
I was fooled by a virus

Perris Calderon

Administrator
Staff member
Political User
#1
so, the "Microsoft remove malicious software" applet came up and I trusted it, so I hit "ya". After it was allowed to do its thing it then asked me to do a complete scan, which I have never seen before and that should have set off some whistles, but I was in bed, groggy, and bing, hit go

woke up to the scan asking me if it could remove a file, to which I hit "ya"

since then I can only launch a program if I right click and hit "run as administrator"; this includes Explorer, IE, everything

seems like a strange virus though

anyway, if anyone has heard of this problem please inform me of a fix; if it is a virus, beware applets that look official but ask for something you never saw before
 

ElementalDragon

The One and Only
#3
Re: might have been fooled by a virus

It seems like fake apps like this are becoming more frequently seen. I've had a few encounters already with a supposed Microsoft or Windows Antivirus Security or something, which will "scan" your computer for viruses, show a lot of "infected" files, and request that you register the software (using your credit card of course *wink wink*) in order to remove them. The BAD thing about that bit of malware.... is after it's on your computer, it starts wreaking havoc on everything. Seems like the longer it's on your system, the more control it takes over your system. Starts off with websites not being able to be opened without getting a warning from the malware. Then you can't even open Internet Explorer because it's been tagged and made incapable of being opened. On my brother's and his wife's computer.... it got to the point where even explorer.exe wouldn't run when you restarted the computer. It's a royal pain to remove, especially if you don't recognize it.

Simple rule of thumb.... if you don't remember installing it.... don't use it.
 

Perris Calderon

Administrator
Staff member
Political User
#4
Re: might have been fooled by a virus

Malwarebytes Anti-Malware takes care of that. Run it in safe mode after you update the app, update every time you launch the program, you might have to right click and run as administrator

they got that on the computer at work. I got rid of it, but that is one nasty trojan: it doesn't show up as far as I can see in task manager, it runs in safe mode, it circumvents all other anti virus, and get this, UAC did not detect the install, nor did the Spybot sandbox, nor did the anti virus, and it is just a bear removing

it seems to launch without any acknowledgement from the user, I believe with a flash update or a flash movie

you might not even be able to download or launch the Malwarebytes program unless you rename it or run it from a flash drive
 
Last edited:

Dublex

Quazatron R6 droid
#8
Re: might have been fooled by a virus

oy, sounds like it modifies the local security permissions group policy settings as well as doing other stuff, if it forced all programs to run as administrator.

We haven't seen this at work yet.
 

tdinc

█▄█ ▀█▄ █
Political User
#9
Re: might have been fooled by a virus

perris, download the free version of Malwarebytes, update the definitions, run the quick scan, then run the full scan. It will find whatever is on your system.

Malwarebytes' Anti-Malware: Malwarebytes


edit, sorry perris, did not see your post that you used it already.. :)
 
#11
Re: might have been fooled by a virus

Perris: yeah... I know Malwarebytes can get rid of it, but either way it's still a royal pain.... especially if you get to the point where it hardly lets anything run.
 

Perris Calderon

Administrator
Staff member
Political User
#12
Re: might have been fooled by a virus

it is an amazing trojan: it circumvents UAC, it circumvents Spybot TeaTimer, it's missed by AVG and Avast

as far as I can see it does not show up in task manager; this I thought was near impossible, so I think I must be missing it

it runs in safe mode at times (not all the time, but it does run sometimes)

when I did a search against this trojan, just about every Google result was redirected to something that had nothing to do with this trojan

here's what I think:

I believe this was written by someone who works or has worked at Microsoft; it seems they might have some undocumented commands at their disposal

here's another thing I am a little concerned about

why is it only Malwarebytes can find this trojan?

why is that?

and there is a free Malwarebytes and a pro version that scans against this in real time

this is disturbing to me too, that only one program finds the trojan; it's as if they might be partners

anyway, for now the problem is solved on the computer at work and my laptop but I do believe I am just going to reformat if it re-appears
 
#13
haha... it'd probably be easier to just reformat.

I believe it DOES show up in the task manager's processes list. Think I've seen it there already and shut it down that way, but as soon as you'd try to do something that it "decided" wasn't the best idea, it'd start right back up.

And I don't think it was a matter of not being detected by AVG..... I think in every instance I've seen of it, it completely disabled any antivirus software that was previously installed.
 

Perris Calderon

Administrator
Staff member
Political User
#14
if you shut it down in task manager but it relaunches when you do anything, it hasn't shut down at all

which leads me to believe it installs a service that is set on automatic restart
 

Dublex

Quazatron R6 droid
#15
To be honest, if you're getting something that keeps resetting back to "borked" settings, rebuilding is faster if you have a recently saved image.

You can wrestle with entrenched systems, but you either have to have really crucial data on there or a lot of time to do it.
 
#16
Re: might have been fooled by a virus

Think you're looking at it the wrong way: yes, only Malwarebytes detects it, but that's because it's the real deal. Perhaps you should be worried why the others don't? I would find another AV solution with a higher detection rating.

Also, this malware is running as an admin on your system, why should it have problems not showing in task manager (lots of things don't). Also, if you're not 100% sure you got everything you might wanna backup/format to make sure it's all gone.
 

Perris Calderon

Administrator
Staff member
Political User
#17
xie said:
Think you're looking at it the wrong way: yes, only Malwarebytes detects it, but that's because it's the real deal. Perhaps you should be worried why the others don't? I would find another AV solution with a higher detection rating.

Also, this malware is running as an admin on your system, why should it have problems not showing in task manager (lots of things don't). Also, if you're not 100% sure you got everything you might wanna backup/format to make sure it's all gone
xie, NOD32 didn't see it or remove it either, nor do I think too many AVs can if it's a rootkit, which disables AVs and every program that even looks like it might be after it

I have never come across a rootkit before and I am guessing this is one of them; if it is, I need a reformat to ensure the compromised kernel is clean

again, if it is a rootkit, Malwarebytes should not be able to clean it up either, but it does. Malwarebytes being, as you say, "the real deal" or not, a rootkit usually circumvents and disables anything that goes near its files; it does not do this "by running as an administrator" as you suggest, most programs can run as an administrator yet they are still in task manager

it runs stealth by a number of methods, one by replacing "root" (kernel) files and programs, thus "rootkit". For others that might not know, root is a Unix term which basically comes down to "as the operating system"... a far more appropriate term in Windows would be "a kernel kit". The method these programs use to run without being seen by task manager is to disguise or rewrite themselves as "root" or actual kernel administrative processes; another method they can use, they might actually be loading as a virtual OS on boot; another, they might intercept kernel calls and change that call

this trojan has all the earmarks of such a kernel kit: it executes without acknowledgement from the user, and it is almost definitely running in task manager but probably under another process or as a kernel administrative process... this is how it might keep popping up even after its files have been purged.

running "as an administrator" does not preclude processes being seen in task manager; it needs far more than that

in the end, if it appears again on either my box or work I will reformat since I don't want to go through the trouble of correcting code with the use of a second box

I am loath to do a reformat since in the past I have always been able to repair systems that don't have hardware issues

anyway, the reason I authored this thread was to raise the alarm

I was fooled by a trojan; it disguised itself in the form of a Microsoft applet and I allowed the trojan to install. Once executed to install it was not detected by my AV or any real time AV I tried since

point being, even with processes you usually trust, if you did not ask for a service then deny it from running, no matter how much you think you trust the process

[on edit]

I have re-installed AVG (version 9) and then I did some forensics to see if the newer build would detect this particular trojan if it tries to execute, and it did prevent the execution; of course if it managed to finish execution I doubt the AV would be able to clean the files

I did the same forensics with Avast and it did not prevent an install execution by this trojan
 
Last edited:
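An added triage script (mine, not from the thread or from any product named in it) for the two symptoms the posters argue about: a process that does not seem to appear in Task Manager, and something that relaunches after being killed, which would fit a service set to restart on failure. It assumes an elevated Windows PowerShell prompt and only reports; it removes nothing.

```powershell
# Added example, not code from the original thread. Assumes Windows PowerShell 5.1+
# in an elevated session. Both functions are read-only triage helpers.

function Get-ProcessCrossView {
    # Three independent enumerations of running processes. A hider that hooks
    # one user-mode path (the classic "not in Task Manager" trick) is less likely
    # to patch all three identically, so a PID present in one list and absent
    # from another is worth a manual look. Processes that start or exit between
    # the snapshots cause transient mismatches: rerun before drawing conclusions.
    $byApi      = Get-Process | ForEach-Object { [int]$_.Id }
    $byWmi      = Get-CimInstance -ClassName Win32_Process | ForEach-Object { [int]$_.ProcessId }
    $byTasklist = tasklist.exe /fo csv /nh |
                  ConvertFrom-Csv -Header Name,PID,Session,SessNo,Mem |
                  ForEach-Object { [int]$_.PID }

    $all = ($byApi + $byWmi + $byTasklist) | Sort-Object -Unique
    foreach ($id in $all) {              # not $pid: that is an automatic variable
        $inApi  = $byApi      -contains $id
        $inWmi  = $byWmi      -contains $id
        $inTask = $byTasklist -contains $id
        if (-not ($inApi -and $inWmi -and $inTask)) {
            [pscustomobject]@{ PID = $id; GetProcess = $inApi; WMI = $inWmi; Tasklist = $inTask }
        }
    }
}

function Get-AutoStartServiceReview {
    # Lists auto-start services whose binary lives outside \Windows, or whose
    # recovery actions include RESTART (the SCM relaunches the service after it
    # is killed). Legitimate third-party services will appear too; this is a
    # review list, not a verdict.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            $failure = (sc.exe qfailure $_.Name) -join ' '   # prints FAILURE_ACTIONS
            $restarts = $failure -match 'RESTART'
            $path = $_.PathName
            $outsideWindows = $path -and ($path -notmatch '^"?[A-Za-z]:\\Windows\\')
            if ($outsideWindows -or $restarts) {
                [pscustomobject]@{ Name = $_.Name; State = $_.State
                                   RestartOnFailure = $restarts; Path = $path }
            }
        }
}

Get-ProcessCrossView        | Format-Table -AutoSize
Get-AutoStartServiceReview  | Format-Table -AutoSize
```

A kernel-level rootkit that filters every enumeration path will defeat this cross-view, which is why the thread's fallback of rebuilding from a known-good image remains the sound answer when the lists disagree and the cause cannot be explained.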

Johnny

.. Commodore ..
Political User
#18
NOD32 is not a very good antivirus. You would be better off using duct tape and shrink wrap than that pos ..
 

Perris Calderon

Administrator
Staff member
Political User
#19
just to update this thread: I don't follow anti virus technology anymore, but the new AVG (both free and pro) has anti-rootkit technology
 
