A few hours ago I got a popup that looked like a message of the windows firewall. It said that my system is infected with the trojan mentioned above and that it was a keylogger which takes screenshots and records keystrokes.
This could have been a real popup, but somehow it looked fake.
Mainly because, as far as I know, the win firewall (Vista, by the way) doesn't give me the advice to click on the popup to get "advised software" to get rid of it. The popup came up once more about 20 min later.

According to these sites it is a scaring tactic to get you to buy "Personal Defender 2009" but both sites look untrustworthy and want me to download software to get rid of it or scan my system, which is, according to them, the same thing the trojan wants me to do.
(So click these links on your own risk - I don't advise it!)
http://removal-tool.com/trojan-keyloggerwin32fung/
http://www.411-spyware.com/trojan-keylogger-win32-fung
There are much more of those sites, some looking more trustworthy.

The other Google results show only the usual advise (Hijackthis etc.) and are all very new, so it seems to have come up only in the last week or so.

AntiVir, Spybot and Malwarebytes didn't find anything.
Hijackthis also came up with nothing out of the ordinary.

No other problems or irregularities showed up and I can't think of anything I installed or downloaded which could have been infected.

 

It seems like a Ad-ware I had a few years ago. If it is the same thing it is not a keylogger, Etc. It is just an Ad-ware wanting to get you to download the stuff to put a trojan in. I would look at Bleepingcomputer.com for similar cases and see if they figured out how to get rid of it.

 

Those are the same guys who came up with WinFixer, DriveCleaner, etc. AVG picked up Winlogon on my old PC, needed to restart the system in order to remove it.

Suffice to say that you should not, under any circumstances, download this software. You will also have to take steps to clean your machine, how that's done in this instance I do not know.

I also recommend that you find yourself a decent Firewall and an effective anti-virus program, in order to prevent this shit from happening again.

 

Yea, that software is a nasty bit of spy/adware that will honestly take forever to remove if you download it. What you may need to do is go download a mixture of Spybot Search and Destroy, Avast! Anti-Virus, AVG, and Hijack-This! to make sure everything on your system is gone.

Remember to run them all in safe mode so that you have a better chance at grabbing everything on there. And as for firewall I'm a fan of ZoneAlarm's free firewall. That and Avast have kept me spyware/adware/virus free for a few years without a problem.

 

If you listen to Intention and get Zonealarm I would suggest you get the trial version of Suite. Then when it expires get the regular one or buy that one.

 

I'm not sure how well that it will work in this situation but for future possible situations i recommend downloading ProcessExplorer. It is fucking brilliant at finding unwanted processes.

Blacklight is also supposed to be good if you have a rootkit virus.

 

Thanks, guys.
So it's a fake like I thought - lucky me.

Well, I got three of those four already running, so it shouldn't be a problem.

Thank you all for the advise.

Sure. If you can recommend some?
I've got Avira, AVG, Spybot and Sygate (I know many people think the last one is shit, but I like it). And the standard Windows ones, of course, and I let HijackThis run every once in a while.

 

Try Malwarebytes' Anti-Malware program.

http://malwarebytes.org/ - they're pretty reliable, and it's dead useful in knocking out Trojans. Its database of Trojans and other malware is the hugest I've ever seen in any one dedicated system.

 

Avast, SAS and Malwarebytes provides very good free protection. I'd avoid AVG. If going paid and you are on a 32bit OS I'd go with Norton Internet Security 2009 instead of Avast, closely followed by Kaspersky 2009 (although there are a few bugs to be fixed still that make me a bit cautious to recommend with Norton).

 

If in doubt, reformat. :awesome

No, really...If you've got all your shit backed up, and don't mind spending an evening, do it.

I second the recommendation for Avast. I use it on my Windows partition, and have had no trouble with it at all. Their database of viruses rivals Norton's own. AVG is, at best, fourth place in my book. Sure it's pretty good about catching stuff, but it's annoying as fuck. Kaspersky is second-to-third place, only because it isn't free. McAfee Stinger is a handy standalone detector.

For spy-ware and stuff like that, Spy-Bot is the only thing I would recommend. (Unless you pair it with something else...discounting the false-positives that two (or more) anti-spyware programs will generate, there is strength in numbers after all.)

 

Someone has been downloading suss stuff

Avast/AVG/Kaspersky, Spybot: Search and Destroy, Adaware, CCleaner, Hijack This!

Those should fix pretty much everything bar any damage it has done already. You HAVE been infected with a trojan. The pop-ups can be a single problem it has caused.

 

THIS.

The popups are just one symptom. You may have been infected for a while and never realised it.

My parents had a similar problem to yours with popups asking them to download x to remove y. It turned out that they were infected by a rootkit. The rootkit was a piece of gateway malware whose sole purpose was to remain invisible and undetected while it attempted to download whatever real malware it's masters were being paid to infect you with that week.

The "download x to remove y" infection was just one of several that it had stealthily installed.

The rootkit got onto the computer because someone had downloaded and installed what they had thought was a video codec. I used Process Explorer (which Dark Lord Gullible mentioned) to kill malware processes, but they kept on copying themselves and even after deleting the virus files they'd reappear at the next reboot. Process Explorer is good for diagnosing (and perhaps temporarily stopping) malware, but it won't remove anything.

