Solved

XP hostile takeover by "Trusted Software" program

Posted on 2011-04-26
3,247 Views
Last Modified: 2012-05-11
Owner somehow got hijacked by what looks like it might be a legit program, or a new form of malware.
www.trustedsoftware.com is the web site on the attached screenshot.
All the shortcuts have been changed to a .lnk extension.
Clicking on anything results in the attached screen.
I can access the hard drive and copied all data off.
I was able to load UBCD4WIN but there are no restore points in the registry.
Ran SUPERAntiSpyware from the UBCD, found only the usual tracking cookies.
[Attached screenshot: Trusted Software]
Question by: cfourkays
23 Comments
 
Expert Comment by David Johnson, CD, MVP (LVL 84), ID: 35472126
From UBCD4WIN, download Malwarebytes and see if it can remove the program.
 
Expert Comment by David Johnson, CD, MVP (LVL 84), ID: 35472135
 
Expert Comment by Dave Baldwin (LVL 84), ID: 35472218
They do have a web site, http://www.trustedsoftware.com/ . I would still consider it malware. It looks like they have their own installer that takes over the computer if you download something from them.
 
Author Comment by cfourkays (LVL 2), ID: 35474755
All scanners or tools, including Malwarebytes Anti...., bring up the Trusted Software window.
Example: downloaded the Sophos tool to a flash drive, tried to run it, and got the warning.
The tool is an .msi.
Anything I try to run is blocked.
I can't find any search that spells this problem out.
Here's another poor guy with the same problem and no solution:
http://forums.techguy.org/windows-xp/983593-lost-exe-files-after-uninstalling.html
 
Author Comment by cfourkays (LVL 2), ID: 35474786
Also, trying Doug Knox's association fixes doesn't work.
All the zip files, and the .reg files when opened, have the same result.

Is this a new monster???
 
Author Comment by cfourkays (LVL 2), ID: 35474824
StuxnetScanner, when opened, is an .exe file which has the same result.
Although the owner of the PC is bitching, I'd like to find a fix for this.
 
Expert Comment by rpggamergirl (LVL 47), ID: 35474825
 
Expert Comment by rpggamergirl (LVL 47), ID: 35474860
Oh I see.... that window is blocking it...

And the cleanautorun doesn't fix the executables?
 
Expert Comment by rpggamergirl (LVL 47), ID: 35474874
Can you run a .com extension?
How about in safe mode, is it the same?

Try ExeHelper:
http://www.raktor.net/exeHelper/exeHelper.com
Double-click on exeHelper.com to run the fix.
A black window should pop up; press any key to close once the fix is completed.
 
Author Comment by cfourkays (LVL 2), ID: 35476177
Exehelper.com in both normal and safe mode brought the same results. The same "The File Type Assistant" comes up.
Do we know whether this is malware?
The web site has a lot of missing links.
I only saw one other posting on this issue on another site, with no resolution. It was posted last week.

I have a small PC repair business where about 50% of my calls are malware removal, and I've never seen this one.
 
Author Comment by cfourkays (LVL 2), ID: 35476763
Would you Experts like me to try any fixes, since this crap seems to be new?

I'm going to do a System Recovery (hopefully) later today to get my customer's PC back.
I'd really like to find out what this is.

I deleted the files in a "File Type Assistant" folder and now I get a standard
"Windows cannot open this file"
"File: xxxxxxx.link" or "File: Cleanautorun.exe"
 
Assisted Solution by David Johnson, CD, MVP (LVL 84), earned 800 total points, ID: 35478140
Put the drive in another computer or boot from removable media and then work on the drive in question. Once the machine boots, the malware has control.
 
Author Comment by cfourkays (LVL 2), ID: 35478815
Hey ve3ola,
I've already done that.
I booted with UBCD4WIN and ran SUPERantivirus.
When you say "work on the drive in question", what do you suggest?
 
Expert Comment by David Johnson, CD, MVP (LVL 84), ID: 35479293
Have you tried running Malwarebytes on the client's drive? The drive in question is the client's drive. Is there a reason why you can't use a repair install on the system?
 
Author Comment by cfourkays (LVL 2), ID: 35479417
Can't do a repair install, it's a 2006 HP Pavilion, no OS CDs.
I tried F10 and there's a System Recovery available.
Before I do that, I'll take the drive out, slave it, and run Malwarebytes as you suggest.
I'd really like to see what this is or isn't. Something like a corrupt rundll32 maybe.
Working on it right now.
 
Expert Comment by rpggamergirl (LVL 47), ID: 35479732
If it isn't a Stuxnet (.lnk virus),
it could be a new rogue (or one of the family of rogues); there are many of them which offer to fix the problem they created.

Is this also active in safe mode?
If you download Process Explorer using another PC and rename it to svchost.exe or winlogon.exe or some other Windows system filename, it might run..... then you can look for malware processes etc. There must be a malware process running there, like a random-number process in the Application Data folder etc.

Though slaving and cleaning may be an easier fix (sometimes it makes it worse).
 
Expert Comment by David Johnson, CD, MVP (LVL 84), ID: 35480882
This is one of the extortionware programs that are floating around the net.
 
Author Comment by cfourkays (LVL 2), ID: 35482823
I don't know.
This thing never brought up the usual "We'll clean it for $...".
Talked to the owner last night.
Told me he was trying to get some music, which is suspicious in the first place, and all of a sudden this "Trusted Software" thing popped up.
I've cleaned this PC of malware a couple of times so......?
I'm trying rpg's suggestions this AM and I'll post back.
BTW, thanks to both of you for hanging in.
 
Expert Comment by rpggamergirl (LVL 47), ID: 35483065
I hope you have some luck with the renamed Process Explorer. Sometimes when nasties block most program processes from running, they don't block critical system processes; that's why I suggested trying to rename it to that of a system file, e.g. svchost.exe or winlogon.exe.

Also try doing these steps and see if MBAM runs.

Download MalwareBytes, or download the file onto a USB from another PC.

Once you've transferred the file, you then need to "Show File Extensions" like in the link below.
http://whatsafile.com/show-file-extensions.php

Then rename mbam-setup.exe to mbam-setup.com.
Double-click mbam-setup.com to install Malwarebytes' Anti-Malware.

Once installed, go to your Program Files\Malwarebytes' Anti-Malware folder, locate the mbam.exe there and rename it to mbam.com.
Double-click mbam.com to launch Malwarebytes', click the "Update" tab and click the "Check For updates" button.
Then "Perform Quick Scan", then click Scan.
When the scan is complete, make sure that everything is checked, and click "Remove Selected".

I know the link is for a different rogue, but if you like, try and follow the steps to make MalwareBytes run like I mentioned above and see if that helps.
http://www.geekstogo.com/forum/topic/299547-removal-instructions-for-xp-total-security-2011-and-its-clones/
 
Accepted Solution by rpggamergirl (LVL 47), earned 1200 total points, ID: 35483251
Okay, it seems this is it.
http://www.trustedsoftware.com/what.html

This is supposed to be a little helper application that kicks in when the user tries to open a file that they don't have a viewer or player for.

In Control Panel, Add/Remove Programs, uninstall "File Type Assistant" and that should be the end of it (if they even deserve the word trusted); try and see. I don't trust this program, period.... no reputable program will hijack a PC like that.

I've seen rogues so much that I just don't trust any programs that I don't know much about, and it always fires up my suspicious button, especially a program that hijacks my PC.
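What the association fixes and the .com rename in this thread were working around is the HKCR chain (extension → ProgID → shell\open\command) plus the per-user FileExts override, and the thread never shows how to verify which links of it were still stock. The script below is an added example, not code from the thread and not anything of Trusted Software's: it audits that chain offline from a .reg export taken while the drive is slaved or booted under UBCD4WIN (reg export of HKCR\.exe, the ProgID keys and the FileExts key, concatenated). The stock XP values it compares against and the FileExts "Application" behaviour are assumptions from memory, the sample export is constructed, and the handler path in it is hypothetical. It follows whichever ProgID is actually set, so a hijack that introduces a new ProgID instead of editing exefile is reported as well.

```python
"""Audit the XP file-association chain from an offline .reg export.

Added example (not the thread's or Trusted Software's code). The "stock"
values are XP defaults as assumed by the author of this example; the
sample export is constructed and its handler path is hypothetical.
"""
import re

# Extension -> (stock ProgID, stock open command). XP defaults (assumption).
EXPECTED = {
    ".exe": ("exefile", '"%1" %*'),
    ".com": ("comfile", '"%1" %*'),
    ".bat": ("batfile", '"%1" %*'),
}
# Per-user override consulted before HKCR; an "Application" value redirects the extension (assumption).
FILEEXTS = r"hkey_current_user\software\microsoft\windows\currentversion\explorer\fileexts"

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg exports escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse string values of a 'Windows Registry Editor Version 5.00' export.

    Returns {key_path.lower(): {value_name: data}} with '@' as the default
    value. Only REG_SZ ("...") data is kept; dword/hex data is ignored.
    A real export is UTF-16 with a BOM: open(path, encoding="utf-16").
    """
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            cur = m.group(1).lower()
            keys.setdefault(cur, {})
            continue
        m = _VALUE.match(line)
        if m and cur is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[cur][name] = _unescape(data[1:-1])
    return keys


def check_associations(keys):
    """Return one finding per link of each chain that differs from stock."""
    findings = []
    for ext, (progid, cmd) in EXPECTED.items():
        ext_key = keys.get(("hkey_classes_root\\" + ext).lower(), {})
        actual_progid = ext_key.get("@")
        if actual_progid != progid:
            findings.append(f"{ext}: ProgID is {actual_progid!r}, expected {progid!r}")
        # Follow the ProgID actually set, so a hijack through a new ProgID is seen too
        target = actual_progid or progid
        cmd_key = keys.get(("hkey_classes_root\\" + target + r"\shell\open\command").lower(), {})
        actual_cmd = cmd_key.get("@")
        if actual_cmd != cmd:
            findings.append(f"{ext}: open command is {actual_cmd!r}, expected {cmd!r}")
        user_key = keys.get(FILEEXTS + "\\" + ext, {})
        if "Application" in user_key:
            findings.append(f"{ext}: per-user FileExts override -> {user_key['Application']!r}")
    # .lnk is different: shortcut behaviour comes from flags on lnkfile, not an open command
    lnk = keys.get(r"hkey_classes_root\.lnk", {})
    if lnk.get("@") != "lnkfile":
        findings.append(f".lnk: ProgID is {lnk.get('@')!r}, expected 'lnkfile'")
    lnkfile = keys.get(r"hkey_classes_root\lnkfile", {})
    for flag in ("IsShortcut", "NeverShowExt"):
        if flag not in lnkfile:
            findings.append(f".lnk: lnkfile is missing {flag!r}")
    return findings


# Constructed sample: the .exe chain and the per-user override point at a
# hypothetical handler; .com and .bat are stock; lnkfile lost NeverShowExt.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Program Files\\File Type Assistant\\hijack-example.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\.com]
@="comfile"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.bat]
@="batfile"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\lnkfile]
"EditFlags"=dword:00000001
"IsShortcut"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe]
"Application"="hijack-example.exe"
'''

if __name__ == "__main__":
    for finding in check_associations(parse_reg(SAMPLE_EXPORT)):
        print(finding)
```

On the constructed sample this reports the wrapped .exe open command, the per-user FileExts redirect for .exe, and the missing NeverShowExt flag on lnkfile, while .com and .bat come back clean; that is the pattern in which renaming a tool to .com still runs it, and it tells you exactly which keys to restore or which uninstaller entry to chase before trusting any fix-it .reg file.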
 
Author Comment by cfourkays (LVL 2), ID: 35487228
Thanks to both of you.
The only way I could get that out was to delete the contents of a "File Type Assistant" folder and then search for scraps with Regedit.
MBAM renamed wouldn't run.
Unfortunately, any program or file other than the C: drive wouldn't open.
Took a chance and did a System Recovery, F10, and recovered to original while saving files and folders.
The recovery actually kept all data.

Only thing is that on the first boot, I was greeted with the old configuration problem, "HP Code Purple".
Had my notes from way back and deleted the "run.py" in the ConfigCheck folder and that did it.
PC's now up and running, waiting for updates.
Too bad I couldn't get to the root cause.
Thanks again to both.
 
Expert Comment by rpggamergirl (LVL 47), ID: 35488451
That was a very aggressive program, one to stay away from.
Glad you got that one out, well done.
Thanks!
