Topic: WIZ- fake virus alert?
Bent Romnes (London, Ontario, Canada), posted 21 Nov 2010 6:17 am
Wiz, when I started the PC this morning, I was greeted with a window from "Microsoft Security Essentials alert" that told me I had an "UnknownWIN32/Trojan".
They recommended Remove. As I had not heard about this alert from Microsoft, I tried to close the window, which it would not let me do.
So I ran SB S&D. It wouldn't let me update; I ran the scan anyway after I immunized. Immunization showed 0 items to immunize.
The scan showed 0 infections.
Next I ran MBAM. It found 3 infections, one of which I remember was called C:\Doc & Settings\owner\Appl. Data\hotfix.exe (Trojan.FakeAlert). These 3 files were quarantined and deleted successfully.

Just wanted to ask if I did this correctly and that I can be sure that all infections were removed?

Thanks for your help Wiz

PS, if I'd used my eyes before writing this I would have seen that Randy Reeves' problem and mine were identical.
_________________
BenRom Pedal Steel Guitars
https://www.facebook.com/groups/212050572323614/

Wiz Feinberg (Mid-Michigan, USA), posted 21 Nov 2010 9:56 am
Bent;
You did the right things to remove this fake alert infection.

Just to be safe, update MBAM and your anti-virus and scan again with both. Run MBAM first, as it finishes faster.

After you are sure that all remnants of hotfix.exe are gone, close the vulnerabilities that allowed it to enter your PC in the first place. One good place to start, which is admittedly in my own financial interest to tell you, is to purchase a license for MBAM, which activates its real time protection and automatic updating features. If this is something you are willing to do, please use one of the links on my Malwarebytes' Anti-Malware web page. It contains instructions for applying the registration code. The Protection tab and Updating tab allow you to turn on the real time items. This should prevent the same, or similar fake security programs from getting installed at all.

Next, go to Secunia and run the online software inspector scan. It will tell you if you have insecure browser-related programs that are exploitable from the Internet. The results will also provide download links to get the current versions of any exploitable software on your PC.

The most common mode of exploitation in the past year has been the Java Virtual Machine. Second, the Adobe Reader and Acrobat. Next, Adobe Flash Player. Unpatched Windows components are frequently exploited. This can be thwarted by setting Automatic Windows Updates to full automatic. Ditto for Adobe Reader and Java.

One note about the Java updater. You access the control box via Control Panel > Java. Click the Updates tab and set it to check Daily and apply. Then check manually, using the Update button. Keeping Java updated closes Door Number 1.

Set Adobe Reader or Acrobat to automatic updating also. Open Reader, go to Edit, Preferences, Updater. Set the option to automatically download and install updates. Save and exit.

A huge number of drive-by infections exploit ActiveX controls in Internet Explorer (I call it "Exploder"). If you have been using Internet Exploder as your default browser, STOP doing so and install a different browser. I recommend getting Firefox. It can import your IE "Favorites", which become Bookmarks, and your Cookies and logins. Set it as your default browser. Tell IE to Not Ask again about Not being the default browser.

If you use Firefox as your default browser, install the NoScript Add-on and learn to use it. It will save your ass if you stumble across a legitimate website that has been compromised with hostile JavaScript or iframe redirection codes, or clickjacking tricks.

Finally, depending on your operating system, change your daily browsing account type to one with less than administrator privileges. For Windows XP Home, that would be a "Limited User" account. If that was your only account, first create another user account with "Computer Administrator" privileges. Only use that account for Windows Updates, installing and uninstalling security programs, System Restore, Disk Error Checking, De-fragmenting, and driver installations and updates. Do everything else from the Limited account. Use Run As to elevate to Administrator privileges when needed, to install or upgrade software. Assign the Administrator account an unguessable password and use it during Run As operations, or to log on to that account from the Welcome Screen.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services

Bent Romnes, posted 21 Nov 2010 11:57 am
Wiz, thanks once more for your help. I'll do what you told me.

Bent Romnes, posted 23 Nov 2010 8:53 am
Wiz, I had a nasty one again, before I had a chance to do what you told me.
This morning, upon booting up, a window came up saying it couldn't start because of some error in system32.
I sent the error report and proceeded to do another scan with MBAM. It came up with two infections. One in C:\doc&set\local service...temp int. files\content IE5\J&U8Y392\dm4[1].exe (Rootkit.TDSS);
the next one was in the same folder except for "network service" instead of Local service...00TU)DTK\ and the same dm4 and Rootkit.TDSS.
MBAM had a hard time deleting those files, but after 3 tries I managed to get rid of them (I think).
When attempting to restart, the computer seemed to hang on the opening screen for a while and then switched to the black screen with the choices for safe mode startup etc. This could be because I had tried earlier to start in safe mode without success. So the next time I restarted I chose "Start Windows in the last known good configuration".
That's where I am at now.
I then scanned with MBAM again and it reported a clean system.

Is it in fact clean since I reset to last known good configuration?

Should I go ahead and do the stuff you told me to do in the other thread?

Will I have to format to make sure I am rid of all the nasties?

I will wait for an answer from you before I do anything. Thanks again for your help!

Wiz Feinberg, posted 23 Nov 2010 8:34 pm
In addition to updating and scanning with MBAM and your anti-virus program, go to http://housecall.trendmicro.com, download the required local module and run an online scan. The onboard component helps remove any malware it finds. You may require Administrator privileges to remove malware.

Also, if the rootkit is active, MBAM may not be able to remove it unless it is put to sleep first. There is a special tool available from Bleeping Computers that temporarily disables rootkits so that MBAM can do its thing. That program is called Rkill and must be used under supervision of a malware removal expert, on Bleeping Computers' Malware Removal Forum.

If the scanner at Trend Micro can remove the TDSS rootkit and anything else lurking beneath the surface, then run a follow-up scan with MBAM. Once all scanners say all clear, you should be safe to carry on. Otherwise, sign up at the Bleepingcomputer.com forums. After you log in with a member name, go to the Malware Removal forum and post a new topic requesting help. State your case as best you can. Read the terms of posting first and include all required details about your PC. Wait for a trained malware removal expert to answer your request. Stay with the expert until your case is resolved. Do not interject your problems into any other topics. This is a one-on-one forum.
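An added triage example that is not part of either post and is not code from Malwarebytes, Trend Micro or Bleeping Computers: both infections in this thread were executables dropped into user-writable profile directories (hotfix.exe under Application Data, dm4[1].exe under Temporary Internet Files\Content.IE5), which is exactly the kind of thing a scanner can be asked to confirm once the rootkit has been dealt with. The script below walks an XP-style profile tree and reports every file that carries a PE ("MZ") header and sits in one of those locations, whatever its extension, with size and SHA-256 for cross-checking against a second opinion. The list of suspect directory fragments and the sample profile tree (including the fake "MZ" files) are constructed for the demonstration and are assumptions of the editor, not anything stated in the posts.

```python
"""Offline triage: find PE files sitting in user-writable data or cache
directories of a Windows XP-style profile tree.  Sample tree and file
contents are constructed here; nothing in it is real malware."""
import hashlib
import os
import tempfile

# Path fragments (matched case-insensitively, backslash form) where a PE file
# is worth a second look.  Assumed list chosen by the editor, not from the post.
SUSPECT_DIRS = (
    "application data",
    "local settings\\temp",            # also matches Temporary Internet Files
    "start menu\\programs\\startup",
)


def is_pe_file(path):
    """True if the file begins with the 'MZ' DOS stub that every PE carries."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspicious_executables(root):
    """Return one dict per PE file found under a SUSPECT_DIRS path below root,
    sorted by relative path so output is stable between runs."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace("/", "\\").lower()
        if not any(fragment in rel_dir for fragment in SUSPECT_DIRS):
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_pe_file(full):
                hits.append({
                    "name": name,
                    "path": os.path.relpath(full, root).replace("/", "\\"),
                    "size": os.path.getsize(full),
                    "sha256": sha256_of(full),
                })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_profile(base):
    """Constructed XP-style profile tree: two fake PE payloads in suspect
    locations, one PE in a normal location, and two non-PE data files."""
    fake_pe = b"MZ" + b"\x90" * 62          # DOS header bytes only, not a real binary
    files = {
        r"Documents and Settings\Owner\Application Data\hotfix.exe": fake_pe,
        r"Documents and Settings\LocalService\Local Settings\Temporary Internet Files"
        r"\Content.IE5\J&U8Y392\dm4[1].exe": fake_pe + b"\x00\x01",
        r"Documents and Settings\Owner\Application Data\Mozilla\prefs.js": b"user_pref();",
        r"Documents and Settings\Owner\Local Settings\Temp\notes.txt": b"plain text",
        r"Documents and Settings\Owner\My Documents\setup.exe": fake_pe,  # not a suspect dir
    }
    for rel, data in files.items():
        full = os.path.join(base, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return base


def run_demo():
    """Build the sample profile in a temp dir and triage it."""
    root = build_sample_profile(tempfile.mkdtemp(prefix="xp_profile_"))
    return find_suspicious_executables(root)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['sha256'][:16]}  {hit['size']:>6}  {hit['path']}")
```

Run it against a real profile by passing the drive's "Documents and Settings" parent to find_suspicious_executables instead of the sample tree. The caveat from the post applies: an active rootkit such as TDSS can hide its files from anything running on the infected Windows, so a clean listing from a live system proves little; mount the drive from clean boot media (or a second machine) before trusting the result, and treat the hashes as something to look up, not as a verdict.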

All times are GMT - 8 Hours