Jump to content

Click Here!

Recommended Posts

Posted

First of all, this thing is a variant of Antivirus 2008/2009.

It's got an interesting way of spreading itself, via IM, primarily MSN Messenger (any flavor).

My daughter got my machine infested entirely by accident while chatting in MSN IM. Didn't click any links, accept any file transfers, nothing like that. She was simply chatting, and then all of sudden, there it was. :o So, been trying to clean this beastie OUT for the last few days.

Here's the thing..

I deleted all associated files, killed all associated processes, and deleted all associated registry entries. NORMALLY, that will then allow a user to then run their anti malware software. Well, this thing is also a TSR, so while I did all that, it still didn't kill it enough to disable it. Which means that none of my malware removal stuff would work. As it turns it all OFF. This also tends to turn off most antivirus programs. Two of the few exceptions that I know of are Kaspersky and Avira. With Avira (I use it, so have experienced what'll happen), it turns off the Antivirus guard section. Simple enough fix, you simple turn the service back on, and the program will then continue to work as it should.

So, in an effort to de-infest my machine, found a malware utility that is free, and that this thing not only doesn't turn off, the program then finds it in the memory, deletes all instances, and then your machine is once again free from the nasty.

A-Squared Free

This program offers a 2-in-1 package, or simply the malware removal tool.

Posted
First of all, this thing is a variant of Antivirus 2008/2009.

It's got an interesting way of spreading itself, via IM, primarily MSN Messenger (any flavor).

My daughter got my machine infested entirely by accident while chatting in MSN IM. Didn't click any links, accept any file transfers, nothing like that. She was simply chatting, and then all of sudden, there it was. :o So, been trying to clean this beastie OUT for the last few days.

Here's the thing..

I deleted all associated files, killed all associated processes, and deleted all associated registry entries. NORMALLY, that will then allow a user to then run their anti malware software. Well, this thing is also a TSR, so while I did all that, it still didn't kill it enough to disable it. Which means that none of my malware removal stuff would work. As it turns it all OFF. This also tends to turn off most antivirus programs. Two of the few exceptions that I know of are Kaspersky and Avira. With Avira (I use it, so have experienced what'll happen), it turns off the Antivirus guard section. Simple enough fix, you simple turn the service back on, and the program will then continue to work as it should.

So, in an effort to de-infest my machine, found a malware utility that is free, and that this thing not only doesn't turn off, the program then finds it in the memory, deletes all instances, and then your machine is once again free from the nasty.

A-Squared Free

This program offers a 2-in-1 package, or simply the malware removal tool.

In addition, the MAIN trojan TSR that this thing infests you with is Trojan-Downloader.Win32.Renos.AQ and any variant of the same.

Removal tool for the trojan only.

Might be a good idea for people to run the thing, just in case.

wow, guess I'm telling all my friends to stay off msn for the foreseeable future, and directing them to this thread.

thanks for the heads up.

Posted

They can actually use MSN, they just have to be careful. Having a good malware scanner (and using it) will help. Thing is, these bugs look for and exploit known program vulnerabilities. That's the way they've always worked, regardless of the program they exploit.

The other thing to remember, and I cannot stress this enough, is no browser toolbars. i.e. google, yahoo, crawler, just to name a few. The things are trojan magnets.

Posted

Unfortunately, ALL the IM programs have some vulnerabilities. AIM (as much as I don't care for it) is likely the safest of the three most commonly used, but it's also got vulnerabilities.

As far as I know, the ONLY antivirus program that will actually catch these things immediately, and is not either completely disabled or partially disabled, is Kaspersky.

It could be that it would only partially disable Norton (similar to how Avira responds to it) but as I've not used that program for a number of years myself, I couldn't say with certainty.

This bug completely disables the following:

  • AVG
  • Avast
  • MacAfee
  • Spybot Search & Destroy
  • Malwarebytes
  • SuperAntiSpyware

The above are all very good programs, but you see why this would be a problem. There are many more that this program will disable, but I can't think of 'em off the top of my head.

Posted

Thank you so much for posting this. We've been plagued by this thing on my mother's computer for the past week or so and it has been driving my father and I batty trying to fix it. The moment I saw the notice about this in my email I darted to his little 'hidey hole' (ie the other computer room) and hijacked mom's computer to fix it. I can't thank you enough right now!

Posted
Thanks so much...I downloaded the A-squared one, and found it useful. Ran without my regular firewalls going, and then loaded them back on. Much faster. :D

First of all, this thing is a variant of Antivirus 2008/2009.

It's got an interesting way of spreading itself, via IM, primarily MSN Messenger (any flavor).

