26 replies to this topic

[scotthocum]

Have you heard of a new virus called smart fortress 2012 I just got it on a copmuter but nothing will catch it?

[grinler]

Sounds new. Can you harvest some samples, zip em up, and upload them here?

[scotthocum]

what kind of samples should I get? Thanks

[Soleil120]

My wife's computer got it an hour ago too and I have no idea how to get rid of it.

[Estevek]

I just got infected by this as well. Rather nasty. Let me know what I can send along to diagnose. I am in a windows 7 pro machine.

[supertommy6]

A user on my network contracted this today as well. Windows Vista Business. Let me know if there's anything I can do to help get rid of this thing!

[cwq1]

Got this today as well.

I found these files under C:\ProgramData\<random-alpha-numeric-string> on a W7 Pro machine. It intercepts Task Manager from launching among other things, so far I have a stable system in Safe Mode - it could be contained to just the user's profile at this point I'm hoping.

Attached Files

•  smartfortress2012.zip   322.47KB   35 downloads

[Norseman]

I just got it on my older computer that I use for business (CAD work), so I really need to get after this one. Its an HP XW6400 running WinXP 64bit system, and unfortunately I had just shut down my anti-virus program in order to repair an un-registered .dll in my SolidWorks CAD program. This really sucks!

[d3nm4rk]

Windows XP machine it was under \Documents and Settings\All Users\Application Data\<random-alpha-numeric-string>. Deleting it seems to be working for now, got a virus scan running now. I may just end up re-imaging the computer to completely get rid of it.

[grinler]

Checking out samples now. We should be able to get you guys fixed up soon

[Norseman]

 cwq1, on 27 February 2012 - 06:31 PM, said:

Got this today as well.

I found these files under C:\ProgramData\<random-alpha-numeric-string> on a W7 Pro machine. It intercepts Task Manager from launching among other things, so far I have a stable system in Safe Mode - it could be contained to just the user's profile at this point I'm hoping.

I have not been able to boot into safe mode, is it possible this trojan could be preventing that? I know whenever I try to open the uninstall program option in Control Panel, it blocks it. As well as several other programs like EndItAll and my AV program.

[cwq1]

I noticed another user's post had ran their file through this website. Here's the results for the file I posted:

https://www.virustot...sis/1330385554/

8 / 43 scanners recognize it as something. I guess I'll go try the tools that found it, to see if they will remove it.

[Fatdcuk]

Hi folks and welcome to the MBAM Research Center.

Looks like you all have something that is very new,the only google result for the name is pointing back to this forum so they dont come any hotter off the press then this..


We don't usually work on malware removal in this part of the forums so for those that need further assistance.
Please read and follow the directions here, skipping any steps you are unable to complete. Then create a NEW topic here.
One of the expert helpers there will give you one on one assistance when one becomes available.

Please note that it may take 48 hours or more for you to receive a response in the malware removal forum, as it is often busy at times. Please do not reply to your own post asking for help unless its been more than 48 hours since you originally posted, as this can make it appear as though you are being helped and take longer for you to get help.

If you are unable to do all or any of the steps in the link to the directions above, just post your problem into the forum I gave you a link to anyway and someone will be able to assist you.

If you prefer to be assisted via email you may contact support@malwarebytes.org and one of our support staff members will assist you directly.

If you are a reseller, affiliate, technician, corporate, business, educational, government or non-profit customer then please contact corporate-support@malwarebytes.org and include full contact details along with your Reference # when you do to ensure that you receive prompt assistance.

Thank you

[Fatdcuk]

 cwq1, on 27 February 2012 - 06:31 PM, said:

Got this today as well.

I found these files under C:\ProgramData\<random-alpha-numeric-string> on a W7 Pro machine. It intercepts Task Manager from launching among other things, so far I have a stable system in Safe Mode - it could be contained to just the user's profile at this point I'm hoping.

 cwq1, on 27 February 2012 - 06:37 PM, said:

I noticed another user's post had ran their file through this website. Here's the results for the file I posted:

https://www.virustot...sis/1330385554/

8 / 43 scanners recognize it as something. I guess I'll go try the tools that found it, to see if they will remove it.

Looking into this data now guys...Thankyou for your assistance

[Estevek]

Back again...on my Win 7 pro machine I was unable to boot in safe mode without the infection. I did a restore and no I am operating again BUT nervouse about what, where and when this occurred.

[Cerbrus]

I got the virus just now.
For me (Win XP 32bit), it's located in C:\Documents and Settings\All Users\Application Data\F4D561B4000BEA160003C315D151FC84\
I'm guessing the last bit is random, but you never know...

It's 2 files:
F4D561B4000BEA160003C315D151FC84.exe (360.448 bytes)
And just plain
F4D561B4000BEA160003C315D151FC84 (328 bytes)

I can't remove the .exe, but I can rename it. It'll rename itself back, though.
The other file can be removed, but gets remade,

So, any idea how to remove this thing? It shuts down everything I try to start.

[grinler]

 Estevek, on 27 February 2012 - 06:47 PM, said:

Back again...on my Win 7 pro machine I was unable to boot in safe mode without the infection. I did a restore and no I am operating again BUT nervouse about what, where and when this occurred.

I can almost guarantee you are running outdated programs on your computer, which causes a hacked website or malvertisement to slip this goody onto your OS.

My suggestion is to use Secunia PSI to check for outdated programs. I have a guide on that here.

http://www.bleepingc...th-secunia-psi/

[Fatdcuk]

 Cerbrus, on 27 February 2012 - 06:49 PM, said:

I got the virus just now.
For me (Win XP 32bit), it's located in C:\Documents and Settings\All Users\Application Data\F4D561B4000BEA160003C315D151FC84\
I'm guessing the last bit is random, but you never know...

It's 2 files:
F4D561B4000BEA160003C315D151FC84.exe (360.448 bytes)
And just plain
F4D561B4000BEA160003C315D151FC84 (328 bytes)

I can't remove the .exe, but I can rename it. It'll rename itself back, though.
The other file can be removed, but gets remade,

So, any idea how to remove this thing? It shuts down everything I try to start.

There is more to it then just that..It has created an execution hijack in the registry so that it launches itself everytime you try to run something new.

Trying to work a fix for it

[Cerbrus]

I manages to change the virus' folder's security settings to only display the folder, no read access. (In safe mode)
It did prevent the virus from starting on a reboot, now I've just gotta get rid of it.

[Cerbrus]

Or at least, it looks like it didn't start (How do I edit posts here?)