John Doe" <johndoe@microsoft.com> wrote in message
    | news:Skgmk.4269$Lb6.1309@fe99.usenetserver.com...
    >> combofix also does a great job of eradicating this infector . . .



    | Shocked, as it is the first time i have seen a piece of spyware completely
    | evade hijackthis... The cheeky ******* even had a block on loading the exe
    | file... (of course a name change sorted that, but what if a variant is set
    | to automatically delete files on its watch list instead of just closing
    | them? what a ******* that would be).

    | Gaz



    HJT is limited in its scope and it is not an anti malware utility. It is ONLY a tool for
    identifying some OS loading points so you should not be shocked.

    The fact is that some malware will hide from HJT and it is suggested to rename the EXE
    file to something else to negate this.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  8. #8
    Dustin Cook Guest

    Re: very nasty variant on old theme

    FredW <fredw@blackholespam.net> wrote in
    news:964j94hd66aa1pktv44er9abprsq5g2sod@4ax.com:

    > On Wed, 6 Aug 2008 09:46:23 +0100, "Gaz" <gazter@msn.com> wrote:
    >
    >>
    >>"Lil' Abner" <blvstk@dogpatch.com> wrote in message
    >>news:Xns9AF24EA137E6butter@wefb973cbe498...
    >>> "Gaz" <gazter@msn.com> wrote in news:6fs4s5Fcur73U1@mid.individual.net:
    >>>
    >>>> Come across the old 'fake' your system is infected with spyware scam
    >>>> today, the classic red circle with a white cross on the taskbar.
    >>>>
    >>>> This one has been around for years, but this new variant, you should
    >>>> be worried about. Full scan with hijackthis, full scan with
    >>>> superantispyware, scan with smitfraudfix, scan with avg rootkit
    >>>> revealer, found quite a few things, but as soon as windows is booted
    >>>> up, the red circle came back.
    >>>>
    >>>> An old trick i haven't seen for a while is back as well, anti spyware
    >>>> software needs their .exe files changed to allow them to be opened.
    >>>>
    >>>> Unable to fix, resorted to system restore...
    >>>
    >>> I got a computer in with it a couple of days ago. I think this one was
    >>> antivirXP08, just another variation like AntivirusXP2008.
    >>> I downloaded the latest Smitfraud Fix and that didn't get it, nor did
    >>> SuperAntispyware. I googled around a bit and discovered
    >>> Malwarebytes' Anti-Malware 1.24. It worked.

    >>
    >>Until i do a bit more research, i will get hold of this, you are a life
    >>saver.

    >
    >
    > http://www.malwarebytes.org/mbam.php
    > Free for Personal Use.
    > Just download (do NOT buy) and install.
    >


    slight advantages the paid version has, besides showing your support for
    its continued development....


    --
    Regards,
    Dustin Cook - http://bughunter.it-mate.co.uk
    BugHunter v2.2e AntiMalware Removal Utility
    For Windows users, I highly recommend:
    http://www.malwarebytes.org - MalwareBytes AntiMalware


  9. #9
    Dustin Cook Guest

    Re: very nasty variant on old theme

    "Gaz" <gazter@msn.com> wrote in news:6fttadFd3knnU1@mid.individual.net:

    > "John Doe" <johndoe@microsoft.com> wrote in message
    > news:Skgmk.4269$Lb6.1309@fe99.usenetserver.com...
    >> combofix also does a great job of eradicating this infector . . .
    >>

    >
    > Shocked, as it is the first time i have seen a piece of spyware
    > completely evade hijackthis... The cheeky ******* even had a block on
    > loading the exe file... (of course a name change sorted that, but what
    > if a variant is set to automatically delete files on its watch list
    > instead of just closing them? what a ******* that would be).
    >
    > Gaz
    >
    >
    >


    Not really an issue if you scan outside the host os.


    --
    Regards,
    Dustin Cook - http://bughunter.it-mate.co.uk
    BugHunter v2.2e AntiMalware Removal Utility
    For Windows users, I highly recommend:
    http://www.malwarebytes.org - MalwareBytes AntiMalware


  10. #10
    Gaz Guest

    Re: very nasty variant on old theme


    "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9AF2D91E2366HHI2948AJD832@69.16.185.247...
    > "Gaz" <gazter@msn.com> wrote in news:6fttadFd3knnU1@mid.individual.net:
    >
    >> "John Doe" <johndoe@microsoft.com> wrote in message
    >> news:Skgmk.4269$Lb6.1309@fe99.usenetserver.com...
    >>> combofix also does a great job of eradicating this infector . . .
    >>>

    >>
    >> Shocked, as it is the first time i have seen a piece of spyware
    >> completely evade hijackthis... The cheeky ******* even had a block on
    >> loading the exe file... (of course a name change sorted that, but what
    >> if a variant is set to automatically delete files on its watch list
    >> instead of just closing them? what a ******* that would be).
    >>
    >> Gaz
    >>
    >>
    >>

    >
    > Not really an issue if you scan outside the host os.
    >


    Do you do that on a regular basis? Is it not a bit messy 'on site' to do
    that?

    Gaz


