X Freaks Forum

[False alarm] WORM ALERT: If you opened the Masaya PDF you may have worms


MiscastDice
EDIT: Avast is the bomb in dealing with this shit.

Copied from a message to my friend:

The actual shit is called Win32:Jifas and JS:Redirector-BN
Avast finally found it and killed it
You have to scan on boot
because if you don't, it starts up and disables your antivirus/anti-malware
Then hides behind all its spawn files, those fucked up DLLs


So, in the hours after I opened the Masaya PDF, I noticed some weird shit happening to my computer. It was slower, I had problems loading my e-mail for some reason..... and then last night I started getting a barrage of popups for no reason. I hit Task Manager to see what the fuck was going on.... and Adobe Reader was running even though I'd shut it down earlier. Not only running, but eating 700mb of memory. I shut it down, the IE popups stopped.... and I forgot it until today.

Randomly, when I'd do a google search, I had search pages that were unrelated pop up when I clicked on a link. On the advice of a friend..... I downloaded an anti-malware program (I chose Malwarebytes' Anti-Malware 1.44) and spent an hour and a half running it....

The results

Memory Modules Infected:
c:\Documents and Settings\All Users\Application Data\pabewisa\pabewisa.dll (Malware.Packer.Gen) ->
Files Infected:
c:\Documents and Settings\All Users\Application Data\pabewisa\pabewisa.dll (Malware.Packer.Gen) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\garayudi\garayudi.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\mijepubi\mijepubi.dll.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\nevoputo\nevoputo.dll.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\rilalelu\rilalelu.dll.tmp (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\welumiva\welumiva.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\zorihali\zorihali.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0045532.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0045534.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP363\A0045533.dll (Malware.Packer.Gen) -> Quarantined and deleted successfully.

While I'm not *entirely* sure I got this nasty little fucker from the Masaya PDF, it's definitely suspect: I hadn't downloaded/opened anything else suspicious (some jrock files from valid, safe sources, ordinary internet browsing -and I avoid virusy pr0n sites like the plague they are, I'd rather have my prawnz in written form anyway-) so yeah... I think this PDF is suspicious.

Edit: THIS IS FUCKING NASTY SHIT. Somehow, it restored itself, my anti-malware scanner isn't finding it now, and it's giving me popups again. /RAAAAGGGGEEE
« Last Edit: January 29, 2010, 12:47:37 PM by Hypno »



Ann1958
Reply #1 on: January 29, 2010, 08:32:37 AM
I opened the Masaya pdf without troubles on my pc.
Probably your pc wasn't protected with an antivirus program.
If that pdf had been malicious, my antivirus program would have signaled it.

Don't misunderstand me, I hate Masaya, but his disgusting pdf wasn't infected with malware.

If you have no antivirus program, try the antivirus 'Avast'; it is free and a good antivirus.



MiscastDice
Reply #2 on: January 29, 2010, 08:38:18 AM
Quote from: Ann1958
> I opened the Masaya pdf without troubles on my pc.
> Probably your pc wasn't protected with an antivirus program.
> If that pdf had been malicious, my antivirus program would have signaled it.
>
> Don't misunderstand me, I hate Masaya, but his disgusting pdf wasn't infected with malware.
>
> If you have no antivirus program, try the antivirus 'Avast'; it is free and a good antivirus.

I've got TrendMicro and now MalwareBytes. MalwareBytes found the shit the first scan, deleted it, but it's reinstalled. I'm not sure if it was the Masaya document, but seeing as it seems to have started only after that I'd say it should be regarded with some suspicion. I could be wrong though.....



Ann1958
Reply #3 on: January 29, 2010, 08:49:02 AM
Well, I don't know, I just can say that I have no problems with my pc.
I opened the pdf as soon as I knew about it, that must be 2 or 3 days ago.
Maybe your antivirus wasn't up to date? I don't know.
Hope you can fix the problems on your pc.



Maverick
Reply #4 on: January 29, 2010, 09:27:04 AM
Haven't any problems either. And I also scanned my system after your advice, MD.
Besides, Masaya really has no reason to do so, as it was an information file to defend himself against the accusations.

However, maybe you should try a free online scan - I think McAfee and Panda offer that... couldn't find an English site right now, though.
Years ago I had a problem with some trojan, and it took me ages to ditch it again, but I found a program that watches running programs (also many that don't show up in the task manager). That was helping me to find all infected files, actually. Maybe you might try it:
http://www.winpatrol.com/ (there's also a free version available)

Everywhere there flows...... BLUE BLOOD!!



mC
Reply #5 on: January 29, 2010, 09:37:56 AM
Hm, no problems from my PC either!



MiscastDice
Reply #6 on: January 29, 2010, 11:46:48 AM
Avast free finally found it and killed it.

I'll copy what I told my friend:

The actual shit is called Win32:Jifas and JS:Redirector-BN
Avast finally found it and killed it
You have to scan on boot
because if you don't, it starts up and disables your antivirus/anti-malware
Then hides behind all its spawn files, those fucked up DLLs

*edits into the OP*



Ann1958
Reply #7 on: January 29, 2010, 12:21:15 PM
I am happy you could fix the problem  :)
I don't want to advertise, but years ago I had a very pricey antivirus on my pc, and got viruses anyway.
Now, for 5 years I have had a free antivirus on my pc and have never had problems since then.



Sander (Administrator)
Reply #8 on: January 29, 2010, 12:47:22 PM
No problems here either, looks like a false alarm...

This is my administrator color.


ElefeX
I have just had to hand in my laptop to a local computer repair shop because of a virus/worm thing I got from something within the last few days. I did open the PDF so maybe? I am not blaming it at the moment as it could have been something else, but it's a weird coincidence as I have never had a problem like this before and I use the internet a lot. The guy in the shop said there were lots of problems with this virus thing from Facebook but I don't use that so it couldn't have been that. I had been blaming my friend who sent me a joke picture email but no-one else seems to have been affected if it was that - just lucky old me!!!

I run McAfee at all times and it didn't detect it, even when I ran a scan after I knew I had it. It manifested itself as Vista antivirus pro 2010 or something like that and pretty much acted as if it was an antivirus and said legitimate files were problems, also lots of pop ups talking about security issues and that I had surveillance bots etc on the computer and to register and pay so much to fix it.

I am pretty useless with technology so have handed it in to a shop to get fixed, as at least then I will know it's properly away! Sucks though, hopefully it will not be too expensive!



MiscastDice
It's baaack. Fucker hides out in System Volume Information and restores itself.



demonbefriender
Yep, I don't think it was the pdf because my computer is totally fine.

Hope you get it off your system soon, MiscastDice. Seems like a tricky son of a bitch. :(


GARBAGE DAY!


Ann1958
To MiscastDice: Are your pc problems solved now?



MiscastDice
Yeah. Though a friend of mine got the same worm. It seems to be going around lately o.O



Maverick
win32 is familiar to me... I had that as well, some years ago

Everywhere there flows...... BLUE BLOOD!!



MiscastDice
Yeah, win32's have been going around for a while but jifas seems to be pretty new.



ElefeX
Just got my laptop back. The virus had corrupted everything so I had to totally wipe it! It sucks, but luckily a few months ago I backed up most of my important stuff so it could have been a lot worse, but it's still annoying as hell to have got the stupid virus in the first place. The guy in the shop couldn't find a specific point where the virus had got in; he reckons it has been a link or something I clicked on: probably not the Masaya pdf though, if no-one else apart from MiscastDice has had any problems.

Anyway, it is a pretty nasty virus, so be careful what you click on out there!!