My daughter got my machine infested entirely by accident while chatting in MSN IM. Didn't click any links, accept any file transfers, nothing like that. She was simply chatting, and then all of sudden, there it was. :o So, been trying to clean this beastie OUT for the last few days.

Here's the thing..

I deleted all associated files, killed all associated processes, and deleted all associated registry entries. NORMALLY, that will then allow a user to then run their anti malware software. Well, this thing is also a TSR, so while I did all that, it still didn't kill it enough to disable it. Which means that none of my malware removal stuff would work. As it turns it all OFF. This also tends to turn off most antivirus programs. Two of the few exceptions that I know of are Kaspersky and Avira. With Avira (I use it, so have experienced what'll happen), it turns off the Antivirus guard section. Simple enough fix, you simple turn the service back on, and the program will then continue to work as it should.

So, in an effort to de-infest my machine, found a malware utility that is free, and that this thing not only doesn't turn off, the program then finds it in the memory, deletes all instances, and then your machine is once again free from the nasty.

A-Squared Free

This program offers a 2-in-1 package, or simply the malware removal tool.

In addition, the MAIN trojan TSR that this thing infests you with is Trojan-Downloader.Win32.Renos.AQ and any variant of the same.

Removal tool for the trojan only.

Might be a good idea for people to run the thing, just in case.

Posted

Wow I'd never heard of A-Squared before, that's pretty cool.

Normally when you get a really nasty Ram loading virus or TSR you need to run some kind of boot disk with anti-virus or malware removal tools to run in dos before Windows loads anything. Of course those aren't the easiest or more user-friendly tools to use to do so. If programs like these keep coming out though, people are going to stop bringing me their computers to fix! lol

Thanks for the heads up on possible infections!

Posted

Thank you for the heads up on this Demongoddess:

It is indeed unnerving to know that malicious people are always coming out with "better more virulent" malware and virus'. *sigh!

It's better to know that we as forums and communities can alert one another and take care of our own folks. This sounds like a bad virus indeed. Thankfully I don't use "chat" programs to much.

Warmly,

Kanashii

Posted

I downloaded a squared right away. Thanks for letting us kno, because I use all the messengers, Aim Yahoo, and Msn. Very unnerving. :o

Posted

You're all very welcome. :o

@Revu--I feel yer pain...I also did this for a living for many, many years. But not for individual users so much, as for network operations. BUT, much better to alert our users, and have the ones who CAN fix it and catch it in early stages do exactly that.

Now, if it's a later stage infection, and it's infected the rootkit directory, all that can be done then is a clean install of the OS.

Which is exactly what I was trying to avert for myself, and did, thankfully.

Something else I forgot to mention is that of all the browsers, Internet Explorer is the most vulnerable, due to ActiveX controls. The rogues and trojans LIKE to disguise themselves as ActiveX controls. Of course, no browser is completely invulnerable, but IE is the weakest.

Posted

Thank you so very much about informing everyone of this threat. My last computer was completely destroyed by an extremely bad virus/spyware, and it is very frustrating that people out there use their skills in computer technology to create things like this to infect other computers and programs. I'm just glad you were able to find a way to kill it and alert the members of this site about this problem. Thank you!! :o

Guest simplewords
Posted

Ug I wish someone had warned me about this a few days ago. I got the virus on friday and I don't even use MSN or any of those instant messenger things. I got it from a website I visit everyday... It completely bipassed my Norton Security too.

Six hours of work later I had gotten rid of it, but I had also taken my comp registries all the way back to december in order to fully get rid of it. It's a quick little bugger. From what I gathered after I looked over my machine is that it came from an ad (that I didn't click on , but I guess just having it up on my screen was enough). "Project Wonderful" was what it had stored in my computer as, which after some research I found was a type of online advertising company. If you google it you'll get something like 64 million links, all about advertising.

Posted

Yes, it can be killed if caught early. However, if it infects your master boot record, and goes into the rootkit directory, you'll have to reformat. No way around it. Hopefully, if that's the case, you'll have found it in time to at least salvage your working files and documents.

Mind you, I THOUGHT I caught it at that point. But, turns out I did not, so I'm having to retrieve data before I reformat my drive. Good thing I've got other booting hard drives not being used. :o

Something else to please, PLEASE remember, is that it doesn't just spread via IM programs. It also spreads via ads, browser tool bars, and ActiveX controls.

Posted
Thanks for the warning. I don't use MSN much, but I'll keep an eye out for this virus. I hope it gets better for you.

Crap man... so how long before MSN or someone takes this virus out so we're no longer threatened?

Posted

Like I said, what happens is that this particular virus hides itself in a number of things. ActiveX controls being one of them.

