
XP hostile takeover by "Trusted Software" program

cfourkays asked
Last Modified: 2012-05-11
Owner somehow got hijacked by what looks like it might be a legit program. Or a new form of malware.
www.trustedsoftware.com is the web address on the attachment.
All the shortcuts have been changed to a .lnk extension.
Clicking on anything results in the attached screen.
I can access the hard drive and copied all data off.
I was able to load UBCD4WIN but there are no restore points in the registry.
Ran SUPERAntiSpyware from the UBCD, found only the usual tracking cookies.
(Attachment: Trusted Software)

David Johnson, CD (Simple Geek from the '70s)
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
from ubcdwin download Malware bytes and see if it can remove the program
Dave Baldwin (Fixer of Problems)
CERTIFIED EXPERT
Most Valuable Expert 2014

Commented:
They do have a web site http://www.trustedsoftware.com/ .   I would still consider it malware.  It looks like they have their own installer that takes over the computer if you download something from them.

Author

Commented:
All scanners or tools, including Malwarebytes Anti-Malware, bring up the Trusted Software window.
Example, downloaded the Sophos tool to a flash drive, tried to run, and got the warning.
The tool is an .msi
Anything I try to run is blocked.
I can't find any search that spells this problem out.
Here's another poor guy with the same problem and no solution.
http://forums.techguy.org/windows-xp/983593-lost-exe-files-after-uninstalling.html

Author

Commented:
Doug Knox's file-association fixes don't work either.
All the zip files and the .reg files, when opened, have the same result.

Is this a new monster???

Author

Commented:
StuxnetScanner when opened is an .exe file which has the same result.
Although the owner of the PC is bitching, I'd like to find a fix for this.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Oh I see.... that window is blocking it...

and the cleanautorun doesn't fix the executables?

CERTIFIED EXPERT
Top Expert 2007

Commented:
Can you run a .com extension?
How about in safe mode is it the same?

Try ExeHelper:
http://www.raktor.net/exeHelper/exeHelper.com
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.

Author

Commented:
Exehelper.com in both normal and safe mode brought the same results. The same "The File Type Assistant" comes up.
Do we know whether this is malware?
The web site has a lot of missing links.
I only saw one other posting on this issue on another site with no resolution. Was posted last week.

I have a small PC repair business where about 50% of my calls are malware removal and I've never seen this one.

Author

Commented:
Would you Experts like me to try any fixes since this crap seems to be new?

I'm going to do a System Recovery, (hopefully), later today to get my customer's PC back.
I'd really like to find out what this is.


I deleted the files in a "File Type Assistant" folder and now I get a standard
"Windows cannot open this file"
"File:   xxxxxxx.link" or  "File:  Cleanautorun.exe"

David Johnson, CDSimple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:

Author

Commented:
Hey ve3ola,
I've already done that.
I booted with UBCD4WIN and ran SUPERantivirus.
When you say "work on the drive in question", what do you suggest?
David Johnson, CDSimple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Have you tried running Malwarebytes on the client's drive? The drive in question is the client's drive. Is there a reason why you can't use a repair install on the system?

Author

Commented:
Can't do a repair install; it's a 2006 HP Pavilion, no OS CDs.
I tried F10 and there's a System Recovery available.
Before I do that, I'll take the drive out, slave it, and run Malwarebytes as you suggest.
I'd really like to see what this is or isn't. Something like a corrupt rundll32 maybe.
Working on it right now.
CERTIFIED EXPERT
Top Expert 2007

Commented:
If it isn't a stuxnet (.lnk virus),
It could be a new rogue(or one of the family of rogues) there are many of them which offers to fix the problem it created.

Is this also active in safe mode?
If you download Process Explorer using another PC and rename it to svchost.exe or winlogon.exe or some other Windows system filename, it might run. Then you can look for malware processes, etc.; there must be a malware process running there, like a random-number process in the Application Data folder.

Though slaving and cleaning may be an easier fix(sometimes makes it worse).

David Johnson, CDSimple Geek from the '70s
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
this is one of the extortionware programs that are floating around the net

Author

Commented:
I don't know.
This thing never brought up the usual "We'll clean it for $..."
Talked to the owner last night.
Told me he was trying to get some music, which is suspicious in the first place, and all of a sudden this "Trusted Software" thing popped up.
I've cleaned this PC of malware a couple of times so......?
I'm trying rpg's suggestions this AM and I'll post back.
BTW, thanks to both of you for hanging in.
CERTIFIED EXPERT
Top Expert 2007

Commented:
I hope you have some luck with the renamed Process Explorer. Sometimes when nasties block most program processes from running, they don't block critical system processes; that's why I suggested renaming it to that of a system file, e.g. svchost.exe or winlogon.exe.


Also try doing these steps and see if Mbam runs.

Download MalwareBytes, or download the file into a USB from another PC.

Once you've transferred the file, you then need to "Show File Extensions" like the link below.
http://whatsafile.com/show-file-extensions.php

Then rename mbam-setup.exe to mbam-setup.com.
Double-click mbam-setup.com to install Malwarebytes' Anti-Malware.

Once installed, go to your Program Files\Malwarebytes' Anti-Malware folder and locate the mbam.exe there and rename it to mbam.com
Double-click mbam.com to launch Malwarebytes', click the "Update" tab and click the "Check for updates" button.
then "Perform Quick Scan", then click Scan.
When scan is complete, make sure that everything is checked, and click "Remove Selected".


I know the link is a different rogue, but if you like to try and follow the steps to make MalwareBytes run like I mentioned above and see if that helps.
http://www.geekstogo.com/forum/topic/299547-removal-instructions-for-xp-total-security-2011-and-its-clones/
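The .com rename above, and the earlier ExeHelper / "can you run a .com extension?" suggestion, both rely on the same thing: these rogues rewrite the registry associations for .exe (and here .lnk) so every launch goes through their own program, but normally leave the .com association alone. The following cmd script is an added example, not code from the thread, from ExeHelper, Doug Knox or Malwarebytes; it audits the keys such a rogue rewrites and, when called with `restore`, puts back the stock XP values. The script name assoc-audit.cmd is chosen here. Run it on the affected machine from a cmd window; if cmd.exe itself is blocked, copy it to cmd.com first, on the same reasoning as mbam.com.

```batch
@echo off
setlocal
rem assoc-audit.cmd - added example, not part of the original thread.
rem Audits the association and launch-interception keys that "run every
rem .exe through my program" rogues rewrite, then optionally restores the
rem stock XP values.
rem Usage:  assoc-audit.cmd           (audit only)
rem         assoc-audit.cmd restore   (audit, then restore defaults)

echo === Which ProgID handles .exe, and what command that ProgID runs ===
reg query "HKCR\.exe" /ve
reg query "HKCR\exefile\shell\open\command" /ve
rem A clean XP box reports  exefile  and  "%%1" %%*  respectively.
rem Anything else (a path into a "File Type Assistant" folder, etc.) is the hijack.

echo === .com: the escape hatch that ExeHelper and the rename trick rely on ===
reg query "HKCR\.com" /ve
reg query "HKCR\comfile\shell\open\command" /ve

echo === .lnk: a stock lnkfile key has no shell\open\command; one here was added ===
reg query "HKCR\.lnk" /ve
reg query "HKCR\lnkfile\shell\open\command" /ve 2>nul

echo === Per-user overrides: HKCU classes win over HKLM for the logged-on user ===
reg query "HKCU\Software\Classes\.exe" /ve 2>nul
reg query "HKCU\Software\Classes\exefile\shell\open\command" /ve 2>nul
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /s 2>nul

echo === IFEO Debugger values: another way to intercept a program launch ===
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /v Debugger

if /i not "%~1"=="restore" goto :eof

echo === Restoring stock XP associations ===
rem %%1 / %%* in a batch file write a literal %1 / %* into the registry value.
reg add "HKCR\.exe" /ve /d "exefile" /f
reg add "HKCR\.exe" /v "Content Type" /d "application/x-msdownload" /f
reg add "HKCR\exefile" /ve /d "Application" /f
reg add "HKCR\exefile\shell\open\command" /ve /d "\"%%1\" %%*" /f
reg add "HKCR\.lnk" /ve /d "lnkfile" /f
reg add "HKCR\lnkfile" /ve /d "Shortcut" /f
reg add "HKCR\lnkfile" /v "IsShortcut" /d "" /f
reg add "HKCR\lnkfile" /v "NeverShowExt" /d "" /f
rem Remove the added shell\open\command under lnkfile and any per-user override.
reg delete "HKCR\lnkfile\shell" /f 2>nul
reg delete "HKCU\Software\Classes\.exe" /f 2>nul
reg delete "HKCU\Software\Classes\exefile" /f 2>nul
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe" /v Application /f 2>nul
endlocal
```

The same checks work against the slaved drive from the UBCD4WIN side, which is safer when the rogue is still resident: load the victim's software hive with `reg load HKLM\victim D:\WINDOWS\system32\config\software` (D: is an assumed drive letter) and the user hive with `reg load HKU\victim "D:\Documents and Settings\<user>\NTUSER.DAT"`, then read and write `HKLM\victim\Classes\...` in place of `HKCR\...` and `HKU\victim\Software\...` in place of `HKCU\Software\...`, and `reg unload` both when done. The IFEO check matters even when the association values look clean: a Debugger value under a program's subkey (mbam.exe, for instance) silently launches the named "debugger" instead of the program, which produces exactly the "every tool opens the rogue" symptom described above.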
CERTIFIED EXPERT
Top Expert 2007
Commented:

Author

Commented:
Thanks to both of you.
The only way I could get that out was delete the contents of a "File Type Assistant" and then search for scraps with Regedit.
MBAM renamed wouldn't run
Unfortunately, any program or file other than the .C drive wouldn't open.
Took a chance and did a System Recovery, F10, and recovered to original with saving files and folders.
The recovery actually kept all data.

The only thing was that on the first boot I was greeted with the old configuration problem, "HP Code Purple".
Had my notes from way back and deleted the "run.py" in ConfigCheck folder and that did it.
PC's now up and running waiting for updates.
Too bad I couldn't get to the root cause.
Thanks again to both.



CERTIFIED EXPERT
Top Expert 2007

Commented:
That was a very aggressive program, one to stay away from.
Glad you got that one out, well done.
Thanks!