
Malware??


brownsbuck6 (Gold Star Member; Joined: Apr 2, 2007; Messages: 5,296; Reaction score: 8,008; Points: 113)
I am 90% convinced that I received a rootkit from this here site earlier today... took me hours of work to fully remove it and recover my PC. And just now, was browsing the site, and got a malware warning from my new AV program. What is going on here that's causing malware?
 
Same here. Around 5ish I got hit by some malware and RCF and ESPN.com were the only two sites I had open.
 
This is CONFIRMED by me; the trojan AVE99, an offshoot of the FakeRean Trojan, is certainly coming from RealCavsFans.com.

The infection, if allowed to manifest, is ridiculous. I've had technicians come in all week complaining about this particular trojan (so it's not only RealCavsFans), all the variations also come strapped with a variation of the FaBot trojan and all with the general characteristic of being named "AVE[nn].exe" and all imitating a genuine Microsoft product. The latest iteration attempts to replace key Windows components including explorer.exe, iexplore.exe, winlogin.exe, svchost.exe, and taskmgr.exe.

Again, I'm positive it's coming from RealCavsFans because it infected a fresh virtual machine running Windows Media Center Edition (XP SP3).

If anyone needs help restoring their system, just let me know and I can post a tutorial tonight.
 
This is CONFIRMED by me; the trojan AVE99, an offshoot of the FaBot Trojan, is certainly coming from RealCavsFans.com.

The infection, if allowed to manifest, is ridiculous. I've had technicians come in all week complaining about this particular trojan (so it's not only RealCavsFans), all variations of the FaBot Trojan and all with the general characteristic of being named "AVE[nn].exe" and all imitating a genuine Microsoft product. The latest iteration attempts to replace key Windows components including explorer.exe, iexplore.exe, winlogin.exe, svchost.exe, and taskmgr.exe.

Again, I'm positive it's coming from RealCavsFans because it infected a fresh virtual machine running Windows Media Center Edition (XP SP3).

If anyone needs help restoring their system, just let me know and I can post a tutorial tonight.

Can I blame this shit for my pirated Windows 7 now saying it's not genuine anymore?
 
I was on my parents computer and on RCF, and today the computer is all screwed up with malware. Perhaps that is how I got malware on my computer a couple weeks ago, too.
 
Hopefully some actual 'staff' will see this and respond.

I remove malware (among other IT stuff) for a living.. if anyone needs help removing malware, send me a message.

Meanwhile, this is serious stuff going on here.. I was very close to having to do a system recovery because of this site. Any answers?
 
I got it too while on this site earlier and in the live chat.

It was pretty easy to take care of though.
 
I got the message from Windows 7 saying this site was reported as unsafe and containing threats. I didn't heed it, and to this point haven't had any problems. Can the mods keep us updated on this?
 
Just FYI, Windows 7 for the most part is safe from this particular trojan. It will only affect earlier versions of the NT kernel, particularly XP/2003, and only non-64-bit versions.
 
Can I blame this shit for my pirated Windows 7 now saying it's not genuine anymore?

LOL.. No. You need to obtain a pre-activated or corporate version of Windows 7 Ultimate. If you're going to download a torrent, I'd recommend the "AIO" release that's readily available from the usual places.
 
I can confirm I also was hit with some serious malware yesterday as well and I was on the site too...just thought I'd let the others know they aren't alone and hopefully the admins can get it taken care of if it really did originate from here.
 
If anyone needs help restoring their system, just let me know and I can post a tutorial tonight.

I think I got rid of most of the bad stuff, but whatever you can post to help me confirm that would be great.
 
I think I got rid of most of the bad stuff, but whatever you can post to help me confirm that would be great.

First and foremost you need to clear out the user temp directories located at "\Documents and Settings\%USERNAME%\Local Settings\Temp" and also "\Documents and Settings\%USERNAME%\Local Settings\Application Data\Temp". Be certain that no hidden files or folders remain in these locations. You may need to boot into safe mode with command prompt and recursively delete the hidden files and folders manually. Use the "attrib" command with the string "attrib -r -s -h *.*" to remove hidden, system, and read-only attributes from the files in those directories. Feel free to delete everything in these temp directories.

My best advice is to load Process Explorer, add the table header for "Command Line," sort by command line, and find all instances of executables or instances of rundll loading a library that is located in ~\Local Settings\Temp or ~\Local Settings\Application Data.

Particularly these files should be deleted if found in your user directory: winlogon.exe*, winamp.exe*, AVE.exe, AVE99.exe, AVP.exe, taskmgr.exe*, smss.exe*, svchost.exe*, iexplorar.exe (note the "a"), ose00000.exe. I noted several of the filenames with "*" not as a wildcard but to make sure you only delete these files if they're found in your temp directories, and/or if you cannot verify their Microsoft signature in the executable. A good rule of thumb is don't delete these files if they happen to reside in the \Windows\ directory.

Beyond that, make sure you can still view hidden files and folders as the FakeRean trojans like to modify the Registry values for explorer to prevent you from finding the files. Also, run a registry scan for the value "ave.exe," particularly checking \HKEY_CLASSES_ROOT\exefile\shell\open\command to verify that AVE.exe has not hijacked executable association. The proper line should read "%1" %*. Feel safe in eliminating all instances of AVE.exe located within your registry. If located in any exefile association, replace the AVE start command (which starts the fake "XP Security Center" trojan) with "%1" %* for default values.

If you find that you can no longer launch the registry editor, even by executing regedit.exe directly from the command prompt, or you are prompted with "Registry editing has been disabled," then you can re-enable the function by launching "gpedit.msc" from either the Start>Run... menu or by using "start.exe" from the command prompt. Once loaded, go to Computer Configuration->Administrative Templates->System->Prevent Registry Editing (or some such). You may find no value has been set; this is fine. First, enable prevention and press Apply, then disable prevention and press Apply. Disabling prevention without first enabling it doesn't actually work due to an unresolved bug. Perform the same step at User Configuration->Administrative Templates->System->Prevent Registry Editing.

Run a good registry cleaner, install an antivirus suite like Avast, and also, make sure to clear out the \Windows\Prefetch directory. (Remember to delete any hidden files or folders there as well).

Other than that if you have any problems just let me know...
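As an added check (my own Python, not anything posted in this thread), the script below parses a constructed .reg export for the two registry items the post describes (the exefile association that should read "%1" %*, and the DisableRegistryTools policy behind "Registry editing has been disabled") and flags Process Explorer "Command Line" values that run or load a library from the Local Settings temp directories. The sample .reg text and command lines are constructed; the file-name list is the one from the post.

```python
import re
CLEAN_EXEFILE_COMMAND = '"%1" %*'  # default value of HKCR\exefile\shell\open\command
# Names the post says to delete only when they turn up in the user temp directories
SUSPECT_NAMES = {"winlogon.exe", "winamp.exe", "ave.exe", "ave99.exe", "avp.exe", "taskmgr.exe",
                 "smss.exe", "svchost.exe", "iexplorar.exe", "ose00000.exe"}
TEMP_DIR_RE = re.compile(r"\\local settings\\(temp|application data)\\", re.I)

def parse_reg_export(text):  # minimal .reg parser -> {key: {value_name: value}}
    keys, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, value = line.partition("=")
            if value.startswith('"'):  # REG_SZ: drop outer quotes, unescape \" and \\
                value = re.sub(r'\\(["\\])', r"\1", value[1:-1])
            keys[current]["(default)" if name == "@" else name.strip('"')] = value
    return keys

def check_registry(keys):  # hijacked exefile association and regedit lockout policy
    findings = []
    cmd = keys.get(r"HKEY_CLASSES_ROOT\exefile\shell\open\command", {}).get("(default)")
    if cmd is not None and cmd != CLEAN_EXEFILE_COMMAND:
        findings.append("exefile association hijacked: " + cmd)
    for hive in ("HKEY_CURRENT_USER", "HKEY_LOCAL_MACHINE"):
        pol = keys.get(hive + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System", {})
        if pol.get("DisableRegistryTools", "dword:00000000") != "dword:00000000":
            findings.append(hive + ": DisableRegistryTools is set (regedit disabled)")
    return findings

def suspicious_processes(command_lines):  # Process Explorer "Command Line" values
    hits = []
    for cmd in (c.strip() for c in command_lines):
        exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]  # quoted path or first token
        name = exe.rsplit("\\", 1)[-1].lower()
        if TEMP_DIR_RE.search(exe):
            tag = "listed name" if name in SUSPECT_NAMES else "unlisted name"
            hits.append(f"{name} running from temp ({tag}): {exe}")
        elif name == "rundll32.exe" and TEMP_DIR_RE.search(cmd):
            hits.append("rundll32 loading a library from temp: " + cmd)
    return hits

# Constructed sample input (not from the page): hijacked association plus the lockout policy
SAMPLE_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\user\\Local Settings\\Application Data\\ave.exe\" /START \"%1\" %*"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001'''
SAMPLE_CMDLINES = [r'"C:\Documents and Settings\user\Local Settings\Temp\ave99.exe" /START "%1" %*',
                   r'C:\WINDOWS\system32\svchost.exe -k netsvcs',
                   r'rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\x.dll",Run']
```

Run `check_registry(parse_reg_export(SAMPLE_REG))` and `suspicious_processes(SAMPLE_CMDLINES)` to see the two registry findings and the two flagged processes; the svchost.exe line under \Windows\system32 is left alone, matching the post's rule of thumb.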
 
This is CONFIRMED by me; the trojan AVE99, an offshoot of the FakeRean Trojan, is certainly coming from RealCavsFans.com.

The infection, if allowed to manifest, is ridiculous. I've had technicians come in all week complaining about this particular trojan (so it's not only RealCavsFans), all the variations also come strapped with a variation of the FaBot trojan and all with the general characteristic of being named "AVE[nn].exe" and all imitating a genuine Microsoft product. The latest iteration attempts to replace key Windows components including explorer.exe, iexplore.exe, winlogin.exe, svchost.exe, and taskmgr.exe.

Again, I'm positive it's coming from RealCavsFans because it infected a fresh virtual machine running Windows Media Center Edition (XP SP3).

If anyone needs help restoring their system, just let me know and I can post a tutorial tonight.

A further confirmation of the exact same thing. My virus software called them a total of 6 viruses with the same kind of names you just wrote. My program also got them isolated before I actually clicked on something I shouldn't have. They are vicious... VERY vicious. I did get rid of them though..... for now. Nasty, nasty stuff.

Whoever this site uses to distribute ads needs to be fired by this site. Sorry. That's how it is. They can't keep out or screen the bad ads. Either they cannot do it, or they do not WANT TO DO IT. Period. Fire them please. I would hate members to stop coming here because of bad advertisements.
 