The Fake Antivirus/Rogue Antivirus/Fake Security Suites, by variant, are the most common threat that we are seeing today. There are a lot of methods that the bad guys behind it are using to try and bypass anti-virus software and pump out as many variants as possible.
McAfee has produced Stinger tools as solutions to help with special threats/infections that are difficult to deal with and we have done so for this threat and are keeping this updated with some of our newer detection signatures and technology that are not yet in the dat files. You can download the FakeAlert Stinger from the following location:
An article is available at http://service.mcafee.com/FAQDocument.aspx?id=TS100893 that discusses this tool as well as instructions for use.
Please give this Stinger tool a shot if you come across any Fake Antivirus wreaking havoc on your system. Feedback on this thread highly appreciated.
Message was edited by: Brian Mann on 1/25/10 10:46:13 PM PST
I have performed all your instructions just as outlined, I turned off restore, ran the Stinger 3 times and I am still plagued by the XP Antispyware 2010 / XP Antivirus 2010 etc... pop-ups. It even blocks me from loading 2/3 of the web pages I try to load. It first pops up with a screen that says "Internet Explorer alert. Visiting this site may pose a security threat to your system" then offers 3 options of purchase our "protection" "run a scan" "continue without security" and sometimes the continue will work but mostly it just takes me back to the page I just tried to leave or pops up an advertisement. Please Help!
Oh yeah, and either your Poll is broken or the virus prevents its use too because all I get is an error when trying to take the Poll.
Message was edited by: IronMac on 1/26/10 10:29:21 AM CST
Message was edited by: IronMac on 1/26/10 10:30:11 AM CST
Thanks for the feedback - we're in the process of testing a newer build so will post it as soon as testing is complete.
So, I was just wondering, this new build you're testing... is it due to be put out soon? I mean, are we talking a matter of hours, days, weeks? I am just trying to gauge my time waiting to see if it would just be more prudent to format and re-install from scratch or wait for the new release. Any heads up?
The new version is posted and available at http://download.nai.com/products/mcafee-avert/fakealertstinger.exe
Apologies for this taking longer than expected but we wanted to make sure it got some thorough QA because false detections or partial repairs can put you in an even worse position than you can be in with a virus.
Received 2 fake spyware announcements, did not click on them, ran full scan, trojan was identified as JS/Fake Alert/Kryptik(..., report said it was quarantined and removed, which was untrue. Ran another complete scan, which came up negative. Continued to receive fake warnings. Restarted computer, received real warning that I had virus Netsky 32. Activated Stinger Tool ran it 4 times, including latest version twice. Found the fake alert trojan, and said it removed 3 trojans. Did not affect fake alerts at all. Your program is completely ineffective, as far as solving my problem. Please advise.
I have the same problems as John Simpson's post. I will try the updated stinger program to see if it will solve problem.
I am curious as to why this "problem" hasn't been dealt with. I Googled the symptoms and saw there are posts from August of 2008 about this. As the previous poster said, PLEASE advise as to where this came from, how it gets into a computer, and when McAfee will finally deal with it.
I too have run the latest version of Stinger in this post, and had similar results to the two posts above mine. Stinger found the "main" JS\Fakealert\Kryptik file and I was able to delete it. This temporarily stopped the phoney pop-ups. But after a restart, it was back. This leads me to believe that there is something hidden in the registry that is re-creating the problem/file. We all need advice on how to get rid of that "hook" that calls this thing back up with a restart.
I believe this is a revamped version of some of those old FakeAlert malware trojans, and we just need updated instructions on how to wipe out the current hiding places.
BTW - the message on start up of Netsky 32 is also a fake message, not a real one. I saw that listed, verbatim, somewhere else, can't remember where. A real clue to the fake messages is the language/grammar/misspellings. Look closely...
HELP - HELP - HELP!
Message was edited by: fzpj9d on 1/27/10 5:11:47 PM CST
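The post above suspects a registry entry that relaunches the file after a restart. As an added example (not part of any post in this thread and not McAfee's code), the script below parses `reg query` style output of the standard Windows `Run` autostart keys and lists entries that start a program from a user-writable folder, so they can be reviewed by hand. The thread does not establish which mechanism this threat uses; the sample listing, its names and paths, and the folder heuristic are all constructed assumptions.

```python
import re

# Constructed sample of `reg query` output; all names and paths are made up.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SoundMan    REG_SZ    C:\WINDOWS\SOUNDMAN.EXE
    Updater Service    REG_SZ    "C:\Program Files\Example\updater.exe" /background

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    example-av    REG_SZ    "C:\Documents and Settings\user\Local Settings\Application Data\example-av.exe" /s
    helper    REG_EXPAND_SZ    %TEMP%\helper.exe
"""

VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")
# Heuristic (an assumption of this example): programs that start from
# per-user, user-writable folders deserve a manual look first.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\",
                 "%temp%", "%appdata%", "%userprofile%")

def command_path(data):
    """Return the executable part of an autostart command line."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|dll|vbs|js))\b", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

def parse_autoruns(text):
    """Yield (key, value_name, executable_path) for each autostart entry."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), command_path(m.group(3))

def entries_to_review(text):
    """Return entries whose executable sits in a user-writable location."""
    return [(key, name, path) for key, name, path in parse_autoruns(text)
            if any(marker in path.lower() for marker in USER_WRITABLE)]

if __name__ == "__main__":
    for key, name, path in entries_to_review(SAMPLE):
        print(f"REVIEW  {key}\\{name} -> {path}")
```

A flagged entry is a prompt for manual review, not a verdict: legitimate software also starts from per-user folders.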
Replying to a couple of posts with this one:
John - The "real" warning that you got about Netsky 32 I'll say wasn't actually real. That's a common threat name that is used by many of the FakeAV threats as a scare tactic. I'd like you to do another run with the Fakealertstinger.exe file, but before you do Scan Now, click on the Preferences. At the bottom you'll see Sensitivity Level with a dropdown box next to it. Use the dropdown box and change the setting there to High, then click OK. After that click Scan Now and see if this makes a difference in what you are seeing.
Firehawk - As to why the "problem" hasn't been dealt with even though there's information since 2008 is because this isn't a single threat, but instead are hundreds of thousands, with new ones coming out every day that have same/similar functionality but with different code and obfuscation techniques. Just because one has the same symptom as one years ago doesn't mean that at a code level it's the same. Think of it along the line of being sick and one of the symptoms is a headache; there are thousands of medical reasons for a headache but just based off that symptom you don't know what it is that is causing yours. Hopefully the FakeAlert Stinger will help cure this headache though.