Security Basics mailing list archives

RE: FakeAlert virus removal


From: "Mike Staples" <mstaples () wvii com>
Date: Tue, 2 Dec 2008 17:05:16 -0500

This situation seems to me more like a computer that is infected with
SmitFraud and the suite of Trojans that come with it rather than a website
that has a problem. Very often, a keylogger is among those Trojans, so this
is a situation that may require changing logon passwords for any service
accessed on the computer while the infection was present.

SmitFraud can be a bear to remove as it sticks randomly-named DLLs in the
Winlogon\notify registry area, and it manages to totally reassert itself
when only partial removal occurs; I don't believe it can be removed by
deleting files and registry entries manually, as it stays a few steps ahead
of you, restoring them faster than you can delete them.

When the computer is able to be rebooted into Safe Mode, SmitFraudFix
usually does a good job; increasingly, I see SmitFraud variants that prevent
Safe Mode, causing a reboot when it is attempted. In those cases I've had
good luck with SuperAntiSpyware.

Googling either of those (from an uninfected machine, of course) should
point you in the right direction.

Mike Staples

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of John Williams
Sent: Tuesday, December 02, 2008 15:08
To: security-basics () lists securityfocus com
Subject: FakeAlert virus removal


Dear List,

I am working with a small local police department to resolve a malware
issue on their police web site. When the web site is accessed directly
from a browser address bar, the web site displays properly. But when
the web site is accessed via a google search, the "FakeAlert" virus
for AntiVirus 2009 takes over the browser. I am interested in a)
understanding how this virus operates, and b) advice for removing the
virus from the web site.

Thank you in advance for your expert advice.
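A quick way to tell the two explanations apart (a compromised web server that serves different content to visitors arriving from a search engine, versus an infected client PC) is to fetch the page from a clean machine twice, once with no Referer and once with a search-engine Referer, without following redirects, and compare the two responses. The script below is an added example and is not from either poster; the target URL and the Google search Referer it sends are placeholders, and the marker strings it looks for are a constructed list.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    status: int      # HTTP status code
    location: str    # Location header if the server redirected, else ""
    body: bytes      # raw response body


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects: the Location header itself is the evidence.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, referer=None, timeout=15):
    """Fetch url once, optionally with a Referer header, never following redirects."""
    headers = {"User-Agent": "Mozilla/5.0"}  # constructed, generic browser UA
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as r:
            return Response(r.status, r.headers.get("Location", ""), r.read())
    except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still carry evidence
        return Response(e.code, e.headers.get("Location", ""), e.read())


# Constructed list of markup that injected redirect code commonly relies on.
SUSPICIOUS = (b"<script", b"<iframe", b"eval(", b"unescape(", b"document.write(")


def compare(direct, referred):
    """Return a list of human-readable differences between the two responses."""
    findings = []
    if direct.status != referred.status:
        findings.append(f"status differs: {direct.status} vs {referred.status}")
    if direct.location != referred.location:
        findings.append(f"redirect differs: {direct.location!r} vs {referred.location!r}")
    if direct.body != referred.body:
        extra = [m.decode() for m in SUSPICIOUS
                 if referred.body.count(m) > direct.body.count(m)]
        note = f"; extra markup in referred copy: {extra}" if extra else ""
        findings.append("body differs" + note)
    return findings


def check_cloaking(url, referer="https://www.google.com/search?q=police+department"):
    """Empty list means the server answers identically; findings mean it cloaks."""
    return compare(fetch(url), fetch(url, referer))
```

An empty result from `check_cloaking` points at the client PC, as Mike suggests; any finding means the server itself (or something in front of it) is serving different content to search-engine visitors.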

