How to Prevent and/or Remove the CA.com Virus

If you have not been infected (You will know if you've been infected because a fake antivirus program begins to execute. You never downloaded this and you do not recognize it.) skip to the second part of this thread.

First, copy the contents of this post and save it as a Word, Notepad, or WordPad document and place it in the root of c:\. This way it will be named C:\removal.txt.

Second, you want to go to Start - Reboot. Once your computer has begun starting back up, you will see the usual P.O.S.T. screen (usually a black screen telling how much memory and what processor etc). Immediately after this you should begin tapping the "F8" key. Keep pressing it until you are presented with a menu. Select "Safe mode with networking". You will see lots of weird things happen but eventually you will be presented with your desktop. It will look different. Do not try to fix this; it's normal.

Now, open c:\removal.txt.

Welcome back.

Now we're going to download Malwarebytes Anti-Malware.

Follow this link: Malwarebytes Anti-Malware 1.46 - TechSpot Downloads

Then click "Download Now"

Once it's downloaded execute it and go through the setup process. At the end it will have two checkboxes. One for updating and the other for running the program. Leave them both checked. Now it will download the latest definitions update. Once done it will open the program.

Inside the program, on the "scanner" tab, tick the radio button for "Perform quick scan". Click the scan button and let it finish. Once it's done it will pop up a notepad window. Just close that and click "show results". Then have it remove all objects.

(It may need to reboot. Tell it yes if it prompts you wanting to reboot. If you do this, remember to hit F8 like you did before and go back into safe mode with networking)

Now do a full scan just like you did the quick scan.

Once it's done and you've removed the objects, reboot like you normally would. Don't go to safe mode this time.

Back inside of windows just do another full scan and let it run in the background while we do this next part.

___________________________________________________2nd Part__________________________________________________

We're going to install Spybot Search and Destroy but most importantly Tea Timer. (Tea timer protects the windows registry. Anything looking to make a change to the registry prompts tea timer to request your permission to do so. Most viruses cannot execute without that so this protects you from most.)

Follow this link:

http://mirrors.us.securitywonks.net/download/software/1/1281615136/8bc00aff1a8086dbcba5969a2ce4a14041b0f800/spybotsd162.exe

Now download, install, and update just like you did with malwarebytes. Install Tea Timer. Now you're pretty well protected.

Tea timer is not without its annoyances. EVERY time something wants to access the registry it will ask your permission. So, for the first week you REALLY need to pay attention. If you want something to have access forever, check the box and it won't EVER ask you again. This is also a bad thing, because if you deny something and have the box ticked, and later want it to have access, it's not easy to make that happen.

Also, instead of installing and running Tea Timer, a good solution is to run mainly in a limited account. Make a non-administrator account in Windows and use that for your web browsing. You do not have access to install or change settings, so neither will a virus. You will have to log in to an administrator account to install programs or change settings, but for everything else you'll be fine.

Taken from here: http://www.google.com/safebrowsing/diagnostic?site=http://www.caraudio.com/index2.html&hl=en

Safe Browsing: Diagnostic page for caraudio.com

What is the current listing status for caraudio.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 6 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 5259 pages we tested on the site over the past 90 days, 563 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-08-11, and the last time suspicious content was found on this site was on 2010-08-11.

Malicious software includes 6 scripting exploit(s), 2 trojan(s), 1 exploit(s). Successful infection resulted in an average of 7 new process(es) on the target machine.

Malicious software is hosted on 44 domain(s), including lecrosse.co.cc/, 4safe.in/, secure-internet.in/.

5 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including lecrosse.co.cc/, shrinkydinx.com/, 4safe.in/.

This site was hosted on 9 network(s) including AS30209 (GSI), AS1680 (NV), AS9371 (SAKURA).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, caraudio.com appeared to function as an intermediary for the infection of 1 site(s) including caraudioforums.com/.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

Return to the previous page.

If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.

Updated 10 hours ago
What does this mean? Ca.com's ads have a malicious advertiser I'd guess. There is not much else it could be.

 
malwarebytes works

Restarting in safe mode and performing a system restore will get rid of the new batch of "fake antivirus" viruses too...

 
IF you can do a system restore. I love when system restore backs up your fake AV. Running a limited account will help but not in this case. They run out of your temp directory and therefore can execute without admin privileges.

Good advice though brah. Malwarebytes works great. I will also suggest, for just general purpose, installing Microsoft Security Essentials for a main AV. Rated well on rootkit detection and integrates seamlessly with Windows. Low overhead and free.
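
The reply above points out that fake antivirus programs run from the temp directory and so need no admin rights. A read-only PowerShell check for exactly that, as an added example that is not part of the original thread; the folder list and the helper name `Test-UserWritableLocation` are assumptions made here:

```powershell
# Added example: list running processes and Run-key autoruns located in
# folders a limited (non-administrator) account can write to.
# Read-only: nothing is stopped, deleted or changed.

# Assumed folder list; Temp normally sits under LOCALAPPDATA on Vista and later.
$roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' } |
    Sort-Object -Unique

# Hypothetical helper: true when the text contains one of the folders above.
function Test-UserWritableLocation {
    param([string]$Text)
    if (-not $Text) { return $false }
    foreach ($root in $roots) {
        if ($Text.IndexOf($root, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

# Running processes whose image file is in one of those folders.
$procs = Get-CimInstance -ClassName Win32_Process |
    Where-Object { Test-UserWritableLocation $_.ExecutablePath } |
    Select-Object ProcessId, Name, ExecutablePath

# Programs set to start at logon from the same folders.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$autoruns = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        if (Test-UserWritableLocation $command) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $command }
        }
    }
}

'Processes running from user-writable folders:'
$procs | Format-Table -AutoSize | Out-String -Width 200
'Autoruns pointing at user-writable folders:'
$autoruns | Format-Table -AutoSize | Out-String -Width 200
```

Hits are leads to review, not verdicts: plenty of legitimate per-user installs also run from AppData. Anything unrecognized there is worth a scan before the next reboot.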

 
IF you can do a system restore. I love when system restore backs up your fake AV. Running a limited account will help but not in this case. They run out of your temp directory and therefore can execute without admin privileges.
You should have no trouble doing a system restore in safe mode...

 
malwarebytes works
Restarting in safe mode and performing a system restore will get rid of the new batch of "fake antivirus" viruses too...
Most of the time yes. Unfortunately the CA.com virus infects your restore points so when you restore it comes with it.

 
Good info. Now how do you get CA.com off the "reported attack site" list? I use Linux with Firefox on my home laptop and there is no way to unblock attack sites, the menu does not have the options choice to modify preferences.

 
Got that one before from a torrent site I believe. Nasty. A few ways to cure them. Malwarebytes sometimes works, otherwise for most you have to go into the registry yourself and axe things.

 
Thread starter
Stalin-ohaulic