Viral agent in my comp: "NSIS:FakeAV-E [Trj]" & "Win32:FakeAlert-DB [Trj]"

Hi. Had great experiences here last year when my computer had a virus, so I’m back.
And the day my comp. got a virus last year was THE SAME DAY… Sept. 11.

OK
Think this is part of the FakeAV attacks mentioned in: http://forum.avast.com/index.php?topic=48588.0
I clicked a link on a site I’d never been to before – surfthechannel.com – and…

…was greeted by a virus warning (NOT Avast – I believe it was the FakeAlert mentioned in the subject). It had the appearance of a warning from Windows (“your computer has been infected with a Trojan Horse…”), so I clicked the appropriate button. (Since I’d recently seen a malware removal tool update in the Windows updates, I thought it must be that.)
Two things opened: a new tab with the “virus treatment” procedure (with a ‘scan’ and ‘detection’ graphic), and an offer to save a file or cancel.
Avast also popped up with a Trojan Horse detection. I clicked cancel, but at this time Firefox stopped responding (I’m on IE now)…

Avast recommended moving the file(s) to the chest, so I did, but at least one repeatedly could not be moved because “the system [could] not find the file specified…”, which unfortunately put an end to the process of moving all the little devils to the chest (it kept repeating the same couple of windows). I restarted and tried again… a few times… then decided to quit trying Firefox. I did a thorough scan of the system with Avast (all drives, files, & folders), and I think it found a few more to move. Here’s the log:

9/11/2009 6:14:25 PM SYSTEM 452 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P3D6B4A0FF522AA1018D6=/install.exe?counter=1\nsis.hdr” file.
9/11/2009 6:14:39 PM SYSTEM 452 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\FABF4160d01\nsis.hdr” file.
9/11/2009 6:14:50 PM SYSTEM 452 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\FABF4160d01$PLUGINSDIR\exdll.dll” file.
9/11/2009 6:17:23 PM SYSTEM 452 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\wb2hGcDZ.exe.part\nsis.hdr” file.
9/11/2009 6:17:26 PM SYSTEM 452 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\wb2hGcDZ.exe.part$PLUGINSDIR\exdll.dll” file.
9/11/2009 6:17:52 PM SYSTEM 452 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P3D6B4A0FF522AA1018D6=/install.exe?counter=2\nsis.hdr” file.
9/11/2009 6:17:53 PM SYSTEM 452 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P3D6B4A0FF522AA1018D6=/install.exe?counter=3\nsis.hdr” file.
9/11/2009 6:18:19 PM SYSTEM 452 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\CoC947Nn.exe.part\nsis.hdr” file.
9/11/2009 6:18:51 PM SYSTEM 452 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\CoC947Nn.exe.part$PLUGINSDIR\exdll.dll” file.
9/11/2009 6:26:59 PM SYSTEM 212 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P4841B40FAF22AA10188BE==/install.exe?counter=1\nsis.hdr” file.
9/11/2009 6:27:01 PM SYSTEM 212 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P4841B40FAF22AA10188BE==/install.exe?counter=2\nsis.hdr” file.
9/11/2009 6:27:02 PM SYSTEM 212 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\JMnHhy+5.exe.part\nsis.hdr” file.
9/11/2009 6:27:10 PM SYSTEM 212 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\JMnHhy+5.exe.part$PLUGINSDIR\exdll.dll” file.
9/11/2009 6:35:50 PM SYSTEM 2016 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P4882B40FAF22AA1018AD7/install.exe?counter=0\nsis.hdr” file.
9/11/2009 6:35:56 PM SYSTEM 2016 Sign of “NSIS:FakeAV-E [Trj]” has been found in “http://secinstall.info/P4882B40FAF22AA1018AD7/install.exe?counter=2\nsis.hdr” file.
9/11/2009 6:36:06 PM SYSTEM 2016 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\A1EF4198d01\nsis.hdr” file.
9/11/2009 6:36:13 PM SYSTEM 2016 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\A1EF4198d01$PLUGINSDIR\exdll.dll” file.
9/11/2009 6:37:44 PM SYSTEM 2016 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\rFJViY3+.exe.part\nsis.hdr” file.
9/11/2009 6:37:44 PM SYSTEM 2016 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\DOCUME~1\User\LOCALS~1\Temp\IPytT0oQ.exe.part\nsis.hdr” file.
9/11/2009 6:37:44 PM SYSTEM 2016 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\A1EF419Ad01\nsis.hdr” file.
9/11/2009 6:37:44 PM SYSTEM 2016 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\A1EF419Ad01$PLUGINSDIR\exdll.dll” file.
9/11/2009 7:13:10 PM User 2364 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\A1EF419Ad01\nsis.hdr” file.
9/11/2009 7:19:55 PM User 2364 Sign of “Win32:FakeAlert-DB [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\A1EF419Ad01$PLUGINSDIR\exdll.dll” file.
9/11/2009 7:20:10 PM User 2364 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\temp\IptMXGB2.exe.part\nsis.hdr” file.
9/11/2009 7:20:34 PM User 2364 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\temp\IPytT0oQ.exe.part\nsis.hdr” file.
9/11/2009 7:20:36 PM User 2364 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\temp\rFJViY3+.exe.part\nsis.hdr” file.
9/11/2009 7:20:39 PM User 2364 Sign of “NSIS:FakeAV-E [Trj]” has been found in “C:\Documents and Settings\User\Local Settings\temp\UgT_8PJo.exe.part\nsis.hdr” file.

Hope this is a start, and we can work to get rid of this. :) Thanks!

Oh yes, and, in desperation, I did a few times click “delete” when there was the endless cycle of detect / click “move to chest” / get the error “file does not exist”. I see in the stickied Advice… topic that this is not recommended, so I hope this does not mess things up too badly… Thanks! :)
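A log like the one above is easier to act on once it is split into its columns: the signature name, the container Avast scanned (a live HTTP download, a Firefox cache entry, or an in-progress .part download in Temp) and the archive member inside it (the NSIS header or the $PLUGINSDIR\exdll.dll plugin). The script below is an added triage example written for this page, not code from the thread or from Avast. It parses a constructed subset of the posted lines; the column names (in particular that the number after the account is the scanning process id) and the rules for classifying paths are the editor's own assumptions.

```python
"""Triage helper for Avast detection log lines like the ones posted above.

Added example for this page, not code from the thread or from Avast.
The line layout (date, time, account, a number assumed to be the scanning
process id, signature, path) is taken from the posted lines; the location
rules below are the editor's own assumptions about what the paths mean.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: a subset of the posted log, with straight quotes.
SAMPLE_LOG = r"""
9/11/2009 6:14:25 PM SYSTEM 452 Sign of "NSIS:FakeAV-E [Trj]" has been found in "http://secinstall.info/P3D6B4A0FF522AA1018D6=/install.exe?counter=1\nsis.hdr" file.
9/11/2009 6:14:39 PM SYSTEM 452 Sign of "NSIS:FakeAV-E [Trj]" has been found in "C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\FABF4160d01\nsis.hdr" file.
9/11/2009 6:14:50 PM SYSTEM 452 Sign of "Win32:FakeAlert-DB [Trj]" has been found in "C:\Documents and Settings\User\Local Settings\Application Data\Mozilla\Firefox\Profiles\dv3jorc4.default\Cache\FABF4160d01$PLUGINSDIR\exdll.dll" file.
9/11/2009 6:17:23 PM SYSTEM 452 Sign of "NSIS:FakeAV-E [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\wb2hGcDZ.exe.part\nsis.hdr" file.
9/11/2009 6:17:26 PM SYSTEM 452 Sign of "Win32:FakeAlert-DB [Trj]" has been found in "C:\DOCUME~1\User\LOCALS~1\Temp\wb2hGcDZ.exe.part$PLUGINSDIR\exdll.dll" file.
9/11/2009 6:26:59 PM SYSTEM 212 Sign of "NSIS:FakeAV-E [Trj]" has been found in "http://secinstall.info/P4841B40FAF22AA10188BE==/install.exe?counter=1\nsis.hdr" file.
9/11/2009 7:20:10 PM User 2364 Sign of "NSIS:FakeAV-E [Trj]" has been found in "C:\Documents and Settings\User\Local Settings\temp\IptMXGB2.exe.part\nsis.hdr" file.
"""

# Accepts both straight and curly quotes, since forum copy/paste changes them.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of [“"](?P<signature>[^”"]+)[”"] '
    r'has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# Avast appends the archive member to the container path. In these lines the
# member is either the NSIS header or the NSIS plugin directory.
MEMBER_MARKERS = ("\\nsis.hdr", "$PLUGINSDIR")


def split_container(path):
    """Split 'container\\member' into (container, member); member may be ''."""
    cuts = [i for i in (path.find(m) for m in MEMBER_MARKERS) if i >= 0]
    if not cuts:
        return path, ""
    i = min(cuts)
    return path[:i], path[i:].lstrip("\\")


def classify(container):
    """Where the scanned object lived (editor's assumptions, see lead-in)."""
    low = container.lower()
    if low.startswith(("http://", "https://")):
        return "remote_download"   # caught in flight while being fetched
    if low.endswith(".part"):
        return "partial_download"  # Firefox's in-progress download file
    if "\\mozilla\\firefox\\profiles\\" in low and "\\cache\\" in low:
        return "browser_cache"
    return "other"


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    container, member = split_container(m["path"])
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "account": m["account"],
        "pid": int(m["pid"]),  # assumed to be the scanning process id
        "signature": m["signature"],
        "container": container,
        "member": member,
        "location": classify(container),
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts per signature and location, download hosts, local files to clean."""
    hosts = {urlsplit(r["container"]).hostname
             for r in records if r["location"] == "remote_download"}
    return {
        "by_signature": Counter(r["signature"] for r in records),
        "by_location": Counter(r["location"] for r in records),
        "hosts": sorted(h for h in hosts if h),
        "local_artifacts": sorted({r["container"] for r in records
                                   if r["location"] != "remote_download"}),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(key, value)
```

Run on the full posted log, the "local_artifacts" list is the set of cache entries and .part files that still need to be quarantined or deleted, and "hosts" is the one download domain to block at the proxy or hosts file; the repeated hits with a changing counter= value show that the page re-fetched the installer each time the browser session was restored, which is why the same Temp and cache files kept reappearing.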

I think you have one of these http://lavasoft.com/mylavasoft/company/blog/376

Download and run a quick scan with this http://www.malwarebytes.org/
Click the “remove selected” button after the scan; this will move anything found to quarantine. Restart and run a full scan.

Yes, it’s the GreenAV one. That was the name of the file it wanted me to save or cancel the download for. Thanks! I will do the scan/remove/restart/full scan thing :).

OK, so the quick scan did not detect any infected files, but I restarted anyway and ran the full scan. It detected 2 infected files (Adware.DoubleD & Adware.MyWebSearch), and I quarantined them. What next?

Is it significant that Malwarebytes didn’t detect the files in Avast’s chest?

Thanks.

Is it significant that Malwarebytes didn't detect the files in Avast's chest?
No
What next?
Restart and scan again and see if you are clean, and you can double-check with this http://superantispyware.com/

I wouldn’t expect MBAM to detect anything in the avast chest; it is a protected area, the contents of which are encrypted to prevent this type of thing and to stop any possible access to/work with files in the chest by anything other than avast.

I would just clear your browser cache and run another avast scan.

OK, so I restarted & scanned again with MBAM, which showed I was clean. Then SUPERantispyware scanned and found 117 infected files (cookies - adware), so I quarantined them as well.

Do you recommend deleting all these quarantined/“chested” items?

Going to try opening Firefox again (Ah!), clear the cache, and run avast again. Hope this doesn’t kick the trojan into play again. :P

Thanks for all your help! :D

Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. - See http://en.wikipedia.org/wiki/HTTP_cookie.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and, if they are still detected as viruses, delete them.

OK, thanks for the advice and info. I reopened Firefox successfully… I have it set to restore my tabs & windows from my last session, but this time it couldn’t restore them all, so it had me select which ones to restore – I was hoping for that… I unchecked the one that led to the false web doctor page that wanted to start the download of GreenAV and triggered the Trojan horse warning from Avast. That seems to have worked, but I’ll let you know if I have any more issues, & I’ll follow the advice about waiting on the things in the chest. Thanks again!

Stephen

You’re welcome.

OMFG!! I am extremely relieved that I bumped into this forum… I started having the same issues yesterday and I was going nuts because it seemed like Avast wasn’t doing what I wanted it to do and kept alerting me to these issues… well, after a few LONG hrs it seems that my laptop might be back in PERFECT condition… I finished running MBAM, now I’m starting SAS!!.. TYVM guys for finding a simple solution that doesn’t require a reformat, as someone suggested to me…

You’re welcome.

Formatting is an option of absolute last resort, and not before seeking advice; that you did, and found it wasn’t necessary. Now you can educate the person who suggested it ;D