So, I had to find where I put my old 40gb (and hope it was still bootable). That worked, thankfully. Then, I started getting all my working data. Ran out of media. So NOW I'm ftp'ing it up to my site domain. UGH.

Posted
Thanks for this, fortunately I use Yahoo! Messenger and have Norton, but thanks for the heads-up - I've sent the link to friends who have and use MSN messenger.

I too have Yahoo messenger, and believe me, it is also spread that way! Consider the fact that programs such as trillion are out there that allow users to chat with people on MSN, AIM, Yahoo, etc. all from the same application, therefore no messenger is safe.

I had the Trojan version of the antivirus2009 virus, and was able to get rid of it with malware bytes, however, I had this other version of it to, and all malwarebytes did was take away the main source, so I no longer had symptoms of it.

However, I was asked by a friend why I had tried to send her a file over the weekend, and I hadn't been online at all, I had remebered reading this thread and asked her to not open it, then sent messages to everyone on my list. I ren both programs, and want to say a big thank you!

Now I have to figure out how deal with another little problem that A squared found but wasn't able to fix lol. Oh well, so is the life of computer user, right?

DemonGoddess061~~ I reposted a portion of your post on my website's forum to let people there know about it. I hope you don't mind ^_^

Thanks again!!

-Raine

Posted
I too have Yahoo messenger, and believe me, it is also spread that way! Consider the fact that programs such as trillion are out there that allow users to chat with people on MSN, AIM, Yahoo, etc. all from the same application, therefore no messenger is safe.

I had the Trojan version of the antivirus2009 virus, and was able to get rid of it with malware bytes, however, I had this other version of it to, and all malwarebytes did was take away the main source, so I no longer had symptoms of it.

However, I was asked by a friend why I had tried to send her a file over the weekend, and I hadn't been online at all, I had remebered reading this thread and asked her to not open it, then sent messages to everyone on my list. I ren both programs, and want to say a big thank you!

Now I have to figure out how deal with another little problem that A squared found but wasn't able to fix lol. Oh well, so is the life of computer user, right?

DemonGoddess061~~ I reposted a portion of your post on my website's forum to let people there know about it. I hope you don't mind ^_^

Thanks again!!

-Raine

far as reformatting, all I'll need to do is use the vista system recovery partition, it'll format my disk as it reinstalls windows(called re-imaging), or I can use the recovery dvds.

so, I'm happy.

Posted

The second scanner thing (not a-squared) is XoftSpySE. It appears to be a full antispyware program, not trojan removal thing. (Not that it can remove anything - not available in free version. I was stupid and installed it. >.<) The question is, was the link supposed to lead to this program? It doesn't sound very good - it didn't find half of stuff I suspected to be in cookies folder.

Posted

Just run a-squared, and it'll be fine. Ignore the other. I never did run it myself, as a-squared was finding everything.

As to posting this elsewhere, of course I don't mind. The more who know what this thing is, and how to kill it, the better. :)

heh, my hard drive woes get even better from this nasty thing. Not only did it eat the master boot record, it corrupted the boot sector to where it's having trouble for Windows to ID the capacity. CMOS sees it just fine, but the OS keeps changing the drive capacity. So, off it goes back to the factory. It literally scrambled my drive. I was at least able to retrieve my data, so that's always a good thing.

And Vista? Absolutely WORTHLESS OS. Have it on the laptop, and hate it. My old P4 (which is this machine I'm working from now) runs much faster, and has less cpu power. The laptop has a dual core and should be much faster than this. It's NEVER run faster than my old homemade desktop. Can't load up programs and such to do work like I can in XP, a host of other issues I have with that operating system. Of course, there's always the little factoid that Microsoft just gave up on it, and is already putting a NEW OS in beta, because they can't FIX the problems in Vista. Which, if you think about it, is how XP came about. They couldn't fix Win2k which was a memory leaker, among other things. ME wasn't designed to be upgraded much, which was too bad. Hence the development of XP to fix the problems with both. Mind you, they still didn't even get THAT one quite right until SP2.

Posted

Thank you. I've just finished a-squared scan and I feel a bit safer now.

I wonder what the virus uses to spread like that. Would it still go through web msn? O.o It sounds like one of the most atrocious things to ever grace internet. I hope you'll get all your stuff working without more trouble :)

Posted

guess I'm one of the lucky users, as I am able to report that it seems to be a rock solid OS.

runs just fine on my hardware.

intel core2 duo @2.0ghz

3gb of ram

nvidia geforce 8400 256mb 3d card

120gb hard drive

built in wireless

fingerprint reader

of course, it helps if you turn off things like UAC and aero theme.

as to this virus, whoever is responsible deserves to rot in prison, if not worse.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...