Trojan.W32/Fakeav.BSE And Trojan.Multi/RedCrossAntivirus

Good evening friends, my question is eset detects trojan.w32/fakeav.bse viruses and trojan.multi / redcrossantivirus?

thanks, greetings

 

Impossible to say without a sample. Most likely they're detected.

 

thanks for your prompt reply, information from these malwares are online so I had that doubt.

greetings.

 

It didn't detect the RedCrossAntivirus rogue as of this past Monday the 6th, which is the most recent time I've seen it. Had to clean it on a client rig with a whole bunch of tools plus a lot of manual work. RedCrossAV is quite a pain of a rogue to clean up...blocks you from logging onto desktop, including in safe mode. I had to make my first attack via safe mode/command prompt.

Ran into RedCrossAV rogue first about 3 weeks ago.

 

Removal guide for Rogue RedCross AV here Should be accomplished with the assistance of a Security Expert.

 

An amusing help article...the guy that wrote it obviously doesn't understand what he even stated (and I stated above)...that the rogue launches and takes over your screen before you can get to your Windows Desktop. Including (as I stated above) in safe mode.

Now...lets review the article that you linked. Specifically steps 2, 3, 4. He says to transfer the file (rkill) to the desktop and double click it.

Uhm...ok..lemme get this straight....help me here.
*The rogue launches when you log in..and takes over your screen preventing you from getting to your desktop, or doing anything else for that matter but sit and stare at the rogue.
*It does the same thing in safe mode.

Hmmm....am I missing something here? How can I copy and/or run files on my desktop....when the rogue prevents me from going there? Who the heck wrote that article...did they even grasp what they were saying? You can't get to your desktop..even in safe mode, you can't get taskmanager, you can't minimize the rogue screen..you're stuck. Hello...McFly!

Nope, your choices are to either remove the drive..slave to another machine..and scan/clean from that. Or...in the situation I was in, I had nothing but the infected laptop in front of me and had a few hours to clean it up right then and there, so I used safe mode with command prompt...which allowed me to navigate the directories that had infected files, delete, them, and it allowed me to run regedit..and remove the loader entries. I could then get to safe mode, w/network support...install good utilities that can clean/remove malware such as MalwareBytes, SAS, Combofix..and let them work their magic.

 

siljaline - do you ever pay attention here or are you too busy defending nod letting another fake malware by?? Because if you did pay attention, you would of seen from his previous postings that YeOldeStonecat knows what he is doing and not disrespected his knowledge by posting this in oh so typical DSL reports style (link - copy/paste - no substance from user experience).

 

I did not write the guide YeOldeStonecat, it is a well respected site, I go there for removal guides as do tens of thousands of others, if you have issue with it, I suggest you take it up with Bleeping Computer and not shoot the messenger, that would also apply to tobacco.

 

Then how about adding your "OWN" valuable input instead of "link/copy/paste"

 

Sakhalin,

I couldn't agree more with Tobacco. Why don't you post your OWN guide of how to remove at LEAST ONE of those Fake AVs [Rogues] instead of sending the users requesting assistance to ESET KB links or Bleeping Computer links?

You signature says you are a “Security Expert” so you should know how to deal with those threats yourself. Shouldn't you?.
That style is a DSLR style.

I have dealt myself with these nasty Trojans either cleaning friends' computers or my neighbors' and I know that once the Rogue adds itself to the start-up [ HK_LOCAL MACHINE\SOFTWARE\Microsoft\Windows\Current Version\RUN] it's nearly impossible to stop it by running the Rkill utility recommended by Bleeping Computer. Sometimes [I've seen this myself] you can't even reboot onto SAFE MODE because the Trojan corrupts some files necessary to accomplish this.

The best approach should be to try indeed to stop the Trojan process by running Hitman Pro FORCE BREACH and then using MS Autoruns to delete the Trojan entry from the RUN key of the Windows Registry. Then disable System Restore and, then you can run Malwarebytes or SuperAntiSpyware to get rid of the Rogue and rebooting your PC afterward.

If none of these tricks work then you could use a boot disk [Kaspersky, Avira, Dr. Web, ESET, etc] to start the PC from it and then try to clean it up.

You see? I didn't have to point out articles to teach somebody how to get rid of a Fake AV.


Kind regards,




Carlos

 

You signature says you are a “Frequent poster” because you have 224 posts

 

Hello,

Post count is meaningless if your posts don't have anything valuable to contribute help other people or if you only use them to start flame wars.
I've been a member of WSF since 03/2008 [ more than 2 years] and yes, my post count is only 225 measly posts.


Thanks,


Carlos

 

You may note that the adware, spyware & hijack cleaning is closed. Therefore, Wilders does not offer on-site infection help other than offering suggestions for an infected machine such as this:
Steps to take if you are infected, ESET has a comprehensive list of stand-alone rogue removal tools

To close, off-site trusted sites such as Bleeping Computer and Malware Bytes have an excellent section of self-help guides that I offer to users that come here looking for assistance in getting disinfected.

 

We've diverted way out-of-topic on this thread thanks to two posters above me but well, to put this to rest I'm not by any means endorsing the re-opening of HJT or similar forums to help people but even if both of us have been LUCKY enough for not getting infected by Rogue AVs there is a likelihood that some acquaintances might have gotten infected and we might have needed to help them to get rid of such Trojans.

There is a web-site named “Remove Malware” whose owner [Matt Rizos] hardly sends people to go and read links to figure out how to get rid of Malware infections. Every infection, every Trojan and every computer configuration is different. Whatever works for Bleeping Computer may or may not work on my configuration so their approach should be seen as a GENERAL guide of how to fend off a Rogue infection. Furthermore, sometimes a Rogue that infects a computer is just that, a lonely Rogue but sometimes the Rogue is blended with Rootkits [TDSS, Rustock, etc.] which make the disinfection even more challenging.

That's why I suggest that instead of sending the user to a link which he/she could've easily looked-up just by Googling why not give them a REAL-LIFE example of how we solved these problems ourselves?

Do I make sense?



Thanks



Carlos

 

Different variant perhaps?