Parents and viruses...
MaxKnight
Posted on 09-21-08 03:12:30 AM
Gee, promising thread title, if you ask me. Anyways...

Trojan.Fakeavalert, it is. My dad thinks he may have agreed to install this "XP Antivirus 2008", which Norton identifies as the aforementioned trojan. It's a sneaky bastard, too. Symantec's web site has detailed instructions to remove the trojan, but many of the names are different to what installed onto this PC. It's obfuscating itself by using random letters and numbers in its name. It also added itself to Norton's exception log for scanning and whatnot. It even disabled the Taskmanager so that I couldn't identify it by the running processes!

I've gone around changing and deleting registry entries that needed changing, though I'm sure I didn't get them all. I've also removed the blasted program from the scan exception list, and am performing ANOTHER scan of the system. Maybe this time it'll detect it and remove it. If all else fails, I'll re-enable the Taskmanager (I didn't do it yet, as I'm not sure if enabling it will give the stupid program access to it), and remove it from memory, then systematically delete everything it installed (which it installed last Friday/Saturday). It's funny, though, as it actually has a file for un-installing, but trying to use it just causes MSVC2005 to open up a new exception log thing, since it's not a valid un-installer.

But anyways, does anybody else have any suggestions for this particular problem? I think I've found all the necessary components for complete removal, but there may always be something I missed...

____________________
Darkdata
Posted on 09-21-08 03:25:46 AM
Backup and reformat.

AntivirusXP is a total bitch to uninstall.

Really, this thing is insane.

____________________
Xkeeper

Posted on 09-21-08 03:26:58 AM
I would recommend doing file deletions outside of the system, e.g. with a bootcd or NTFSDOS or something similar. Always do your scanning and such in Safe Mode as well, and HijackThis can be useful to determine if it's hiding anywhere else.

Hopefully what you try works -- if not, just bring it up again and hopefully we can offer more help.

____________________


Raspberry
Posted on 09-21-08 03:37:00 AM
 
My parents had this on their system just the other week, and they had to reformat. HijackThis found some stuff, but it came back even after deleting everything suspicious.

____________________
~Ninetales
"So, you guys get it? This show's all about evil overlords and extreme violence!"
~ Etna, Disgaea anime trailer

Rachel Mae

Posted on 09-21-08 04:00:27 AM
Oh, hell. This sounds like the same thing Xk and I attempted* to clean up on an acquaintance's computer. Nasty piece of work.

* we ended up reformatting and reinstalling Windows -_-

____________________

Darkdata
Posted on 09-21-08 04:04:17 AM
Originally posted by BMF54123
Oh, hell. This sounds like the same thing Xk and I attempted* to clean up on an acquaintance's computer. Nasty piece of work.

* we ended up reformatting and reinstalling Windows -_-


It really is, my friend had it on his computer.

The thing is still being worked on apparently, as this version was setting the background, and locking down parts of the system not mentioned in the guides. (And had randomly named processstrings, Joy.)

He had to do a reformat/reinstall.

____________________
MaxKnight
Posted on 09-21-08 04:09:46 AM (last edited by MaxKnight at 09-21-08 01:36 AM)
Yes, it seems sufficiently nasty...

But I will not give up yet. It seems that this particular piece of crapware has definitely evolved over time, since its naming scheme has changed enough to make it unrecognizable... Thing is, I see it for what it really is. If I can stop the thing from starting up upon Windows startup, I may be able to actually clean the thing out.

What's more annoying than the malware, though, is Norton constantly bringing up a notification in the corner about blocking the trojan and saying the computer is secure. I may have to temporarily disable Norton before trying to continue my efforts.

Oh well, wish me luck. It's time to see if that last scan finished...

EDIT: False alarm, people. I apparently got the retarded version of it, as it had no precautions other than disabling Taskmanager to stop me from removing it from memory. Since most people wouldn't know how to re-enable it, it's actually pretty smart in that regard. Heck, it even disabled the actual Windows Security Center and changed the Desktop Background. After removing it from memory, I deleted the two folders in question that formed the trojan (garbled letters and numbers: one in Program Files and one in Application Data within the Documents and Settings folder), and restarted the computer. It didn't load automatically, the Add/Remove programs window couldn't find anything about it to remove, so I took it out of that interface, and started up the Security Center Service (Administrative Tools is quite useful, yes?). I even changed the background back to normal. Everything should be normal from here on out. If it happens again, I think I might even be able to walk my dad or mom through the steps necessary to remove it!

Anyways, thanks for the concern, everybody. It turned out okay.

____________________
Rachel Mae

Posted on 09-21-08 04:48:16 AM
Originally posted by MaxKnight
If I can stop the thing from starting up upon windows startup, I may be able to actually clean the thing out.
Good luck with that. Even if you do remove all traces of the actual malware from the system, there's no guarantee the system will ever work 100% properly again. The particular one Xk and I dealt with changed a very large number of system settings, in order to disable things like Task Manager and Command Prompt, and installed various hooks all over the system to make sure you couldn't get rid of it. Of course, the program made absolutely no record of said changes, and the system was left in a very broken state, broken enough that even a repair install from the CD failed.

I don't mean to be such a downer, I just want to make sure you realize how big of a turd these things drop on XP, so you're not wondering several days or weeks down the line why something still isn't working right.

____________________

Joe
Posted on 09-21-08 05:29:01 AM
Put the hard disk in a machine that works and has a virus scanner.

It would be a good opportunity to make a backup, too.

____________________
モノ江
Monoe
Hiryuu

Posted on 09-21-08 04:04:41 PM
Actually...I'm pretty DAMN sure I removed a similar version of this off a computer at the office not too long ago. The main reason I was given was 'they used P2P software during office hours' which translates to they were downloading MP3s and watching/surfing pr0n since it's guys here...

You want to talk fun shit to remove...I'm surprised I did it within 2 hours.

____________________
MaxKnight
Posted on 09-21-08 06:29:42 PM
The only reason it took me longer is because I was sure it was Adware, and wanted to scan the computer using Ad-Aware 2008 before doing anything else. I then wound up scanning it with Norton Antivirus (twice) before just saying "screw it" and removing it the easy way. It was a really lame attempt to stop me from accessing Task Manager, since it took me no effort to re-enable it (I was already in RegEdit, and finding the key to disable/enable Task Manager was pretty much cake). I'm kind of surprised it didn't have a way to re-load the program should it be removed from memory, but then again, it probably didn't think anybody would be able to do that, what with Task Manager disabled.

Altogether, a very lame virus. I give it a 2/10.

____________________
neotransotaku
Posted on 09-22-08 11:28:55 PM
I got something similar to that, except I was smart enough not to accept the virus scan. Adware and several other programs claimed they got rid of it, only for me to restart my computer and have it return. After finding more information about the virus, I dug into regedit and found the malware installs itself at startup. Once I removed the startup entry, and manually removed the bad programs, my computer went back to normal. I heard variants of some viruses come with an SMTP server and spam the world using your computer and internet connection.
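
Added example, not part of any post in this thread: a small triage script for the three changes the posters found by hand in RegEdit (Task Manager disabled, a startup entry pointing at a randomly named folder, Security Center turned off), run against a registry export so it can be done from a clean machine. The sample export is constructed, the "random folder name" pattern is an assumed heuristic, and the value names `DisableTaskMgr`, the `Run`/`RunOnce` keys and the `wscsvc` service `Start` value are the standard Windows names, which the thread itself does not spell out.

```python
import re

# Constructed sample in regedit export (.reg) format; names and paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"rhc7x2j0e9"="\"C:\\Program Files\\rhc7x2j0e9\\rhc7x2j0e9.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
'''

SECTION = re.compile(r'^\[(.+)\]$')
VALUE = re.compile(r'^"([^"]+)"=(.*)$')
RUN_KEYS = (r'\currentversion\run', r'\currentversion\runonce')
# Assumed heuristic: a folder directly under Program Files or Application Data
# whose name mixes letters and digits with no spaces, as the thread describes.
RANDOM_DIR = re.compile(r'\\(?:Program Files|Application Data)\\'
                        r'(?=[^\\ ]*[A-Za-z])(?=[^\\ ]*\d)[^\\ ]{6,}\\', re.I)

def parse_reg(text):
    """Yield (key, value name, data) for dword and string values in an export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if (m := SECTION.match(line)):
            key = m.group(1)
        elif key and (m := VALUE.match(line)):
            name, raw = m.groups()
            if raw.startswith('dword:'):
                yield key, name, int(raw[6:], 16)
            elif raw.startswith('"'):  # drop outer quotes, undo backslash escapes
                yield key, name, re.sub(r'\\(.)', r'\1', raw[1:-1])

def triage(text):
    """Return (finding, detail) pairs for the changes described in the thread."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        if k.endswith(r'\policies\system') and n == 'disabletaskmgr' and data == 1:
            findings.append(('task-manager-disabled', key))
        elif k.endswith(r'\services\wscsvc') and n == 'start' and data == 4:
            findings.append(('security-center-service-disabled', key))
        elif k.endswith(RUN_KEYS) and isinstance(data, str) and RANDOM_DIR.search(data):
            findings.append(('suspicious-autorun', data))
    return findings
```

Real regedit exports are UTF-16 encoded, so read the file with `encoding='utf-16'` before passing its text to `triage`.
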
Hiryuu

Posted on 10-20-08 06:03:45 PM
HAY GUYS

GUESS WHAT

____________________
Xkeeper

Posted on 10-20-08 06:16:32 PM
Hope you can do a reinstall cuz you're boned.

____________________


Hiryuu

Posted on 10-20-08 09:27:08 PM
Naw we fixed it. :\

____________________
Teconmoon
Posted on 10-21-08 01:26:11 AM
My parents' idea of a virus is AVG saying that it's starting a scheduled scan...

YEA

____________________
This is my signature.
CarCat

Posted on 10-21-08 02:38:30 AM (last edited by CarCat at 10-24-08 06:37 PM)




Originally posted by TeKitty
My parents' idea of a virus is AVG saying that it's starting a scheduled scan...

YEA



My grandma thinks Microsoft Word is Windows.

Ignorance is not really a healthy thing to have over the Internet. But luckily I'm here, so she doesn't give the computer e-cancer.

____________________
~CaR-CaT


MaxKnight
Posted on 10-24-08 05:55:47 PM
What, Hiryuu got hit by this one? Like I said, it's easier to clean than most people on the internet claim.

And it seems he fixed it anyways, so everything's fine.

____________________
Hiryuu

Posted on 10-25-08 02:42:34 AM
Originally posted by MaxKnight
What, Hiryuu got hit by this one?...


Not quite.

Worker at the office got nailed by this...on work comps.

Dunno what ghey pr0n he was downloading. He claims it was farm animals.


____________________