Microsoft Antispyware is disabled - BEWARE!!!!


Microsoft Antispyware and Grisoft's AVG were disabled and being prevented
from running and/or re-installing. Although I was unable to save the
infected files as I was "fighting" it, I can tell you that there were two
files running in Task Manager that also had registry settings (there were
actually two instances of each running at the same time). They were:

ANTIAV_EXE.EXE / AUTO_ANTIAV_KEY
HLOADER_EXE.EXE / AUTO_HLOADER_KEY

I performed a search for these files, renamed them, and then I was able to
"End Task" each of them without them recreating themselves again and again.
I also found a bogus subdirectory under Windows filled with about eight EXEs
with numeric filenames. I'm assuming this was a holding queue or cache
for HLOADER.

This problem was discovered and resolved on November 2, 2005.

I hope this helps. Again, I'm sorry I was unable to isolate any of these
files for your examination.
 
David - if you have those executables, please consider any or all of the
following actions:

1) submit each of them to:

http://www.virustotal.com
http://virusscan.jotti.org

there's a browse window at the top right of each page.

2) consider zipping both of them together, password protecting the zip folder
(use "infected"), and sending it to my email address--drop the .plugh.org off
the end of my address as posted here. I can make sure these are submitted to
both the antivirus and antispyware folks at Microsoft.
 
Nice work David

There are probably other files dropped onto the system besides the files
showing in Task Manager, so it may be a good idea to run a couple of online
virus scanners to be sure the system is now clean. One of these files
(HLOADER) may relate to Trojan Lodear, but I'm not sure about the other AntiAV
file (possibly a Trojan.KillAV or Bankash variant).

For online scans, if you need them, try these:

Trend's Housecall

http://housecall.trendmicro.com/housecall/start_corp.asp

Panda scan:

http://www.pandasoftware.com/activescan/

eTrust AV web scanner (Computer Associates)

http://www3.ca.com/virusinfo/virusscan.aspx


There is a removal tool available from Symantec if one of the files relates
to Trojan.Lodear (Bagle.dk)

W32/Bagle.dk

http://vil.nai.com/vil/content/v_136751.htm

Trojan.Lodear

http://securityresponse.symantec.com/avcenter/venc/data/pf/trojan.lodear.html

Removal Tool Available here :

http://securityresponse.symantec.com/avcenter/venc/data/trojan.lodear.removal.tool.html


Here are some infections that would target Microsoft Antispy in a similar way
when executed (there are many variants, but these are just a few examples):

http://securityresponse.symantec.com/avcenter/venc/data/trojan.bankem.html

http://securityresponse.symantec.com/avcenter/venc/data/trojan.killav.f.html

http://securityresponse.symantec.com/avcenter/venc/data/[email protected]

http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.bankash.d.html


All The Best

Andy
 
I just checked these file names in more detail and it is Trojan.Lodear that
you had on your system, so there are other files such as a dll called
'hleader_dll.dll', and the antiav_exe.exe file is Trojan.Lodav.A. Again, there
is also a dll on the system called 'antiav_dll.dll', but the removal tool will
remove any traces of Trojan Lodear and Trojan Lodav from your system if they
exist.

Removal Tool :

http://securityresponse.symantec.com/avcenter/venc/data/trojan.lodear.removal.tool.html

Trojan Lodav

http://securityresponse.symantec.com/avcenter/venc/data/trojan.lodav.a.html

Trojan Lodear

http://securityresponse.symantec.com/avcenter/venc/data/trojan.lodear.b.html

Regards

Andy
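For anyone triaging a machine with the same symptoms, here is an added PowerShell script (not from any poster in this thread) that only reports the indicators named above: the two process names from the first post, the registry values AUTO_ANTIAV_KEY and AUTO_HLOADER_KEY (assumed here to be value names under the usual Run keys), the DLL names Andy identified, and a Windows subdirectory holding numeric-named EXEs. It renames or deletes nothing, so samples stay intact for submission.

```powershell
# Added triage script, not from the thread. Assumptions: the registry settings
# the first poster saw are value names under the standard Run keys, and the
# "bogus subdirectory" sits directly under %SystemRoot%. Adjust as needed.
$ProcNames = @('ANTIAV_EXE', 'HLOADER_EXE')   # Get-Process names omit the .exe
$FileNames = @('antiav_exe.exe', 'hloader_exe.exe', 'antiav_dll.dll', 'hleader_dll.dll')
$RegValues = @('AUTO_ANTIAV_KEY', 'AUTO_HLOADER_KEY')
$RunKeys   = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$findings = @()

# 1) Running processes (the thread reported two instances of each name).
foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
    if ($ProcNames -contains $p.ProcessName) {
        $findings += [pscustomobject]@{ Type = 'Process'; Name = $p.ProcessName
                                        Detail = "PID $($p.Id) Path=$($p.Path)" }
    }
}

# 2) Autostart values under the Run keys.
foreach ($k in $RunKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($v in $RegValues) {
        if ($props.PSObject.Properties.Name -contains $v) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Name = "$k\$v"; Detail = $props.$v }
        }
    }
}

# 3) Dropped files anywhere under the Windows directory.
$winDir = $env:SystemRoot
Get-ChildItem -Path $winDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $FileNames -contains $_.Name.ToLower() } |
    ForEach-Object { $findings += [pscustomobject]@{ Type = 'File'; Name = $_.FullName
                                                     Detail = "$($_.Length) bytes" } }

# 4) A subdirectory of Windows filled with EXEs whose names are all digits.
Get-ChildItem -Path $winDir -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $numeric = @(Get-ChildItem -Path $_.FullName -Filter '*.exe' -File -ErrorAction SilentlyContinue |
                 Where-Object { $_.BaseName -match '^\d+$' })
    if ($numeric.Count -ge 5) {
        $findings += [pscustomobject]@{ Type = 'Dir'; Name = $_.FullName
                                        Detail = "$($numeric.Count) numeric-named EXEs" }
    }
}

if ($findings.Count -eq 0) { 'No indicators from this thread were found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM key and all of %SystemRoot% are readable; a clean report here does not replace the full online scans and the Symantec removal tool Andy recommends.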
 
Thanks Andy--I did a quick look for those executables and didn't find them.
Glad you could ID it accurately, so that he can run the tool and be sure
he's cleaned up.
 
No problem.

I'd not heard of them until I saw this topic and wasn't getting much info back
from search engines, but it looks like they have only just been released a
couple of days ago, so Symantec's done well to have a removal tool available
already. The search engine bots will probably catch up in a couple of days
when they revisit the AV sites :)

It doesn't list Microsoft Antispyware as a target for these trojans, so
hopefully there aren't other problems on the system, but I'm sure the online AV
scanners would detect anything that remained after using the Removal Tool.
 
Yeah--I quit posting the list of viruses that target Microsoft
Antispyware--bankash didn't seem to go anywhere, and it got boring, and I
forgot to keep checking Symantec's site--also, since they came out with
their own product, searching on "antispyware" in Symantec's site became
somewhat problematic!

I don't think any of the ones that genuinely target Microsoft Antispyware
has ever had broad distribution--I think the number of likely instances
we've seen in these groups is very small--between 2 and none, I suspect.
 
I also found an infected computer with the same problem, and MS AntiSpyware
doesn't automatically find any of the files on a quick scan. I haven't tried
a full scan. I tried submitting a suspected spyware report, but it gave me
the proxy error that MS AntiSpyware usually gives when trying to submit that
report.

I uploaded the malicious files to my website at:
http://www.altmantc.com/downloads/MSSSRT_ANTIAV.ZIP
http://www.altmantc.com/downloads/MSSSRT_ANTIAV.XML

Hopefully Microsoft will add them to the MS AntiSpyware definitions.
 