Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Mike9812 on May 23, 2010, 12:47:38 AM
-
Today, a rogue anti-virus infected my HP Slimline. It is secured with Avast! PRO Anti-virus. The rogue antivirus was named "My Security Engine". When I tried to access Avast!, it was completely disabled. When I pressed "Fix Now" it wouldn't turn on; the same with the "Real time Shields", it was all turned off. Luckily, I had one more anti-malware program. Malwarebytes Anti-Malware was able to detect and delete the rogue antivirus that somehow got on my computer and disabled Avast! Pro Anti-virus. The same happened with a TrojanDownloader:Win32 that appeared on my Dell Inspiron 1545, and Avast! PRO Antivirus was disabled. Again Malwarebytes Anti-Malware saved me. So WHY does Avast! get disabled and not turn on when I need it the most, when my computer is attacked?
What is the use of having Avast! Pro Anti-Virus when a virus just kills it?
Michael Sanangelo - Ohio, USA
-
Just one question: what do you mean by "somehow"? When you're talking about the way the rogue got downloaded, you have absolutely no idea?
How Avast reacted is another question, and that's unfortunately not the first time I hear that it doesn't block rogue downloads and actions.
-
Just one question: what do you mean by "somehow"? When you're talking about the way the rogue got downloaded, you have absolutely no idea?
How Avast reacted is another question, and that's unfortunately not the first time I hear that it doesn't block rogue downloads and actions.
The thing is, I haven't used that HP Slimline in a few months; I use my laptop 24/7. I just got on today to get all my pictures off onto a USB, then out of nowhere this rogue starts installing. I used to play video games on that computer all the time, but I scanned mostly every file before opening. That's not the issue at hand here. The issue is Avast! Anti-Virus PRO does not work when I need it the most. The virus just turns it off and it won't re-enable itself, even after pressing "fix now" or "start program".
-
Try using SuperAntiSpyware or MBAM to remove the rogue program.
-
calc,
you might want to reread the OP's first post. He already got rid of the rogue with Malwarebytes ~wink~
He is asking why Avast didn't catch it and was shut off.
Rogue AVs are a major thorn in all legitimate AVs' side, in my opinion.
Sat
-
Here is one reason why it didn't stop this one getting on:
- Fake antivirus overwhelming scanners. Whilst this is an old article, the trend is still there.
http://news.techworld.com/security/3203072/fake-antivirus-overwhelming-scanners/
The reason for the growth in numbers is what is known in technical terminology as 'polymorphism', an old defence technique which involves changing the binary checksum of every copy (or download) of a piece of malware. This makes it much more difficult for antivirus programs to detect the programs.
-
Here is one reason why it didn't stop this one getting on:
- Fake antivirus overwhelming scanners. Whilst this is an old article, the trend is still there.
http://news.techworld.com/security/3203072/fake-antivirus-overwhelming-scanners/
The reason for the growth in numbers is what is known in technical terminology as 'polymorphism', an old defence technique which involves changing the binary checksum of every copy (or download) of a piece of malware. This makes it much more difficult for antivirus programs to detect the programs.
I read that article, I get it a little more now. In fact, I just downloaded SuperAntiSpyware portable edition onto my USB to use in case my computer gets infected again and I don't have MBAM.
-
The thing is, I haven't used that HP Slimline in a few months; I use my laptop 24/7. I just got on today to get all my pictures off onto a USB, then out of nowhere this rogue starts installing. I used to play video games on that computer all the time, but I scanned mostly every file before opening. That's not the issue at hand here...
I don't agree with that, sorry. Rogues don't come just like that ::)
-
1. If Avast didn't detect it, that doesn't mean it is 100%.
Because no AV gives 100% protection ;D
2. If you have the Pro version of Avast, why didn't you use the Sandbox?
Doesn't the Sandbox make Avast look cooler O.O?
-
The thing is, I haven't used that HP Slimline in a few months; I use my laptop 24/7. I just got on today to get all my pictures off onto a USB, then out of nowhere this rogue starts installing. I used to play video games on that computer all the time, but I scanned mostly every file before opening. That's not the issue at hand here...
I don't agree with that, sorry. Rogues don't come just like that ::)
I'm not kidding. Explain to me how a rogue gets there when I haven't used that computer in more than 5 weeks.
-
The rogue program installs when you download it and run its installer. It can't infect a computer from nothing. If you don't remember what you installed last time, then that is another thing. Maybe someone else used it.
-
Have you checked the USB stick you used ?
-
Have you checked the USB stick you used?
Yeah, I scanned it with SuperAntiSpyware before I put it in, and after I got infected. Results = Clean.
-
Use Malwarebytes:
http://www.malwarebytes.org
-
The free version, I mean. Update it fully and do a full scan with it, and post the log here for people to help you!
-
The free version, I mean. Update it fully and do a full scan with it, and post the log here for people to help you!
Here is the log with the rogue (My Security Engine):
--------------------------------------------------------------
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4091
Windows 6.0.6000
Internet Explorer 8.0.6001.18904
5/22/2010 3:12:06 PM
mbam-log-2010-05-22 (15-12-06).txt
Scan type: Full scan (C:\|)
Objects scanned: 14987
Time elapsed: 10 minute(s), 40 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
C:\ProgramData\b28aff4\MSb28a.exe (Rogue.Installer) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my security engine (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\ProgramData\b28aff4\MSb28a.exe (Rogue.Installer) -> Quarantined and deleted successfully.
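The log above shows the two artifacts that matter for this infection: a Run value under HKEY_CURRENT_USER that re-launches the rogue at every logon, and the executable it points to, sitting in a hex-named directory under C:\ProgramData. The following is an added example (not code from the post, from Malwarebytes or from Avast) that parses this MBAM log format into structured findings and applies two assumed heuristics, flagging Run/RunOnce persistence values and executables that live under ProgramData/AppData in randomly-named directories. The sample input is the log excerpt from the post itself; the regexes, thresholds and function names are my assumptions, not anything defined by MBAM.

```python
import re
from dataclasses import dataclass

# Detail section of the MBAM 1.46 log posted above (copied from the post, not constructed).
MBAM_LOG = r"""
Memory Processes Infected:
C:\ProgramData\b28aff4\MSb28a.exe (Rogue.Installer) -> Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\my security engine (Rogue.Installer) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\ProgramData\b28aff4\MSb28a.exe (Rogue.Installer) -> Quarantined and deleted successfully.
"""

# Assumed layout of an MBAM 1.x detail section: a "<Name> Infected:" header,
# then one "<target> (<family>) -> <action>" line per finding.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
FINDING_RE = re.compile(r"^(?P<target>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")

# Assumed heuristics: logon-persistence keys and short hex directory names.
RUN_KEY_RE = re.compile(
    r"^(HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\SOFTWARE\\(WOW6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\(?P<name>.+)$",
    re.IGNORECASE,
)
HEX_DIR_RE = re.compile(r"^[0-9a-f]{6,8}$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    target: str
    family: str
    action: str


def parse_mbam_log(text):
    """Turn the detail section of an MBAM log into a list of Finding records."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if not line or line.startswith("(No malicious") or section is None:
            continue
        hit = FINDING_RE.match(line)
        if hit:
            findings.append(Finding(section, hit.group("target"),
                                    hit.group("family"), hit.group("action")))
    return findings


def autorun_name(target):
    """Return the value name if the registry path is a Run/RunOnce entry, else None."""
    m = RUN_KEY_RE.match(target)
    return m.group("name") if m else None


def suspicious_path(path):
    """Reasons a file path looks like a dropped payload rather than installed software."""
    parts = path.split("\\")
    dirs = [p.lower() for p in parts[1:-1]]   # drop drive letter and file name
    reasons = []
    if "programdata" in dirs or "appdata" in dirs:
        reasons.append("executable lives under a user-writable data directory")
    if any(HEX_DIR_RE.match(d) for d in dirs):
        reasons.append("parent directory name looks randomly generated (hex)")
    return reasons


def triage(text):
    """Summarise persistence and payload locations from an MBAM log."""
    report = {"autoruns": [], "suspicious_files": {}}
    for f in parse_mbam_log(text):
        if f.section == "Registry Values Infected":
            name = autorun_name(f.target)
            if name:
                report["autoruns"].append(name)
        elif f.section in ("Files Infected", "Memory Processes Infected"):
            reasons = suspicious_path(f.target)
            if reasons:
                report["suspicious_files"][f.target] = reasons
    return report


if __name__ == "__main__":
    for key, value in triage(MBAM_LOG).items():
        print(key, value)
```

Running it over the posted log reports one autorun value ("my security engine") and one suspicious executable (C:\ProgramData\b28aff4\MSb28a.exe, flagged for both the ProgramData location and the hex directory name). The same two checks can be run directly against a live box by enumerating the Run keys with `reg query`, which is what a responder would do before rebooting, because a Run value that survives means the rogue comes back at next logon.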
-
Just a question, are you using the 5.0 version of Avast? Because Avast is supposed to be resistant to malware that tries to shut it down...
Maybe you got a window like this: http://help.artaro.eu/images/general/avastfree70.jpg and you clicked "Yes", not knowing what it was. Otherwise, if you're using v5.0 and didn't get the window, then I think it should be checked out, as something went wrong in the process...
Al968
-
The free version, I mean. Update it fully and do a full scan with it, and post the log here for people to help you!
Here is the log with the rogue (My Security Engine):
(MBAM log quoted above)
Any changes after removing these?
-
Did you enable the avast! Self-defense module in Settings?
-
Did you enable the avast! Self-defense module in Settings?
Umm, not sure.
-
OK, I'm a first-time user of this forum, and I have been reading this thread.
My background:
Computer tech for the last 15 years.
I just got infected for the first time since Nov 2005.
I browsed to a site with Firefox, nothing popped up, but the computer's CPU use hit 100% and then bam: the dreaded "anti-spyware" message. No, I did not click on anything. This gentleman here got this somehow, but to sway from judgement, he may be correct. As with all my clients: out of the last 5 infections I've cleaned, 4 claim not to have clicked on anything but a link.
I have all my clients on Avast. I have stuck by them, but now I'm looking into other antivirus providers. These attacks make me good money, but I can't in good conscience keep allowing this to happen.
I'm also moving to Chrome on all browsers based on the pwn2own results. Even if it's a new browser and we haven't seen it for long enough, it still has the fewest exploits, especially from this destructive and easy attack.
Avast: I and my associates here in Tucson, AZ have sold hundreds of licenses for you, for over 5 years. Find a resolution to this "grayware" issue (this wasn't grayware). As of today, my loyalty changes; if you want to keep my business, act now. In one year all of my clients will be switched.
-
As with all my clients: out of the last 5 infections I've cleaned, 4 claim not to have clicked on anything but a link.
Yeah, but that's not "I didn't do anything". They clicked the link. A script ran on access to the site, and malware installed.
Please, I'm not starting a flame war here; I totally agree with you that the A/V or whatever else you have installed to stop these threats should have done so before it got installed on the machine.
I'm more or less directing this towards the OP. He stated that he didn't do anything with the computer for a long time, and when he started it up, it had malware. Obviously, something was done to get the virus in the first place, be it visiting a website, plugging in an infected flash drive, or whatever else.
-
OK, I'm a first-time user of this forum, and I have been reading this thread. [...]
I have all my clients on Avast. I have stuck by them, but now I'm looking into other antivirus providers. These attacks make me good money, but I can't in good conscience keep allowing this to happen. [...]
No Antivirus product will offer 100% detection. That's a fact. But that's why avast introduced the sandbox/process virtualization in their paid versions. It contains all threats, so only the virtual 'computer' will be infected. Then when you close the browser you wipe out all the contents so your real system doesn't get infected. Were you browsing in a sandboxed browser?
-
It's easy to prevent this type of infection. If you use AIS then use the Sandbox, like GloobyGoob suggested, and if you are using the free version then use Sandboxie, and you'll never have to worry about this type of infection. All AVs are terrible against rogues, and I mean all of them, so do yourself a favor and start using one or the other.
Bo
-
I know this is an old thread, but after fixing 25+ PCs with these variants I have found a way to fix it. All of the above only work partially. In fact, new variants as of September auto shut down Malwarebytes, SuperAntiSpyware full and portable, RemoveFakeAV 1.69, McAfee Stinger, and pretty much bypass or disable all commercial AV products like Trend Micro, AVG Pro, Avast Pro, Panda, Norton and NOD32. The signs of infection are clicking a link from a normal Google search and ending up in a web page of another search engine showing additional links, or ending up in a web page on an irrelevant topic. Secondary signs are running SuperAntiSpyware portable and having it shut down automatically during the scan, or trying to launch Malwarebytes and nothing happens.
Fix: uninstall the current antivirus software (which doesn't work anyway) and download AVG Free, SuperAntiSpyware free and portable, and Malwarebytes. If possible, download the ***manual updates*** for each of these. It'll take a few attempts to get to these web pages as the rogueware will try to divert your searches. After downloading these files, install them but do not start or update the programs. Instead, reboot into safe mode without a network connection and then run a full sweep, starting with the SuperAntiSpyware installed version, then Malwarebytes. If the software says it needs to reboot to remove and you haven't finished the sweep with the other software, reboot but go straight back into safe mode.
After both software sweeps are finished, reboot normally and run the SuperAntiSpyware portable. If the portable shuts down automatically during its scan, you are still infected; also, Malwarebytes will not start. Most of the rogueware will have been removed, however, so run a full AVG clean and then test with the portable again. The system should be free of rogueware.
EDIT*: this rogueware appears to be able to jump to computers on the same network if there are loose permissions, even computers that are governed by domain controllers. Before purging these nasties, unplug the network cable or wireless antenna. Hope this helps someone.
-
"Fix: uninstall current antivirus software (which doesn't work anyway) and download AVG Free." Why in the world should the OP install AVG? If this rogue was able to bypass Avast, I'm pretty sure that it would probably do the same with AVG; plus the OP had originally said in the first post that he removed the rogue with Malwarebytes anyway. No AV is 100% safe, and that's why a layered approach to security is best, so having Malwarebytes Pro running in real time with Avast would be a much better solution IMO, along with a decent firewall.