BleepingComputer.com: More On :Infected with fake Windows Recovery Console, trojan, FakeAlert

Following on from Infected with fake Windows Recovery Console I've got the same trojan but with some differences.

Machine: Dell laptop
OS: Win XP SP3 with current updates

My best guess is I downloaded a pdf that exploited something in the outdated Adobe pdf viewer to install a trojan but it was confusing as the operating system was updating at the time also. McAfee VirusScan Enterprise v8.7i popped up and said it had found and stopped execution of a trojan. It seemed to be promptly after the trojan started.

From McAfee logs:

17/05/2011 3:44:47 AM Engine version = 5400.1158
17/05/2011 3:44:47 AM AntiVirus DAT version = 6348.0
17/05/2011 12:12:55 PM Deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\drivers\507111F.sys Generic Dropper.va.gen.t (Trojan)
17/05/2011 12:26:43 PM Deleted NEXUS\tay C:\Documents and Settings\All Users\Application Data\pEshicjyaucyYuw.exe C:\Documents and Settings\All Users\Application Data\22601508.exe FakeAlert-FAB!15770E4B7182 (Trojan)

17/05/2011 12:43:42 PM Statistics:
17/05/2011 12:43:42 PM Files scanned: 46160
17/05/2011 12:43:42 PM Files detected: 2
17/05/2011 12:43:42 PM Files cleaned: 0
17/05/2011 12:43:42 PM Files deleted: 2

Different from rjevans33 is the different driver name 1541E.sys
As for rjevans33 my desktop icons and background all disappeared and my Programs menu was empty. It had made the directories where the Programs menu links were hidden and deleted all the links in those directories. While I was stuffing around with this the machine auto rebooted.

Then 17 minutes later McAfee picked up and deleted two other executables. One of these was 22601508.exe FakeAlert-FAB!15770E4B7182 (Trojan) compared to the similar 15851300.exe FakeAlert-FAB!8295A1C79ED2 from rjevans33 picked up 16 minutes later. The second was not picked up by rjevans33

I manually fixed some of the registry settings to get my desktop back and unhid the directories. The Programs menu has the directories but the links are still missing. Then 12 days later Mcafee finds pEshicjyaucyYuw.exe Generic FakeAlert.bx (Trojan) which was previously deleted.

From McAfee logs:

29/05/2011 5:58:53 PM Engine version = 5400.1158
29/05/2011 5:58:53 PM AntiVirus DAT version = 6360.0
29/05/2011 5:58:53 PM Number of detection signatures in EXTRA.DAT = None
29/05/2011 5:58:53 PM Names of detection signatures in EXTRA.DAT = None
29/05/2011 10:49:15 PM Deleted (Clean failed) NEXUS\tay C:\WINDOWS\system32\mrt.exe C:\Documents and Settings\All Users\Application Data\pEshicjyaucyYuw.exe Generic FakeAlert.bx (Trojan)

So how did it come back and what has the virus/trojan being doing for the last 12 days?

This time I did a complete scan with McAfee and it found two more Generic FakeAlert.bx (Trojan)

From McAfee logs:

29/05/2011 11:21:48 PM Engine version = 5400.1158
29/05/2011 11:21:48 PM AntiVirus DAT version = 6360.0
29/05/2011 11:21:48 PM Number of detection signatures in EXTRA.DAT = None
29/05/2011 11:21:48 PM Names of detection signatures in EXTRA.DAT = None
29/05/2011 11:21:33 PM Scan Started COUGAR-BT\tay On-Demand Scan
.
.
.
30/05/2011 12:08:15 AM Deleted tay293 ODS c:\Documents and Settings\tay293\Application Data\Sun\Java\Deployment\cache\6.0\20\3bfa3614-48fc9237 Generic FakeAlert.bx (Trojan)
30/05/2011 1:16:53 AM Deleted tay293 ODS c:\System Volume Information\_restore{FDA8FC8C-AF8B-44C8-A185-495CC9AADD3C}\RP760\A0223142.exe Generic FakeAlert.bx (Trojan)

Does that mean they have been there since the problem first occurred and are detected now because the McAfee signature files have been updated or have they been more recently installed? Why does the trojan disable the task manager and stuff up the desktop and start menu? It isn't something you would do if you wanted to hide as it makes it really obvious there is a problem? Can I be confident the machine is fixed now?

