
Nasty Malware


By steve - Posted on 17 March 2010

A client of mine was hit with a nasty bit of malware. This was either part of, or became evident from, getting hit by the "Antivirus 2010" scamware.

The reason we aren't sure is because it was only after the infection and everything looked clean that a fake "authentication security measure" form showed up whilst logging into eBay. After logging in, the user was prompted with a form asking for a lot of personal information and containing things like...

"We have noticed an increasing fraudulent activity recently. In order to provide your security and protect you from fraudsters we have introduced a new system of identification that will help us to avoid any kind of fraud or unauthorised access.

Please enter as more information as possible to provide your complete identification and to activate all the features of the new system."

Clearly bogus.

Anyway, this was certainly the worst thing I've run across to get rid of, especially trying to do it remotely.

These programs cleaned up other stuff, but were worthless against this nasty:
* AVG 9.0 (running anti-rootkit and it let it in!)
* Malwarebytes
* Prevx 3.0
* mbr.exe
* gmer
* Lots of other online scanners

Prevx gave me a hint, though, when they reported on their website blog that you can tell if you've been hit by the latest, if...

"If you haven't installed Prevx and you want to check if your system is infected by MBR rootkit, it's possible to check inside Windows directory, under the Temp subdirectory (%windir%\Temp) for the presence of a hidden file with its name starting with "$$$". If there is such file, your PC could be affected by the MBR rootkit."
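As an added example, not from the original post or from Prevx, here is a PowerShell check for the indicator quoted above: hidden files in %windir%\Temp whose names start with "$$$". The function name and the report fields are my own choices; only the directory and the name pattern come from the quote.

```powershell
# Added example: report hidden "$$$*" files in %windir%\Temp, the indicator
# quoted from the Prevx blog. Function name and output fields are assumptions.
function Test-MbrRootkitTempIndicator {
    [CmdletBinding()]
    param(
        # Defaults to the Windows Temp directory the Prevx note refers to.
        [string]$Path = (Join-Path $env:windir 'Temp')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Directory not found: $Path"
        return @()
    }

    # -Force matters: without it Get-ChildItem skips hidden and system files,
    # and the indicator is a file carrying the Hidden attribute.
    $candidates = Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name.StartsWith('$$$') -and
            ($_.Attributes -band [System.IO.FileAttributes]::Hidden)
        }

    foreach ($f in $candidates) {
        # Hash the file in place so it can be checked against vendor
        # signatures without copying the sample off the machine.
        try   { $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash }
        catch { $hash = 'unreadable' }

        [pscustomobject]@{
            Path        = $f.FullName
            SizeBytes   = $f.Length
            Attributes  = $f.Attributes.ToString()
            CreatedUtc  = $f.CreationTimeUtc
            ModifiedUtc = $f.LastWriteTimeUtc
            Sha256      = $hash
        }
    }
}

$hits = @(Test-MbrRootkitTempIndicator)
if ($hits.Count -eq 0) {
    # A rootkit that is still running can hide files from the file-system
    # API, so an empty result is not proof of a clean machine.
    Write-Host 'No hidden $$$* files found in %windir%\Temp. A scan from clean boot media is the stronger check.'
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated prompt, since a standard user may not be able to list or hash everything under %windir%\Temp.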

So, it turned out to be a rootkit that was causing problems as we tried to wrap up everything else. The final solution was to use "combofix.exe" to repair everything. This handy program isn't for the faint of heart or the newbie, so I'm not recommending it as a solution for *YOU*, but it did work for me. If you find yourself with this issue, you can probably get help in the Bleeping Computer forums.
