ttpugfoj.exe

The_Evil_Dr_R

The file came as a WhatsApp voicemail message email. Download the .zip file and it runs an .exe that installs a fake AV program. This file then locks the system, prevents opening Task Manager to kill the process, and it was a bear to locate. Avast ~and~ Spybot say the .exe is totally safe, and I guess it more or less is, because it only opens the door for malware via websites, a process Avast did block. If I were a normal user, I'd have totally freaked out about the 32 or so critical malware detections it indicated.
I found the name of the file because it sits in the notification area and shows the file's name. I finally managed to kill the process by logging on to another user account, opening Task Manager in it, showing all processes for all users, and was able to terminate (with extreme prejudice) this nasty little critter. Then I had to hunt it down manually, as it hides itself in \AppData\Local from the Windows search utility, and am now shredding it.

Just noticed in my FF downloads file that this malware is associated with bestholidaystoindia.com.
Associated filename - TrustedInstaller.exe

After continuing issues with slow performance and repeated attempts to install malware and direct my browser to malware sites, I traced the offending process and found that this is the prime installation package. It hijacked file/folder permissions in several critical areas. I found and eliminated about a dozen registry entries, then reset permissions on files and folders and submitted files to Avast, since their AV did not register this as malware, only the recognizable malware it tries to install. Microsoft's anti-malware software also failed miserably to detect it. Hopefully this puts an end to this little nightmare.
Yes, thanks.
I am still having issues but am working on them at the moment; I may take up that offer. Got a BSOD on the last restart, as an I/O driver seems to have been corrupted. Fortunately, I didn't have to do a complete system restore.
There is a consent.exe file that seems to be associated with this malware, as a search in Windows shows multiple instances of the same program in several locations. Apparently a ghost user account is also created, and file/folder permissions are transferred from System and admin to this user. Submitted several of the files found to Avast, so hopefully they will update to detect this.
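An added example, not part of the thread or the poster's own work: a PowerShell hunt for the two indicators described above, copies of TrustedInstaller.exe or consent.exe sitting outside their normal directories, and processes running out of a user's AppData\Local. The known-good paths and the WinSxS exclusion are assumptions based on a stock Windows layout; run it from an elevated prompt so processes of all users are visible.

```powershell
# Added example (not from the original thread). Hunts for system binary names
# living outside their legitimate directories, and for processes whose image
# runs from per-user AppData\Local. Run from an elevated PowerShell.

# Assumed locations of the genuine binaries on a stock Windows install.
$knownGood = @{
    'TrustedInstaller.exe' = @("$env:SystemRoot\servicing\TrustedInstaller.exe")
    'consent.exe'          = @("$env:SystemRoot\System32\consent.exe")
}

# 1. File-system sweep: same file name, unexpected location, is suspect.
#    WinSxS holds legitimate component-store copies, so it is skipped.
$roots = @("$env:SystemDrive\Users", "$env:SystemRoot", "$env:ProgramData")
foreach ($name in $knownGood.Keys) {
    Get-ChildItem -Path $roots -Filter $name -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.FullName -notlike '*\WinSxS\*' -and
            $knownGood[$name] -notcontains $_.FullName
        } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [PSCustomObject]@{
                Finding   = 'Masquerading copy'
                Path      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $sig.Status            # Valid / NotSigned / HashMismatch ...
                Signer    = $sig.SignerCertificate.Subject
                SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            }
        }
}

# 2. Process sweep: anything executing from AppData\Local, with its owner,
#    so a "ghost" account running the dropper shows up too.
Get-CimInstance Win32_Process |
    Where-Object { $_.ExecutablePath -like '*\AppData\Local\*' } |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [PSCustomObject]@{
            Finding = 'Process from AppData\Local'
            PID     = $_.ProcessId
            Parent  = $_.ParentProcessId
            User    = "$($owner.Domain)\$($owner.User)"
            Image   = $_.ExecutablePath
            Cmd     = $_.CommandLine
        }
    }
```

Plenty of legitimate software (browser and chat updaters, OneDrive) also runs from AppData\Local, so treat the second list as leads to check against signature and publisher rather than as verdicts. The SHA256 values are what you would submit to the AV vendor along with the file.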