I would have preferred to add this in a reply to rjevans33 post but it says "You cannot reply to this topic". Looking in the help it says "do not have permission to post in the forum, in which case you will see "You cannot reply to this topic"." but I can't figure out why.

This post has been edited by Blade Zephon: 30 May 2011 - 10:32 AM
Reason for edit: Moved to AII as no logs provided and Prep Guide not followed. ~BZ

Hi KenT66,

to BleepingComputer. My name is Jason, and I'll be helping you. You can call me by my screename jntkwx or Jason is fine.

 KenT66, on 30 May 2011 - 12:31 AM, said:

This is likely the case. Many times, these fake rogues install themselves through vulnerabilities in outdated versions of Adobe Reader, Flash, and Java.

 KenT66, on 30 May 2011 - 12:31 AM, said:

If you haven't updated Adobe Reader, Java and/or Flash to their latest, secure versions, you can still get infected.

 KenT66, on 30 May 2011 - 12:31 AM, said:

Both are possible. It is more likely that the signature files were updated and thus why it detected these additional files.

 KenT66, on 30 May 2011 - 12:31 AM, said:

Some viruses disable the Task Manager, among other things, to make it more difficult to remove the virus. Yes, while it is sometimes obvious there is a problem, occasionally, the easiest way to stop a file from running is through killing the process with the Task Manager, which obviously can't be done if the Task Manager is disabled. Make sense?

 KenT66, on 30 May 2011 - 12:31 AM, said:

You do not have permission to reply to that topic because only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else does not have permission to post to another user's log. This is done for several reasons: less confusion when there is one person being helped per topic, and also so that whoever is being helped is being given correct malware removal instructions (which can only be guaranteed from a member of the Malware Response Team or Moderators).

 KenT66, on 30 May 2011 - 12:31 AM, said:

Let's double check you're computer is free of malware:

Let's reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu with several options. Press the arrow keys until Safe Mode with Networking is selected. Press Enter. Please see here for additional details.

Once in Safe Mode with Networking, download Rkill

Run Rkill (iExplore.exe) If you cannot find the iExplore.exe icon that you downloaded, click on the Start menu and then click on the Run menu option. In the Open: field enter %userprofile%\desktop\iExplore.exe and press the OK button. If Windows prompts you to allow it to run, please allow it to do so.

Please be patient while the Rkill looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If it appears like Rkill did not stop the malware from running, please try running RKill again until the malware is no longer running. If you continue having problems running RKill, you can download the other renamed versions of RKill from the rkill download page. All of the files are renamed copies of RKill, which you can try instead. Please note that the download page will open in a new browser window or tab.

Do not reboot your computer after running RKill as the malware programs will start again!


Still in Safe Mode with Networking, please download Malwarebytes' Anti-Malware and save it to your desktop.

Download Link 1
Download Link 2

Malwarebytes' may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet and double-click on mbam-setup.exe to install the application.
  For instructions with screenshots, please refer to this Guide.
  
• When the installation begins, follow the prompts and do not make any changes to default settings.
  
• Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  
• If an update is found, the program will automatically update itself. Press the OK button and continue.
  
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

• Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  
• Click on the Scan button.
  
• When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  
• Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  
• Make sure that everything is checked and then click Remove Selected.
  
• When removal is completed, a log report will open in Notepad.
  
• The log is automatically saved and can be viewed by clicking the Logs tab.
  
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  
• Exit Malwarebytes' when done.

Note: If Malwarebytes' encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes' from removing all the malware.


Download Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.


In your next reply, please include:

• The Malwarebytes' log file
  
• How's the computer running now?