Sygate is fine as a firewall. TURN OFF YOUR WINDOWS FIREWALL. You should definitely not be running two software firewalls on the same system. Sygate is much, much better than Microsoft's, so turn that crap off. 90% of the items that ask to communicate through the firewall can safely be blocked. I do this all of the time. If something stops working, then disable the block. NT Kernel & System, LSA Shell (Export Version) have both been blocked by Sygate for years with no ill effects. Windows and all other Microsoft products operate and update just fine.

I almost always either deny permission to pass my firewall when something asks, or I just grant it one-off permission. Sometimes you have to grant one-off permission several times in a row. I don't like leaving holes in my firewall by granting software a permanent pass to the internet without reason.

Use Avira or Avast or AVG. Don't keep all three running. They only interfere with each other and do a worse job than running one by itself. Avira and Avast are highly recommended by the geeky Slashdot community so I'd go with one of those two.

Do you even understand your HijackThis! logs? I know that I don't. I can read them to a degree, but to find out what's really going wrong there's an anti-malware forum out there on the intarwebs that specialises in analysing HJT logs for desperate malware victims. I've found them several times via Google. If you need HJT logs read, then go and see those guys. Be sure to supplicate them and follow all of their little rules before posting your HJT logs. Remember that they're doing you a favour and they can easily skip your logs to read someone elses.

Whoever suggested Norton is... ignorant. Steer clear. It's a useless piece of crap that makes idiots feel better because they paid money for a commercial product that they believe will protect their computer. They may as well wrap an elastic band around their cocks and pray that it will keep the AIDS out. My parents had Norton with multi-year subscriptions. "But but... we've got Norton. I don't understand why all of this stuff is happening to us. How can viruses come on here. Look, see? Norton is running."

Most of the programs mentioned here work for most malware, but sometimes malware is just too new, or beyond the capability of the software (especially in the case of rootkits).

 

yak, Norton 2008/2009 are perfectly fine Antivirus programs especially 2009 from a performance point of view.

 

I've got a lot of hate for Symantec/Norton's security products. This is coming from an old fan of the original Norton products when Peter Norton still had something to do with it.

Norton 2008 was a marked improvement over previous versions as far as the interface and usability goes. That doesn't mean it was doing any better at the actual 'security' part of it's job though. 'Leaky like a sieve' is the phrase that comes to mind.

Norton 2009 looks like it's improved in all of the areas that 2008 was still shoddy in. "Symantec claims that Norton 2009 is faster than previous versions due to new architecture that reduces boot time, scan time, memory usage, overall system footprint and install time." It looks like these claims might actually be true rather than just being the usual crunk that some wag in marketing came up with.

2009's detection rate is also much better than 2008's. Infact Norton 2009 Beta topped that test for detection rates.

Norton 2009 came out in September. My parents have probably bought it by now. I should give it a try the next time I'm over there. Symantec have been screwing up for so long that I'll have difficulty trusting them ever again.

If you live in the US and value your privacy from the government as much as from information thieves, consider chosing a different product.

"A keystroke logging Trojan, called Magic Lantern, will enable (FBI) investigators to discover break PGP encoded messages sent by suspects under investigation, MSNBC reports."

"MSNBC quotes unnamed sources who says that Magic Lantern could be sent to a target by email or planted on a suspect's PC by exploiting common operating system vulnerabilities."

"Eric Chien, chief researcher at Symantec's antivirus research lab, said that provided a hypothetical keystroke logging tool was used only by the FBI, then Symantec would avoid updating its antivirus tools to detect such a Trojan."

That's from an article from back in 2001 (post 9/11 but before the Patriot Act). Too bad if a copy of Magic Lantern has fallen into the wrong hands.

 

Well it's not perfect, but it's certainly top 3 depending on how you look at it #1,#2,#3 with Kaspersky and Avira. The reason I switched from Kaspersky is due to some BSOD/Update issues and not to Avira due to updating issues.

 

I've heard plenty of good things about F-Secure over the past two years. I've never seen it in action myself, but the results and reviews are impressive.

 

Just to pipe in, I've used Mcafee, Norton and Kaspersky. Kaspersky was far and away the best of the three. Yes it costs per month, but it is definately worth it.

 

AVIRA is a damn good Anti-virus, Not sure how good the Anti-Root-kit is though, I haven't had one. But between AVIRA and AVAST! just about everything should be covered, AVG and others are pretty much just like putting on a second condom. Though if your going to have sex with the AIDS infested hooker known as the internet, The Second condom may just save your life.


As for McAffe and Norton, Well I have only had bad experiences with them, McCaffe was more of a nuisance than any Ad-ware I had ever gotten, And Norton, Well Norton never caught anything and just kept bugging me.


Yak: I So agree with you on not giving programs free internet access, It may get to be a hassle when I start up and like 30 programs ask for access at the same time but it helps cut back on internet usage as well as program control. I have a few programs that I don't want updated >_> and I can't figure out how to turn off the automatic updates, So I just deny them internet access

 

Avira Rootkit Detection (not their Permium IS suite) is great for removing rootkits on XP, but not so good on Vista according to this test.

Good work Knox.

I don't have that problem at start up. If the program is supposed to be accessing the internet than I usually permanently allow it. If it's a program that has an auto-update component, I usually make it ask first. I wish Sygate was much easier to configure boundaries for specific programs. Eg. Program x can always use protocol y to communicate with IP range z0 - z255.

I can do it, but it's a royal pain in the ass and difficult to change.

edit: I did this for Steam. I get uncounted downloads from my ISPs Steam server, but to take advantage of that I have to block Steam from making large downloads from any other Steam servers.

 

The only thing that has auto internet access is FireFox >_>