Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: iga on August 07, 2008, 01:48:07 PM

Title: Can Avast stop this virus or adware?
Post by: iga on August 07, 2008, 01:48:07 PM
Can Avast stop this virus or adware?
It downloads and installs on your PC after you click into a website. I'm worried about people,
because I have Sandboxie and it traps it with no problems, but what about people that don't have Sandboxie?

I got hit by this thing before when I did not have Sandboxie, and Avast at that time did not stop this,
and it did some bad things to my PC at that time, but I did format it; it was a while ago.

Avast does not seem to see this. Any clue as to why?
Title: Re: Can Avast stop this virus or adware?
Post by: Lisandro on August 07, 2008, 02:58:25 PM
You can search the avast virus database for that particular malware, although there isn't an international convention about virus naming...
But it seems more ad than real protection... some antivirus promise more than they can actually do and 'alert' about protection just for you to buy their product...
Title: Re: Can Avast stop this virus or adware?
Post by: DavidR on August 07, 2008, 03:33:24 PM
Something in the application made my nose twitch, as I think it is scam/scumware, http://www.google.co.uk/search?q=power+antivirus+2009 so it isn't technically a virus; it does detect some of these fake alerts.

However if you have a sample then send it to avast. Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version. Or MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml. Or this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php.
Title: Re: Can Avast stop this virus or adware?
Post by: Rick F on August 07, 2008, 07:37:42 PM
It's not a virus per se, but a rogue AV.

I've been dealing with this Rogue AV (Power Antivirus 2009) too for the past two days.  Still not really sure it's actually on my PC, but maybe a website I was trying to go to thru Google search or Yahoo search (it's not just google) that's been hijacked. It's only when I search for a certain restaurant (which will remain nameless in case that site has been hijacked) that I see 3 pop-ups.  I've run 'MalwareBytes' (http://www.malwarebytes.org/forums/index.php?showtopic=5178), which is supposed to remove any and all files of this rogue... including registry items.  Malwarebytes told me no infected files found.  Also ran SAS (SuperAntispyware) that David suggests; Trojan Remover; SpyBot S+D; CCleaner; VundoFix; Avast full scan; even avast's rootkit scan.  Nothing is ever found.  When I saw the popups, no matter what you click it opens another window that looks like an online scan. BUT... by then I've already stopped internet activity by clicking internet lock on ZoneAlarm.  When that popup shows and I stop internet traffic, I get an alert from ZoneAlarm saying, "Webscanner (avast) tried to receive data from the Internet" - then shows an address (I won't post that address here for obvious reasons). I did a DNS lookup for that address and it's located in St. Petersburg Russia.  Not sure if this is a static address but could be dynamic (and change). I've added that web address it tries to go to into my browser 'restricted' area AND to my HOSTS file.

I have a thread (http://www.bleepingcomputer.com/forums/topic161845.html) started in the Bleepingcomputer forum for some help with my HJT log.  So far no one has answered with a reply.  But to my eyes, I don't see any erroneous entries.  There are 3 thumb images at the bottom of my post in that thread if you want to see them. I was only able to attach 2 of those to this post due to size constraints.

So beware folks!!!  If you see a popup like this close your browser and don't click on anything.  I would also stop any internet traffic.  This is a phishing scheme to be sure.  Don't be lured into purchasing their product. Everything I've read on this says it's 'ROGUE'. From reading about this one, one of the files they identify as being a virus is "CMD.com".   

I would love to provide samples of this threat to alwil team, but so far I can't find any of those files.  Here's hoping my experience was just with a hijacked website I was trying to go to.

Title: Re: Can Avast stop this virus or adware?
Post by: jesydney on August 08, 2008, 10:20:05 AM
I've had to clean this phish off a few PCs and no antivirus can detect it. S&D will clean it but it will reappear.
It creates a hidden self-perpetuating exe in the registry.
I thought I'd cleaned it, gave the PC back, and 2 days later got a call with the popup.

However, there is one circumstance that you can stop it and others like it in future.

If the popup appears, DO NOT CLICK ANYWHERE in the popup window, not even the little x at the top right hand corner. The mouse click will initiate a hidden self-copy exe together with modding the IE host.
Save all your opened files immediately. DO NOT SHUT DOWN with Windows BUT by holding the power button on the PC itself. Pressing the reset button only resets the system, and on some mobos it does not clear the RAM, where this rogue AV resides. Power off at the wall after the PC power is down. Leave it for 1 min.

If the above does not work, your hard disk needs to be physically taken out to another PC to be scanned offline by Avast.
There would also be a directory called Antivirus2009 in the Program Files folder; delete it. You can only delete this offline.
Before taking out the HDD, start it in safe mode, run msconfig, and in Startup stop any process that has a whole lot of numbers and also any process that does not have any information. Exit and save without restarting. Just shut down. Take out the HDD to scan from another PC.

Depending on how long the malware has resided in the system, there might be side effects to Windows because the malware makes adjustments to system DLLs. If funny things happen during normal Windows ops, then there is only one way out, the dreaded rebuild..

Title: Re: Can Avast stop this virus or adware?
Post by: iga on August 08, 2008, 01:03:24 PM
Thanks guys

I would love to provide some samples of this Antivirus 2009 to the alwil team,
but as I said I can not, because I am using Sandboxie and my sandbox traps anything
that tries to get onto my PC!!
It's because of scumware like this that I said to myself, right, that's it, I'm going to use Sandboxie
and run my browser within a sandbox!

It is very bad scumware. I have also had to clean this out of some of my friends' computers;
they were giving out about this scumware, adware, whatever it is.
I put a-squared on their PCs and that does a very good job in finding it and killing it. Also I told them to install Sandboxie and they will not have this problem again if they run their browser in the sandbox, and all of them use Avast Antivirus 4.8 also.

It would be good if Avast or any other antivirus out there could stop this kind of scumware, maybe down the road, maybe!

Thanks guys!
Title: Re: Can Avast stop this virus or adware?
Post by: Lisandro on August 08, 2008, 03:07:02 PM
It would be good if avast or any other antiviruses out there could stop this kind of scumware maybe down the road maybe!
Try RogueRemover that David posted on #2.
Title: Re: Can Avast stop this virus or adware?
Post by: Jeleal on August 08, 2008, 03:38:05 PM
I was told ThreatFire kills the process for Antivirus XP 2008, which is also considered rogue malware, but I don't know how it would fare with this one.
Title: Re: Can Avast stop this virus or adware?
Post by: Rick F on August 08, 2008, 03:56:18 PM

Try RogueRemover that David posted on #2.

I ran that (MalwareBytes) and it didn't find anything. But I think that's because I don't have the actual rogue software on my HDD. If I did, then Malwarebytes could possibly remove any registry items along with the rogue software. Finding no files on the HDD, MalwareBytes doesn't look in the registry. Not sure though. The only time I get this image (too big to attach so hosted elsewhere)....

(http://i6.photobucket.com/albums/y240/rnfloyd/sshot-2.jpg)

... is when I try to visit a website that I've searched for through the Google or Yahoo search engine.  This is the only time I see that window load.  I don't click on it (no cancel or close), but engage my firewall interlock to stop traffic (right-click ZoneAlarm).  I never did see the image posted by 'iga' who started this thread... which looks like the actual software trying to run.  I'm thinking that the site I was trying to visit has been hacked.

I still haven't recv'd any followup posts on my thread (http://www.bleepingcomputer.com/forums/topic161845.html) I started on BleepingComputer with my DSS and HJT logs.

I sent an email to virus<at>avast with any information I have on this so they can add protection to the 'webshield'.  I always have the webshield turned on.
Title: Re: Can Avast stop this virus or adware?
Post by: olddog on August 08, 2008, 05:22:18 PM
Rick F,

The scan.power-Antivirus-2009 screen shot you show is coming up on computers all over the place and as has been said, Avast, Rogue Remover, Malwarebytes, Superantispyware, Spybot, HijackThis etc do not subsequently find any trace of residuals where either the browser has been immediately closed or where the lock has been applied in ZA, even on safemode scans.

I have attached a screen shot of blocking entries that seems to be effective in Web Shield.     
Title: Re: Can Avast stop this virus or adware?
Post by: Rick F on August 08, 2008, 08:30:43 PM
Thanks Olddog for that info.

I hadn't thought to add those addys to the webshield.  ::)  I did add it to my MVPS 'HOSTS' file - and to the restricted sites in my browser (IE).

Question... for the webshield to block those addresses, does webshield have to be set to 'customize'... or will 'normal' or 'high' setting still look for blocked URLs? Wondering because to get to the URL Blocking tab you have to click on 'customize'.  I decided to set my webshield to 'high' to see how that works.  But if I need to set it to customize, I will.

Thanks. 
Title: Re: Can Avast stop this virus or adware?
Post by: DavidR on August 08, 2008, 09:17:02 PM
I believe the Blocked URLs works on any sensitivity setting, however I have always set the web shield to High.
Title: Re: Can Avast stop this virus or adware?
Post by: Jeleal on August 08, 2008, 09:18:45 PM
I was told ThreatFire kills the process for Antivirus XP 2008, which is also considered rogue malware, but I don't know how it would fare with this one.

From what this thread mentions, this may be a newer version of Antivirus XP 2008.  I asked in PC Tools forum for someone to test ThreatFire to see if it actually does allow this to be killed.

http://blogs.msdn.com/mcampos/archive/2008/07/05/removing-the-antivirus-2009-infection.aspx
Title: Re: Can Avast stop this virus or adware?
Post by: iga on August 08, 2008, 10:56:50 PM
That's a good idea to use URL Blocking in Web Shield.
I have copied what's in your screenshot.

Do any of you have any more entries that seem to be effective in Web Shield for blocking bad things like host and others? And what does the entry look like in the blocked URL box? You use

http://*power-antivirus*
http://scan.power*

Do you guys have any more i could use that are good?

Thanks!!
Title: Re: Can Avast stop this virus or adware?
Post by: olddog on August 09, 2008, 01:16:09 AM
Rick F,

The URL blocking works at any sensitivity level in Web shield, once you tick it and add in the URLs to be blocked. I normally run my Standard shield and Internet Mail shield at High, but my Web shield at the default Normal setting.

I have tested the URL blocks I showed in my screen shot at Normal sensitivity by trying to access the URL shown in your screen shot of the offending web page, and also what appears to be an alternative URL to the same product? and Avast blocked the sites nicely. (I don't advocate deliberately trying to access potentially nasty sites like this unless you are prepared to take the consequences - this was done on an isolated test computer that contains no important data, and for which I have a complete replacement drive image)

It's my personal opinion that using the Web Shield URL blocking should be viewed more as a temporary measure until Avast includes protection for that problem in their normal updates. Whilst a few entries here should not noticeably affect performance, over zealous use might do so, and there are those who claim they can't afford to run Web Shield even without the extra blocking.     
Title: Re: Can Avast stop this virus or adware?
Post by: olddog on August 09, 2008, 02:20:25 AM
For those interested in reading some factual information about this scam software

http://www.bleepingcomputer.com/malware-removal/remove-power-antivirus-2009

Note: If you are using the URL blocks I posted earlier in this thread they will prevent you from accessing this information because of the wild cards used. It is safe to just temporarily untick the "Enable URL Blocking" in the Web shield to enable you to access the bleepingcomputer information pages.
Title: Re: Can Avast stop this virus or adware?
Post by: Rick F on August 09, 2008, 03:50:13 PM
Thanks Olddog and David,

I see by clicking on the 'Bleeping link' above that URL blocking works with it set to normal or high (see att below).  Then temporarily unticking 'URL Blocking', I can access that site again.  (This is one of the first links I found when starting to research this a few days ago.)

Question... Is there a way to add an actual address to URL Blocking?  i.e. 91.208.0.2xx (x'd out two of the numbers).  When I try to do this avast adds the 'http://' in front of the numbers.  Not sure it will work that way.

BTW, I'm thinking that maybe I didn't get a full infection of this because I use "drop my rights" for IE and OE launch.  Maybe it helps with some of these.

Thanx.
Title: Re: Can Avast stop this virus or adware?
Post by: DavidR on August 09, 2008, 05:32:59 PM
You're welcome.

Well, the first thing that avast would see is the user-friendly domain name, unless they used an IP address.

When an IP address is used it should have the http element in front of it when it is used as a URL, so I don't know if using the * wildcard before the IP address would enable you to do this.

The other consideration is where you have x'd out the last two digits (I don't know why you have done this, just for the forum, etc.): the IP address is also likely to be variable, so you could put in ?? which would represent any two characters, but if there were only two numbers in the last IP group then that would fail, as it must have three numbers.

It would still require that the domain name URL were blocked.

DMR would certainly cramp this beast's style.
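To make the wildcard entries discussed in this thread concrete (iga's `http://*power-antivirus*` and `http://scan.power*` entries, olddog's warning that they also block the bleepingcomputer removal page, and DavidR's point that `??` fails on a two-digit last IP group), here is an added Python matcher; it is not avast's code, it assumes `*` matches any run of characters, `?` exactly one character, and that the whole URL is matched case-insensitively, and the sample URLs are constructed (the `.example` host and the 192.0.2.x documentation range are fictional).

```python
import re
from urllib.parse import urlsplit

# Entries from the thread, in Web Shield URL Blocking syntax:
# '*' = any run of characters, '?' = exactly one character.
# Assumed semantics (not stated on the page): the whole URL must match,
# and matching is case-insensitive because hostnames are.
BLOCKED_PATTERNS = [
    "http://*power-antivirus*",
    "http://scan.power*",
]

# Constructed sample traffic: a fictional rogue-style URL, the real
# bleepingcomputer removal page quoted in the thread, and a harmless site.
SAMPLE_URLS = [
    "http://scan.Power-Antivirus-2009.example/scan.php",
    "http://www.bleepingcomputer.com/malware-removal/remove-power-antivirus-2009",
    "http://www.example.com/index.html",
]


def pattern_to_regex(pattern):
    """Translate one wildcard block entry into an anchored, case-insensitive regex."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))  # dots, slashes and dashes stay literal
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def first_blocking_pattern(url, patterns=BLOCKED_PATTERNS):
    """Return the first entry that blocks `url`, or None if the URL is allowed."""
    for pat in patterns:
        if pattern_to_regex(pat).match(url):
            return pat
    return None


def overblocked(urls, patterns=BLOCKED_PATTERNS, known_good=("www.bleepingcomputer.com",)):
    """URLs on known-good hosts that the list still stops: the collateral damage
    olddog describes when broad wildcards are left enabled."""
    hits = []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in known_good and first_blocking_pattern(url, patterns):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", first_blocking_pattern(url))
    print("collateral blocks:", overblocked(SAMPLE_URLS))
    # DavidR's '??' caveat: a two-digit final IP group does not match 2??.
    ip_rule = ["http://192.0.2.2??"]
    print(first_blocking_pattern("http://192.0.2.201", ip_rule))  # blocked
    print(first_blocking_pattern("http://192.0.2.20", ip_rule))   # None
```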
Title: Re: Can Avast stop this virus or adware?
Post by: Rick F on August 09, 2008, 06:43:10 PM
Thanks.

Yes, I X'd out the last two so no one on the forum would try that site.  It's a static site as I saw that same alert from my ZoneAlarm when it tried to load (St. Petersburg, Russia).
Title: Re: Can Avast stop this virus or adware?
Post by: normishmael on August 12, 2008, 05:04:11 AM
URL blocking, at least with the Ad-Blocker Firefox extension, does not work, as the fake scan never seems to show the same URL twice.
Wildcarding does not seem to work either.
I am not sure the turn-off-the-PC-with-the-on/off-button is a good or necessary idea, as it is bloody hard
on Windows.
Killing the process of your browser in Task Manager seems to be enough.
What does work is to disable JavaScript. The fake scans will not work; the merry-go-round of "Click OK to clean your computer, or cancel to proceed" does not happen.
The page will pop up, but is inert.
If you use Firefox it is even possible to do this after the hijack starts.
As far as hidden registry keys installed during the fake scans, all I know is a thorough
cleaning at Bleeping Computer did not turn anything up.
The big myth is that these things only grab you on porn sites.
Title: Re: Can Avast stop this virus or adware?
Post by: DavidR on August 12, 2008, 02:42:44 PM
If you press and hold the power off button for at least 5 seconds, that does attempt to close down a little more tidily.

I have had to do that on a number of occasions on my old system when it had effectively locked up without any really harmful issues, yes on occasion it asked to do a chkdsk (that system was formatted to FAT32 more prone to file system errors, etc.), but again no lasting issues.

There are times when there are no other options than the power button; if you have to go down that route, press and hold for at least 5 seconds and you will see that it is shutting down.

Firefox with NoScript will avoid JavaScript unless and until you explicitly give permission for scripts to be run.

If you are using XP then I would also suggest running all web facing applications, browsers, email clients, etc. under DropMyRights or run your system on a limited user account as this limits the potential damage e.g. writing to system folders and creating registry entries outside user areas.

On Vista you have UAC and you are also running as a standard user without administrator rights until you elevate the level with the administrator password, etc. I don't use Vista so I don't know if DMR runs, is needed or works under Vista.
Title: Re: Can Avast stop this virus or adware?
Post by: Rick F on August 12, 2008, 03:43:13 PM

If you are using XP then I would also suggest running all web facing applications, browsers, email clients, etc. under DropMyRights or run your system on a limited user account as this limits the potential damage e.g. writing to system folders and creating registry entries outside user areas.

I use 'DropMyRights' (http://msdn.microsoft.com/en-us/library/ms972827.aspx) and maybe that's why I didn't get the infection. Not sure, but I know it helps. I created a 'DropMyRights' for IE and OE and those icons are the ones I have on my Quick Launch toolbar. You just have to remember, when installing Windows security fixes, to use your regular browser.