thanks for the heads up
I read this on the THO forums, and thought I'd pass it on to fellow RS members:
FPSBANANA.COM Virus
Please excuse the abrupt caps lock title, but if you are a user of the website FPSBanana.com and have a Windows PC, you could be infected by a virus that is going about on the site's advertisements.
If you are a user of the website FPSBanana.com and have a Windows-based computer, then you may be a victim of a recent virus that is circulating on the site. The virus itself is infecting users through the adverts present on the site, not the actual website itself. The virus is believed to be using a Java exploit to get onto your computer and then compromise its security. I have been infected by this virus on both of my computers, which are running plenty of anti-virus, malware and spyware software; however, none of these were able to detect this virus. Minor adware viruses have been spotted on FPSBanana.com's adverts before, but this virus seems to be quite unique, so I thought I should inform the community.
The virus has been confirmed as BlackInternet, which is a rootkit that buries itself deep into the Master Boot Record (MBR), which forces the virus to run each time you start your computer. This has been confirmed, as running msconfig is useless (the virus does not plant itself there) and booting into safe mode will still run the virus.
How to tell if you are infected by this virus
1. Open up Task Manager (Ctrl + Alt + Del, then click Start Task Manager if running Windows Vista/7), click the Processes tab and make sure you can see all running processes
2. Look for any weird .exe programs with names like loader.exe running as a process
3. Another tell-tale sign of this virus is having multiple iexplore.exe processes running even when there are no Internet Explorer windows open. If multiple iexplore.exe processes are open and Task Manager identifies them as SYSTEM, then you are infected. Don't attempt to end the processes, as they just respawn seconds after closing them.
4. If the wave bar on your sound control keeps setting itself to low, this is also a sign of the virus (this happened on my PC running Windows XP, though not on Windows 7)
5. If you hear random sound clips (voice ads) or suddenly start receiving popups, this is also a sign of the virus and is the rogue iexplore.exe processes running in the background.
6. Random clicking sounds from Internet Explorer are also another sign of rogue iexplore.exe processes.
At present it's believed no anti-virus, anti-spyware, anti-rootkit etc. software can pick this virus up, besides Kaspersky, but even then Kaspersky cannot remove the rootkit if the computer has already been infected.
How can you remove this virus?
Because the virus has latched onto the MBR of the infected computer, the only way to remove it is to perform a re-write of the MBR. To carry this out, you must have either a full Windows installation disc that corresponds to the operating system of your computer, or a Windows recovery disc.
The removal process:
Before I continue, I will explain what's about to happen. You are going to re-write the MBR of your Windows installation. The MBR is a boot record, which is a partition on your computer's hard drive; this partition contains boot information and tells Windows how to boot up. The MBR is not your entire computer, and re-writing it will not re-format your hard drive. However, in the event of the re-writing of the MBR screwing your installation up, back up your files BEFORE you carry out the process below, as screwing up an MBR rewrite will most likely mean an unbootable operating system.
If you have a dual boot configuration set up, i.e. two operating system partitions on the same hard drive, this process will destroy it, as Windows will completely take over the MBR again. E.g. if you are running a dual boot of Windows and Linux, your Linux OS will become unbootable, as the loader for Linux will be removed. Consult your Linux operating system's help forum, wiki or other methods of getting back your dual boot config after this process.
You must make sure you use a Windows disc that is the EXACT same version as your operating system, otherwise you will write an incorrect MBR and have an unbootable system.
If you do not have a Windows disc/recovery disc, you can use EasyBCD, a tool that can repair the Windows boot loader; however, I have not used this tool personally, so I cannot provide instructions on how to use it. It can be obtained from this link:
neosmart.net/dl.php?id=1
Follow the steps below to rewrite your MBR
1. Get your Windows installation/recovery disc and put it in your CD/DVD tray
2. Reboot your computer
3. Just before the Windows logo loading screen you should be prompted to boot from the CD/DVD; press any key to boot it and wait for Windows to load. If you are not prompted to boot from the CD/DVD, check your BIOS settings and make sure that boot from CD is enabled, as well as CD being first in your boot priority list.
4. Depending on whether you're using Windows XP or Windows Vista/7, you will need to follow one of these sets of instructions:
For Windows XP:
When asked what to access, you will want to repair Windows XP, and somewhere after that screen should be the option to access the Recovery Console. Once accessed, you will probably be prompted to enter the administrator username and password; do so to get access to the Recovery Console so you can run commands. Now, once in the Recovery Console, type "fixmbr" (no quotes) and execute it. Upon doing so you may be asked to confirm your action; confirm it and you should now have re-written your MBR. You can now reboot your computer and remove the disc.
For Windows Vista/7:
Once you've booted the CD/DVD, select your language and click Next. Don't go ahead with the install; click "Repair my computer" in the bottom left, then wait for Windows to recognize your installation. Once it has, click Next and you should see some options. Select "Open Command Prompt Window", and you should now have a command prompt window open. Type the following command:
bootrec.exe /fixMBR
And execute it; it will follow up with "Command has completed successfully." You can now reboot the computer and remove the disc.
This should stop the virus being started up with your computer. However, traces of it may still exist on your PC, so get back into Windows normally and delete any files in the following directories.
For Windows XP:
C:\Documents and Settings\Application Data\temp
For Windows Vista\7:
C:\Users\your user\AppData\Local\Temp
You could also run CCleaner, if you have it already installed, which will also clear your temp directory for you.
I am sorry that this post is very long; however, I wanted to inform you all, as I'm sure a lot of the community here will use FPSBanana.com from time to time for whatever reason. So I wanted to make sure you were all in the know about it. I'd recommend that no one goes near FPSBanana.com until the ads have been sorted out, as this virus can silently infect your machine without any of your anti-virus, anti-malware or anti-spyware protection detecting anything unusual.
If you feel you must use FPSBanana, DO NOT use Internet Explorer. No matter what Microsoft says, their browser is riddled with security holes. Instead, use Mozilla Firefox with the following plugins installed:
AdBlockPlus - Blocks advertisements on websites
NoScript - Blocks Java being executed without your knowledge
(Thanks nomy and Malak101 for giving me this tip)
However, I cannot be 100% certain that these plugins will protect you from any of the viruses floating around on the adverts; to be safe I'd suggest not visiting FPSBanana.com at all until it has been resolved.
Examining virus after removal
I successfully re-wrote my Windows 7 MBR some hours ago and since then I have not seen any rogue processes, including SYSTEM-generated iexplore.exe processes. I have monitored my processes for a few hours now and have not seen any sign of the virus or its rogue processes. I have even run Internet Explorer to see if any virus is still backboning off the process, and nothing has been seen or found. It looks like my laptop is clean now.
I hope this information has been informative and has helped you in some way.
Stay safe.
Thanks Chemo.
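The process-level signs in the quoted post (iexplore.exe instances owned by SYSTEM with no visible window, executables such as loader.exe running from a Temp folder, and leftover files in the user's Temp directory) can be checked from a PowerShell prompt instead of by eye in Task Manager. The script below is an added example, not code from the original post or from any tool it mentions. It assumes an elevated Windows PowerShell 3+ or PowerShell 7 session (GetOwner on other users' processes needs administrator rights) and uses the current user's $env:TEMP as the Temp directory to inspect; it only reports and never deletes or kills anything.

```powershell
# Added example (not from the original post): reports the process and file
# indicators the post describes. Run from an elevated PowerShell prompt.

function Get-SuspiciousIeProcess {
    # iexplore.exe instances whose token owner is SYSTEM and which have no
    # main window, i.e. the "IE running with nothing open" sign.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'iexplore.exe'" |
        ForEach-Object {
            # Win32_Process.GetOwner() returns the Domain and User of the process token.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            $proc  = Get-Process -Id $_.ProcessId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Owner       = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
                HasWindow   = ($null -ne $proc -and $proc.MainWindowHandle -ne 0)
                CommandLine = $_.CommandLine
            }
        } |
        Where-Object { $_.Owner -like '*\SYSTEM' -and -not $_.HasWindow }
}

function Get-ProcessFromTemp {
    # Any running process whose image file sits under a folder named Temp
    # (covers both the XP and the Vista/7 paths given in the post).
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.ExecutablePath -and $_.ExecutablePath -match '\\Temp\\' } |
        Select-Object ProcessId, Name, ExecutablePath
}

function Get-TempExecutable {
    # Executable files left in the current user's Temp directory, which the
    # post says to clear after the MBR rewrite. Review this list before deleting.
    Get-ChildItem -Path $env:TEMP -Recurse -Include *.exe, *.dll, *.scr -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

$ie = Get-SuspiciousIeProcess
if ($ie) {
    Write-Warning 'iexplore.exe running as SYSTEM with no visible window:'
    $ie | Format-Table -AutoSize
}

$tmpProc = Get-ProcessFromTemp
if ($tmpProc) {
    Write-Warning 'Processes executing from a Temp directory:'
    $tmpProc | Format-Table -AutoSize
}

$tmpFiles = Get-TempExecutable
if ($tmpFiles) {
    Write-Warning "Executable files present under $env:TEMP (review before deleting):"
    $tmpFiles | Format-Table -AutoSize
}

if (-not $ie -and -not $tmpProc -and -not $tmpFiles) {
    'No process-level or Temp-directory indicators found.'
}
```

A clean machine prints the final line only. The script deliberately does not terminate anything, because the post notes that the SYSTEM-owned iexplore.exe instances respawn within seconds; the findings are meant to confirm the infection before the offline MBR rewrite and to verify, as the post's author did, that nothing comes back afterwards.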
There may be an easier way to fix this virus, though. I just got home and wanted to reply, but I will post a possibly easier solution later. I have already messed with a similar, and possibly the same, Java-based web advertisement virus and know what registry key edits will stop the virus from running at startup. This will allow antivirus software to function properly and remove the files from the PC.
See, this virus does manage to install with antivirus running, but most antivirus software will pick it up during a manual scan; the problem is that when the virus is running it corrupts the scan. So it needs to be terminated first, and without editing the registry the virus will restart no sooner than you kill it.