I have downloaded a fake Firefox update and actually installed it on my netbook. What should I do? I'm now currently running a NOD32 virus scan and antimalware on my netbook.
While I was browsing photos on Google, another page just came up that said I have to update Firefox and my Flash Player for security reasons, and then a box just popped out and I clicked save file. After I installed it, I came back to the download page and I became suspicious because it has no mozilla.com in its address; it was http://setupfirefox.co.cc/. I researched it on the web and I realized that I have just downloaded a fake Firefox update which probably has a virus in it.
Well, my anti-malware scanner has detected 2 trojan horses and I removed them and restarted my netbook, but I don't know what damage has been done by it.. I don't even know if all traces of it have been removed..
All Replies (10)
Same here .. was very busy and got tricked .. page looked just like a FF update page too. Please help .. I am running XP, not sure if that will matter .. I believe the kt1.exe process has a connection .. that's where I am at
I had the same problem, kinda stupid of me because I typically don't fall for these dumb things but alas, I was in a rush while multitasking.
Anyways, you can do a few things to remove it manually:
1) End the process (use taskmgr.exe). There are several names. See a list here for examples: http://www.mypcsafe.com/tag/hxg-exe-removal. But for me, it also ran as Hqeqaa.exe
2) Then delete the appropriate trojan files that you find on your PC. Files were "installed" in 2 places for me:
C:\Users\Your Login Name\AppData\Local\Temp\hxg.exe
C:\Windows\Hqeqaa.exe, hxg.exe
The path for you may be different though for several reasons, e.g. different strain of the trojan, infection method, and operating system (using Win7 here).
3) Be safe and use antivirus program(s) and scan your whole system. Prevx actually detects it but you have to buy it to use its removal features. I just sent the file to Avira because they currently don't detect this version...
Also, it adds the path and file to the registry under ...\Windows\Run in multiple locations which you should remove even though it's useless when the files don't exist after you delete them.
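A read-only way to review the autostart entries and file locations mentioned in the post above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and that the "...\Windows\Run" locations are the standard Run/RunOnce keys; the flags are hints for manual review, not verdicts.

```powershell
# Added example: read-only audit; nothing is deleted or modified.
# Assumption: the post's "...\Windows\Run" means the standard Run/RunOnce keys below.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-TargetPath([string]$Command) {
    # Extract the program path from a Run value: a quoted path, or text up to the first script/exe extension.
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-RunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($psMeta -contains $p.Name) { continue }   # provider metadata, not a Run value
            $target = Get-TargetPath ([string]$p.Value)
            if (-not $target) { continue }
            if ($target -notmatch '[\\/]') {
                # Bare file name: resolve it through PATH before testing for existence.
                $cmd = Get-Command $target -CommandType Application -ErrorAction SilentlyContinue |
                    Select-Object -First 1
                if ($cmd) { $target = $cmd.Path }
            }
            $flags = @()
            if (-not (Test-Path -LiteralPath $target)) { $flags += 'target missing (stale entry)' }
            if ($target -match '\\Temp\\') { $flags += 'runs from a Temp folder' }
            if ((Split-Path $target -Parent) -eq $env:windir) { $flags += 'sits directly in Windows dir' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $target; Flags = $flags -join '; ' }
        }
    }
}

# Flagged entries sort to the top; unflagged ones are listed for completeness.
Get-RunEntry | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Legitimate programs also live directly in the Windows directory, so compare flagged names against what the antivirus scan reported before removing a registry value.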
Well, at last, I have removed it completely! When I used Malwarebytes, the trojan fake alert just kept coming back every time I did a scan, and I removed it again and again. Then I did a system restore (twice) and emptied the quarantine items in Malwarebytes. Then I ran a scan twice with Malwarebytes, NOD32 and Bitdefender and thankfully, there were no infections detected... I really am not sure if the system restore did all the trick but at least, my problem is solved.
I am still having issue .. I always look at my processes and it seems there is now a kt1.exe popping up .. I did run virus scan and it found some stuff .. I also have real time protection with it .. but that process still keeps popping up . Anyone else with help much apreesh
Like I said, you have to end the process and delete the originating executable, otherwise of course it will restart itself. Do yourself a favor and use Prevx to scan your entire system to find all the viruses and then follow the instructions to actually remove said files while the process(es) aren't running. You're just temporarily by ending the process... not removing anything.
FYI, Avira got back to me and here's part of their response:
The file 'Hqeqaa.exe' has been determined to be 'MALWARE'. Our analysts named the threat TR/Zlob.AG. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system. Detection will be added to our virus definition file (VDF) with one of the next updates.
I changed my email and Battle.net (SC2) passwords after removing the trojan and I advise you to do the same with any sensitive accounts you've used since being infected.
I understand .. .. I know I am ending the process .. I have the Symantec corporate edition for my anti virus .. and I have detected some of them with it .. but I believe I am going to have to run the scan in safe mode .. I could not follow your path outlined to the executable file .. I went into my C actually on mine its h windows folder and could not find it .. .. to be cont..
I got this earlier today (on XP Home). It was called xlx.exe and other x[whatever].exe files on mine. Malwarebytes and Unlocker wouldn't even run (I wanted to delete the evil files out of "Local Settings/Temp" but it wouldn't let me) and the internet stopped working! I went in to safe mode, tried to run rkill and then Malwarebytes, but still no dice. I couldn't even get Combofix -- my last-straw everything-killer -- to run as a .exe file, but I renamed it to a .com file and it ran. It wouldn't update because of the internet problem, but it fixed things enough so that I could run other programs. The internet was still being wonky-- now it LOOKED like I was connected, but I couldn't get anywhere. I looked in my Connection Settings and there was a proxy server set up, which I did not do, so I set that back to "no proxy". Still not working. I then found that my DNS Server was blank in Network Connection Settings (I have to manually enter the IP Address etc. at my house) but I'm not sure how that happened. I typed it in, and the internet worked again. Hallelujah! I updated and ran Combofix (again), Malwarebytes and Avira AntiVir. They all found stuff and deleted it. I think it's really gone now, but DANG! (If anyone is actually planning to try this, I should note that they always warn you against using Combofix without "supervision". I've never had a problem with it hurting anything but you never know. Also, Combofix turns System Restore on, which is fine, but I turned it off before letting Malwarebytes and AntiVir do their thing because sometimes the bad stuff gets kept in System Restore and then puts itself right back on.)
Got rid of it using Malwarebytes .. it was 25 dollars but well worth it .. the headache is gone ..