DemonGoddess Posted February 17, 2009
First of all, this thing is a variant of Antivirus 2008/2009. It's got an interesting way of spreading itself, via IM, primarily MSN Messenger (any flavor). My daughter got my machine infested entirely by accident while chatting in MSN IM. Didn't click any links, accept any file transfers, nothing like that. She was simply chatting, and then all of a sudden, there it was. So, been trying to clean this beastie OUT for the last few days. Here's the thing... I deleted all associated files, killed all associated processes, and deleted all associated registry entries. NORMALLY, that will then allow a user to run their anti-malware software. Well, this thing is also a TSR, so while I did all that, it still didn't kill it enough to disable it. Which means that none of my malware removal stuff would work, as it turns it all OFF. This also tends to turn off most antivirus programs. Two of the few exceptions that I know of are Kaspersky and Avira. With Avira (I use it, so have experienced what'll happen), it turns off the Antivirus guard section. Simple enough fix: you simply turn the service back on, and the program will then continue to work as it should. So, in an effort to de-infest my machine, found a malware utility that is free, and that this thing not only doesn't turn off; the program then finds it in the memory, deletes all instances, and then your machine is once again free from the nasty.
A-Squared Free: This program offers a 2-in-1 package, or simply the malware removal tool.
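The fix the post describes for the disabled antivirus guard is "turn the service back on." The script below is an added example, not part of the original thread and not from any antivirus vendor: it checks whether a named Windows service has been stopped or switched to Disabled, puts it back to Automatic, starts it, and then watches it for a few minutes so you can tell whether something resident is stopping it again. The service name is a placeholder you must replace; the one-liner in the comment shows how to find the real name for your own product. Run it from an elevated Windows PowerShell prompt.

```powershell
# Added example (not from the original thread). Checks a Windows service that
# should always be running (e.g. an antivirus real-time guard), re-enables and
# restarts it, then watches whether it gets stopped again.
# The default name below is a PLACEHOLDER. Find your product's real service name with:
#   Get-Service | Where-Object { $_.DisplayName -like '*Avira*' }   # or '*Kaspersky*', etc.
param(
    [string]$ServiceName = 'YourAvRealtimeServiceName',  # placeholder, replace before use
    [int]$WatchMinutes = 5
)

$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Host "Service '$ServiceName' not found. Look up the exact name with Get-Service."
    exit 1
}

# Win32_Service exposes the start mode (Auto / Manual / Disabled) on every
# Windows PowerShell version, including the ones current when this thread was written.
$wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
Write-Host ("{0}: status={1}, start mode={2}" -f $svc.DisplayName, $svc.Status, $wmi.StartMode)

# Rogue AV products commonly flip the guard service to Disabled so a plain
# "start" fails; reset the start type to Automatic before starting it.
if ($wmi.StartMode -eq 'Disabled') {
    Set-Service -Name $ServiceName -StartupType Automatic
    Write-Host "Start mode was Disabled; reset to Automatic."
}

if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
    $svc.Refresh()
    Write-Host ("Started; status is now {0}" -f $svc.Status)
}

# Watch the service. If it keeps being stopped after you restart it, something
# resident is still killing it, and a scanner the rogue does not disable
# (the thread recommends a-squared) is the next step rather than more restarts.
$end = (Get-Date).AddMinutes($WatchMinutes)
while ((Get-Date) -lt $end) {
    Start-Sleep -Seconds 30
    $svc.Refresh()
    if ($svc.Status -ne 'Running') {
        Write-Host ("{0}: service was stopped again, restarting" -f (Get-Date))
        Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
    }
}
Write-Host "Watch period over."
```

A service that stays up for the whole watch period is consistent with the poster's experience that turning the guard back on is enough; one that is repeatedly stopped tells you the resident component is still active and the machine needs a scan from a tool the rogue cannot switch off.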
ShadowRaider Posted February 17, 2009
First of all, this thing is a variant of Antivirus 2008/2009. It's got an interesting way of spreading itself, via IM, primarily MSN Messenger (any flavor). My daughter got my machine infested entirely by accident while chatting in MSN IM. Didn't click any links, accept any file transfers, nothing like that. She was simply chatting, and then all of a sudden, there it was. So, been trying to clean this beastie OUT for the last few days. Here's the thing... I deleted all associated files, killed all associated processes, and deleted all associated registry entries. NORMALLY, that will then allow a user to run their anti-malware software. Well, this thing is also a TSR, so while I did all that, it still didn't kill it enough to disable it. Which means that none of my malware removal stuff would work, as it turns it all OFF. This also tends to turn off most antivirus programs. Two of the few exceptions that I know of are Kaspersky and Avira. With Avira (I use it, so have experienced what'll happen), it turns off the Antivirus guard section. Simple enough fix: you simply turn the service back on, and the program will then continue to work as it should. So, in an effort to de-infest my machine, found a malware utility that is free, and that this thing not only doesn't turn off; the program then finds it in the memory, deletes all instances, and then your machine is once again free from the nasty.
A-Squared Free: This program offers a 2-in-1 package, or simply the malware removal tool.
In addition, the MAIN trojan TSR that this thing infests you with is Trojan-Downloader.Win32.Renos.AQ and any variant of the same. Removal tool for the trojan only. Might be a good idea for people to run the thing, just in case.
Wow, guess I'm telling all my friends to stay off MSN for the foreseeable future, and directing them to this thread. Thanks for the heads up.
DemonGoddess (Author) Posted February 17, 2009
They can actually use MSN, they just have to be careful. Having a good malware scanner (and using it) will help. Thing is, these bugs look for and exploit known program vulnerabilities. That's the way they've always worked, regardless of the program they exploit. The other thing to remember, and I cannot stress this enough, is no browser toolbars, i.e. Google, Yahoo, Crawler, just to name a few. The things are trojan magnets.
celuthea Posted February 17, 2009
Thanks for this. Fortunately I use Yahoo! Messenger and have Norton, but thanks for the heads-up - I've sent the link to friends who have and use MSN Messenger.
DemonGoddess (Author) Posted February 17, 2009
Unfortunately, ALL the IM programs have some vulnerabilities. AIM (as much as I don't care for it) is likely the safest of the three most commonly used, but it's also got vulnerabilities. As far as I know, the ONLY antivirus program that will actually catch these things immediately, and is not either completely disabled or partially disabled, is Kaspersky. It could be that it would only partially disable Norton (similar to how Avira responds to it) but as I've not used that program for a number of years myself, I couldn't say with certainty.
This bug completely disables the following:
AVG
Avast
McAfee
Spybot Search & Destroy
Malwarebytes
SuperAntiSpyware
The above are all very good programs, but you see why this would be a problem. There are many more that this program will disable, but I can't think of 'em off the top of my head.
MomoDesu Posted February 17, 2009
Thank you so much for posting this. We've been plagued by this thing on my mother's computer for the past week or so and it has been driving my father and me batty trying to fix it. The moment I saw the notice about this in my email I darted to his little 'hidey hole' (i.e. the other computer room) and hijacked mom's computer to fix it. I can't thank you enough right now!
Kagehoshi Posted February 17, 2009
Thanks for the warning. I am a Mac user and not affected, but I will pass this on to others. Thank you very much.
kazfeist Posted February 17, 2009
Thanks so much... I downloaded the A-squared one, and found it useful. Ran without my regular firewalls going, and then loaded them back on. Much faster.
Revu Posted February 17, 2009
Wow, I'd never heard of A-Squared before, that's pretty cool. Normally when you get a really nasty RAM-loading virus or TSR you need to run some kind of boot disk with anti-virus or malware removal tools to run in DOS before Windows loads anything. Of course those aren't the easiest or most user-friendly tools to use to do so. If programs like these keep coming out though, people are going to stop bringing me their computers to fix! lol. Thanks for the heads up on possible infections!
Kanashii Posted February 17, 2009
Thank you for the heads up on this, DemonGoddess. It is indeed unnerving to know that malicious people are always coming out with "better, more virulent" malware and viruses. *sigh* It's better to know that we as forums and communities can alert one another and take care of our own folks. This sounds like a bad virus indeed. Thankfully I don't use "chat" programs too much. Warmly, Kanashii
Brwne Byte Posted February 18, 2009
I downloaded a-squared right away. Thanks for letting us know, because I use all the messengers: AIM, Yahoo, and MSN. Very unnerving.
DemonGoddess (Author) Posted February 18, 2009
You're all very welcome. @Revu--I feel yer pain... I also did this for a living for many, many years. But not for individual users so much, as for network operations. BUT, much better to alert our users, and have the ones who CAN fix it and catch it in early stages do exactly that. Now, if it's a later stage infection, and it's infected the rootkit directory, all that can be done then is a clean install of the OS. Which is exactly what I was trying to avert for myself, and did, thankfully. Something else I forgot to mention is that of all the browsers, Internet Explorer is the most vulnerable, due to ActiveX controls. The rogues and trojans LIKE to disguise themselves as ActiveX controls. Of course, no browser is completely invulnerable, but IE is the weakest.
Lanie12777 Posted February 18, 2009
Thank you so very much for informing everyone of this threat. My last computer was completely destroyed by an extremely bad virus/spyware, and it is very frustrating that people out there use their skills in computer technology to create things like this to infect other computers and programs. I'm just glad you were able to find a way to kill it and alert the members of this site about this problem. Thank you!!
Guest simplewords Posted February 18, 2009
Ugh, I wish someone had warned me about this a few days ago. I got the virus on Friday and I don't even use MSN or any of those instant messenger things. I got it from a website I visit every day... It completely bypassed my Norton Security too. Six hours of work later I had gotten rid of it, but I had also taken my comp registries all the way back to December in order to fully get rid of it. It's a quick little bugger. From what I gathered after I looked over my machine is that it came from an ad (that I didn't click on, but I guess just having it up on my screen was enough). "Project Wonderful" was what it had stored in my computer as, which after some research I found was a type of online advertising company. If you google it you'll get something like 64 million links, all about advertising.
DemonGoddess (Author) Posted February 18, 2009
Yes, it can be killed if caught early. However, if it infects your master boot record, and goes into the rootkit directory, you'll have to reformat. No way around it. Hopefully, if that's the case, you'll have found it in time to at least salvage your working files and documents. Mind you, I THOUGHT I caught it at that point. But, turns out I did not, so I'm having to retrieve data before I reformat my drive. Good thing I've got other booting hard drives not being used. Something else to please, PLEASE remember, is that it doesn't just spread via IM programs. It also spreads via ads, browser toolbars, and ActiveX controls.
PoaTB Posted February 18, 2009
Thanks for the warning. I don't use MSN much, but I'll keep an eye out for this virus. I hope it gets better for you.
Usako Man Posted February 19, 2009
Crap, man... so how long before MSN or someone takes this virus out so we're no longer threatened?
DemonGoddess (Author) Posted February 19, 2009
Like I said, what happens is that this particular virus hides itself in a number of things, ActiveX controls being one of them. So, I had to find where I put my old 40GB (and hope it was still bootable). That worked, thankfully. Then, I started getting all my working data. Ran out of media. So NOW I'm FTP'ing it up to my site domain. UGH.
BrackCatMojo Posted February 19, 2009
I did the scan and it said I "might" have this Trojan. But to find out for sure I have to buy the program. WTF???
renegaderaine Posted February 19, 2009
I too have Yahoo Messenger, and believe me, it is also spread that way! Consider the fact that programs such as Trillian are out there that allow users to chat with people on MSN, AIM, Yahoo, etc. all from the same application; therefore no messenger is safe. I had the Trojan version of the Antivirus 2009 virus, and was able to get rid of it with Malwarebytes. However, I had this other version of it too, and all Malwarebytes did was take away the main source, so I no longer had symptoms of it. However, I was asked by a friend why I had tried to send her a file over the weekend, and I hadn't been online at all. I had remembered reading this thread and asked her to not open it, then sent messages to everyone on my list. I ran both programs, and want to say a big thank you! Now I have to figure out how to deal with another little problem that a-squared found but wasn't able to fix, lol. Oh well, so is the life of a computer user, right? DemonGoddess061~~ I reposted a portion of your post on my website's forum to let people there know about it. I hope you don't mind. Thanks again!! -Raine
ShadowRaider Posted February 19, 2009
As far as reformatting, all I'll need to do is use the Vista system recovery partition; it'll format my disk as it reinstalls Windows (called re-imaging), or I can use the recovery DVDs. So, I'm happy.
Dhuaine Posted February 23, 2009
The second scanner thing (not a-squared) is XoftSpySE. It appears to be a full antispyware program, not a trojan removal thing. (Not that it can remove anything - not available in the free version. I was stupid and installed it. >.<) The question is, was the link supposed to lead to this program? It doesn't sound very good - it didn't find half of the stuff I suspected to be in the cookies folder.
DemonGoddess (Author) Posted February 23, 2009
Just run a-squared, and it'll be fine. Ignore the other. I never did run it myself, as a-squared was finding everything. As to posting this elsewhere, of course I don't mind. The more who know what this thing is, and how to kill it, the better.
Heh, my hard drive woes get even better from this nasty thing. Not only did it eat the master boot record, it corrupted the boot sector to where it's having trouble for Windows to ID the capacity. CMOS sees it just fine, but the OS keeps changing the drive capacity. So, off it goes back to the factory. It literally scrambled my drive. I was at least able to retrieve my data, so that's always a good thing.
And Vista? Absolutely WORTHLESS OS. Have it on the laptop, and hate it. My old P4 (which is this machine I'm working from now) runs much faster, and has less CPU power. The laptop has a dual core and should be much faster than this. It's NEVER run faster than my old homemade desktop. Can't load up programs and such to do work like I can in XP, a host of other issues I have with that operating system. Of course, there's always the little factoid that Microsoft just gave up on it, and is already putting a NEW OS in beta, because they can't FIX the problems in Vista. Which, if you think about it, is how XP came about. They couldn't fix Win2k which was a memory leaker, among other things. ME wasn't designed to be upgraded much, which was too bad. Hence the development of XP to fix the problems with both. Mind you, they still didn't even get THAT one quite right until SP2.
Dhuaine Posted February 23, 2009
Thank you. I've just finished an a-squared scan and I feel a bit safer now. I wonder what the virus uses to spread like that. Would it still go through web MSN? O.o It sounds like one of the most atrocious things to ever grace the internet. I hope you'll get all your stuff working without more trouble.
ShadowRaider Posted February 24, 2009
Guess I'm one of the lucky users, as I am able to report that it seems to be a rock solid OS. Runs just fine on my hardware:
Intel Core 2 Duo @ 2.0GHz
3GB of RAM
NVIDIA GeForce 8400 256MB 3D card
120GB hard drive
built-in wireless
fingerprint reader
Of course, it helps if you turn off things like UAC and the Aero theme. As to this virus, whoever is responsible deserves to rot in prison, if not worse.