[Daenerys]

Hi guys

I am having an issue deleting Trojan.Fakealert virus my PC, ot at least thats what i think it is.

Yesterday i noticed my laptop was a bit slow so i tried going into task manager to have a look and it would just instantly close, same with command prompt or regedit. So i did what you would normally do and boot up in safe mode with networking, run malware bytes / spyhunter / rkill / rootkit remover and spybot when the above didnt help. Only malwarebytes and spyhunter detect anything, however as soon as they remove the trojan it replicates elsewhere on my system EVEN in safemode. I am unable to access task manager or cmd in safemode either. Malware bytes idetifies the trojan in multiple locations, gives you an option to delete it but the trojan replicates to another location as soon as its done.

This is the latest scan report from malwarebytes

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*devauditcsc.exe (Trojan.FakeAlert) -> Value: *devauditcsc.exe -> No action taken.


Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\devauditcsc.exe (Trojan.FakeAlert) -> No action taken.
c:\$RECYCLE.BIN\s-1-5-21-1410236154-1455553273-2078879821-1000\$RHLXT54.exe (Trojan.FakeAlert) -> No action taken.
c:\Windows\System32\config\systemprofile\AppData\Local\Temp\FY1248.tmp (Trojan.FakeAlert) -> No action taken.
c:\Windows\System32\config\systemprofile\AppData\Local\Temp\FY92DC.tmp (Trojan.FakeAlert) -> No action taken.
c:\Windows\System32\config\systemprofile\local settings\devauditcsc.exe (Trojan.FakeAlert) -> No action taken.
c:\Windows\System32\config\systemprofile\local settings\application data\devauditcsc.exe (Trojan.FakeAlert) -> No action taken.

I can locate those files and in the description it says KwertiryWare and original file name is xfiqo.exe

Normally it replicates somewhere on the C drive or in user folders but this time it replicated into a windows folder.

Im running Windows 7 32-bit.

I am not sure where to go at this point and would really appreciate any help provided.

Cheers

Alex

[Advertisements]

Hi there lets see if we can beat this nasty up

Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 2 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  C:\Windows\assembly\tmp\U /s
  CREATERESTOREPOINT
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

[Essexboy]

Hi there lets see if we can beat this nasty up

Download RogueKiller to your desktop

• Quit all running programs
• For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
• When prompted, type 2 and validate
• The RKreport.txt shall be generated next to the executable.
• If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Select All Users
• Under the Custom Scan box paste this in
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  explorer.exe
  winlogon.exe
  Userinit.exe
  svchost.exe
  /md5stop
  C:\Windows\assembly\tmp\U /s
  CREATERESTOREPOINT
• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Post both logs

[Essexboy]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.