
Thread: ttpugfoj.exe

  1. #1
    Junior Member (Join Date: Sep 2013, Posts: 3)

    ttpugfoj.exe

    File came as a WhatsApp VM message email. Download the .zip file, it runs an exe that installs a fake AV program. This file then locks the system, prevents opening Task Manager to kill the process, and it was a bear to locate. Avast *and* Spybot say the .exe is totally safe, and I guess it more or less is, because it only opens the door for malware via websites - a process Avast did block. If I were a normal user, I'd have totally freaked out about the 32 or so critical malware detections it indicated.
    I found the name of the file because it sits in the notification area and shows the file's name. I finally managed to kill the process by logging on to another user account, opening Task Manager in it, showing all processes for all users, and was able to terminate (with extreme prejudice) this nasty little critter. Then I had to hunt it down manually, as it hides itself in \AppData\local from the Windows search util, and I am now shredding it.

    Just noticed in my FF downloads file that this malware is associated with bestholidaystoindia.com.
    Last edited by The_Evil_Dr_R; 2013-09-11 at 01:46.

  2. #2
    Junior Member (Join Date: Sep 2013, Posts: 3)

    Associated filename - TrustedInstaller.exe

    After continuing issues with slow performance and repeated attempts to install malware and direct my browser to malware sites, I traced the offending process and found that this is the prime installation package. It hijacked file/folder permissions in several critical areas. I found and eliminated about a dozen registry entries and then reset permissions on files and folders and submitted files to Avast, since their AV did not register this as malware, only the recognizable malware it tries to install. Microsoft's malware software failed to detect it miserably, as well. Hopefully this puts an end to this little nightmare.

  3. #3
    tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,955)

    Hello The_Evil_Dr_R,
    Quote Originally Posted by The_Evil_Dr_R:
    > Hopefully this puts an end to this little nightmare.
    If the issue returns, someone can take a look at the system in the Malware Removal Forum.

    In which case please see that forum's FAQ which also includes instructions in post #2 on how to provide DDS and aswMBR logs, which are used in the preliminary analysis.
    http://forums.spybot.info/showthread.php?t=288

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member (Join Date: Sep 2013, Posts: 3)

    Yes, thanks.
    I am still having issues but am working on them at the moment; I may take up that offer. Got a BSOD on the last restart; an IO driver seems to have been corrupted. Fortunately, I didn't have to do a complete system restore.
    There is a consent.exe file that seems to be associated with this malware, as a search in Windows shows multiple instances of the same program in several locations. Apparently a ghost user account is also created, and file/folder permissions transferred from System and admin to this user. Submitted several files found to Avast, so hopefully they will update to detect this.
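    Two checks that follow from posts #1 and #4 above (an added example, not code from the thread or from Spybot): Windows search skips hidden files by default, so the first part lists hidden or system-attributed executables under %LOCALAPPDATA%; the second looks for copies of consent.exe and TrustedInstaller.exe outside the directories where Windows keeps the genuine binaries and shows their signature status and hash. The expected directories, the WinSxS exclusion and PowerShell 4 or later (for Get-FileHash) are assumptions, not something stated in the thread.

```powershell
# Added example: surface files the thread describes (hidden exe under the
# user profile, duplicate copies of system binaries). Run from an elevated prompt.

# Names taken from the thread.
$names = @('consent.exe', 'TrustedInstaller.exe')

# Assumption: default locations of the genuine binaries.
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'servicing')
)

# 1. Hidden/system-attributed executables in the per-user profile.
#    -Force includes files that Explorer search omits by default.
Write-Host "== Hidden executables under $env:LOCALAPPDATA =="
Get-ChildItem -Path $env:LOCALAPPDATA -Recurse -Force -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -match 'Hidden|System' } |
    Select-Object FullName, Attributes, Length, LastWriteTime |
    Format-Table -AutoSize

# 2. Copies of system binaries outside their expected directories.
#    WinSxS is excluded (assumption) because it legitimately holds duplicates.
Write-Host "== Copies of system binaries in unexpected locations =="
foreach ($n in $names) {
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter $n -ErrorAction SilentlyContinue |
        Where-Object {
            ($expectedDirs -notcontains $_.DirectoryName) -and
            ($_.FullName -notlike "$env:SystemRoot\WinSxS\*")
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Path      = $_.FullName
                SigStatus = $sig.Status                 # Valid / NotSigned / HashMismatch ...
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
} | Format-Table -AutoSize
```

Anything listed in the second table that is unsigned or not signed by Microsoft is worth submitting to the AV vendor, as post #2 describes; the SHA256 column gives the value to quote when doing so.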
