Fake Alert issues

My PC (vista) got infected with a FakeAlert trojan. This is the second time I've gotten it and the second time ESET did not block it despite my daily signature database updates.

That in and of itself is frustrating. The trojan essentially disables any program you try to launch by saying it is infected. The last time I got it, I was able to start in safe mode and run a scan, and it caught the virus.

This time, however, ESET starts to run in safe mode, takes a few hours, and then the box simply closes and the virus is still there when I re-start my PC.

I simply do not know what to do at this point.

 

Hello Troncone,

Can you please submit the sample to the ESET virus lab?
http://kb.eset.com/esetkb/index?page=content&id=SOLN141

Thank you,
Richard

 

I wish I could. Unfortunately, I can't determine which files are infected. Whatever got past ESET has completely taken away my ability to open any applications. It's essentially rendered ESET helpless.

 

What to do if you are currently infected

 

Troncone,

I firmly believe that an ounce of prevention is a lot better than a pound of cure.

You're using Windows Vista which is a good thing. Vista and Windows 7 are safer than Windows XP but even so you always have to take your precautions because nothing in the software universe is 100% bulletproof.

First, let's focus on your PC not being infected for a third, forth of even a fifth time.

Try to switch to a more secure browser than MS Internet Explorer [ even at version 8 ]. Example: install Firefox [ the most recent version is 3.6.9 although, you can test version 4 which is currently beta if you'd like ].

Secondly, add to Firefox a very important extension named NO-SCRIPT. By doing so you will be blocking a big chunk of Java Scripts on the majority of web-pages you visit. Java Script is used by those Rogue AV creators to display the FAKE ALERT that says falsely that “YOUR COMPUTER IS INFECTED”. Then, by using NoScript on FF you can grant permanent permissions to web-sites you trust so they can display correctly in your browser. Just don't be a little bit hasty and grant permanent permissions to ALL web-pages you encounter because you'd be defeating the purpose of NoScript.

Actually, I always grant just TEMPORARY permissions to all web-sites I visit, even the ones I trust. When I close my browser session all the information is forgotten by NoScript and when I re-open my Firefox browser, I have to give temp permissions again [ just a minor inconvenience I can live with but I put safety over inconvenience ].

Thirdly, install Sandboxie [ if you don't want to buy a license just keep it using it after 30 days and it will revert to a “free” but nagware version but still functional ]. From that point onwards, if you want to start Firefox, you may as well right-click on its icon on your desktop and, from the drop-down menu select RUN SANDBOXED. Everytime you grant a permission to a trusted web-site to use Java-Script and that site happens to have become infected, Firefox running within a Sandbox can save your day.

Fourth, Install a copy of Malwarebytes Antimalware and a copy of SuperAntiSpyware on your PC [ free versions of both should suffice ] and do a scan once a week so they can catch whatever NOD32 could've missed [Although, I do not anticipate any infections on your PC if you follow these rules].

Fifth, you can also install another extension for Firefox [ AdBlock Plus ] to block adds for the pages you have given permissions to display Java-Scripts or you can better off install MVPS Hosts file so you can replace your current Windows Vista Hosts File with this one that will block malicious web-sites and bad advertisements alike.

Lastly, get a USB thumb-drive and download a copy of HitMan Pro, MS Autoruns, MS System Explorer; with HitMan Pro, if your PC gets infected by a Trojan Fake AV and you can't open any applications including your AV, starting HitMan Pro, by holding down the LEFT CTRL on your computer keyboard and clicking on Htiman Pro icon on your USB drive you can kill all non-essentials processes running on your PC including the Fake AV process then, using MS Autoruns, you can locate and delete the start-up entry on the RUN key on the Windows Registry that is associated with the Fake AV. Also download a rescue disk ISO Image [ e.g. Kaspersky, ESET, Avira, etc.], burn it to a CD and keep it handy because if your PC gets infected and you can boot from it and clean it.

Another thing, consider demoting yourself form Administrator to Standard User [ I know you can still get a Rogue infection by running as Standard User but the likelihood of the Trojan writing entries on the HK_LOCAL MACHINE key of the Windows Registry gets minimized ].


Kind regards,





Carlos