Virus detected

I have seen this virus called Cryp_FakeAV coming up in Trend Micro on many machines. What is it really? How do you prevent it? How do you remove it? Performing a full system scan is worthless.
tdbrowningAsked:
rpggamergirlCommented:
Download Malwarebytes' Anti-Malware to your desktop (from any of the locations below). Check for updates before scanning if possible. Show us the logfile.

http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
http://projects.securitywonks.net/projects/details.php?file=158

 
According to the precisesecurity threat center, CRYP_FAKEAV-2 is a worm that spreads on computers by mass-mailing an email with an attached video file, which will prompt users to download and install a fake video codec to be able to view the video.
Sounds very much like the Zlob/Smitfraud family of infections.
tdbrowningAuthor Commented:
Log file below after running the Malwarebytes software.

Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 2

11/19/2008 11:34:17 AM
mbam-log-2008-11-19 (11-34-12).txt

Scan type: Quick Scan
Objects scanned: 95347
Time elapsed: 17 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
rpggamergirlCommented:
Well.... MalwareBytes didn't find any... let's look at a HijackThis log and see if it shows up there. We can also run Combofix afterwards and see.
The 2 registry entries that MBAM found infected you can also let it remove.


Download Hijackthis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download

Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Paste the log in the "Code Snippet" or "Attach File" window.
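Added example, not code from the thread, from Malwarebytes or from Trend Micro: a small Python parser for the MBAM log format posted above, useful when the same log has to be triaged from many machines. It splits each item line into section, item, detection name, Bad/Good values and the action MBAM took, separates findings MBAM already fixed from those left as "No action taken", and, for pending registry data items, prints the equivalent fix using the Windows built-in `reg add` command. The embedded log is constructed for the example: the two registry lines are copied from the posted log, while the "Files Infected" line and the adjusted summary counts are invented to exercise the file-item format. It assumes MBAM's `item (Detection) -> [Bad: (x) Good: (y) ->] action.` line layout, which is what the posted log shows, and that the policy values are REG_DWORD (an assumption, not something the log states).

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample log. The two "Registry Data Items" lines are the ones
# posted in the thread; the "Files Infected" line is invented here only to
# exercise the file-item format, and the summary counts were adjusted to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Database version: 1412
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 95347

Memory Processes Infected: 0
Registry Data Items Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
C:\Documents and Settings\user\Local Settings\Temp\codec.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# Detail-section headers end in "Infected:" with nothing after the colon;
# the summary lines near the top ("Files Infected: 1") therefore do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")

# item (Detection) -> [Bad: (x) Good: (y) ->] action.
# The Bad/Good part only appears for registry data items.
FINDING_RE = re.compile(
    r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
    r"(?P<action>.+?)\.?$"
)

# Long hive names as MBAM prints them -> short names accepted by reg.exe
HIVES = {
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_USERS": "HKU",
    "HKEY_CLASSES_ROOT": "HKCR",
}


@dataclass
class Finding:
    section: str    # e.g. "Registry Data Items"
    item: str       # registry value path, file path, or process name
    detection: str  # MBAM detection name, e.g. "Hijack.DisplayProperties"
    bad: str        # value found (registry data items only, else "")
    good: str       # value MBAM expects (registry data items only, else "")
    action: str     # what MBAM did, e.g. "No action taken"

    @property
    def remediated(self) -> bool:
        """True unless MBAM left the item in place ("No action taken")."""
        return self.action.lower() != "no action taken"


def parse_mbam_log(text: str) -> List[Finding]:
    """Return every item listed under a detail section of an MBAM log."""
    findings: List[Finding] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue  # not an item line (or a layout this parser does not model)
        findings.append(Finding(
            section=section,
            item=m.group("item"),
            detection=m.group("detection"),
            bad=m.group("bad") or "",
            good=m.group("good") or "",
            action=m.group("action"),
        ))
    return findings


def triage(findings: List[Finding]) -> Dict[str, List[str]]:
    """Split findings into what MBAM fixed and what still needs action."""
    report: Dict[str, List[str]] = {"remediated": [], "pending": []}
    for f in findings:
        key = "remediated" if f.remediated else "pending"
        report[key].append(f"{f.section}: {f.item} [{f.detection}]")
    return report


def remediation_commands(findings: List[Finding]) -> List[str]:
    """reg.exe commands that set each pending registry value to MBAM's Good value.

    Assumption: the policy values are REG_DWORD; MBAM's log does not state the type.
    """
    cmds = []
    for f in findings:
        if f.section != "Registry Data Items" or f.remediated:
            continue
        key, value_name = f.item.rsplit("\\", 1)
        for long_name, short_name in HIVES.items():
            if key.startswith(long_name + "\\"):
                key = short_name + key[len(long_name):]
                break
        cmds.append(f'reg add "{key}" /v {value_name} /t REG_DWORD /d {f.good} /f')
    return cmds


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for bucket, items in triage(found).items():
        print(f"{bucket}: {len(items)}")
        for entry in items:
            print("  " + entry)
    print("\n".join(remediation_commands(found)))
```

On the posted log this reports both Hijack.* policy values as pending, which matches the "No action taken" the asker saw because the scan was run without letting MBAM remove anything; the generated `reg add` lines are the manual equivalent of clicking Remove Selected, and the same two HKCU policy paths are what to check on the other machines where Trend Micro flagged Cryp_FakeAV.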
tdbrowningAuthor Commented:
I will try the Hijackthis app this afternoon and send the results.
tdbrowningAuthor Commented:
The HijackThis scan did not find anything. I also performed a search on the hard drive and I cannot find the file. I am not sure what is going on. One day the machine shows it has a virus and the next day it shows it is gone.
rpggamergirlCommented:
Did TrendMicro give you the name and location of the file?
It could also be a false positive; try running another scanner (like an online Kaspersky scan) and see if it finds anything.
tdbrowningAuthor Commented:
It really is strange, but now my virus software does not show the file exists on any of the machines that claimed in the past that it did exist. I am going to give it up for now but still award the points because I feel you gave me very valuable tools that I can use for future issues. Thank you.
rpggamergirlCommented:
Thanks for the points and the grade, :)