RANT

Yamaha FJR Motorcycle Forum

A couple days ago my computer goes nuts running an antivirus program I didn't know I had. Well, it was a trojan: FakeAV

Nothing is working. :angry2: :glare:

I'm working a lot of overtime so I leave it until this am. I run my antivirus software and get rid of it :clapping:

All looks good, but no internet connection! :blink: I try restore points and they won't run.... grrr

I end up having to call tech support to get my internet connection settings wiped out and restored.

3 hours wasted. The worst part was having no email or FJRforum fix for a couple days. :(

End of rant.

Come to think of it... I did notice something amiss :huh:

It was your special brand of love..

Glad yer back, eww was missed.

:jester:

 
A pox on all computer viruses? Is that an oxymoron? We probably have some pox experts on this forum who could tell you more than you wanted to know. Sorry to hear you got infected.

What kind of people come up with these Trojans? and why? What is their gain?

 
What kind of people come up with these Trojans? and why? What is their gain?
This does NOT apply to the OP, but there's a number of people in this world walking the streets, among us, that could be your friends or neighbors...or family that:

  • dumb enough to reply to SPAM e-mail and buy that viagra for sale, low mortgage rates, or that they're going to get rich quick if they help out the person in Nigeria
  • dumb enough to want to help their bank security by entering their password or SSN when an e-mail comes to them saying they lost their password
  • think that 90 day subscription to antivirus is good for the life of their computer and never renew it

but often the stuff that's taking over computers is to zombify them and then send out e-mails to the other saps above in a vicious circle of irony, attack other computer defenses (like banks, other corporations and government agencies), as well as monitor the user putting in a password to something and try and steal their identity. I believe that internet crime proceeds exceed the old style of robbery and white collar crime these days and on the order of billions of dollars.

Viruses and botnets are big business these days by some very bad folks usually living in countries that end in -stan, as well as other emerging countries, and even the good ol' USA.

What would be nice is we could somehow tag these people with little flags and beat the crap out of them as we see them on the street.

 
Recently went through a cleansing operation on my wifey's PC. Kidlets get to use her box to surf kiddie sites (danger Will Robinson) and guess what? It was infected and basically useless for about 3 weeks as I tried several different methods to get it back. Nothing was working...it was a very sophisticated trojan that was DL'd (basically it did away with all the tools on the computer you would use to fix it with and did it in the registry...pretty neat actually) and I was staring reloading the OS in the face. Now I'd rather have a root canal w/o anesthetic if the truth be told. But I lucked out...as I was contemplating giving the PC its last rites, I stumbled on these guys.

Bookmark this site 'cause they really ARE some white knights of the IT world. They have a set of odd rules that must be followed and they use a pretty capable freeware tool to diagnose, but once you get someone to assist you, they'll carry you all the way to the goal line. Quite a group and free to boot. PC is running like a top today and the kiddies are banned. :p

Cheers,

W2

 
PC is running like a top today and the kiddies are banned. :p
Cheers,

W2
Well done. How did you manage to ban the kidlets? We suspected that computer games were being played more than homework was being done, while I was working Summer School. (This was before they invented the 'net). Dad put the games onto password protect. The homework got done but weeks later, when Dad went to play his games, all the top scorers in the game were named after versions of the password. Sneaky huh?

 
On a modern OS like XP or Windows 7 you can reduce the likelihood of infection via installation of software by making separate accounts on the computer. Kidlets get the "Guest" account, or make sure "Administrator" is not checkmarked. It's a part of the "white list" concept that reduces the chance of "zero day" icky stuff that antivirus increasingly misses.

Or separate computer and if it gets infected...reimage the sucker and junior will eventually learn that a crapped up computer is from surfing sketchy places. I read recently in some security stuff that ring tone sites at the end of Google searches are a haven of malware. Again, those targeting are smart crooks.

 
PC is running like a top today and the kiddies are banned. :p
Cheers,

W2
Well done. How did you manage to ban the kidlets?
Basically did what Iggy suggests above. The youngest had been provided a limited access account on mom's machine, but she didn't like the limits all that much. Mom's account has many more privileges and can go places hers can't, so when mom stepped away Katie could and would use mom's account to go surfing to places where malware was lurking. The account had click-through protections whenever anything related to the system was going to be changed, but Katie didn't suspect that was her clue to stop (I'm surmising here...Katie doesn't remember when or where this would have occurred). Anyway, now that this computer is fixed, all our PW's have been changed and Katie is back to her own account on a different computer...one that if it gets infected, I'll just teach them how to re-image it.

Cheers,

W2

 
The best tool for virus/malware removal (on a windows PC) is 'System Restore' located in Start-->All Programs-->Accessories-->System Tools-->System Restore. This will restore the Windows Registry to a specific date without deleting files, emails, etc...

Most malware is dead without the appropriate Windows registry entries...

Trust me on this one ... having a small IT company, we have used this tool hundreds of times...

After the restore, simply run your antivirus to remove any files left behind by the virus...

Scott

 
Trust me on this one ... having a small IT company, we have used this tool hundreds of times...
And sometimes the malware cripples that particular process--especially the zero day exploits that get embedded before AV companies build and distribute a signature file. Trust me on this one.....working at another IT company, we use this tool occasionally but know there are increasing malware threats that counter it.

Great when it works, but best to avoid the cooties to begin with. ;)

 
Trust me on this one ... having a small IT company, we have used this tool hundreds of times...
And sometimes the malware cripples that particular process--especially the zero day exploits that get embedded before AV companies build and distribute a signature file. Trust me on this one.....working at another IT company, we use this tool occasionally but know there are increasing malware threats that counter it.

Great when it works, but best to avoid the cooties to begin with. ;)
Totally agree... we've generally found that the ones that are good enough to disable this process, remove rights to edit registry, disable display option components, etc.. are usually best resolved with a backup, wipe, reinstall... not in every case, but generally

 
Um, a little late to the party, but the loss of Internet connection is the result of the FakeAV app setting up a proxy in your Internet browsers, pointing to itself on your own PC. Since it wasn't running, all that would have been needed is to remove the proxy setup in the browser.

However, the FakeAV installs a rootkit, which will eventually reinstall the fakeAV app. Unless your real AV is good at rootkits, it would have come back.

Combofix kills it, though. You still have to manually remove the fake proxy settings in your browser, but it's killed.

As for how it got there in the first place, its installer comes most often from a malformed web page or an ad, which may not even present itself on the screen. What it does do, however, is take anything you do and intercept it, passing it to Windows as permission to install. That's why your real antivirus has no clue about it when it first appears. It goes to the OS as an app with full permissions to be installed.

Once installed, it intercepts anything you try to do and claims it's infected and you have to activate your scanner. Of course, there's the fraud. "Activating" does nothing but temporarily turn off the fake and let you have the computer back. Only costs you 50 bucks!

Its only weakness is that it takes a while to start once you log on to your desktop. You can use CTRL-ALT-DEL while the desktop is starting up and go ahead and start the Task Manager, Regedit, Internet Explorer, and a Windows Explorer window, none of which it will allow once it's running. It won't kill them once they're up, though, they work just fine. You can find the process in Task Manager and kill it, and you regain control of your PC, and since IE is open, you can go get Combofix and run it. Once Combofix has completed, which takes a while, your PC is back, as it was, with nothing missing except the rootkit which would re-install the thing.

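The "no internet after cleanup" symptom described above can be checked for directly. This is an added example, not code from the thread: it reads the per-user WinINET (Internet Explorer) proxy settings from the registry, flags any proxy or PAC URL that points back at the local machine, and with -Fix clears them. The registry path and value names are the standard ones; the loopback test is this example's own heuristic.

```powershell
param([switch]$Fix)   # default is report-only; -Fix clears the proxy settings

# Per-user WinINET proxy settings (standard location on XP/7).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-LoopbackHost {
    param([string]$Target)
    # Accepts "host:port", "scheme://host:port/path" etc.; keeps only the host.
    $h = $Target -replace '^[a-z]+://', ''      # drop scheme
    $h = ($h -split '/')[0]                     # drop any path (PAC URLs)
    $h = $h -replace ':\d+$', ''                # drop port
    return (@('localhost', '::1', '[::1]') -contains $h) -or ($h -like '127.*')
}

function Get-SuspiciousProxyEntries {
    param([string]$ProxyServer)
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;...".
    $entries = @()
    foreach ($part in ($ProxyServer -split ';')) {
        if (-not $part.Trim()) { continue }
        $scheme, $target = $part -split '=', 2
        if (-not $target) { $target = $scheme; $scheme = 'all' }
        if (Test-LoopbackHost $target) {
            $entries += [pscustomobject]@{ Setting = "ProxyServer ($scheme)"; Target = $target }
        }
    }
    return $entries
}

$s = Get-ItemProperty -Path $key
$suspicious = @()
if ($s.ProxyEnable -eq 1 -and $s.ProxyServer) {
    $suspicious += Get-SuspiciousProxyEntries $s.ProxyServer
}
if ($s.AutoConfigURL -and (Test-LoopbackHost $s.AutoConfigURL)) {
    $suspicious += [pscustomobject]@{ Setting = 'AutoConfigURL'; Target = $s.AutoConfigURL }
}

if ($suspicious.Count -eq 0) { 'No loopback proxy configured for this user.'; return }
'Proxy settings pointing at this machine (typical FakeAV leftover):'
$suspicious | Format-Table -AutoSize
if ($Fix) {
    Set-ItemProperty    -Path $key -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $key -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
    'Proxy settings cleared; restart the browser.'
}
```

Run it in each user account that lost connectivity, since the setting is per user; browsers with their own proxy configuration (Firefox, for instance) are not covered by this key.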
 
Oh OK... :dribble:

 