
Ever Heard of nactbyjued?


3 replies to this topic

#1 Khanguy


Posted 24 January 2011 - 12:55 AM

I'll try to give as much detail as possible while trying to make sense:

I have a laptop with a fake antivirus that restricts use of most applications, namely those with .exe extensions (but it allows IE), and infected the laptop when the user accidentally clicked on an ad when watching a movie online. It brings up a window that runs a scan and is called "Antivirus Scan Protecting Every Second." When trying to run IE, I get a warning that disallows access. Most of this is described in http://forums.malwarebytes.org/index.php?showtopic=71899&hl=fake+antivirus. However, the instructions on it basically ask for the log files. I do not want to install ten different programs just for their logs, so I tried to resolve the issue on my own:

I first tried to run the Task Manager but the fake antivirus wouldn't allow me. So I tried a hard reboot (holding the power button for several seconds) and booted it in safe mode. I deleted all programs in the startup folder and I ran a full system scan with both Microsoft Security Essentials and MalwareBytes. Neither of these reported any infected files.

I restarted the computer with a normal boot and pressed Ctrl + Shift + Esc rapidly before the virus could start. It worked, and I searched through the processes and found a process that I hadn't heard of before called nactbyjuerb (I think it's called nact and Juerb is the creator). Before ending the process I right-clicked on it to find its properties and found it was an application in AppData\Local\Temp\fvndyfba, named nactbyjuerb.exe. When I terminated the process the annoying scan stopped and I gained control over the laptop; however, I found that the internet wouldn't work (it would just redirect you to a page that disallowed access and said "...visiting this website may harm your computer!" and tried to redirect you to http://protectep.com/shop?abc=cGdpZD04JnI9NzguMg== that tried to sell you some malicious antivirus removal software). I found the proxy settings were set to the http: IP address 127.0.0.1 and port 8992, which basically creates a loop back to the computer. I fixed this by disabling the use of a proxy address and enabling the automatic configuration of settings.

Now, here is my concern: if I delete the nactbyjuerb.exe file or even the entire \temp\ folder manually, will it get rid of the entire virus and repair all of its damage? I say this because I think a separate program may have caused the internet messing up while another may have caused the false scans. I also know that everyone warns not to delete the virus for it may infect other files; however, MWB and MSE did not detect the file (I even right-clicked on the application and scanned it separately several times) and the computer seemed to run fine once the process was terminated.

Any help is greatly appreciated.

PS - the laptop has IE8 and Windows Vista Business service pack 2 32 bit.
THE MWI EXPLAINS THAT WHATEVER I SAY IS ALWAYS RIGHT
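
The two symptoms described in the post above, a per-user Internet Explorer (WinINet) proxy pointed at 127.0.0.1 and a process running out of AppData\Local\Temp, can be checked from PowerShell. This is an added example, not part of the original thread; it is read-only, assumes PowerShell 3.0 or later, and the function name `Test-LoopbackProxy` is hypothetical.

```powershell
# Added example: read-only triage for a loopback proxy and Temp-resident processes.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Test-LoopbackProxy {
    param([string]$ProxyServer)
    # ProxyServer is either "host:port" or "http=host:port;https=host:port;..."
    foreach ($entry in ($ProxyServer -split ';')) {
        $hostPort = ($entry -split '=')[-1]
        $hostPart = ($hostPort -replace '^\w+://', '') -split ':' |
            Select-Object -First 1
        if ($hostPart -match '^(127\.\d+\.\d+\.\d+|localhost)$') { return $true }
    }
    return $false
}

# 1. Is a proxy enabled for the current user, and does it point back at this machine?
$settings = Get-ItemProperty -Path $inet
if ($settings.ProxyEnable -eq 1 -and (Test-LoopbackProxy $settings.ProxyServer)) {
    Write-Output "Proxy enabled and pointing at loopback: $($settings.ProxyServer)"
    # To turn it off (what the poster did through the Internet Options dialog):
    # Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
} else {
    Write-Output "No loopback proxy configured for this user."
}

# 2. Which running processes have their executable under the user's Temp directory?
$temp = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\') + '\'
Get-CimInstance Win32_Process |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($temp, [StringComparison]::OrdinalIgnoreCase)
    } |
    Select-Object ProcessId, Name, ExecutablePath
```

Installers and updaters also run from Temp, so a hit in the second check is a lead to investigate rather than a verdict.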



#2 cryptodan


Posted 24 January 2011 - 01:20 AM

Can you post the scan results from Malwarebytes Anti-Malware and MSE?

#3 Khanguy


Posted 24 January 2011 - 07:38 PM

Never mind, I updated definitions after I killed the process. MSE found it and removed it. I also followed the steps here to fix the registry: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Rogue%3AWin32%2FFakeSpypro.

Thanks anyways.


Edited by Khanguy, 24 January 2011 - 10:03 PM.

THE MWI EXPLAINS THAT WHATEVER I SAY IS ALWAYS RIGHT

#4 cryptodan


Posted 26 January 2011 - 06:38 AM

Good work on resolving your issue. That's what I was looking for, the name of the malware.



