tastyspleen::quake 2 community » Forum » Quake Related Topics » Trouble Shooting » Infected!!!
Topic: Infected!!! (Read 6572 times)

[BTF]Sigma (Phenomenally Prodigious Member, Posts: 3059)
Infected!!! « on: March 29, 2006, 07:43:15 AM »
Ok, so I get a McAfee pop-up the other day and it reports that I'm infected with the "Fakealert-b" trojan.
So I click the Delete key, no dice.
Quarantine? Uh-UH
I go to search for the file manually and it's not there, not even after attrib'n the directory it's said to be located in.
****ok so just as I'm typing this, it pops up again. To me it looks like the source of this virus is somewhere on my HD and keeps trying to activate in my "C:\WINDOWS\SYSTEM32\1024 or 1033" directory(s)

plastik (Guest)
Re: Infected!!! « Reply #1 on: March 29, 2006, 07:47:42 AM »
Best bet is to boot into a Linux or DOS OS, and then search the hard drive for the folders/files. Some files can't be deleted within Windows, and there are also ways of hiding them from visibility.

[BTF]adam (Brobdingnagian Member, Posts: 4047)
Re: Infected!!! « Reply #2 on: March 29, 2006, 08:52:55 AM »
A few antiviruses have specific tools for removing a specific virus, if you do some googling for that virus' name, you might find a tool that's just for that virus and its variants to remove it.
A few links:
http://vil.nai.com/vil/content/v_139058.htm - General info on the virus.
http://us.mcafee.com/virusInfo/default.asp?http://www.mcafee.com/anti-virus - Has a "tool box" feature, try and find a specific removal tool.
« Last Edit: March 29, 2006, 09:15:47 AM by [BTF]Ad^m »

plastik (Guest)
Re: Infected!!! « Reply #3 on: March 29, 2006, 10:50:14 AM »
yeah, sometimes they have tools to specifically remove them.

RRBM [NL] (Full Member, Posts: 123, "That's a Frag Folks!")
Re: Infected!!! « Reply #4 on: March 29, 2006, 12:08:02 PM »
Get the AVG Free virus scanner at http://free.grisoft.com

Mr._X (Guest)
Re: Infected!!! « Reply #5 on: March 29, 2006, 03:21:21 PM »
Sometimes you need a 3rd party process manager to work with the anti-virus. Because a virus is a program, it must occupy a process. Because of flaws in Windows Task Manager, it can be easily disabled by viruses giving a message ('this has been disabled by system administrator', even if you are) and sometimes no permission to end process as well. To combat this issue, as well because viruses are set to start at boot time so they exist for the amount of time they were designed for on your Windows system. The program 'security task manager' takes care of this easily, just run it and end process and send to quarantine. It will disable the process from starting at boot time. You may also have to send several other 'buddy' processes that work with the virus, as well to the quarantine. Virus protection only does one thing, detect viruses and delete them. It does not stop the viruses from recurring on boot time (buddy processes as I call them) and it does not stop the viruses from coming back on again (a software firewall will prevent them from coming back).

plastik (Guest)
Re: Infected!!! « Reply #6 on: March 29, 2006, 05:43:52 PM »
All that is necessary to remove any on boot virus is to remove all the boot strings from all the possible places, virus programs usually do this rather than delete the file, because usually it's bound with a critical Windows process. Reboot, then delete. Problem is if it has caused any damage that was intended yet or not. Most people see viruses as things that delete files, BUT most viruses today are just meant to spread and steal private information, along with being used as hubs for large zombie networks.

ReCycled (Carpal Tunnel Member, Posts: 1690)
Re: Infected!!! « Reply #7 on: March 29, 2006, 05:46:00 PM »
Viruses in Windows love to hide in the Registry and will load at startup. Then they can't be deleted because Windows says they're in use. Here's the location where most of them hide:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The programs in here (legit or otherwise) will run once Windows boots. Just highlight the 'suspicious' program and hit the delete key. This is essentially what McAfee/Norton etc. do when they start the cleansing process. If you're not sure which one to kill post a screenshot here. You may have more than one virus there.
"It is hard to make predictions, especially about the future." - Yogi Berra

[BTF]Sigma (Phenomenally Prodigious Member, Posts: 3059)
Re: Infected!!! « Reply #8 on: March 29, 2006, 10:54:41 PM »
S'ok guys....I dug up my old DOS disks and loaded up a booted shell off my (/me blows off the dust) 3.5 floppy drive. Found the files created this morning and nuked the shit outta them.
Traced the files modified by them and re-extracted them from the .CABs on my winDisk.
E-Flex like what!!!!
*post edit...... Thanks for the help and support guys!!!

Mr._X (Guest)
Re: Infected!!! « Reply #9 on: March 29, 2006, 11:00:25 PM »
Haha, you use windows.

[BTF]Sigma (Phenomenally Prodigious Member, Posts: 3059)
Re: Infected!!! « Reply #10 on: March 29, 2006, 11:20:57 PM »
And I use IE.
My balls are 100% Brass MFer!!!

[BTF]Sigma (Phenomenally Prodigious Member, Posts: 3059)
Re: Still Infected!!! « Reply #11 on: March 30, 2006, 10:09:05 PM »
So ..... uh..... yeah.
It's back.
Thought I nailed it by removing all the recent files but I guess it dug in.
From the McAfee site it shows that this version of the trojan was discovered 03.27.06. That's when I noticed it affecting me.
It creates 2 webpage links on my desktop to two sites that are basically the same: hxxp://securitylist.net/ and hxxp://testsecurityonline.com/. Both of these sites are just to sell some shit (_)_) tool.
« Last Edit: March 31, 2006, 07:06:03 AM by Sigma »

PANTONE 7717C (Swanky Member, Posts: 565)
Re: Infected!!! « Reply #12 on: March 31, 2006, 03:30:20 AM »
Hmm... this fakealert-b rings a bell (it's nasty spyware and associated with the SmitFraud trojan) but I don't remember exactly how I got rid of it. But.. since the purpose of those fakealert trojans is to make you go to their websites and download/buy their spyware removal tools, you're only helping the bastards by posting those links here! Please remove 'em or edit the url.
Some suggestions, if you haven't already:
- run the latest SpybotS&D and scan the PC in Safe Mode. http://www.safer-networking.org/
- check to see if any of the files are write-protected
- delete cookies and other temp internet stuff
Spyware Warrior Rogue list:
http://www.spywarewarrior.com/rogue_anti-spyware.htm#bogus_pages
http://www.spywarewarrior.com/rogue_anti-spyware.htm
From spywarewarrior:
hxxp://securitylist.net -- The software listed here are Rogue anti spyware applications! They are associated with the SmitFraud Trojan and are all considered malware.
hxxp://testsecurityonline.com -- The software listed here are also Rogue anti spyware applications! You and everyone else don't want any of them!
Also if at any time you suspect there's some weird process running in the background, go look it up in the tasklist overview page on this site, it might be listed and tell you what it is and what it's doing.
GL
(edit: not trying to talk you into anything but this might be a good time to try installing FireFox, by default you can still use IE after you install a new browser but as described somewhere on that spywarewarrior site it's best to 'lock down' IE as much as possible by tightening IE's Privacy & Security settings.)
« Last Edit: March 31, 2006, 04:04:06 AM by Panjoo »

ReCycled (Carpal Tunnel Member, Posts: 1690)
Re: Infected!!! « Reply #13 on: March 31, 2006, 09:23:10 AM »
OK - first question - Is C:\Program Files\Java a legitimate file folder with a known program that you use (i.e. SunJavaUpdate)? Check the program icons in there also - are they square DOS icons or do they have a pic? If it isn't, it may be a candidate for deletion.
The others look legit (Nero/iTunes/McAfee). Occasionally a virus will actually hide in the McAfee directory and disable the exec in the autoexec directory. I don't have McAfee so I don't know their programs. Here are other typical places I've found viruses in:
C:\Windows
C:\Windows\System
C:\Windows\System32
C:\Windows\Temp
C:\Program Files
C:\
Go to these places in Explorer and click on the Date Modified tab at the top so they are in order by most recent date. Is there an .exe program that has a date that is very recent (like March/2006)? If so, is it something you know you just installed? If it isn't then some other process installed it without you knowing it. Write down the name of it (e.g. BAPXHAH.exe). After deleting it go to the Registry and do a search on this file name and delete every entry you see. Reboot and check if all is well. If the file you deleted turns out to be something you needed it's still in the Recycle Bin.
Also check your autoexec/config.sys/win.ini/system.ini for similar file changes that match the above.
I've done this process many times over the years and have gotten so good at it I don't use an antivirus program. I do run a Spyware program occasionally.
Good Luck
"It is hard to make predictions, especially about the future." - Yogi Berra
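
Added example, not part of any post in this thread: a read-only PowerShell triage of the Run key named in Reply #7 and the folders listed in Reply #13. The HKCU and RunOnce keys, the 7-day window and the helper name Get-CommandTarget are assumptions of this example.

```powershell
# Added example: read-only triage, nothing is deleted or changed.
# Assumptions: the HKCU and RunOnce keys, the 7-day window, the name Get-CommandTarget.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$dirs = 'C:\Windows', 'C:\Windows\System', 'C:\Windows\System32',
        'C:\Windows\Temp', 'C:\Program Files', 'C:\'
$cutoff = (Get-Date).AddDays(-7)

function Get-CommandTarget([string]$Command) {
    # A Run value is a command line: take the quoted path, else text up to the first extension.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|scr|bat|cmd|dll))(\s|,|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

# 1. Every value under the autorun keys, with the state of the file it launches.
#    Bare file names without a path are not resolved and show Exists = False.
$autoruns = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-CommandTarget $command
        $file    = if ($target) { Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            Key       = $key
            Name      = $name
            Command   = $command
            Exists    = [bool]$file
            Modified  = if ($file) { $file.LastWriteTime }
            Recent    = [bool]($file -and $file.LastWriteTime -ge $cutoff)
            Signature = if ($file) { (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status }
        }
    }
}
$autoruns | Sort-Object Modified -Descending | Format-List

# 2. Executables created or modified recently in the listed folders (top level only).
#    -Force includes hidden and system files, which Explorer does not show by default.
$recent = foreach ($dir in $dirs) {
    Get-ChildItem -LiteralPath $dir -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff -or $_.CreationTime -ge $cutoff }
}
$recent | Sort-Object LastWriteTime -Descending |
    Format-Table FullName, CreationTime, LastWriteTime, Length -AutoSize
```

Entries that are Recent, lack a valid signature, or point at a missing file are the ones to look up before changing anything in the registry.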

plastik (Guest)
Re: Infected!!! « Reply #14 on: March 31, 2006, 02:06:23 PM »
I don't see anything wrong with that java directory...BUT I have seen java viruses that are in .cab files, they usually hide themselves in the users folders, and java unknowingly executes these files, so it runs as a part of java rather than a separate process. All of those startup links look fine to me, none suspicious.