I was fooled by a virus

Perris Calderon (staff member, joined 24 Jan 2002)
so, the "Microsoft Remove Malicious Software" applet came up and I trusted it, so I hit "ya". After it allowed it to do its thing it then asked me to do a complete scan, which I had never seen before and that should have set off some whistles, but I was in bed, groggy, and bing, hit go

woke up to the scan asking me if it could remove a file, to which I hit "ya"

since then I can only launch a program if I right-click and hit "run as administrator"; this includes explorer, IE, everything

seems like a strange virus, though

anyway, if anyone has heard of this problem please inform me of a fix. If it is a virus, beware applets that look official but ask for something you never saw before
 
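An added check, not part of the original thread. The symptom described above (nothing starts unless you right-click and "Run as administrator") is commonly caused by a per-user override of the .exe file association under HKCU\Software\Classes; elevated processes ignore per-user class registrations, which is why the elevated launch still works. That cause is an assumption here, not something the thread establishes. The script reads the .exe association from both hives and flags an open command that is not the stock `"%1" %*`.

```powershell
# Added example (not from the thread). Compare the machine-wide and per-user
# .exe file associations. Assumption: a per-user override that points the
# "open" command at something other than "%1" %* is how rogue AV commonly
# blocks ordinary launches while elevated launches keep working.
function Get-ExeOpenCommand {
    param([string]$Hive)   # 'HKLM' or 'HKCU'
    $ext = Get-ItemProperty -Path "${Hive}:\Software\Classes\.exe" -ErrorAction SilentlyContinue
    if (-not $ext) { return $null }                 # no association in this hive (normal for HKCU)
    $progId = $ext.'(default)'                      # e.g. "exefile" on a clean machine
    if (-not $progId) { return $null }
    $cmd = Get-ItemProperty -Path "${Hive}:\Software\Classes\$progId\shell\open\command" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Hive    = $Hive
        ProgId  = $progId
        Command = $cmd.'(default)'
    }
}

# Stock value: run the target with its arguments, nothing in between.
$expected = '"%1" %*'

foreach ($hive in 'HKLM', 'HKCU') {
    $r = Get-ExeOpenCommand -Hive $hive
    if (-not $r) {
        "{0}: no .exe association in this hive" -f $hive
        continue
    }
    $status = if ($r.Command -eq $expected) { 'OK' } else { 'SUSPECT' }
    "{0}: ProgId={1} Command={2} [{3}]" -f $hive, $r.ProgId, $r.Command, $status
}
```

On a clean machine HKLM reports `exefile` with `"%1" %*` and HKCU has no entry at all. Any HKCU entry, or an HKLM command that runs a third binary before `%1`, is what to look at; deleting a rogue HKCU\Software\Classes\.exe key restores the machine-wide default without touching HKLM.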
Re: might have been fooled by a virus

It seems like fake apps like this are becoming more common. I've had a few encounters already with a supposed Microsoft or Windows Antivirus Security or something, which will "scan" your computer for viruses, show a lot of "infected" files, and request that you register the software (using your credit card of course *wink wink*) in order to remove them. The BAD thing about that bit of malware.... is that after it's on your computer, it starts wreaking havoc on everything. Seems like the longer it's on your system, the more control it takes over your system. Starts off with websites not being able to be opened without getting a warning from the malware. Then you can't even open Internet Explorer because it's been tagged and made incapable of being opened. On my brother's and his wife's computer.... it got to the point where even explorer.exe wouldn't run when you restarted the computer. It's a royal pain to remove, especially if you don't recognize it.

Simple rule of thumb.... if you don't remember installing it.... don't use it.
 
Re: might have been fooled by a virus

Malwarebytes Anti-Malware takes care of that. Run it in safe mode after you update the app; update every time you launch the program. You might have to right-click and run as administrator

they got that on the computer at work. I got rid of it, but that is one nasty trojan: it doesn't show up, as far as I can see, in task manager, it runs in safe mode, it circumvents all other antivirus, and get this, UAC did not detect the install, nor did the Spybot sandbox, nor did the antivirus, and it is just a bear removing

it seems to launch without any acknowledgement from the user, I believe with a Flash update or a Flash movie

you might not even be able to download or launch the Malwarebytes program unless you rename it or run it from a flash drive
 
Re: might have been fooled by a virus

after reading your link, it seems this is the same trojan that infected us at work; will give Malwarebytes a go on my box
yup, Malwarebytes fixed the problem
 
Re: might have been fooled by a virus

oy, sounds like it modifies the local security permissions / group policy settings as well as doing other stuff, if it forced all programs to run as administrator.

We haven't seen this at work yet.
 
Re: might have been fooled by a virus

Perris, download the free version of Malwarebytes, update the definitions, run the quick scan, then run the full scan. It will find whatever is on your system.

Malwarebytes' Anti-Malware: Malwarebytes

edit: sorry Perris, did not see your post that you used it already.. :)
 
Re: might have been fooled by a virus

Perris: yeah... I know Malwarebytes can get rid of it, but either way it's still a royal pain.... especially if you get to the point where it hardly lets anything run.
 
Re: might have been fooled by a virus

it is an amazing trojan: it circumvents UAC, it circumvents Spybot TeaTimer, it's missed by AVG and Avast

as far as I can see it does not show up in task manager; this I thought was near impossible, so I think I must be missing it

it runs in safe mode at times (not all the time, but it does run sometimes)

when I did a search against this trojan, just about every Google result was redirected to something that had nothing to do with this trojan

here's what I think:

I believe this was written by someone who works or has worked at Microsoft; it seems they might have some undocumented commands at their disposal

here's another thing I am a little concerned about

why is it only Malwarebytes can find this trojan?

why is that?

and there is a free Malwarebytes and a pro version that scans against this in real time

this is disturbing to me too, that only one program finds the trojan; it's as if they might be partners

anyway, for now the problem is solved on the computer at work and my laptop, but I do believe I am just going to reformat if it reappears
 
haha... it'd probably be easier to just reformat.

I believe it DOES show up in the task manager's processes list. Think I've seen it there already and shut it down that way, but as soon as you'd try to do something that it "decided" wasn't the best idea, it'd start right back up.

And I don't think it was a matter of not being detected by AVG..... I think in every instance I've seen of it, it completely disabled any antivirus software that was previously installed.
 
if you shut it down in task manager but it relaunches when you do anything, it hasn't shut down at all

which leads me to believe it installs a service that is set to automatic restart
 
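The "service set to automatic restart" idea above is something you can check directly. This is an added example, not from the thread or from any product named in it. It lists auto-start services, extracts each service's executable from its (possibly quoted) command line, reports whether the binary is Authenticode-signed and lives under a system directory, and pulls the Service Control Manager recovery actions with `sc.exe qfailure`, which is where a "restart me when I die" setting lives. The trusted-directory list and the "unsigned or outside those directories means suspect" rule are my assumptions about what a normal box looks like, not a definition of malware.

```powershell
# Added example, not from the thread. Audit auto-start services for where the
# binary lives, whether it is signed, and what SCM does when it stops.
# Assumptions: binaries under %SystemRoot% / Program Files with a valid
# signature are "expected"; anything else is flagged for a closer look.
function Get-ServiceImagePath {
    param([string]$PathName)
    # Service PathName is a command line; it may be quoted and may carry arguments.
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^(\S+\.exe)') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Get-ServiceRecovery {
    param([string]$Name)
    # sc.exe qfailure prints FAILURE_ACTIONS entries such as
    #   RESTART -- Delay = 60000 milliseconds.
    #   RUN PROCESS -- Delay = 0 milliseconds.
    $out = & sc.exe qfailure $Name 2>$null
    ($out | Where-Object { $_ -match 'RESTART|RUN PROCESS|REBOOT' } |
        ForEach-Object { $_.Trim() }) -join '; '
}

$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }

Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |
    ForEach-Object {
        $exe = Get-ServiceImagePath $_.PathName
        $inTrusted = $false
        foreach ($t in $trusted) {
            if ($exe.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        # Catalog-signed OS binaries may show NotSigned on old PowerShell builds; treat as a hint, not a verdict.
        $sig = if (Test-Path -LiteralPath $exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
        [pscustomobject]@{
            Name     = $_.Name
            State    = $_.State
            Exe      = $exe
            Signed   = $sig
            Suspect  = (-not $inTrusted) -or ($sig -ne 'Valid')
            Recovery = Get-ServiceRecovery -Name $_.Name
        }
    } |
    Sort-Object Suspect -Descending |
    Format-Table -AutoSize
```

Run it elevated so `sc.exe qfailure` can read every service. A service whose Recovery column shows RESTART or RUN PROCESS and whose binary is unsigned or outside the system directories is the shape of what the post describes; stopping the process without first disabling the service (`sc.exe config <name> start= disabled`) just lets SCM bring it back. On pre-PowerShell-3 systems replace `Get-CimInstance` with `Get-WmiObject`.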
To be honest, if you're getting something that keeps resetting back to "borked" settings, rebuilding is faster if you have a recently saved image.

You can wrestle with entrenched systems, but you either have to have really crucial data on there or a lot of time to do it.
 
Re: might have been fooled by a virus

Think you're looking at it the wrong way: yes, only Malwarebytes detects it, but that's because it's the real deal. Perhaps you should be worried why the others don't? I would find another AV solution with a higher detection rating.

Also, this malware is running as an admin on your system; why should it have problems not showing in task manager (lots of things don't)? Also, if you're not 100% sure you got everything you might wanna backup/format to make sure it's all gone.
 
xie, NOD32 didn't see it or remove it either, nor do I think too many AVs can if it's a rootkit, which disables AVs and every program that even looks like it might be after it

I have never come across a rootkit before and I am guessing this is one of them; if it is, I need a reformat to ensure the compromised kernel is clean

again, if it is a rootkit, Malwarebytes should not be able to clean it up either, but it does. Malwarebytes being, as you say, "the real deal" or not, a rootkit usually circumvents and disables anything that goes near its files; it does not do this "by running as an administrator" as you suggest, most programs can run as an administrator yet they are still in task manager

it runs stealthily by a number of methods, one by replacing "root" (kernel) files and programs, thus "rootkit". For others that might not know, root is a Unix term which basically comes down to "as the operating system"... a far more appropriate term in Windows would be "a kernel kit". The method these programs use to run without being seen by task manager is to disguise or rewrite themselves as "root" or actual kernel administrative processes; another method they can use, they might actually be loading as a virtual OS on boot; another, they might intercept kernel calls and change that call

this trojan has all the earmarks of such a kernel kit: it executes without acknowledgement from the user and it is almost definitely running in task manager, but probably as another process or as a kernel administrative process... this is how it might keep popping up even after its files have been purged.

running "as an administrator" does not preclude processes being seen in task manager; it needs far more than that

in the end, if it appears again on either my box or work I will reformat, since I don't want to go through the trouble of correcting code with the use of a second box

I am reluctant to do a reformat since in the past I have always been able to repair systems that don't have hardware issues

anyway, the reason I authored this thread was to raise the alarm

I was fooled by a trojan; it disguised itself in the form of a Microsoft applet and I allowed the trojan to install. Once executed to install, it was not detected by my AV or any real-time AV I tried since

point being, even with processes you usually trust, if you did not ask for a service then deny it from running, no matter how much you think you trust the process

[on edit]

I have re-installed AVG (version 9) and then I did some forensics to see if the newer build would detect this particular trojan if it tries to execute, and it did prevent the execution; of course if it managed to finish execution I doubt the AV would be able to clean the files

I did the same forensics with Avast and it did not prevent an install execution by this trojan
 
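The post above argues about whether a process that "intercepts kernel calls" can be missing from task manager. One practical way to probe that, added here as an example that is not from the thread, is cross-view comparison: take the process list from three paths that go through different processes (the .NET API inside this script, the WMI provider host, and tasklist.exe) and diff them. A user-mode hook injected into one of those processes hides a PID only from that view, so a PID seen by some views and not others is worth examining. A kernel-mode hook (the "kernel kit" the post describes) sits below all three and will fool them equally, which is the caveat: agreement between views is not evidence of a clean machine.

```powershell
# Added example, not from the thread. Cross-view process enumeration:
# three independent snapshots of the PID list, then report PIDs that not
# every view agrees on. Short-lived processes cause benign mismatches, so
# re-run before drawing conclusions.
function Get-ProcessViews {
    # View 1: System.Diagnostics.Process in this PowerShell process.
    $local = Get-Process | Select-Object -ExpandProperty Id
    # View 2: WMI, served from a separate WmiPrvSE.exe host process.
    $wmi = Get-CimInstance Win32_Process | Select-Object -ExpandProperty ProcessId
    # View 3: tasklist.exe, a separate console process, CSV without header.
    $tl = tasklist.exe /FO CSV /NH |
        ConvertFrom-Csv -Header 'Image', 'PID', 'Session', 'SessNum', 'Mem' |
        ForEach-Object { [int]$_.PID }
    @{ Local = @($local); Wmi = @($wmi); Tasklist = @($tl) }
}

function Compare-ProcessViews {
    $v = Get-ProcessViews
    $all = @($v.Local + $v.Wmi + $v.Tasklist) | Sort-Object -Unique
    foreach ($id in $all) {
        $seen = @()
        foreach ($name in $v.Keys) {
            if ($v[$name] -contains $id) { $seen += $name }
        }
        if ($seen.Count -ne $v.Count) {
            # Pull a name/path for whatever views still admit the PID exists.
            $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $id" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID    = $id
                SeenBy = ($seen | Sort-Object) -join ','
                Name   = $proc.Name
                Path   = $proc.ExecutablePath
            }
        }
    }
}

Compare-ProcessViews | Format-Table -AutoSize
```

`$pid` is an automatic variable in PowerShell, which is why the loop variable is `$id`. An empty table means the three user-mode views agree; it says nothing about the kernel, which is the same reason the post concludes that a suspected rootkit is grounds for a rebuild rather than a cleanup.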
NOD32 is not a very good antivirus. You would be better off using duct tape and shrink wrap than that POS..
 
just to update this thread, I don't follow antivirus technology anymore, but the new AVG (both free and pro) both have anti-rootkit technology
 