Trojan:Win32/FakeSpypro & Trojan:JS/FakeSpypro

bludgard69

A little help, please. Got this trojan earlier. It disabled MSE, MBAM, Internet, CCleaner, and pretty much anything .exe. Claimed everything was infected... so says whatever fake AV program that came with it. (I wish I could figure out how to use the indentation tool here.) I had to restart, open Task Manager before this thing (the trojan) kicked in, and end the process of said trojan before it could take control of my PC. I then ran MSE, nothing. Restart. Trojan takes control. Restart, LAN unplugged. Task Manager thingy. MSE finds the trojan. Removes trojan. Restart. Trojan returns. Above processes are repeated. Finally I tried suspending the process in Resource Monitor, and MSE put it in quarantine, where it remains to this posting. Online scanner from BitDefender found it. ESET online scanner did not. MBAM did not. All up to date. MSE could only find it when it was a running process.

Disabled internet by changing to proxy server with no address.

What I would like to do is be rid of it for good. Thinking about an unbloated clean install but would like to save some files first. If this won't carry infectious material with it.

I got a zip file with this infected file. Any way for someone to check it out? Everything seems fine at the moment, yet it's still there. Any ideas?

If anyone wants to look into this file, let me know how. :sick:
 

First, take a deep breath, calm down. Start the computer in Safe Mode. Find a flash drive and another computer, or if you're confident it's not running in safe mode, download SUPER Antispyware. Secondly, a trojan on a friend's computer once disabled executables for me as well. Right clicking on them and picking "Run as Administrator" allowed me to run them though.

You have plenty of options to deal with this thing. The fact that you're removing it and it's coming back means it's hiding somewhere. You can try rolling back your system with system restore and see if that helps. Otherwise, I'd suggest deleting the restore points because it's usually where viruses like to hide.
 

How to manually remove Trojan.FakeSpypro

Files associated with Trojan.FakeSpypro infection:

iehelper.dll
Adware_Pro.exe
sysguard.exe
nwdcsysguard.exe

Trojan.FakeSpypro DLL's to remove:

iehelper.dll

Trojan.FakeSpypro processes to kill:

Adware_Pro.exe
sysguard.exe
nwdcsysguard.exe

Remove Trojan.FakeSpypro registry entries:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{9030D464-4C02-4ABF-8ECC-5164760863C6}
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ sysguard
RUNNING PROGRAM\Explorer.EXE
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ Adware_ProMFCT
HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ system tool
RUNNING PROGRAM\sysguard.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser HelperObjects\{3A44F370-735B-485f-B212-62007E9E6815}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\ system tool
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser HelperObjects\{CFA131B1-3A6E-4c4f-A0CC-4CC9D844B04C}

Hope this helps... ;)
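
The registry and process entries listed in the post above can be checked without deleting anything. This PowerShell script is an added example, not part of the original post: it uses the actual Windows key name `Browser Helper Objects` (the post writes `Browser HelperObjects`), and the WOW6432Node paths, the "review" listing of every Run value and the function names `Get-RegValues` and `New-Finding` are additions made here.

```powershell
# Read-only triage for the indicators named in the post above. Deletes nothing.
$cv    = 'Microsoft\Windows\CurrentVersion'
# The WOW6432Node (32-bit) view is an addition; the post lists only native paths.
$roots = "HKCU:\SOFTWARE\$cv", "HKLM:\SOFTWARE\$cv", "HKLM:\SOFTWARE\WOW6432Node\$cv"

$runNames  = 'sysguard', 'Adware_ProMFCT', 'system tool'   # Run value names from the post
$bhoClsids = '{3A44F370-735B-485f-B212-62007E9E6815}',
             '{CFA131B1-3A6E-4c4f-A0CC-4CC9D844B04C}'       # Browser Helper Object CLSIDs
$stsClsid  = '{9030D464-4C02-4ABF-8ECC-5164760863C6}'       # SharedTaskScheduler CLSID
$procNames = 'Adware_Pro', 'sysguard', 'nwdcsysguard'       # process names, without .exe

function Get-RegValues {
    # Emits one object per value under a key; emits nothing if the key is absent.
    param([string]$Path)
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $key) { return }
    foreach ($name in $key.GetValueNames()) {
        New-Object PSObject -Property @{ Key = $Path; Name = $name; Data = $key.GetValue($name) }
    }
}

function New-Finding {
    param($Status, $Kind, $Location, $Detail)
    New-Object PSObject -Property @{ Status = $Status; Kind = $Kind; Location = $Location; Detail = $Detail }
}

$report = @()
foreach ($root in $roots) {
    # Every autostart value is listed; the names from the post are flagged LISTED.
    foreach ($v in @(Get-RegValues "$root\Run")) {
        $status = if ($runNames -contains $v.Name) { 'LISTED' } else { 'review' }
        $report += New-Finding $status 'Run value' $v.Key "$($v.Name) = $($v.Data)"
    }
    # Browser Helper Objects are registered as subkeys named after the CLSID.
    foreach ($clsid in $bhoClsids) {
        $path = "$root\Explorer\Browser Helper Objects\$clsid"
        if (Test-Path -LiteralPath $path) { $report += New-Finding 'LISTED' 'BHO' $path '' }
    }
    # SharedTaskScheduler entries are values whose name is the CLSID.
    $stsKey = "$root\Explorer\SharedTaskScheduler"
    foreach ($v in @(Get-RegValues $stsKey)) {
        if ($v.Name -eq $stsClsid) { $report += New-Finding 'LISTED' 'SharedTaskScheduler' $stsKey $v.Name }
    }
}
foreach ($p in @(Get-Process -Name $procNames -ErrorAction SilentlyContinue)) {
    $report += New-Finding 'LISTED' 'Process' "PID $($p.Id)" $p.ProcessName
}

$report | Sort-Object Status | Format-Table Status, Kind, Location, Detail -AutoSize -Wrap
```

A result with no LISTED rows covers only the fixed names in the list; the samples scanned later in this thread carry random file names, which is why every Run value is printed for manual review.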
 

Gimme a sec, thanks.
 

:D
Let me get back to you guys. I dealt with this thing for 5 hours to get my system back. I need a little time. I appreciate your timely response.
 

Copy and paste taskmgr.exe from the System32 folder to the desktop and rename it to Opera.exe. Now Task Manager will start, allowing you to kill the rogue's process; then get a scan going with Malwarebytes, updated first of course.

Or you can go to the Malwarebytes Programs folder and rename mbam.exe to Opera.exe, and Malwarebytes should start even if the exe-killing rogue's process is active.

You can rename to Firefox.exe as well. In fact, renaming most exes to Firefox or Opera should allow them to run with this rogue active.
 

Nothing Found

Searched W Explorer for .dll & exe. Nothing. Am I possibly searching in the wrong place? No reg entries either. There were some reg entries that CCleaner found after MSE removed part of the trojan; they may have been similar to what you mentioned. I deleted them. I wish I had taken pics. Live and learn. I panicked :shock: Hopefully I did the right thing. They just looked scary. I really don't want to restart my PC until this thing is completely removed. Am I gettin' paranoid? :rolleyes:



Heard

Hi, Jaxryley.
:)
Will MBAM remove this if I let it run freely again? Will it find it? I don't have real time protection through MBAM. Is there a safe way to manipulate this thing to be rid of every thread?
EDIT: MBAM runs since MSE got it quarantined. Just doesn't even find the .zip file pasted on my desktop. I just scanned it (the .zip file) with both MBAM and MSE, neither found it a threat.
Only Bitdefender online scanner found it.

I'LL GET RID OF THIS HOSTAGE TAKING PIECE OF S***!
GAME ON!:sa:



Here's some more CCleaner found. Should I keep deleting these?
 

@bludgard69, every now and then I run a microjoin exploit that drops/downloads heaps of other exploits, including a new morphed exe for the rogue AV Security Suite that hardly any blacklists hit and which is uploaded to Malwarebytes for inclusion in their database.

It's really a case of that if no AV/AM has seen the new sample as yet then it won't be hit and some AV/AM's can't scan within zip archives.

If you can upload the zip to a share site and give me the link I'll make sure it gets included into MBAM's database asap.
 

Can you give me an example of a share site? Thanks.

UPDATE: MSE seems to be holding it at bay. Restarted a couple of times and everything is cool runnings, so far.

EDIT: AV Security Suite is exactly the name of the "scanner" that came with it.
 

OK.
 

Scanning............:sleepy:


kfsuiwvtssd.exe - Result: 14/41 (34.15%)
Virustotal. MD5: e86fe76999d536d68199241e8de64235 Trojan.FakeAV Trojan.Generic.KD.17354 Win32/Adware.SpywareProtect2009
Installed into a VM where MBAM is used as on demand.

After the rogue is installed mbam.exe is blocked from starting so I use opera.exe to get mbam up and running.

Updated MBAM and quick scan found and deleted this rogue which was a goner on reboot.

WORD!

Much appreciated.
Repped. ;)

About 15 hours of this. The main thing was getting my laptop up and running so I could get help with this. What a B****! I don't have another rig, so.........

See ya again, Jaxryley. Good job. :thumbsup:


Great stuff, glad you got it sorted! :D
 

I've just rerun the microjoin exploit that downloads heaps, including an installer for the rogue AV Security Suite, and this new morphed installer goes zero day over Jotti's.
ouyuerdtssd.exe - Scan finished. 0 out of 19 scanners reported malware.
ouyuerdtssd.exe - Jotti's malware scan

So in effect this one would bypass just about every major AV/AM until they get a hold of it and add it to their definitions. And yes, MBAM doesn't hit this one as yet either but will within the next update or two.

When most AV's start hitting this exe the rogue authors will release a new morphed version making sure it's not detected by most.

Dunno what's up with Virus Total but seems to be playing up a bit lately?
 

Sleepy

Very interesting stuff. First time anything has taken control of my lappy. Glad I have some support. ;) I'll be back on later. Thing's got my eyes gritty. :shock: No monies to pay ransom fees.

See ya later!


