WIN 32 fakesysdef trojan



tony vines
04-05-2011, 11:10 PM
I know that this is not a specialist forum for computing, but that also there are some pretty techno-savvy subscribers who may be interested in the following.

My wife was surfing legitimate web sites for children's beds when suddenly her PC went mad. All sorts of Windows warnings came up suggesting that the disk was faulty and had faulty segments. It suggested various operations which she tried and the problem got worse. Pretty soon the laptop was unusable and all her files had disappeared in every program. This all happened even though she had Windows Defender and McAfee Anti-Virus up and running. Eventually the latter popped up and advised her that it had detected a trojan called by the above name. So it had detected it late and worse had allowed it through.

McAfee was unable to mend or remove the trojan and even though after two full days of research and effort she has managed to get some systems back up and running, she seems to have permanently lost some system files and email folders including those provided by the manufacturer.

Fortunately we have more than one laptop in the house and we were able to use those to research the problem. The trojan simulates Windows warnings so that they look just like the real thing. It also switches the settings to files to "Hidden" so that although many are still there, it appears that they have been wiped out. It suggests that you need to buy a product that fixes the problem. Fortunately we didn't fall for that so I don't know whether they do have a fix or whether they simply want your bank details.

Despite the fact that she has got some operational ability back again, her laptop does seem to have some permanent damage and whether it has gone completely is not clear. Even some of the programs suggested by Microsoft to remove the trojan don't seem to be 100% effective.

This is some scary virus, if it can get through anti-virus defences before they even know that it has done so. Anyone else out there who has suffered or knows about this monster?

JohnN
04-05-2011, 11:18 PM
I don't know if it's the same monster, Tony, but both my wife's PC and my Macintosh have received official-looking warning messages from 'Windows' listing the various viruses detected in our machines, also despite virus protection. In every instance, we've simply dumped the messages and then immediately cleared the Trash file.

We might have been sucked in by the message on the PC - but a Windows warning on a Macintosh?

tony vines
04-05-2011, 11:22 PM
Hi John

Yes I use a Mac and so far haven't been touched. My wife is using Windows 7. The trojan may have got in through a picture of a bed my wife was looking at via a legitimate but infected retail website. I've never heard of Windows warning getting onto a Mac. Weird or what!

Mutley
04-05-2011, 11:30 PM
I think I had a similar one recently. I don't know if it was the same, but the symptoms sound alike.
I was looking for pictures in Google Images when it happened.
I really thought I had lost everything and could not even load Windows.

I went into safe mode and requested a full scan and luckily my antivirus was then able to correct it, though it took nearly a whole day to do so and it really had to work hard.

I do a full scan daily and I thought I had all the right antivirus defenders in place but it still snuck in. :(
As you say..... Scary!!!

Mutley
05-05-2011, 12:03 AM
Messages about viruses

Virus announcements and discussion of viruses is strictly prohibited except in the relevant forum specifically for that purpose.

Oooops!
Sorry Graham, I was carried away by a virus, kicking and screaming and did not know where I was, let alone able to move a thread. Apologies for not doing my mod job.

You don't believe me? I don't blame you... the Mut is in disgrace.

Richard1955
05-05-2011, 2:34 AM
Hi Tony
You might want to try reverting the system back to a date prior to the attack using system restore.

tony vines
05-05-2011, 7:46 AM
Thanks for the replies so far.

I didn't realise that there is a forum policy on the discussion of viruses. I'm not sure why this is a problem - unless it is because some strange people like to spread rumours about non-existent viruses - but I am happy that it is now in the right place anyway. Thanks.

Mutley, my wife had to do the same thing i.e. go into safe mode to even stand a chance of fixing it.

Richard, I think that she has tried that but inevitably has lost a lot of stuff done recently, including lots of stuff she had prepared, order of service etc. for a funeral we are helping to arrange next week. It has also seemingly trashed a lot of system stuff provided by Toshiba the manufacturers, so restore points aren't a lot of use in dealing with that.

Her anti-virus software is set up to download new definitions whenever they are available, so it is not as if she had neglected to stay "safe". Clearly the virus writers (who MS state are likely to be Russian) are one step ahead of them.

Richard1955
05-05-2011, 8:14 AM
I think using System Restore will only restore the system files and not the files you have added and lost, but you may still find them hidden.

To help prevent this in the future:
A good AV that tests the safety of websites and warns of unsafe sites, i.e. McAfee and Norton (Site Adviser).
A pen drive and a backup of 'my docs' every evening. I'll have to start doing that myself !
Sorry I can't be of any more help.

