58959 Views, 97 Replies. Latest reply: Mar 24, 2010 8:13 AM by SamSwift
  • Newcomer 7 posts since
    Jan 27, 2010

    Updated stinger appears to be working for me as well...took forever, and still left one file unrepairable, but the red ball is gone.


    Unfortunately, as pointed out above - nobody mentioned turning off system restore until late in the thread, so I imagine I will have to go through this again...

  • Newcomer 11 posts since
    Jan 30, 2010

    I have been reading up on this thread since last Wed the 27th. I have worked on three machines for friends with the same "FakeAlert" problem. The first machine ("A") was an HP Laptop running Vista and IE8 in late December. He did not click on the warning bubble messages other than the upper right "X" to close. I did a "System Restore" from about two months prior in "Safe Mode" and that seemed to do the trick. I have not heard back from him concerning any new problems. The second machine ("B") was an HP Desktop running Vista and IE8. She also did not click on the pop-up message controls and only closed them with the upper right "X". I did the same "Safe Mode" - "System Restore" repair again from saved point about two months earlier. All seemed to be working right when I left. About 12 days later she reported that her internet email client (Hotmail) may have sent out emails linking to a Canadian viagra site to all of her contact list. I was surprised at the delay. I still do not know for sure if the mails were sent from her machine or if the trojan just grabbed her contact list from Hotmail (somehow) and sent them out from a different machine someplace. Today I did a scan on machine "B" with the current version of "Stinger" (downloaded late AM today) and set to "HIGH" as specified. It found nothing! Question - Why were these bogus emails sent out 12 days after the trojans were apparently removed from her machine?


    The third machine ("C") was a Dell Optiplex GX260 Desktop running WindowsXP with SP3 and IE7 (all current updates were in). He DID click on the "Close" button in the pop-up windows. His machine was apparently readily infected. Upon a restart there was also the symptom of changing the wallpaper to a green screen with the black and red "Warning" message in the center. Upon the next restart there was a pop-up message PRIOR to Windows startup that seemed much more legitimate than the others. This box was also clicked on ("OK" - I think) to be able to continue with the start-up process. (In reading the earlier posts this was also a bogus virus warning!) I tried "System Restore" on this ("C") system and that DID NOT work. It went fully through the process but then reported at the end that the "Restore was unsuccessful". I tried a second time with the same result. I then read up on the info on this site and applied the "Stinger" from 01-25-2010 v10.0.1.758 - data file v1000. I used the HIGH setting (NOT "Very High" as specified by Brian!) and turned OFF "System Restore" before starting the SCAN. This seemed to do the trick! (Thanks!)

    The reporting showed the following on this XP machine ("C"):

    C:\Windows\system32\smss32.exe
        Found the Suspect-FakeAlertKrypt trojan !!!
            (could not be repaired)

    C:\Documents and Settings\Administrator\Application Data|Microsoft\Internet Explorer\Desktop.htt\0000007e.js
        Found the Generic FakeAlert!htm trojan !!!
            (has been deleted.)

    C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Desktop.htt\00000080.js
        Found the Generic FakeAlert!htm trojan !!!
            (has been deleted)

    C:\Windows\system32\smss32.exe
        Found the Suspect-FakeAlertKrypt trojan !!!
            (has been deleted)

    C:\WIndows\system32\warning.html
        Found the JS/FakealertKryptik trojan !!!
            (has been deleted)

    C:\Windows\system32\winlogon32.exe
        Found the Suspect-FakeAlertKrypt trojan !!!
            (has been deleted)

    Number of clean files: 421717
    Number of Trojans: 6
    Number of files deleted: 5

    The only thing I seem to have a problem with yet on the WindowsXP machine ("C") is that I can't control the wallpaper yet. It is now stuck on the "Blank" wallpaper (or "None") after the "Stinger" fix. When the trojan was active, I could not get any of the controls in the "Display Properties - Desktop" tab to work to change it away from the green screen with the black and red "Warning" message in the center. I could not even slide the sliders to see more selections of files to use for wallpapers. I could only see the bottom of that list where (Type icon - "IE") with file name "warning" showed. After the cleaning, this "Display Properties" - "Desktop" tab was still stuck. As of this writing I can't reset the wallpaper on that machine. Would you please be able to help with that too? Maybe getting this tab to work could be added to the next variant of "Stinger" so the repair could be complete. The trojan apparently makes use of the "Active Desktop" controls and sets the wallpaper to this "IE - warning" thing, using its own green screen warning message. All the other tabs in this utility window work fine (i.e. Screensaver, Settings, etc.).


    Message was edited by: Art Nels on 1/30/10 6:31:38 PM CST
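As an added example (not from the original post or from McAfee), a small Python parser for report text in the layout quoted above: it pairs each path with its detection name and result, reports which files were still not removed once a later successful entry is taken into account (smss32.exe fails on the first attempt and is deleted on the second), and checks that the per-file entries agree with the summary counters. The sample text is constructed from a subset of the posted entries, and the line layout it assumes is taken only from this post.

```python
import re

# Constructed sample in the shape of the Stinger report quoted in the post above:
# a subset of its entries, with the summary counters adjusted to match this subset.
SAMPLE_REPORT = r"""
C:\Windows\system32\smss32.exe
     Found the Suspect-FakeAlertKrypt trojan !!!
            (could not be repaired)
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt\0000007e.js
     Found the Generic FakeAlert!htm  trojan !!!
                (has been deleted.)
C:\Windows\system32\smss32.exe
     Found the Suspect-FakeAlertKrypt  trojan !!!
                (has been deleted)
C:\Windows\system32\winlogon32.exe
     Found the Suspect-FakeAlertKrypt  trojan !!!
                (has been deleted)
Number of clean files:   421717
Number of Trojans:   4
Number of files deleted:   3
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")               # an entry starts with a full path
FOUND_RE = re.compile(r"Found the (.+?)\s+trojan")   # detection name on the next line
ACTION_RE = re.compile(r"^\((.+?)\.?\)$")            # "(has been deleted)" / "(could not be repaired)"
SUMMARY_RE = re.compile(r"^Number of (Trojans|files deleted):\s*(\d+)$", re.IGNORECASE)

def parse_report(text):
    """Return ([{path, name, action}, ...], {"trojans": n, "files deleted": n})."""
    detections, summary, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = {"path": line}
        elif (m := FOUND_RE.search(line)) and current is not None:
            current["name"] = m.group(1).strip()
        elif (m := ACTION_RE.match(line)) and current is not None:
            detections.append({**current, "action": m.group(1)})
            current = None
        elif (m := SUMMARY_RE.match(line)):
            summary[m.group(1).lower()] = int(m.group(2))
    return detections, summary

def needs_followup(detections, summary):
    """Paths never deleted (a later entry may supersede an earlier failure) and summary consistency."""
    deleted = {d["path"].lower() for d in detections if d["action"] == "has been deleted"}
    unresolved = sorted({d["path"] for d in detections
                         if d["action"] != "has been deleted" and d["path"].lower() not in deleted})
    consistent = (summary.get("trojans") == len(detections)
                  and summary.get("files deleted") == sum(d["action"] == "has been deleted" for d in detections))
    return unresolved, consistent
```

A non-empty unresolved list is the set of files to re-scan or remove by hand; a False consistency flag means the report body and its counters disagree and the log should be read in full rather than trusted from the summary.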
  • Newcomer 11 posts since
    Jan 30, 2010

    BTW: The link to the TS100893 document listed in this thread is not working.

  • Newcomer 2 posts since
    Jan 31, 2010

    I too have been having this same problem and am researching now on a different computer as the virus/trojan/worm has pretty much shut down Firefox and it won't let me do much at all on Internet Explorer. It seems to know to stop anything when I start researching it.

    It also has my restore shut down saying it was shut down by a group and needs domain administrator approval to get it back. So, I'm not sure how I disable it when I get to the point of trying to shut my computer down to restart. I don't want it back again.

    So, I have been reading your entries and downloaded the Stinger, copied it to a flash drive and put it on the infected computer and am running it now.

    So far it found and deleted Suspect-FakeAlertKrypt trojans

    under temporary internet files\Content.IE5\25FZCZ7X\SetuplS2010[1].exe and Content.IE5\MZE14ZSC\dfghfghgfj[1].dll

    Currently it is still running.

    As with other folks, no control over the background screen, which went to blue when infected, and the popups for AntivirusPlus kept coming up, although I did go to the AntivirusPlus program under Programs and "removed" the program under that option. That seems to have at least temporarily stopped that annoying popup and taken it off the taskbar for now. However, I suspect it might be back once I restart the computer.

    QUESTION -- since I got the virus/worm I downloaded Spyware Doctor and ran it. In the process, when I downloaded it I used my credit card to pay for the software -- this was before I knew that this was a major breach. Everything looked secure on the screen, but I don't believe anything now. Do you think it is likely my credit card purchase has been hijacked now? I think Spyware Doctor is legit? Now I don't know. Please tell me you have heard of them?

  • Newcomer 2 posts since
    Jan 31, 2010

    1. How do I know I have disabled System Restore? With my situation, when I try to run System Restore a message comes up saying "the group has turned system restore off and I need network administrator permission to turn it back on". That being said, I'm not sure I trust that it may in fact still be on -- thus reassuring the hacker that once I reboot it will "restore" the problem. It also turned off my Task Manager, so I feel completely blind in terms of being able to look and see what is running. Very smart virus. Also internet through Mozilla is totally shut down and Explorer is limited to a few pages, but none that will let me access you or even a Google search for the worm virus.

    So, I am currently doing this on a different computer while running the Stinger for a second time on the infected computer, this time with high sensitivity. The first time was with the default. I also checked the box to scan boot sectors. I hope that was okay as well.


    First stinger results found and disabled the following:

    content.IE5\25FZCZ7X\setupIS2010[1].exe

    content.IE5\MZEI4ZSC\dfghfghgfj[1].dll

    skystem32\helper32.dll

    system32\IS15.exe

    \TEMP\rasesnet.tmp\rasesnet.tmp


    2. How do I restart my computer in Safe Mode once I run Stinger one last time and run McAfee one last time? I assume I want to run each one of those one more time and then reboot the computer in Safe Mode and then try to do a System Restore to an earlier time if I can find one. I'm also assuming that once I get in Safe Mode, it will be relatively easy or intuitive to find the restore option?

    3. Finally, how do I reinstate Task Manager? Do I need to try to do something with it before doing the Safe Mode reboot?


    Thanks for any and all help.

  • Newcomer 4 posts since
    Jan 31, 2010

    I have had McAfee software for years and keep it current. So how did worm.win32.netsky get by the McAfee guard dogs? I recognized it as "fake" and somehow got rid of the red X and did not opt to purchase the bogus security 2010 software. OK, so what do I do now? I ran McAfee Quick Scan and everything looked good. Red X at bottom of screen was gone and worm.win32.netsky warning was gone. I ran a full scan and it quit/froze somewhere in about 38% of scanning on a file that had "dll" as part of it. I tried to reboot to no avail (i.e. Ctrl+Alt+Delete). Ended up taking battery out and power cord. Tried to restart and now it signs on and immediately signs off and I am unable to go anywhere or do anything. I have tried "F8" to get into safe mode and tried Safe Mode, Safe Mode with Networking, Safe Mode with Command Prompt. None work. I cannot do any of the fixes suggested on this site or any other sites that I have found. Any time I think I have a chance of getting back on I cannot get past my sign-on screen. It starts playing the Windows sign-on tune and then just as quickly switches to the Windows sign-off tune. What do I do next? I am too busy and post-call and have a lot of files that I cannot access now. How do I fix this? How do I get my files back? Do I have to spend big bucks for the Geek Squad? Is McAfee going to fix this for all of its subscribers or just charge us another fee? Please advise. BTW: I am a Windows XP user.


    Message was edited by: docdo on 1/31/10 4:19:09 PM EST
  • Newcomer 4 posts since
    Jan 31, 2010

    Firehawk, I am having the same problem and was wondering if you have found any fixes yet?

  • Newcomer 4 posts since
    Jan 31, 2010

    Hey John, where did you go to get it fixed? Don't want to pay if they cannot get it right. And did you get your files and programs back or did you lose them?

  • Newcomer 11 posts since
    Jan 30, 2010

    harveygust,


       Looks as though the experts are away for a bit. I will try to give you some hints. I am not a computer expert but have some thoughts on your questions.

       (1) - You do not seem to have control of the "System Restore" anymore. I suggest waiting for one of the "experts" to tell you how to by-pass the trojan and be able to control "System Restore" again.

       (2) - As your computer restarts - and before Windows starts up! - push the "F-8" key repeatedly and slowly as your BIOS loading shows. (If the BIOS load is not visible - start pressing the "F-8" key from about 3 seconds after you turn on the power and about every one second until Windows starts to load). This should bring you to a black screen showing "Safe Mode" as the top selection of ways to start up Windows. Rather quickly, make your selection ("Safe Mode") and push "Enter". This will start Windows in "Safe Mode". The screen will look a bit different than usual once "Safe Mode" starts. In the four corners of the screen you will see "SAFE MODE" in white type. If you need to try and have this machine connect to the internet when in "Safe Mode", select "Safe Mode with Networking" instead. (I do not suggest this though. The idea of "Safe Mode" is to be safe! Connecting out is not that safe.) Load any suggested software from a CD you make of the downloaded software from your other non-infected machine. DO NOT use a flash drive (thumb drive - memory stick - whatever) as these could possibly be infected by your first machine (the infected one) and you will move the infection to your other machine (non-infected one) once you put this flash drive back into any other machine. A CD can't be re-written to so a virus can't "backwash". Also DO NOT use a CD-RW for the same reasons unless you "finalize" it to prevent any other writing to the disk in the future.

       (3) - Try an alternative task manager like "Process Explorer" ( http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx ) or "Security Task Manager" ( http://www.neuber.com/taskmanager/ ). Either of these are good and MAY get you past the problem of not being able to open "Windows Task Manager". I have not tried loading these once the trojan is in place on a machine. The trojan MAY see these too and block them from starting - maybe not.


    Hope this helps a bit. Maybe the "experts" can weigh-in on your questions too. Again, I am not an expert but these questions were pretty simple.  Good Luck! (Sounds like you will need it.)

  • Newcomer 11 posts since
    Jan 30, 2010

    Hello again harveygust,


       If you are able to get into one of the "Task Manager" alternate programs I suggested earlier, try looking for one of these as the process that is running for the virus/trojan. These are what I could identify as processes running on the WindowsXP machine ("C") I spoke of earlier.

    SLdNJBGzlvwb wMfcpexefhBLRgc

    sysdata.xml

    Good luck again!
