Virus (Trojan) Warning

[MarkE]

For the second time in three days a Trojan has been deposited on my PC while I was attempting to respond to a post here. This happened Christmas morning and again this morning (12/28/2011).

The circumstances both times were the same. I was using quick reply to reply to a thread. While typing in the quick reply box, what I was typing was not showing up on the screen, then the cursor would disappear. The cursor would re-appear and I could continue typing. At that point Internet Explorer would completely shut down and a virus detected window would pop open. This window claimed to be Microsoft Internet Security 2012.

Here is some information on this fake security program.
http://www.spywareremove.com/removeWin7Security2012.html

 

[JackLeg]

That thing cost me a hundred bucks to get rid of!! :kamahlitu If it's on your machine, it's only gonna get worse! James Williams on here can tell you how to get rid of it.
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24

 

[froglips]

Mark,

Sorry to hear of this.

I did some preliminary checks and don't see any obvious signs the trojan came from us. Hopefully you got it elsewhere and it just likes to act up when you Quick Reply.......

Let us know if you need help cleaning up your machine or if you have any other details we can work off of.

Jim
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20111225 Firefox/12.0a1 FirePHP/0.6

 

[MarkE]

About five minutes after starting this thread, I got hit for the third time. I have been trying since then to clean it off of my PC.

I have no idea where it came from, but it has showed up all three times when I was posting here.

I have spent the last nine hours or so trying to get rid of this thing. I truly hope that no one else has to go through this. It is not a fun process.

Sure would like to find out who designed this thing. It would be nice to be able to pay back the favor.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

 

[MarkE]

That thing cost me a hundred bucks to get rid of!! :kamahlitu If it's on your machine, it's only gonna get worse! James Williams on here can tell you how to get rid of it.
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24

Consider that $100 money well spent. It cost me a lot more than that in lost time.

It is truly unfortunate than this kind of bull**** costs anyone anything.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

 

[Dudelive]

First thing I would do is to run CCcleaner so it can clean out your cache from files and browsing. Also empty your temp folder as well. I would recommend running Malwarebytes as normal after updating it. Do a complete scan and allow it to clean what it recommends. Then reboot into safe mode and run it again.

This might help as well.
http://www.eset.com/us/online-scanner/

just read the page and follow directions

http://www.bitdefender.com/scanner/online/free.html

Good Luck


Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

 

[MarkE]

Yup. That is what I did. Malwarebytes found and removed the infected files.

None of the solutions I found addressed the firewall issues. This trojan turned off the Windows firewall and Windows Defender (anti-malware) and prevented those from being re-started.

I could not find any 'easy fix' for this. It took a lot of time and a lot of effort to clean this off of my PC. Only time will tell if I was completely successful.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

 

[Dudelive]

Yup. That is what I did. Malwarebytes found and removed the infected files.

None of the solutions I found addressed the firewall issues. This trojan turned off the Windows firewall and Windows Defender (anti-malware) and prevented those from being re-started.

I could not find any 'easy fix' for this. It took a lot of time and a lot of effort to clean this off of my PC. Only time will tell if I was completely successful.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

Glad it all worked out just check it again in a couple of days to be sure. Also to put your mind at ease somewhat, you do NOT have to click anything to attract one of these. All you have to do is visit a web site that has it lurking and waiting and when you just visit it "goes home with YOU"

Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1

 

[bobby g]

If this was the fake security stuff, I got it on Christmas Eve and after hours of unfruitful effort, I ended up hiring help from MalwareBytes. The tech logged on to my computer and spent 2 hours getting rid of it. Cost was $129.99 and worth it to me. Good luck.

bobby g
Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0

 

[JackLeg]

Consider that $100 money well spent. It cost me a lot more than that in lost time.

It is truly unfortunate than this kind of bull**** costs anyone anything.
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

I totally agree! What kind of person sits around designing that kind of crap? :icon_scra And, what "joy" do they get from doing it? What profit? AND, what I really don't understand is when I'm running security software that's not cheap, and this thing still slips in? :kamahlitu What's with that? :dontknow:
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24

 

[jahrules]

I actually got this same issue, just the other day... Instead of bothering with cleaning it, I just wiped the hard drive and reinstalled.