Richard1955
05-05-2011, 8:30 AM
I have just thought of something else.
The missing files are embedded on the hard drive even if deleted by a virus.
A good computer shop can recover deleted files and you just need to specify a date range of the files you want to recover.

tony vines
05-05-2011, 9:07 AM
Thanks for both replies Richard. McAfee was up and running when the virus infected her laptop!

Dorset Girl
05-05-2011, 1:05 PM
According to the system I use (Vipre) this Trojan was released on 27-12-2010, so it should have had protection against it by now.
Marion

Devonmade
05-05-2011, 3:58 PM
My next door neighbours had a similar experience with Win 32. It was flagged up by "Windows Security Centre"; they were supposedly infected with lots of other things also. This was a complete red herring that caused a lot of worry. Their McAfee was up to date and once a complete scan was carried out and nothing was found their minds were put at rest and the computer behaved normally and nothing was lost.

Sue

tony vines
05-05-2011, 8:19 PM
Marion

Your information chimes with the info on MS. However, they also state that it has grown more sophisticated as new versions have been released. That means that as usual the virus writers are always likely to be one step ahead of the anti-virus writers. McAfee initially but belatedly reported the trojan but only after it was too late. What good is software that can spot something but cannot stop it?

It may now have been zapped but only by using another malware program. Sadly however, it has caused a lot of damage in the meantime and may lead to us scrapping the laptop after only 2 years.

tony vines
05-05-2011, 8:28 PM
Sue there are lots of viruses called by the prefix Win 32. The one in question is genuine and has caused real damage. If you are interested Google "Win32/FakeSysdef" and have a look at the Microsoft site information about it. I have an old Windows laptop which I use for genealogy projects and I have now put Windows Security Essentials on it in the hope that it does a better job than the McAfee product.

Mutley
05-05-2011, 10:04 PM
I've used AVG for years but a while ago I had a power switch blow and the repair shop removed AVG and replaced it with Microsoft Security Essentials. I was not a happy bunny and seeing as AVG and MSE will not sit on the same PC together I thought I would try MSE for a while. It was the one that let my virus in but it worked doubly hard to get rid of it and finally succeeded without me losing anything.

A friend has been blowing the trumpet of an anti-virus called Kaspersky (sounds like a motor bike). He said everyone was talking about it and it was excellent. I'd never heard of it but was surprised to find Barclays Bank offering it for free.

Anyone tried it?

roan
05-05-2011, 10:08 PM
Viruses like this are a real problem and in my experience the best option is to save any files you have created to an external Hard Drive or USB stick, then re-install the operating system from the discs that came with the computer or from the restore drive on the computer, making sure you use the option to format before re-installation. Then it will be necessary to re-load all your other programs etc., including your anti-virus before copying your saved files back onto the computer. A real pain, but well worthwhile and the computer will run faster too!

Dorset Girl
06-05-2011, 11:34 AM
Tony,
Don't know if you have looked at this site - Bleeping Computers. (Ignore the first part where they say register or log in - just wander down the page and there is quite a bit on it - how to fix etc). You've probably seen it but just in case not

http://www.bleepingcomputer.com/virus-removal/remove-disk-optimizer

Marion

tony vines
06-05-2011, 10:20 PM
Hi Marion

What a great steer, thanks. I wasn't aware of this site although "her indoors" may have come across it as she wrestled with this virus. I have of course told her about it. Is the site reliable in your experience?

regards

Dorset Girl
07-05-2011, 11:17 AM
Hi Tony,
Bleeping Computers usually seem to be pretty reliable and they point you to Malwarebytes - which I have used on many occasions - and Hijack (also used). Having looked through their instructions I couldn't see anything that would worry me - and I would always recommend Malwarebytes - from memory I had to start my computer in safe mode when I got "hit" some moons ago and then use Malwarebytes in safe mode. Hope it is of some help.
Marion

tony vines
07-05-2011, 2:30 PM
Hi Marion

Yes she used Malwarebytes in safe mode. It seems to have removed the trojan but there is still damage. I suspect it is because she followed several of the spurious instructions provided by the trojan before McAfee woke up and told her that she had the virus. It's a useful site so thanks for your help.

regards

Dorset Girl
08-05-2011, 12:33 PM
You're welcome Tony - just hope you can recover most of the data. I like Vipre because they seem to be one of the very few that actually include the offer that if you are a paying client and do get infected whilst with them they will organise to remove any malware from your computer. So far I haven't had to take advantage of it since I've been with them, thank heavens!
Marion