Trojan.W32/Fakeav.BSE And Trojan.Multi/RedCrossAntivirus

Discussion in 'ESET NOD32 Antivirus' started by chechex80, Sep 10, 2010.

Thread Status:
Not open for further replies.
  1. chechex80

    chechex80 Registered Member

    Joined:
    Sep 9, 2010
    Posts:
    5
    Location:
    Guatemala
    Good evening friends, my question is: does ESET detect the Trojan.W32/Fakeav.BSE and Trojan.Multi/RedCrossAntivirus viruses?

    ;) thanks, greetings
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Impossible to say without a sample. Most likely they're detected.
     
  3. chechex80

    chechex80 Registered Member

    Joined:
    Sep 9, 2010
    Posts:
    5
    Location:
    Guatemala
    Thanks for your prompt reply. Information about these malwares is online, so I had that doubt.

    ;) greetings.
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    It didn't detect the RedCrossAntivirus rogue as of this past Monday the 6th, which is the most recent time I've seen it. Had to clean it on a client rig with a whole bunch of tools plus a lot of manual work. RedCrossAV is quite a pain of a rogue to clean up...it blocks you from logging onto the desktop, including in safe mode. I had to make my first attack via safe mode/command prompt.

    Ran into RedCrossAV rogue first about 3 weeks ago.
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Removal guide for Rogue RedCross AV here. Should be accomplished with the assistance of a Security Expert.
     
  6. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    An amusing help article...the guy that wrote it obviously doesn't understand what he even stated (and I stated above)...that the rogue launches and takes over your screen before you can get to your Windows Desktop. Including (as I stated above) in safe mode.

    Now...let's review the article that you linked. Specifically steps 2, 3, 4. He says to transfer the file (rkill) to the desktop and double click it.

    Uhm...ok..lemme get this straight....help me here.
    *The rogue launches when you log in..and takes over your screen, preventing you from getting to your desktop, or doing anything else for that matter but sit and stare at the rogue.
    *It does the same thing in safe mode.

    Hmmm....am I missing something here? How can I copy and/or run files on my desktop....when the rogue prevents me from going there? Who the heck wrote that article...did they even grasp what they were saying? You can't get to your desktop..even in safe mode, you can't get Task Manager, you can't minimize the rogue screen..you're stuck. Hello...McFly!

    Nope, your choices are to either remove the drive..slave it to another machine..and scan/clean from that. Or...in the situation I was in, I had nothing but the infected laptop in front of me and had a few hours to clean it up right then and there, so I used safe mode with command prompt...which allowed me to navigate the directories that had infected files, delete them, and it allowed me to run regedit..and remove the loader entries. I could then get to safe mode w/ network support...install good utilities that can clean/remove malware such as MalwareBytes, SAS, Combofix..and let them work their magic.
     
  7. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia

    siljaline - do you ever pay attention here :rolleyes: or are you too busy defending NOD letting another fake malware by? Because if you did pay attention, you would have seen from his previous postings that YeOldeStonecat knows what he is doing, and not disrespected his knowledge by posting this in oh so typical DSL Reports style (link - copy/paste - no substance from user experience).
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    I did not write the guide, YeOldeStonecat. It is a well respected site; I go there for removal guides, as do tens of thousands of others. If you have an issue with it, I suggest you take it up with Bleeping Computer and not shoot the messenger. That would also apply to tobacco. :ouch:
     
  9. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Then how about adding your "OWN" valuable input instead of "link/copy/paste" ;)
     
    Last edited: Sep 11, 2010
  10. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    siljaline,

    I couldn't agree more with Tobacco. Why don't you post your OWN guide of how to remove at LEAST ONE of those Fake AVs [Rogues] instead of sending the users requesting assistance to ESET KB links or Bleeping Computer links?

    Your signature says you are a “Security Expert”, so you should know how to deal with those threats yourself. Shouldn't you?
    That style is a DSLR style.

    I have dealt myself with these nasty Trojans, either cleaning friends' computers or my neighbors', and I know that once the Rogue adds itself to the start-up [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] it's nearly impossible to stop it by running the Rkill utility recommended by Bleeping Computer. Sometimes [I've seen this myself] you can't even reboot into SAFE MODE because the Trojan corrupts some files necessary to accomplish this.

    The best approach should be to try indeed to stop the Trojan process by running Hitman Pro FORCE BREACH and then using MS Autoruns to delete the Trojan entry from the RUN key of the Windows Registry. Then disable System Restore, and then you can run Malwarebytes or SuperAntiSpyware to get rid of the Rogue and reboot your PC afterward.

    If none of these tricks work then you could use a boot disk [Kaspersky, Avira, Dr. Web, ESET, etc.] to start the PC from it and then try to clean it up.

    You see? I didn't have to point out articles to teach somebody how to get rid of a Fake AV.

    Kind regards,

    Carlos
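    As an added example, not code from any poster in this thread or from the tools they name, the PowerShell script below enumerates the Run/RunOnce autostart entries that YeOldeStonecat removes with regedit and Zyrtec with Autoruns, and flags the ones an analyst would look at first. It is review-only: nothing is deleted. The list of suspicious launch directories and the "unsigned binary" heuristic are assumptions of this example, chosen because the rogues discussed here ran from per-user folders without a legitimate signature; they are triage aids, not proof of infection.

```powershell
# Added example (not from the thread): list Run/RunOnce autostart entries and
# flag the ones worth a second look. Review only: nothing is changed or deleted.
# Run in an elevated PowerShell session; Safe Mode with Command Prompt can
# start powershell.exe, which is the situation YeOldeStonecat describes.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic (an assumption of this example, not a rule from the thread):
# legitimate startup programs rarely launch from temp or per-user app-data folders.
$suspiciousDirs = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemRoot\Temp") |
    Where-Object { -not [string]::IsNullOrEmpty($_) }

function Get-RunTargetPath {
    param([Parameter(Mandatory)][string]$Command)
    # Extract the executable path from a Run value: a quoted path, an unquoted
    # path up to ".exe", or the first whitespace-delimited token as a fallback.
    # Loader entries such as "rundll32.exe foo.dll,Entry" resolve to the host
    # executable, so the DLL argument must still be read from the Command column.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartFindings {
    $results = foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($command)) { continue }

            $target  = Get-RunTargetPath -Command $command
            $reasons = @()

            if (-not (Test-Path -LiteralPath $target -PathType Leaf)) {
                # A Run entry whose file is gone is stale or already half-cleaned;
                # either way it should not stay behind.
                $reasons += 'target file missing'
            } else {
                foreach ($dir in $suspiciousDirs) {
                    if ($target.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
                        $reasons += "launches from $dir"
                        break
                    }
                }
                # An invalid or absent signature is not proof of malice, but it is
                # a useful sort key when deciding what to inspect first.
                $sig = Get-AuthenticodeSignature -FilePath $target
                if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $name
                Command = $command
                Target  = $target
                Flags   = ($reasons -join '; ')
            }
        }
    }
    # Flagged entries sort to the top so the analyst sees them first.
    $results | Sort-Object -Property @{ Expression = { $_.Flags -eq '' } }, Key, Name
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```

    Once an entry has been confirmed as the rogue's loader, `Remove-ItemProperty -Path <key> -Name <value name>` does from the command prompt what the posters do in regedit or Autoruns; the file it points at still has to be quarantined or deleted separately, and the machine rebooted to confirm the desktop comes back.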
     
  11. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Your signature says you are a “Frequent poster” because you have 224 posts :thumb:
     
  12. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hello,

    Post count is meaningless if your posts don't have anything valuable to contribute to help other people, or if you only use them to start flame wars.
    I've been a member of WSF since 03/2008 [more than 2 years] and yes, my post count is only 225 measly posts.

    Thanks,

    Carlos
     
  13. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You may note that the adware, spyware & hijack cleaning forum is closed. Therefore, Wilders does not offer on-site infection help other than offering suggestions for an infected machine such as this:
    Steps to take if you are infected; ESET has a comprehensive list of stand-alone rogue removal tools.

    To close, off-site trusted sites such as Bleeping Computer and Malwarebytes have an excellent section of self-help guides that I offer to users who come here looking for assistance in getting disinfected.
     
  14. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    We've diverted way out-of-topic on this thread thanks to two posters above me, but well, to put this to rest: I'm not by any means endorsing the re-opening of HJT or similar forums to help people, but even if both of us have been LUCKY enough not to get infected by Rogue AVs, there is a likelihood that some acquaintances might have gotten infected and we might have needed to help them to get rid of such Trojans.

    There is a web-site named “Remove Malware” whose owner [Matt Rizos] hardly sends people to go and read links to figure out how to get rid of Malware infections. Every infection, every Trojan and every computer configuration is different. Whatever works for Bleeping Computer may or may not work on my configuration, so their approach should be seen as a GENERAL guide of how to fend off a Rogue infection. Furthermore, sometimes a Rogue that infects a computer is just that, a lonely Rogue, but sometimes the Rogue is blended with Rootkits [TDSS, Rustock, etc.], which makes the disinfection even more challenging.

    That's why I suggest that instead of sending the user to a link which he/she could've easily looked up just by Googling, why not give them a REAL-LIFE example of how we solved these problems ourselves?

    Do I make sense?

    Thanks

    Carlos
     
  15. NAMOR

    NAMOR Registered Member

    Joined:
    May 19, 2004
    Posts:
    1,526
    Location:
    Arkham Asylum
    Different variant perhaps?
     