On 6/1/2011 3:40 PM, Al Puzzuoli wrote:
> Over the past few months, I have seen a number of instances of machines
> getting infected with variants of this Fake Alert bug. It has happened
> to several users in the office; but I have also seen it on friend's
> machines as well. Some users were running XP, others were on Windows
> 7. Some had admin rights, others didn't. It's gotten past Nod32, VIPRE,
> and Security Essentials. Bottom line is, I have no idea what to do to
> keep this bloody thing out! Are others having similar problems? If so,
> why hasn't there been more of a general outcry to the AV companies? They
> all seem to be virtually useless when it comes to this sort of attack.
> If AV isn't the answer, then what is?
I've seen a definite uptick in the number of cases I've had in the last
couple of weeks. The only good news is that I've gotten pretty good at
removing it these days :).
I haven't been able to stop it, or figure out any way to do so. My
understanding is the code is changing enough to make it tough for virus
software to catch.
Generally to remove it, I've used a combination of malwarebytes,
combofix, tdsskiller, and going through fixing the file associations in
the registry by hand (since these inevitably will change exe, internet
explorer, and firefox to all run through their executable). The
registry part is a little annoying, since if I'm not logged in as the
user in question, I generally have to go back and fix their profile too
(even things in HKEY_CLASSES_ROOT seem to be different for different
users). Combofix seems to like to wipe out a particular piece of
software that some of my users use (Eprime), so I've gotten away from
Last couple I've cleaned up after have also disabled the windows
firewall and screwed up automatic updates, so it's worth looking at that
I'll have to try that Standalone Sweeper thing that Matt brought up and
see how well it does. Somehow I'm pretty sure I'm going to get the
chance to do that.
> Totally frustrated,
I've moved beyond being frustrated and have reached the more resigned state.
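The by-hand registry and service checks described in the reply above, written up as an added PowerShell audit script; it is not code from the thread or from either poster. It assumes the stock exefile open command is `"%1" %*`, that `.exe` maps to the ProgID `exefile`, and the service names MpsSvc (Vista/7 firewall), SharedAccess (XP firewall) and wuauserv (Automatic Updates); it only reports, it does not repair.

```powershell
# Added example, not from the thread: audit the settings the reply says
# these FakeAlert variants tamper with. Read-only; it reports, nothing more.
$expectedOpen = '"%1" %*'   # assumed stock default for exefile\shell\open\command

# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# which is why the reply sees per-user differences; so check both hives.
$hives = @{
    'HKLM' = 'HKLM:\SOFTWARE\Classes'
    'HKCU' = 'HKCU:\Software\Classes'
}

$findings = @()
foreach ($name in $hives.Keys) {
    $base = $hives[$name]

    # 1. Does ".exe" still map to the stock ProgID "exefile"?
    #    A per-user (HKCU) override is not present on a clean profile.
    $progId = (Get-ItemProperty -Path "$base\.exe" -ErrorAction SilentlyContinue).'(default)'
    if ($name -eq 'HKCU' -and $progId) {
        $findings += "HKCU overrides the .exe ProgID to '$progId'"
    } elseif ($name -eq 'HKLM' -and $progId -ne 'exefile') {
        $findings += "HKLM .exe ProgID is '$progId', expected 'exefile'"
    }

    # 2. Does the exefile open command launch the file directly, or is
    #    something else inserted in front of "%1"?
    $cmd = (Get-ItemProperty -Path "$base\exefile\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -ne $expectedOpen) {
        $findings += "$name exefile open command is '$cmd', expected '$expectedOpen'"
    }
}

# 3. Services the reply says get disabled: Windows Firewall and Automatic
#    Updates. WMI is used so StartMode is visible on XP/7 with PowerShell 2.
$fwSvc = if (Get-Service -Name MpsSvc -ErrorAction SilentlyContinue) { 'MpsSvc' } else { 'SharedAccess' }
foreach ($svc in @($fwSvc, 'wuauserv')) {
    $s = Get-WmiObject -Class Win32_Service -Filter "Name='$svc'"
    if (-not $s) { $findings += "service $svc not found"; continue }
    if ($s.StartMode -eq 'Disabled' -or $s.State -ne 'Running') {
        $findings += "service $svc is $($s.State) (start mode $($s.StartMode))"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No tampering indicators found in the checked keys and services.' }
```

Run it from the affected user's own session (or load that user's hive) so the HKCU checks see the right profile, which is the same per-user problem the reply runs into when cleaning by hand.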