To answer the question of who comes up with this stuff. its all about money. the program imitates windows and prompts you to pay to remove the infection. a certain percentage of the population are naive and will promply punch in their credit card numbers to 'remove it' say they can infect 10 million machines and 5% of people punch in their credit card numbers, thats 500,000 times whatever they charge, plus then they can sell the credit card numbers on the black market for additional profit.
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

 

[jahrules]

to answer the last part of that question... think of your anti-virus program as a thumbprint reader. It scans your computer looking for the thumbprints of their black list. A talented hacker can change certain lines of the code so that the virus has the same effect, but has a different looking thumbprint. The security people then have to identify the new variant and record the thumbprint, and then rely on the end users (you) to download the most recent thumbprints (definitions).
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; WOW64; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

 

[GeorgeM]

I got hit with a virus today while typing a "Who I am" thread as requested. This is also the second time I have been hit. I quit posting for a while because of it. I thought it had been fixed.

Have a Blessed day.
George
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; GTB7.2; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; BOIE8;ENUSMSE)

 

[GeorgeM]

Sorry for the second post on this same thread but I forget to tell you what hit me. Microsoft Security eliminated it before it could do any harm.

This is the report it gave.

Exploit: Java/CVE 2011-3544

Alert Level: Severe

Hope this might help.

George
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; YComp 5.0.0.0; GTB7.2; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1; BOIE8;ENUSMSE)

 

[MarkE]

Well, it came back again today. At about 3:00 pm I posted a reply to Scott's thread about his new mystery tool.

This is now the fourth time I have been hit with this trojan and all four times it happened when I was replying to a post on this site.

It took me until about 15 minutes ago to clean it off this time.

I know that you guys have checked things out on your end, but the correlation is definitely there. Every single time this triojan has hit me was when I was logged into NCWOODWORKER and replying to a post.

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)

 

[froglips]

Mark,

Are you familiar with viewing source code on a web page?

What'd help us tremendously is to get the source from the page that triggers the trojan.

We can walk you through how to do it if you'd like.

I'll send you my outside email. Don't want to paste the source on the site (sweet irony there!)

Thanks,
Jim
Mozilla/5.0 (X11; Linux x86_64; rv:12.0a1) Gecko/20111228 Firefox/12.0a1

 

[toolman]

I totally agree! What kind of person sits around designing that kind of crap? :icon_scra And, what "joy" do they get from doing it? What profit? AND, what I really don't understand is when I'm running security software that's not cheap, and this thing still slips in? :kamahlitu What's with that? :dontknow:
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24

Reggie

If I had a site on woodworking, but it was not as good as another site and I was losing members to them. I also would lose $$$$$ at the same time.. Look at this thread you our getting a Virus or Trojan, after spending 3 or 4 hour of time to get it off your computer. Then do it 3 or 4 times, you say I'm out of here and come back to my site.. How much is it worth paying someone to make a Trojan. If 100 members left @ $50.00 in Donations and ads income, I have lose $500.00 or more.. Someone makes a Trojan for $200.00, I would have $300.00 to the good.. plus I could also track the sites you go to and get your account numbers.... Ho yes Virus and Trojans are profit making..

Just my $.02
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0

 

[DWSmith]

I have been infected as well. I am running XP and started to get notices that Explorer encountered a problem and needs to be shut down. The warning offered to "debug" Explorer. Last night I ran the anti-virus program that was suggested here it found a trojan and deleted it.

It may be a coincidence, maybe not.
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)

 

[golfdad]

I got the same thing
Mozilla/5.0 (compatible; MSIE 9.0; AOL 9.7; AOLBuild 4343.19; Windows NT 6.1; WOW64; Trident/5.0)

 

[Rob]

I've ran into this before and it's a real bear to get rid it. It's not this site causing it, it's actually installed on your computer, and any site can cause it to pop up. Here's some instructions I've had some success with in the past. Remove Win 7 Security 2012 (Uninstall Guide).


Mozilla/5.0 (Windows NT 6.1; WOW64; rv:8.0) Gecko/20100101 Firefox/8.0