BEWARE! Really Vile New Threat

MaxBuck

SoCal, Baby!
My wife (Windows XP Home) just got hit with a nasty little worm called AntiVira AV. This hideous thing loaded when she hit a link on a search run on FireFox - no warning whatever. Symptoms:

1. A "warning" pops up that "alerts" to a "security threat."
2. Simultaneously, a browser window pops up directing her computer to unwanted sites, including kiddie porn (!) THIS CAN BE DEADLY TO YOUR REPUTATION!
3. Attempts to remove it using our usual antivirus, Avast version 5, have been unsuccessful; Avast does not recognize the threat.
4. Attempts to load other antivirus from CD (Kaspersky - had an old version sitting around) are met with refusal - AntiVira identifies the new antivirus software as "infected" and intercepts the installation.
5. The worm prevents certain functions in Control Panel, and it doesn't show up in the Add/Remove Programs box.

I'm right now running her computer in Safe Mode with Networking, trying to use whatever tools I can find to identify and remove this thing. Unfortunately, the sites I've found through Google for "removal Antivira AV" are, I think, bogus sites run by the same company to further screw up the infected computer.

If I'm successful getting this thing taken care of, I'll let you all know what I've done.
 
More info on this from the McAfee Forum:

AntiVira Av Description
AntiVira Av (alias Anti-Vira Av) is the latest rogue security tool which comes from the Fake.SpyPro family that was represented by Antivirus.NET scam up till now. AntiVira Av is pushed through blackhat social engineering and fake SEO techniques which assure the malicious code is invisibly embedded into the structure of a potential host operating system. The most typical features of AntiVira Av a user may notice involve falsified system scanners that pop up right away after a targeted user boots a computer system, annoying counterfeit pop up alerts announcing multiple spyware detection facts, browser hijack and inability to execute random software programs.

AntiVira Av has typically the following processes in memory:
%Temp%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
AntiVira Av creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
HKEY_CURRENT_USER\Software\[RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"

It appears to be fixable, if the above information is correct (and it may be wrong, or incomplete).

There are several sites out there peddling "cures" for this, but I don't really trust them. I'd wait for one of the recommended sites to come out with a fix (or McAfee, of course). In the meantime, try GetSusp.
 
Upvote 0
From one of the McAfee boards:
To enter Safe Mode, restart and press F8 continuously from start-up. (You will need to enter Safe Mode WITH Networking.)

To disable System Restore, please do this:

Vista:

1. Click the Start Button.

2. From the Start menu click Control panel.

3. In Control Panel click the System Icon.

4. On the Left of the System properties window you will see a list of Tasks, click on the System protection link.

5. In the System Protection window remove the 'Tick' mark from beside the drive you want to disable system restore on.

6. A message will now appear asking: 'Are you sure you want to turn System restore off'.

7. Press the Turn System restore Off button.

8. System Restore will now be turned off permanently on that particular drive.

9. To re-enable System Restore (once this is sorted out), just click your mouse in the box next to the drive you require System Restore to monitor (a tick will appear in the box), then click the Apply button and System Restore will resume monitoring the drive.

Please reply when you've done both of these.

Thanks.
Doesn't seem to me like that removes anything - but the following, manual removal method might just do the trick - same thread:
(first part is done in Task Manager, second part in Registry Editor)
This is what is known so far :
AntiVira Av Description
AntiVira Av (alias Anti-Vira Av) is the latest rogue security tool which comes from the Fake.SpyPro family that was represented by Antivirus.NET scam up till now. AntiVira Av is pushed through blackhat social engineering and fake SEO techniques which assure the malicious code is invisibly embedded into the structure of a potential host operating system. The most typical features of AntiVira Av a user may notice involve falsified system scanners that pop up right away after a targeted user boots a computer system, annoying counterfeit pop up alerts announcing multiple spyware detection facts, browser hijack and inability to execute random software programs.

AntiVira Av has typically the following processes in memory:
%Temp%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
AntiVira Av creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[RANDOM CHARACTERS].exe"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PhishingFilter "Enabled" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyServer" = "http=127.0.0.1:33921"
HKEY_CURRENT_USER\Software\[RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "ProxyEnable" = "1"
It appears to be fixable, if the above information is correct (and it may be wrong, or incomplete).
Elsewhere it then suggests repeating the AntiVira AV process removal in Task Manager:
%Temp%\[RANDOM CHARACTERS]\[RANDOM CHARACTERS].exe
%Temp%\[RANDOM CHARACTERS]

EDIT: See you found the same McAfee thread.
 
Upvote 0
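The McAfee write-up quoted in the two posts above lists the rogue tool's indicators with "[RANDOM CHARACTERS]" as a placeholder, which is not something you can type into a search box. The script below is an added example, not code from this thread or from McAfee; it assumes Windows PowerShell (2.0 or later) is installed on the infected machine, which is an assumption for an XP Home box. It is read-only: it keys on where things live (%TEMP%) and on the exact proxy and phishing-filter values the write-up names, and prints what it finds so you can confirm each item in Task Manager and Registry Editor before removing anything.

```powershell
# Added example (not from the thread or McAfee). Read-only audit of the AntiVira Av
# indicators quoted above. Assumes Windows PowerShell 2.0+ on the affected machine.
$findings = @()

# 1. HKCU Run entries whose command line launches from a Temp folder.
#    Matching on the folder sidesteps the "[RANDOM CHARACTERS].exe" placeholder:
#    the thread's point is that nothing legitimate autostarts from %TEMP%.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($prop in $run.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ... added by the provider
        if ([string]$prop.Value -like '*\Temp\*') {
            $findings += ("Run entry launches from Temp: {0} = {1}" -f $prop.Name, $prop.Value)
        }
    }
}

# 2. WinINet proxy enabled and pointing at the local machine
#    (the "http=127.0.0.1:<port>" pattern from the write-up).
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    $findings += ("ProxyEnable = 1, ProxyServer = {0}" -f $inet.ProxyServer)
    if ([string]$inet.ProxyServer -match '127\.0\.0\.1|localhost') {
        $findings += "ProxyServer points at the local host: browser traffic is being relayed through a local process"
    }
}

# 3. Internet Explorer phishing filter switched off.
$pfKey = 'HKCU:\Software\Microsoft\Internet Explorer\PhishingFilter'
$pf = Get-ItemProperty -Path $pfKey -ErrorAction SilentlyContinue
if ($pf -and $pf.Enabled -eq 0) {
    $findings += "IE PhishingFilter\Enabled = 0"
}

# 4. Executables anywhere under %TEMP%, with size and timestamp so the newest stand out.
$tempExes = Get-ChildItem -Path $env:TEMP -Recurse -Filter '*.exe' -ErrorAction SilentlyContinue
foreach ($exe in $tempExes) {
    $findings += ("Executable in Temp: {0} ({1} bytes, modified {2})" -f $exe.FullName, $exe.Length, $exe.LastWriteTime)
}

# 5. Running processes whose image lives in a Temp folder (what to look for in Task Manager).
foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.Path } catch { }      # Path is unreadable for some system processes
    if ($path -and $path -like '*\Temp\*') {
        $findings += ("Running from Temp: PID {0} {1} ({2})" -f $proc.Id, $proc.ProcessName, $path)
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No AntiVira Av indicators found in HKCU, %TEMP%, or running processes."
} else {
    Write-Output "Indicators found (confirm each by hand before removing anything):"
    foreach ($f in $findings) { Write-Output ("  - " + $f) }
}
```

Run it from Safe Mode with Networking, the same way the thread recommends for the manual steps. Because it only reads the registry and file system, it cannot make the situation worse, and an empty result after cleanup (in particular no Run entry from Temp and ProxyEnable back to 0) is a reasonable check that the manual removal took.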
I found all that commentary about "[RANDOM CHARACTERS].exe" but cannot figure out what the fuck it means. If I were to remove all the filenames that seem like random characters with .exe at the end, I think I'd lose half my software.
 
Upvote 0
MaxBuck;1871312; said:
I found all that commentary about "[RANDOM CHARACTERS].exe" but cannot figure out what the fuck it means. If I were to remove all the filenames that seem like random characters with .exe at the end, I think I'd lose half my software.
Good point if things were being actively deleted.

But, all that is being advised (as far as I can tell) is to remove processes from memory, and associated registry entries from RegEdit.
(You leave up and running core systems of known merit).

The other tool they recommend in that thread may be helpful in getting additional clarification from those McAfee tech mods.

GetSusp: The .zip attachment on the first post in this thread:
 
Upvote 0
Just finished clearing it off of my machine. You have to get it started to kill the memory process. It's pretty obvious if you spend any time looking at your task manager.

I then went into regedit and got rid of the stuff suggested above. After that I did a system restore to finish up. Looks like it got everything.


EDIT: Getsusp doesn't appear to recognize the non active piece of this virus. I have some software that I'm trying to open this bug up with. I'm hoping to figure out a way to get this thing to go away for good. Right now I'm expecting it to pop up again.
 
Upvote 0
The random executables are in your temp folder (%TEMP% is the environment variable for it). Generally, you should be able to clear anything you want out of the Temp folder safely. No legitimate software should install itself there.

MaxBuck;1871312; said:
I found all that commentary about "[RANDOM CHARACTERS].exe" but cannot figure out what the [censored] it means. If I were to remove all the filenames that seem like random characters with .exe at the end, I think I'd lose half my software.
 
Upvote 0
CleveBucks;1871400; said:
The random executables are in your temp folder (%TEMP% is the environment variable for it). Generally, you should be able to clear anything you want out of the Temp folder safely. No legitimate software should install itself there.
In the case of our attack, there were no .exe files in any Temp folder.
 
Upvote 0
OK, for anyone faced with this problem, here's what worked for me.

  1. Downloaded MalwareBytes (shareware) onto a flash drive using another computer
  2. Booted up infected computer in safe mode with networking
  3. Transferred MalwareBytes setup file from flash drive onto desktop of infected computer
  4. Set up MalwareBytes on infected computer and ran it while in safe mode
MalwareBytes indicated three infected files, which it allowed me to delete. After that, re-booted (not in safe mode), with no more infection.
 
Upvote 0