
Masnesaft malware?

Created: 10 Jul 2014 | 21 comments

I think that I picked up a virus that I cannot remove.

It evidences itself as ytzef.exe and cypuife.exe in processes with the description as Masnesatf Visual Studio 2010 ... sometimes it shows as using 98% cpu resources!  Ending process(es) does not work - keeps popping up.

Running a full scan on Symantec Endpoint, I get a recurring Bloodhound Risk for a file called cypuife.exe which cannot be removed.

I have tried Symantec Help to no avail.

I can find no info on the Internet.

Evidences itself by periodically popping up requests to install Java script (various file names) and continues even though I say 'no'

Tried system restore to prior to 7/7 ... get an error on attempt.

ANY idea on how to remove?

David

 



.Brian wrote:

Did you submit?

How to collect and submit to Symantec Security Response suspicious files found by the SymHelp utility

http://www.symantec.com/docs/TECH203027

Run a threat analysis scan using symhelp:

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH215519

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

IDEAMATICS wrote:

Yes, I have run SymHelp and have saved a zip file of the 5 files that all say "investigate" as status and 4 of 5 say "submit" as recommendation.

 

But instructions say to not send the zip file??

IDEAMATICS wrote:

I believe that I may have picked up from a phishing expedition that was spoofing the Virginia EXPass emails.

 

Suspect hyperlink is

hxxp://www.glenhaven-lton.com/components/api/SUYmjzsrDDvER7R4qZXGvE3wM4j4TBJDL8sHlZdTrd4=/toll

taken from message:

E-ZPass

Service Center

Dear customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.

The invoice can be downloaded here.

 

Terms & Conditions | Site Map | Privacy Policy | Phishing Policy

2014 E-ZPass
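The lure quoted in the post above carries the classic signs of a phishing mail: a brand name in the text, a download link on an unrelated host, an opaque encoded token in the path, and pressure wording about an unpaid debt. The following triage script is an added example (not code from the poster, the thread, or Symantec) that checks a message body for exactly those indicators. The email body is a constructed sample modelled on the quote, with the link kept defanged (hxxp) as the poster shared it; the function names, the phrase list and the verdict rule are illustrative assumptions, not a production classifier.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the E-ZPass lure quoted in the thread.
# The link is the one the poster shared, kept defanged (hxxp) so it is not clickable.
SAMPLE_EMAIL = """\
E-ZPass Service Center

Dear customer,

You have not paid for driving on a toll road. This invoice is sent repeatedly,
please service your debt in the shortest possible time.

The invoice can be downloaded here:
hxxp://www.glenhaven-lton.com/components/api/SUYmjzsrDDvER7R4qZXGvE3wM4j4TBJDL8sHlZdTrd4=/toll
"""

URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+")
# A path segment that is one long run of base64 characters, optionally padded.
B64_SEGMENT_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")
# Pressure wording typical of payment lures (illustrative list, an assumption of this example).
URGENCY_PHRASES = ("not paid", "sent repeatedly", "shortest possible time", "debt")


def refang(url: str) -> str:
    """Turn a defanged hxxp:// link back into http:// for parsing only; never for fetching."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def extract_links(text: str) -> list:
    """Return every http/hxxp link in the message, with trailing punctuation trimmed."""
    return [m.group(0).rstrip(".,;)") for m in URL_RE.finditer(text)]


def link_indicators(url: str, claimed_brand: str) -> dict:
    """Score one link against the brand the message claims to come from."""
    parsed = urlparse(refang(url))
    host = parsed.netloc.lower()
    brand_token = re.sub(r"[^a-z0-9]", "", claimed_brand.lower())  # "E-ZPass" -> "ezpass"
    flags = []
    # The mail claims to be E-ZPass, yet the download host has nothing to do with that brand.
    if brand_token not in host:
        flags.append("brand_host_mismatch")
    # An opaque encoded blob in the path is a per-recipient token, not a normal page.
    if any(B64_SEGMENT_RE.match(seg) for seg in parsed.path.split("/")):
        flags.append("encoded_path_token")
    # Plain http for a supposed payment portal.
    if parsed.scheme == "http":
        flags.append("plain_http")
    return {"url": url, "host": host, "flags": flags}


def triage_email(body: str, claimed_brand: str) -> dict:
    """Combine per-link flags with urgency wording into one verdict."""
    lowered = body.lower()
    urgency = [p for p in URGENCY_PHRASES if p in lowered]
    links = [link_indicators(u, claimed_brand) for u in extract_links(body)]
    all_flags = {f for link in links for f in link["flags"]}
    if urgency:
        all_flags.add("urgency_language")
    # Verdict rule used by this example: a flagged link plus pressure wording is "likely phishing".
    suspicious_link = any(link["flags"] for link in links)
    verdict = "likely phishing" if (suspicious_link and urgency) else "review"
    return {"links": links, "urgency_phrases": urgency, "flags": sorted(all_flags), "verdict": verdict}


if __name__ == "__main__":
    result = triage_email(SAMPLE_EMAIL, claimed_brand="E-ZPass")
    for link in result["links"]:
        print(link["host"], link["flags"])
    print(result["verdict"], result["flags"])
```

Run against the sample, the one link is flagged for brand/host mismatch, an encoded path token and plain http, and the body matches all four pressure phrases, so the verdict is "likely phishing". The refang step exists only so that urlparse can read the host; the defanged form is what gets printed and reported.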

 

.Brian wrote:

You can use this link to send:

http://www.symantec.com/security_response/submitsa...

Once you get a case number, call support and get it escalated.


Mick2009 wrote:

Hi David,

Please do keep the thread up-to-date with your progress!

There are many actions you can do while awaiting analysis of those files.

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466

 

Here's another link that may be of interest...

Symantec Insider Tip: Successful Submissions!
https://www-secure.symantec.com/connect/articles/symantec-insider-tip-successful-submissions

 

 

With thanks and best regards,

Mick

Mick2009 wrote:

Just a bit of info on this particular cypuife.exe and other submitted files: they have been examined by Security Response and found to be new variants of Trojan.Zbot, Trojan.Asprox.B, and related threats.  Rapid Release Sequence 155725 or above will handle most of those, and the RR defs available within a few hours should take care of the remainder.

This article will help to deploy this protection throughout the organization:

 

How to update definitions for Symantec Endpoint Protection Manager (SEPM) using a .jdb file

Article URL http://www.symantec.com/docs/TECH102607

 

Or the RR defs can be applied to a single client:

 

How to apply rapid release definitions to a Symantec Endpoint Protection (SEP) client.

Article URL http://www.symantec.com/docs/TECH104979

 

 

The advice below, though, about not clicking on unknown pop-ups and downloading / opening suspicious mails remains crucial!

The Day After: Necessary Steps after a Virus Outbreak
https://www-secure.symantec.com/connect/articles/day-after-necessary-steps-after-virus-outbreak

 

Hope this helps!

Mick


Mick2009 wrote:

Hi David,

Just a ping for an update.  The thread is still marked "needs solution."  Please do supply details if there's anything else remaining?

With best regards,

Mick


dgenxryan wrote:

It's very interesting that you asked this question today... I picked up this virus/malware/trojan yesterday. I have no idea where from. But I have Malwarebytes, and whenever MB finds a virus trying to infect me, it'll let me know by a little popup on the side. Well, every time I attempt to delete the same thing you see... "Masnaseft Visual Studie", it'll purposely trick Malwarebytes by sending off viruses left and right while the main one hides and jumps into different areas of the computer.

 

What we have here is a pretty high end virus/infection. This is dodging some of the best anti-virus software around. I have no idea how to get rid of it. If you have an outcome please share it with everyone including me.

I have sent it to my Admins to see if they can track it down (highly unlikely). But it's very easy to tell what it is... It's just a matter of finding it and destroying it, but it's very tricky to catch... best of luck to us!

IDEAMATICS wrote:

Note to all --- DO NOT CLICK ON POPUPS if UNKNOWN SOURCE

My Symantec Tech said that the Flash Player update was ok ... wrong move.

If you click on any of these popups, like unknown java scripts, it will crash your hard drive.

You get a black screen with the message "Press Ctrl+Alt+Del to Restart" and when you do, the system starts to boot and then redisplays the message.  The operating system is unavailable.  Booting from a CD/DVD shows that there is no hard drive available to repair OS. Cannot even re-install new operating system.

Solution -- well, sort of -- when 'restarting' press F2 and go to settings and change the hard drive type to ATA.  Then restart again and press F12 and change the boot to be from the CD/DVD.  At this point you can see the drives.  The DELL Tech was MOST HELPFUL.  Using the Run Command window, we identified the volume and the partition and reset the default to the proper one on which to install the operating system.  Then we did an entire new installation of the OS -- I am using Windows 7 Professional.

While we were all stumped, this is the only solution that worked after several hours of effort.  NOTE that this solution means that you have lost everything and have to do a complete system rebuild from scratch.  Hope y'all have a backup -- fortunately I have backups of all my data, but it is a pain to rebuild the machine.

I hope this helps you and everyone dealing with this really bad malware.

David

EMarkDDS wrote:

This thing is nasty... it starts creating multiple processes that progressively chew up gobs of system resources.  In Task Manager I had about a dozen of them running, chewing up a couple gigs.  My laptop was putting off so much heat I could have cooked an egg.  The files are in the Roaming folder, and I can't delete them; they either tell me the file is being used by a program or that I don't have permission.  Between the "My laptop" sentence and now, I stopped three processes.  Now there's already another copy chewing up 300MB of system resources. I'm basically spending all my time stopping them so my computer doesn't overheat.  And this is the ONLY place Google tells me there's any discussion of this bug.  HELP!!

 

.Brian wrote:

Run a Threat Analysis Scan from the SymHelp tool:

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH215519

 


Mick2009 wrote:

Hi EMarkDDS,

Run a manual scan of your computer.  See if SEP detects this file and can delete it.  If not, please submit the file.  Feel free to post your tracking number here.

Additional advice:

Best Practices for Troubleshooting Viruses on a Network
http://www.symantec.com/docs/TECH122466

 

Hope this helps!

Mick


EMarkDDS wrote:

AVG free antivirus spotted about a dozen threats and contained them.  No sign of it in the Task Manager so far.

 

EMarkDDS wrote:

Mick-

 

Sorry, but I don't use Symantec AV.  This was the only Google hit I could find on this bug, so I thought I'd chime in and offer my observations.

Mick2009 wrote:

Ok, thanks for the response.

Try running the Threat Analysis Scan with this tool- you don't need to have SEP installed on the computer for this to work.

How to run the Threat Analysis Scan in Symantec Help (SymHelp)

http://www.symantec.com/docs/TECH215519

It should be able to identify suspicious files, and likely stop them.


dgenxryan wrote:

Thank you so much.

 

The TA scan worked and got rid of the virus/trojan.

So far it hasn't shown up, so hopefully that means it's gone for good.

 

Thanks again

Mick2009 wrote:

Good to hear! Many thanks for the post.


JoeE1954 wrote:

I've also got this from Masnesaft Visual Studie 2010. It is run through a program Keorugy.exe. I can't delete the file that is in my Roaming directory. It looks like it has gone into all my .jpeg files and encrypted them. Also added a ransom letter to unlock the files. Has also infected my USB memory drive.

I'm just assuming that it did that as I found it at the same time.

I've tried to stop the process, but it comes back in 5 seconds.

Windows Defender picked it up as a suspect file and I've sent it up to them but no response.

I've got backups of all my .jpeg files, so no problem.

ManiacMikey wrote:

I managed to slow it down so I could try to get rid of it by going to the application ciusinv that it had created and then denied all its permissions and made it run in compatibility mode for Windows 95. I'm running Symantec Help right now to try to get rid of it.

 

Diangel wrote:

I renamed the multiple files that this thing created (no easy task for reasons mentioned above). It takes away admin control so I switched administrator. Went to msconfig and chose Boot because it blocks function keys. Using Win 8 so I have to do the stupid sign in and it automatically signs me out. It blocks antivirus software. It's built to thwart all attempts. So much so that I registered on here to leave a comment.
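Taken together, the posts in this thread describe a consistent set of host indicators: randomly named executables (ytzef.exe, cypuife.exe, Keorugy.exe) running from the user's AppData\Roaming folder, a file description that claims "Masnesaft Visual Studio 2010" under a vendor that is not Microsoft, several copies at once burning CPU, and processes that reappear within seconds of being ended. The script below is an added example (not code from the thread, the posters, or Symantec) that turns those observations into triage logic over a process snapshot, and it also compares two snapshots to confirm the respawn behaviour David and JoeE1954 describe. The snapshots are constructed: PIDs, paths and CPU figures are made up, only the file names and the misspelt description come from the thread; the product-to-vendor table, the CPU threshold and the two-reason rule are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed process snapshot in the shape of `tasklist /v`-style data, reduced to the
# fields this triage needs. Only the file names and the misspelt description are from the thread.
SNAPSHOT = [
    {"pid": 1240, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "description": "Windows Explorer", "vendor": "Microsoft Corporation", "cpu": 1.0},
    {"pid": 2210, "name": "cypuife.exe", "path": r"C:\Users\david\AppData\Roaming\cypuife.exe",
     "description": "Masnesaft Visual Studio 2010", "vendor": "Masnesaft Corporation", "cpu": 98.0},
    {"pid": 2218, "name": "ytzef.exe", "path": r"C:\Users\david\AppData\Roaming\ytzef.exe",
     "description": "Masnesaft Visual Studio 2010", "vendor": "Masnesaft Corporation", "cpu": 41.5},
    {"pid": 2231, "name": "keorugy.exe", "path": r"C:\Users\david\AppData\Roaming\keorugy.exe",
     "description": "Masnesaft Visual Studio 2010", "vendor": "Masnesaft Corporation", "cpu": 37.0},
    {"pid": 3004, "name": "devenv.exe",
     "path": r"C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\devenv.exe",
     "description": "Microsoft Visual Studio 2010", "vendor": "Microsoft Corporation", "cpu": 3.2},
]

# Second constructed snapshot, taken after PID 2210 was ended in Task Manager:
# the same image is back under a new PID, which is the "keeps popping up" behaviour.
SNAPSHOT_AFTER_KILL = [p for p in SNAPSHOT if p["pid"] != 2210] + [
    {"pid": 2560, "name": "cypuife.exe", "path": r"C:\Users\david\AppData\Roaming\cypuife.exe",
     "description": "Masnesaft Visual Studio 2010", "vendor": "Masnesaft Corporation", "cpu": 95.0},
]

# Products whose legitimate vendor is known (illustrative table, an assumption of this example).
PRODUCT_VENDORS = {"visual studio": "microsoft corporation", "windows": "microsoft corporation"}
HIGH_CPU = 30.0


def in_roaming_profile(path: str) -> bool:
    """True when the image lives under a user's AppData\\Roaming tree rather than a program directory."""
    return re.search(r"\\appdata\\roaming\\", path.lower()) is not None


def vendor_impersonation(description: str, vendor: str):
    """Return the real owner when the description names a known product but the vendor is someone else."""
    desc, claimed = description.lower(), vendor.lower()
    for product, owner in PRODUCT_VENDORS.items():
        if product in desc and claimed != owner:
            return owner
    return None


def score_process(proc: dict) -> list:
    """Per-process reasons drawn from the indicators reported in the thread."""
    reasons = []
    if in_roaming_profile(proc["path"]):
        reasons.append("runs from AppData\\Roaming")
    owner = vendor_impersonation(proc["description"], proc["vendor"])
    if owner:
        reasons.append(f"claims a {owner} product under vendor '{proc['vendor']}'")
    if proc["cpu"] >= HIGH_CPU:
        reasons.append(f"{proc['cpu']:.0f}% CPU")
    return reasons


def triage(snapshot: list, min_reasons: int = 2) -> list:
    """Flag processes with at least min_reasons indicators; adds the 'many copies' signal."""
    by_desc = defaultdict(list)
    for p in snapshot:
        by_desc[p["description"].lower()].append(p)
    findings = []
    for p in snapshot:
        reasons = score_process(p)
        # Several differently named images in Roaming sharing one description is the
        # "dozen of them running" pattern EMarkDDS saw in Task Manager.
        siblings = {q["name"] for q in by_desc[p["description"].lower()] if in_roaming_profile(q["path"])}
        if len(siblings) > 1 and p["name"] in siblings:
            reasons.append(f"{len(siblings)} distinct image names share this description in Roaming")
        if len(reasons) >= min_reasons:
            findings.append({"pid": p["pid"], "name": p["name"], "reasons": reasons})
    return findings


def respawned(before: list, after: list, killed_pids: set) -> list:
    """Image paths whose PID was terminated yet reappear under a new PID in the next snapshot."""
    killed_paths = {p["path"].lower() for p in before if p["pid"] in killed_pids}
    alive = {p["path"].lower() for p in after if p["pid"] not in killed_pids}
    return sorted(killed_paths & alive)


if __name__ == "__main__":
    for f in triage(SNAPSHOT):
        print(f["pid"], f["name"], "; ".join(f["reasons"]))
    print("respawned:", respawned(SNAPSHOT, SNAPSHOT_AFTER_KILL, {2210}))
```

On the sample, the three Roaming executables are flagged with four reasons each, while explorer.exe and a genuine devenv.exe (Microsoft product, Microsoft vendor, Program Files path) produce none. The respawn check is deliberately based on image path rather than name or PID, because a name alone can be shared by unrelated programs and a PID is reassigned on every restart; a path that comes back under a fresh PID after being ended is the observation worth escalating with the file submission Mick describes earlier in the thread.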