Trojan.FakeAv.KUE

Malwarebytes removes two offending files, but I am guessing it is missing the root files. I scan the system, two files are found and removed, then eventually I scan again and I am infected. I purchased the software to fix problems; hacking this software is risky and I wouldn't know what to remove.

The two files it finds are in the registry: Broken.OpenCommand

HKEY_CLASSES_ROOT\scrfile\shell\open\command(default)

HKEY_CLASSES_ROOT\regfile\shell\open\command(default)

I REMOVE successfully then they come back.

Please assist? I am not a free customer. My ID is 3PG39-B41QS. I am running V1.44.

thanks


Here is the text from the scan:

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.


  • Root Admin

These are not infections. Basically all there is to this is that the default settings for these commands are no longer set at their defaults. This could be from you changing them, or from some other software or malware. If you have another program that monitors Registry changes, like Ad-Aware, Spybot or WinPatrol, then it could be preventing or restoring this setting when we change it.

Also make sure your definitions are up to date, current database is: 3907

Check your other programs and make sure they're not blocking or restoring the change.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose Run as Administrator)
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log


  • Root Admin

I've not heard of Lenovo doing that. If it is then there should be an alert or dialog box or a log of actions that you can review.

Go manually change the setting yourself in Regedit and see if something pops up to block it or changes it back. Wait a few seconds and do a refresh and see if it changed back.

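The manual check the admin describes (set the two open-command defaults back, then watch whether something reverts them) can be scripted. The following is an added example written for this thread; it is not code from the original posts or from Malwarebytes. The expected strings are the "Good:" values from the MBAM log above; the hive paths, function names and the 10-second re-check delay are my assumptions. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or from Malwarebytes): check, restore and
# re-check the two shell\open\command defaults MBAM flags as Broken.OpenCommand.
# Expected values are the "Good:" strings from the MBAM log; everything else here
# (hive list, function names, delay) is an assumption for illustration.

$expected = @{
    scrfile = '"%1" /S'            # screen saver: run the .scr itself with /S
    regfile = 'regedit.exe "%1"'   # .reg file: hand it to regedit
}

# HKCR is a merged view. A per-user copy under HKCU\Software\Classes takes
# precedence over the machine-wide one under HKLM\SOFTWARE\Classes, so report
# which hive actually supplies the value. Tools that "tune" file associations
# often write the per-user copy, which is why the value can keep coming back.
$hives = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
)

function Get-OpenCommand {
    param([string]$ProgId)
    foreach ($hive in $hives) {
        $key = "$hive\$ProgId\shell\open\command"
        if (Test-Path $key) {
            $v = (Get-Item $key).GetValue('')          # '' = the (default) value
            if ($v) {
                return [pscustomobject]@{ ProgId = $ProgId; Hive = $hive; Command = $v }
            }
        }
    }
    [pscustomobject]@{ ProgId = $ProgId; Hive = '(none)'; Command = $null }
}

function Test-OpenCommands {
    foreach ($id in $expected.Keys) {
        $cur   = Get-OpenCommand $id
        $state = if ($cur.Command -ceq $expected[$id]) { 'OK     ' } else { 'CHANGED' }
        "$state $id = [$($cur.Command)]  from $($cur.Hive)  (expected [$($expected[$id])])"
    }
}

function Restore-OpenCommands {
    foreach ($id in $expected.Keys) {
        # Writing through HKCR lands in HKCU\Software\Classes if that key already
        # exists there, otherwise in HKLM\SOFTWARE\Classes, i.e. wherever the
        # override lives.
        $key = "Registry::HKEY_CLASSES_ROOT\$id\shell\open\command"
        Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$id]
    }
}

'--- before ---';                    Test-OpenCommands
Restore-OpenCommands
'--- immediately after restore ---'; Test-OpenCommands
Start-Sleep -Seconds 10              # give any registry "guard" time to revert the change
'--- 10 s later ---';                Test-OpenCommands
```

If the third block of output shows CHANGED again with the same NOTEPAD.EXE value, something on the box is actively rewriting the key; the Hive column tells you whether it is the per-user or the machine-wide copy, which narrows down which program to look at.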

1. I found the trojan.fakeav.kue via Charter's virus checker. It removed it, but it keeps coming back. Symptoms are fake virus checkers keep popping up and running.

Files found were: Trojan.fakeav.kue.

and other times it found: Trojan.generic.354066. After I removed the kue file and ran the checker again it would find the generic.354066 file.

2. It got to where I could not go to the malwarebytes.org site from IE. I loaded Chrome and same thing (other sites worked: weather, eBay, etc.). The AVG site did not work either; it came back "site not found". I have no idea if this is related but it surely appears to be, based on the Malwarebytes failed update below.

3. I downloaded Malwarebytes via another computer and transferred it to the bad one. Got Malwarebytes to load. Tried running the update and it came back with error 732 (12007,0) Contact Malware support.

The update version it downloaded was 3510.

4. I ran the scanner anyway, and it found the below.

Malwarebytes' Anti-Malware 1.44

Database version: 3510

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18882

3/23/2010 8:11:45 PM

mbam-log-2010-03-23 (20-11-45).txt

Scan type: Quick Scan

Objects scanned: 118077

Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Windows\bk23567.dat (KoobFace.Trace) -> Quarantined and deleted successfully.

C:\Windows\fdgg34353edfgdfdf (KoobFace.Trace) -> Quarantined and deleted successfully.

5. Ran it again but it came back with nothing.

6. Open up IE and the fake virus keeps coming back.

HELP. FYI, I followed the Malwarebytes admin steps above, and also turned wireless off at times (tried both ways) when running. But I was always connected to wireless when trying to update or try sites; I only turned it off when running the scanner (popups would come up during the scan) or re-booting.


When you F8 into Lenovo you only have one option, that is to go into Windows XP. I misread your post; you said to NOT go into Safe Mode, a good thing ;-)

I am trying to get the so-called 'infection' to reappear on the scan screen, and of course now that I have started this thread, have your full attention, bought two new 1T external drives to replace the ones that 'might' be infected, software, etc. ... it's not appearing. --->>> BUT, interestingly enough, as if I was about to declare myself officially insane, the log now says nothing is infected (those 2 items I mentioned earlier) and the 'Quarantine' tab shows the items are there, but they were not counted as an infection.

I did shut down my Webroot spyware protection before I performed the scans. I use BitDefender and scan my system using Webroot Window Washer each time I boot up.

I can only assume that you've pulled a trick up your sleeve with those reg items in the new db definition ;-) which would be a good thing, because if they are not actually malicious, removing them out of the location triggering panic works for me and possibly the rest of us.

-------------------------------------

Malwarebytes' Anti-Malware 1.44

Database version: 3907

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

03/23/10 8:49:18 PM

mbam-log-2010-03-23 (20-49-18).txt

Scan type: Quick Scan

Objects scanned: 139095

Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

---------------------------------------------------

I will update this post tomorrow. Last but not least THANK you for being here. I am a consultant and rely on my system for work.

Very good (in a bad way). I have iolo technologies System Mechanic. This tool has helped manage my memory and get rid of cr*p files, among other things. I use VMware and am considered an active user (consultant), putting 12+ hours a day on my system. Sometimes my performance gets so slow I need to run System Mechanic to restore files and compress my memory. Tell me I didn't make a bad choice purchasing this program. It picks up what Webroot Window Washer doesn't.

IOLO System Mechanic is sometimes the culprit for these entries.

I performed the scan and this time the end result was back to the two original infected data items indicated below.

*******************************

Malwarebytes' Anti-Malware 1.44

Database version: 3907

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

03/24/10 4:59:57 PM

mbam-log-2010-03-24 (16-59-50).txt

Scan type: Quick Scan

Objects scanned: 139522

Time elapsed: 12 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> No action taken.

HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**************************************

@ debsilverman

Hi debsilverman,

IOLO System Mechanic will just change those registry entries back each time Malwarebytes changes them to their default settings.

If you want to continue using IOLO System Mechanic, you can just add those Broken.OpenCommand detections to Malwarebytes' ignore list.

It will be safe because, if you happened to get a 'real' malware infection, Malwarebytes would show different detections which you could then remove.

I hope this puts your mind at rest. :)


@ dreamer

Hi dreamer,

It seems that you have a KoobFace infection that you may need expert help to get rid of.

But we don't work on malware removal in the general forums.

So, if you require expert help, please print out, read and follow the directions here:

http://www.malwarebytes.org/forums/index.php?showtopic=9573

Try to complete all the steps, but you can skip any steps you are unable to complete. Then post a NEW topic here:

http://www.malwarebytes.org/forums/index.php?showforum=7

If your computer is un-bootable and you cannot run any of the steps, just post a description of the problems you are having there.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post, make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org


Indeed it does, thank you. I appreciate how timely and supportive the company is - that is priceless.