I was fooled by a virus

Discussion in 'Windows Desktop Systems' started by Perris Calderon, May 9, 2010.

  1. Perris Calderon

    Perris Calderon Moderator Staff Member Political User

    Messages:
    12,332
    Location:
    new york
so, the "microsoft remove malicious software" applet came up and I trusted it so I hit "ya", after it allowed it to do its thing it then asked me to do a complete scan, which I have never seen before and that should have set off some whistles, but I was in bed, groggy, and bing, hit go

woke up to the scan asking me if it can remove a file, to which I hit "ya"

    since then I can only launch a program if I right click and hit "run as administrator", this includes explorer, ie, everything

    seems like a strange virus though

anyway, if anyone has heard of this problem please inform me of a fix, if it is a virus, beware applets that look official but ask for something you never saw before
     
  3. ElementalDragon

    Re: might have been fooled by a virus

    It seems like fake apps like this are becoming more frequently seen. I've had a few encounters already with a supposed Microsoft or Windows Antivirus Security or something, which will "scan" your computer for viruses, show a lot of "infected" files, and request that you register the software (using your credit card of course *wink wink*) in order to remove them. The BAD thing about that bit of malware.... is after it's on your computer, it starts wreaking havoc on everything. Seems like the longer it's on your system, the more control it takes over your system. Starts off with websites not being able to be opened without getting a warning from the malware. Then you can't even open Internet Explorer because it's been tagged and made incapable of being opened. On my brother's and his wife's computer.... it got to the point where even explorer.exe wouldn't run when you restarted the computer. It's a royal pain to remove, especially if you don't recognize it.

    Simple rule of thumb.... if you don't remember installing it.... don't use it.
     
  4. Perris Calderon

Malwarebytes Anti-Malware takes care of that, run it in safe mode after you update the app, update every time you launch the program, you might have to right click and run as administrator

they got that on the computer at work, I got rid of it but that is one nasty trojan, it doesn't show up as far as I can see in task manager, it runs in safe mode, it circumvents all other anti virus, get this, uac did not detect the install nor did the spybot sandbox, nor did the anti virus, and it is just a bear removing

    it seems to launch without any acknowledgement from the user, I believe with a flash update or a flash movie

you might not even be able to download or launch the Malwarebytes program unless you rename it or run it from a flash drive
     
    Last edited: May 12, 2010
  7. Perris Calderon

yup, Malwarebytes fixed the problem
     
  8. Dublex

oy, sounds like it modifies the local security permissions group policy settings as well as doing other stuff if it forced all programs to run as administrator.

    We haven't seen this at work yet.
     
  9. tdinc

perris, download the free version of Malwarebytes, update the definitions, run the quick scan then run the full scan. It will find whatever is on your system.

    Malwarebytes' Anti-Malware: Malwarebytes


    edit, sorry perris did not see your post that you used it already.. :)
     
  10. gonaads

Try Hitman Pro, sometimes there are leftovers of these trojans and stuff.

    It gives you a 30 day free run and it. 32 and 64 bit versions.

    give it a read.

    Hitman Pro 3 - SurfRight
     
  11. ElementalDragon

Perris: yeah... I know Malwarebytes can get rid of it, but either way it's still a royal pain.... especially if you get to the point where it hardly lets anything run.
     
  12. Perris Calderon

    it is an amazing trojan, it circumvents uac, it circumvents spybot tea timer, it's missed by avg and avast

as far as I can see it does not show up in task manager, this I thought was near impossible so I think I must be missing it

it runs in safe mode at times (not all the time but it does run sometimes)

    when I did a search against this trojan, just about every google result was re-directed to something that had nothing to do with this trojan

here's what I think:

    I believe this was written by someone who works or has worked at microsoft, it seems they might have some undocumented commands at their disposal

here's another thing I am a little concerned about

why is it only Malwarebytes can find this trojan?

    why is that?

and there is a free Malwarebytes and a pro version that scans against this in real time

    this is disturbing to me too, that only one program finds the trojan, it's as if they might be partners

    anyway, for now the problem is solved on the computer at work and my laptop but I do believe I am just going to reformat if it re-appears
     
  13. ElementalDragon

    haha... it'd probably be easier to just reformat.

I believe it DOES show up in the task manager's processes list. Think I've seen it there already and shut it down that way, but as soon as you'd try to do something that it "decided" wasn't the best idea, it'd start right back up.

And I don't think it was a matter of not being detected by AVG..... I think in every instance I've seen of it, it completely disabled any antivirus software that was previously installed.
     
  14. Perris Calderon

if you shut it down in task manager but it relaunches when you do anything, it hasn't shut down at all

    which leads me to believe it installs a service that is set on automatic restart
     
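    A triage check for the hypothesis in the post above (a service configured to restart itself), added here as an example and not something posted in the thread. It assumes an elevated PowerShell prompt on Windows 7 or later and uses only built-in cmdlets plus sc.exe; it lists auto-start services whose binary is not Microsoft-signed and shows any failure action that would relaunch them.

```powershell
# Added triage script (not from the thread). Assumption: run from an
# elevated PowerShell prompt on the affected machine (Windows 7 or later).
# Lists auto-start services whose executable is not signed by Microsoft
# and prints their failure actions, since a service that the Service
# Control Manager restarts on failure is one way a process "comes back"
# after being killed in Task Manager.

$services = Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' }

foreach ($svc in $services) {
    # PathName may be quoted, contain %SystemRoot%, or carry arguments;
    # recover just the executable path before checking its signature.
    $path = $svc.PathName
    if ($path -match '^"([^"]+)"')       { $path = $Matches[1] }
    elseif ($path -match '^(.+?\.exe)')  { $path = $Matches[1] }
    $path = [Environment]::ExpandEnvironmentVariables($path)

    if (-not (Test-Path -LiteralPath $path)) {
        # A registered service whose binary is gone is itself worth a look.
        Write-Output ("[MISSING BINARY] {0}: {1}" -f $svc.Name, $svc.PathName)
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    $isMicrosoft = ($sig.Status -eq 'Valid') -and
                   ($sig.SignerCertificate.Subject -match 'Microsoft')
    if ($isMicrosoft) { continue }

    Write-Output ("[REVIEW] {0} ({1}) -> {2}" -f $svc.Name, $svc.State, $path)
    Write-Output ("         signature: {0}" -f $sig.Status)

    # sc.exe qfailure prints the recovery configuration; RESTART, RUN PROCESS
    # or REBOOT entries mean the SCM acts on its own when the service dies.
    $fail = & sc.exe qfailure $svc.Name
    $fail | Where-Object { $_ -match 'RESTART|RUN PROCESS|REBOOT' } |
        ForEach-Object { Write-Output ("         failure action: {0}" -f $_.Trim()) }
}
```

    Anything listed under [REVIEW] with a restart action deserves a closer look before it is stopped, since killing the process alone will not keep it down.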
  15. Dublex

To be honest if you're getting something that keeps resetting back to "borked" settings, rebuilding is faster, if you have a recently saved image.

You can wrestle with entrenched systems but you either have to have really crucial data on there or a lot of time to do it.
     
  16. Xie

Think you're looking at it the wrong way, yes only Malwarebytes detects it, but that's because it's the real deal. Perhaps you should be worried why the others don't? I would find another AV solution with a higher detection rating.

Also this malware is running as an admin on your system, why should it have problems not showing in task manager (lots of things don't). Also if you're not 100% sure you got everything you might wanna backup/format to make sure it's all gone.
     
  17. Perris Calderon

    xie, nod32 didn't see it or remove it either, nor do I think too many av's can if it's a root kit, which disables av's and every program that even looks like it might be after it

I have never come across a root kit before and I am guessing this is one of them, if it is I need a reformat to ensure the compromised kernel is clean

again, if it is a root kit, Malwarebytes should not be able to clean it up either but it does, Malwarebytes being as you say, "the real deal" or not, a root kit usually circumvents and disables anything that goes near its files, it does not do this "by running as an administrator" as you suggest, most programs can run as an administrator yet they are still in task manager

it runs stealth a number of ways, one by replacing "root" (kernel) files and programs, thus "root kit", for others that might not know, root is a unix term which basically comes down to "as the operating system"... a far more appropriate term in windows would be "a kernel kit". the method these programs use to run without being seen by task manager is to disguise or rewrite themselves as "root" or actual kernel administrative processes, another method they can use, they might actually be loading as a virtual os on boot, another, they might intercept kernel calls and change that call

this trojan has all the earmarks of such a kernel kit, it executes without acknowledgement from the user and it is almost definitely running in task manager but probably under another process or as a kernel administrative process... this is how it might keep popping up even after its files have been purged.

running "as an administrator" does not preclude processes being seen in task manager, it needs far more than that

    in the end, if it appears again on either my box or work I will reformat since I don't want to go through the trouble of correcting code with the use of a second box

    I am rue to do a reformat since in the past I have always been able to repair systems that don't have hardware issues

    anyway, the reason I authored this thread was to raise the alarm

    I was fooled by a trojan, it disguised itself in the form of a microsoft applet and I allowed the trojan to install, once executed to install it was not detected by my av or any real time av I tried since

    point being, even processes you usually trust, if you did not ask for a service then deny it from running no matter how much you think you trust the process

    [on edit]

I have re-installed avg (version 9) and then I did some forensics to see if the newer build would detect this particular trojan if it tries to execute, and it did prevent the execution, of course if it managed to finish execution I doubt the av would be able to clean the files

    I did the same forensics with avast and it did not prevent an install execution by this trojan
     
    Last edited: May 26, 2010
  18. Johnny

    Nod32 is not a very good antivirus. You would be better off using duck tape and shrink wrap than that pos ..
     
  19. Perris Calderon

    just to update this thread, I don't follow anti virus technology anymore but the new avg (both free and pro) both have anti root kit technology