Jump to content


  • Content Count

  • Joined

  • Last visited

About sixrealms

  • Rank
  1. I seem to be clean, now. I believe it is important to not click on any of the Fake AV warning pop-ups... I move them to the side when possible. It seems that clicking them, even the X to close, enables the virus to do additional destruction, as encountered by flywelder. My last SAS log of infection cleanup: SUPERAntiSpyware Scan Log https://www.superantispyware.com Generated 05/09/2011 at 11:41 PM Application Version : 4.52.1000 Core Rules Database Version : 7021 Trace Rules Database Version: 4833 Scan type : Complete Scan Total Scan Time : 01:35:17 Memory items scanned : 518 Memory threats detected : 0 Registry items scanned : 8376 Registry threats detected : 1 File items scanned : 57411 File threats detected : 26 System.BrokenFileAssociation HKCR\.exe Adware.Tracking Cookie C:\Documents and Settings\Joyce\Cookies\joyce@lucidmedia[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@specificmedia[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@ad.yieldmanager[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@ru4[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@a1.interclick[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@collective-media[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@invitemedia[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@realmedia[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@www.windowsmedia[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@adbrite[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@questionmarket[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@tribalfusion[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@media.adfrontiers[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@specificclick[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@imrworldwide[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@media6degrees[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@ads.pubmatic[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@pointroll[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@adxpose[1].txt C:\Documents and Settings\Joyce\Cookies\joyce@revsci[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@ads.pointroll[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@interclick[2].txt C:\Documents and Settings\Joyce\Cookies\joyce@serving-sys[1].txt ia.media-imdb.com [ C:\Documents and Settings\Joyce\Application Data\Macromedia\Flash Player\#SharedObjects\47867SAQ ] msnbcmedia.msn.com [ C:\Documents and Settings\Joyce\Application Data\Macromedia\Flash Player\#SharedObjects\47867SAQ ] Trojan.Agent/Gen-FakeAV C:\DOCUMENTS AND SETTINGS\JOYCE\LOCAL SETTINGS\TEMP\JAR_CACHE5582401156241880608.TMP MBAM scan executed after SAS reported: Malwarebytes' Anti-Malware www.malwarebytes.org Database version: 6543 Windows 5.1.2600 Service Pack 3 Internet Explorer 8.0.6001.18702 5/10/2011 2:16:35 AM mbam-log-2011-05-10 (02-16-35).txt Scan type: Full scan (C:\|) Objects scanned: 252971 Time elapsed: 1 hour(s), 17 minute(s), 36 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 1 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\exqonczctruceg (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: c:\system volume information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP1257\A0110716.exe (Trojan.FakeAlertRP.Gen) -> Quarantined and deleted successfully. MSE History reports on actions it took automatically (I didn't run a scan): Exploit:Win32/Pdfjsc.OY Severe 5/10/2011 7:54 AM Removed file:C:\Documents and Settings\Joyce\Local Settings\Application Data\Mozilla\SeaMonkey\Profiles\obrov2kz.default\Cache(4)\93746344d01 Rogue:Win32/FakeSpypro Severe 5/10/2011 2:05 AM Removed containerfile:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1257\A0110716.exe file:C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1257\A0110716.exe->[Obfuscator.JM]->(UPX) Rogue:Win32/FakeRean Severe 5/09/2011 10:26 PM Removed file:C:\Documents and Settings\Joyce\Local Settings\Temp\jar_cache5582401156241880608.tmp Rogue:Win32/FakeRean Severe 5/09/2011 10:08 PM Removed file:C:\Program Files\SeaMonkey\null0.8474681624012698.exe regkey:HKCU@S-1-5-21-4250537583-2546393392-2140395777-1005\software\classes\.exe
  2. When the FakeAV initiates on my computer, it disables MSE and MBAM, but not SAS. This infection led me to purchase SAS. Now, I have SAS resident with MSE. MBAM has found files missed by SAS. However, SAS default Scanning Controls was set to Ignore non-executable files ~ perhaps causing the difference? Irrespective, I find it best to run several programs for cleaning. I see that SAS has a repair tab to restore functions removed by the Fakes. If I look at history for my 2 residents, SAS and MSE, I see that they've both caught different attack attempts. I'm wondering why so frequently the Fake gets in. Since my 1st infection 2 weeks ago, I've been careful about selecting the sites I visit.
  3. Maybe I've had the same... Annoying, isn't it? Two weeks ago I struggled with cleaning it, and for some reason it reappeared tonight. In addition to taking over operations with its fake warnings, it disables task manager and the legit antiviral software, the ability to run exe's, and turns the firewall off. I have xp-pro and these steps work for me. A run of exefix_xp.com restores the ability to execute files, so that you'll be able to run MSE, Malwarebytes, SuperAntiSpyware, etc. I believe I found it on the web. Start/Run regsvr32 wuaueng.dll restores the firewall. Reboot into safe mode. Run full scan antivirus softwares in safe mode. Get the software updates as soon as you have the ability to open them and the firewall issue is resolved. Again run the antivirus programs in full boot. I run the 3 I mentioned, updating continually, and find that they find different components. This works for me. It takes 1 or more hours for each execution of an antivirus software, so it does take time. Good luck.
  • Create New...