8 Replies Latest reply on Jan 23, 2011 4:35 PM by Peter M

    Help with Antivirus software alert

      My computer seems to be infected with BankerFox.A virus and I can't do anything on the computer as various warning pop ups keep appearing.

       

      We have McAfee security center and all the reports are saying the computer is protected and is fine.  From reading some advice on the McAfee community, I put the computer in safe mode and ran a right-click scan.  This came back clear.  I then downloaded Stinger 10101327 and ran it.  It came back to say that 3 files were infected and 2 had been deleted.  It didn't say which file was still infected or how to deal with it.

       

      I then noticed that someone on the website said that I should disable System Restore before running Stinger.  However, this option isn't available in Safe Mode and the pop-ups won't allow me to access this area in the normal PC mode (we have Windows Vista).

       

      I have now run a stinger report and this is what it says:

       

      C:\Users\Graeme\AppData\Local\Temp\csrss.exe

      Found the FakeAlert! Downloader-CEW trojan !!!

      C:\Users\Graeme\AppData\Local\Temp\csrss.exe is infected with the FakeAlert! Downloader.CEW virus !!!

      Number of clean files: 237777

      Number of infected files 1

       

      I can't even find the above file in my system to attach.  If I can find the file, do you think I can just delete it?

       

      Should I have included the Recovery (E) drive in the original scan as I only selected the C drive?

       

      I would be grateful for any help to get rid of this virus!

       

      Thank you

       

      Claire

        • 1. Re: Help with Antivirus software alert
          Hayton

          First things first. There is actually no such thing as the "Bankerfox.a virus". If you are getting messages about it, or the "Win32/Nuqel.E" virus, what you do have is a fake security program called "Spyware Protect 2009" (or probably 2011 by now). This fake has arrived because of a Trojan infection, and McAfee knows about this and how to get rid of it according to this description from the Threats Database.

           

          Of course, if this is a new variant of the infection, it could be different enough that it slips past the McAfee checks. This might explain why you said you'd run a scan in Safe Mode and it came up clean; I'm assuming that your virus definitions are up to date (the DAT version I have is 6234).

           

          Someone else on another forum reported that csrss.exe was infected by this Trojan, and in that case too had run a Stinger scan which failed to delete the file. I advise you not to delete this file yourself, since it is

          An essential subsystem that is active at all times. Csrss.exe is the user-mode portion of the Windows subsystem, and it maintains console windows and creates or deletes threads. Csrss stands for client/server run-time subsystem.

           

          Better to let one of the reliable detection & removal programs do this for you.

           

          If the McAfee scan has failed the next thing to try is Malwarebytes, a reliable standby which specialises in removing these fake programs. You can download it from here and it's free - you don't need to buy the premium version.

           

          Download it and run it in Safe Mode,

          Edit - Let it scan as many drives as you have active. That includes any memory sticks or other data storage devices that you use

          then let me know whether it's removed your PC infection. If not, there are other tools available we could try.

           

           

          Message was edited by: Hayton on 23/01/11 12:58:12 GMT
          1 of 1 people found this helpful
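
The Stinger report in the opening post names a `csrss.exe` under a user's Temp folder, while the Windows component of that name is installed in the System32 directory. The check below is an added example, not part of any post in this thread: it pulls executable paths out of report lines and flags a core Windows process name found outside System32. The name list, the function names, the default `C:\Windows` location and the last two sample lines are assumptions made for illustration.

```python
import ntpath
import re

# Core Windows processes that are installed in <Windows>\System32.
# Short illustrative list chosen for this example, not exhaustive.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe",
                "smss.exe", "winlogon.exe", "wininit.exe"}

# A drive-letter path ending in .exe, as it appears inside a report line.
EXE_PATH = re.compile(r'[A-Za-z]:\\[^\r\n"<>|*?]+?\.exe', re.IGNORECASE)


def classify(path, windows_dir=r"C:\Windows"):
    """Return 'other', 'expected-location' or 'name-mismatch' for one path."""
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_NAMES:
        return "other"
    expected = ntpath.normcase(ntpath.join(windows_dir, "System32"))
    actual = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    # Same file name as a system process, but is it in the system directory?
    return "expected-location" if actual == expected else "name-mismatch"


def scan_report(lines, windows_dir=r"C:\Windows"):
    """Extract each distinct .exe path from report lines and classify it."""
    seen, results = set(), []
    for line in lines:
        for match in EXE_PATH.finditer(line):
            path = match.group(0)
            key = ntpath.normcase(path)
            if key not in seen:
                seen.add(key)
                results.append((path, classify(path, windows_dir)))
    return results


# First two lines are from the report quoted in the thread;
# the last two are constructed for comparison.
SAMPLE_REPORT = [
    r"C:\Users\Graeme\AppData\Local\Temp\csrss.exe",
    r"C:\Users\Graeme\AppData\Local\Temp\csrss.exe is infected with the FakeAlert! Downloader.CEW virus !!!",
    r"C:\Windows\System32\csrss.exe",
    r"C:\Program Files\Example\app.exe",
]

if __name__ == "__main__":
    for path, verdict in scan_report(SAMPLE_REPORT):
        print(f"{verdict:18} {path}")
```

The verdict is a triage hint based on file name and location only; it does not inspect file contents or signatures.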
          • 2. Re: Help with Antivirus software alert
            Peter M

            You can initiate System Restore (to go to a time before all this happened I hope) in Safe Mode.

             

            Once booted into Safe Mode click the Start orb, then All Programs, then Accessories, then System Tools.  System Restore is shown there and can be started in Safe Mode.

             

            If a restore is successful don't forget to immediately update Windows and any time-sensitive software that updates regularly, such as McAfee (right-click the taskbar icon and select 'Check for updates').

             

            System Restore is only good to use if you are absolutely sure you are going to a point when the system was free of infection.

             

            As far as that alert is concerned you should perhaps run a scan using an independent anti-malware application.

             

            Download, install and update (important) before running, the FREE version of THIS software.

            • 3. Re: Help with Antivirus software alert

              Peter

               

              Thank you so much for your help.  Your instructions were very clear and easy to understand. I am back up and running again which is a huge relief!  Claire

              • 4. Re: Help with Antivirus software alert
                Peter M

                Glad you are OK now.  You might want to temporarily disable System Restore to delete the infected files.

                1 of 1 people found this helpful
                • 5. Re: Help with Antivirus software alert

                  Can you tell me how I would go about temporarily disabling the system restore? Thanks again for your help.

                  • 6. Re: Help with Antivirus software alert
                    Peter M

                    Click the Start orb, then right-click Computer and select Properties.

                     

                    Then over at the left click System Protection.

                     

                    Click Continue if you get a UAC prompt.

                     

                    You should see a window something like this:

                     

                    Capture.JPG

                     

                    I multi-boot so have highlighted the C: (System) drive.  It should look simpler in your example.

                     

                    Uncheck it, click Apply and OK and OK any prompts you get of course.

                     

                    After a reboot you can enable it all again and the infected restore point will have been erased but be warned this will erase all system restore points.

                     

                    In this case that shouldn't be an issue.

                    1 of 1 people found this helpful
                    • 7. Re: Help with Antivirus software alert

                      Perfect, thanks again.  That has been a big help.

                      • 8. Re: Help with Antivirus software alert
                        Peter M

                        That's what we are here for.  All the best.

                         

                        ;-)