Solved

Virus detected

Posted on 2008-11-18
Last Modified: 2013-11-22
I have seen this virus called Cryp_FakeAV coming up in Trend Micro on many machines. What is it really? How do you prevent it? How do you remove it? Performing a full system scan is worthless.
Question by:tdbrowning
8 Comments
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 22991977
Download Malwarebytes' Anti-Malware to your desktop (from either of the locations below). Check for updates before scanning if possible. Show us the logfile.

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
http://projects.securitywonks.net/projects/details.php?file=158

 
According to the precisesecurity threat center, CRYP_FAKEAV-2 is a worm that spreads on computers by mass-mailing an email with an attached video file, which will prompt users to download and install a fake video codec to be able to view the video.
Sounds very much like the Zlob/Smitfraud family of infections.

Author Comment

by:tdbrowning
ID: 22996751
Log file below after running the Malwarebytes software.

Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 2

11/19/2008 11:34:17 AM
mbam-log-2008-11-19 (11-34-12).txt

Scan type: Quick Scan
Objects scanned: 95347
Time elapsed: 17 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
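The MBAM log posted above has a fixed layout: summary counts per category, then per-category detail lines carrying the object, the detection name, the Bad/Good values (for registry data items) and the action taken. As an added example, not code from this thread or from Malwarebytes, here is a small Python parser that pulls those fields out so items logged as "No action taken" can be tracked for cleanup; the sample log is constructed to follow the format shown above.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and list what it flagged."""
import re

# Constructed sample, following the log format posted in this thread.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.30
Database version: 1412

Registry Keys Infected: 0
Registry Data Items Infected: 2
Files Infected: 0

Registry Data Items Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop\\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# Summary line "Xxx Infected: N" carries a count; the detail header "Xxx Infected:" does not.
HEADER_RE = re.compile(r"^(.+ Infected): ?(\d+)?$")
# Detail line: <object> (<detection name>) [-> Bad: (x) Good: (y)] -> <action>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^)]+)\)"
                     r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
                     r" -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts per category, list of flagged items as dicts)."""
    counts, findings, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            if h.group(2) is None:
                section = h.group(1)            # entering a detail section
            else:
                counts[h.group(1)] = int(h.group(2))
            continue
        m = ITEM_RE.match(line) if section else None
        if m:                                   # skips "(No malicious items detected)"
            findings.append({"category": section, **m.groupdict()})
    return counts, findings

def unremediated(findings):
    """Items the scan logged but left in place ("No action taken"): still need cleanup."""
    return [f for f in findings if f["action"].lower().startswith("no action")]
```

Comparing `sum(counts.values())` with `len(findings)` is a quick check that the summary block and the detail sections of a log agree.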
LVL 47

Expert Comment

by:rpggamergirl
ID: 22999980
Well.... MalwareBytes didn't find any... let's look at a HijackThis log and see if it shows up there. We can also run Combofix afterwards, we'll see.
You can also let MBAM remove the 2 registry entries that it found infected.


Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.

Author Comment

by:tdbrowning
ID: 23014672
I will try the Hijackthis app this afternoon and send the results.

Author Comment

by:tdbrowning
ID: 23045826
The HijackThis scan did not find anything. I also performed a search on the hard drive and I cannot find the file. I am not sure what is going on. One day the machine shows it has a virus and the next day it shows it is gone.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 23049727
Did Trend Micro give you the name and location of the file?
It could also be a false positive; try running another scanner (like an online Kaspersky scan) and see if it finds anything.

Accepted Solution

by:tdbrowning
tdbrowning earned 0 total points
ID: 23154522
It really is strange, but now my virus software does not show the file exists on any of the machines that claimed in the past that it did exist. I am going to give it up for now but still award the points because I feel you gave me very valuable tools that I can use for future issues. Thank you.
LVL 47

Expert Comment

by:rpggamergirl
ID: 23182953
Thanks for the points and the grade, :)