Author Topic: Infected by " Live security platinum " malware  (Read 16627 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Infected by " Live security platinum " malware
« Reply #15 on: July 20, 2012, 03:06:13 PM »
The website was infected. Normally Avast will catch these, so it must be a new one.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


    Quote
    :OTL
    FF - prefs.js..network.proxy.http: "92.48.119.17"
    FF - prefs.js..network.proxy.http_port: 8080
    [2012.07.18 22:01:23 | 000,000,000 | ---D | C] -- C:\ProgramData\7531CCA90009086700001BDCF875EF60
    @Alternate Data Stream - 1176 bytes -> C:\Program Files\Common Files\System:xdUITtUCd4sMOgeiObr
    @Alternate Data Stream - 1060 bytes -> C:\Users\Miro\AppData\Local\3l7xhv069RHtkp:QE2sooiDRhau1n5tzF7hVcNuNg
    @Alternate Data Stream - 1035 bytes -> C:\ProgramData\Microsoft:kCSIWeCOnippFdTcvtNOP26rcR
    @Alternate Data Stream - 1018 bytes -> C:\ProgramData\Microsoft:FqgqysJtH4Mx2S9C3JWp4C

    :Files
    ipconfig /flushdns /c
     
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
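
An added example, not part of the original post and not an OTL feature: a small Python triage pass over log lines in the format quoted in the fix above. It pulls out the Alternate Data Stream entries and the Firefox proxy preferences, and marks proxy entries for confirmation with the user before they go into a fix, since a proxy can be a setting the user entered deliberately. The function name `triage` and the result fields are assumptions; the sample lines are constructed from the entries shown in this thread.

```python
import re

# Constructed sample in the shape of the OTL log entries quoted in this thread.
SAMPLE_LOG = r'''
FF - prefs.js..network.proxy.http: "92.48.119.17"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..browser.startup.homepage: "about:home"
[2012.07.18 22:01:23 | 000,000,000 | ---D | C] -- C:\ProgramData\7531CCA90009086700001BDCF875EF60
@Alternate Data Stream - 1176 bytes -> C:\Program Files\Common Files\System:xdUITtUCd4sMOgeiObr
@Alternate Data Stream - 1018 bytes -> C:\ProgramData\Microsoft:FqgqysJtH4Mx2S9C3JWp4C
'''

ADS_RE = re.compile(r'^@Alternate Data Stream - (\d+) bytes -> (.+)$')
PREF_RE = re.compile(r'^FF - prefs\.js\.\.([\w.]+): (.+)$')


def triage(log_text):
    """Return ADS and proxy findings from OTL-style log text (hypothetical helper)."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ADS_RE.match(line)
        if m:
            path = m.group(2)
            # Skip the drive-letter colon; the next colon separates host and stream,
            # because ':' cannot appear inside an NTFS file or directory name.
            drive, rest = path[:2], path[2:]
            host, sep, stream = rest.partition(":")
            if not sep:
                continue  # no stream separator, not an ADS entry
            findings.append({"kind": "ads", "host": drive + host, "stream": stream,
                             "bytes": int(m.group(1)), "confirm_with_user": False})
            continue
        m = PREF_RE.match(line)
        if m and m.group(1).startswith("network.proxy."):
            # Proxy settings may be intentional, so they are flagged for confirmation.
            findings.append({"kind": "proxy", "pref": m.group(1),
                             "value": m.group(2).strip('"'),
                             "confirm_with_user": True})
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```
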

miro8

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #16 on: July 23, 2012, 08:00:29 AM »
The proxy you typed is the one I really use inside firefox, it's manually typed.

What could be the site that infected my PC?

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5666
  • Spartan Warrior
Re: Infected by " Live security platinum " malware
« Reply #17 on: July 23, 2012, 08:30:13 AM »
    Quote
    The proxy you typed is the one I really use inside firefox, it's manually typed.

    What could be the site that infected my PC?

Hi miro8,

There is a big difference between any antivirus detecting a virus or malware and "ignoring" it.  For the first, the malware must be known, and a detection written into the virus database to protect you and other users from it.  For the second, 'ignoring' is not possible, as when a virus, a rogue program (in your case), or malware gets on your system, it is because there is no detection signature for it as it is so new.  Avast! and other antivirus programs cannot see it unless they are told to, and so cannot prevent it from installing and running on your system. 

It is a cat-and-mouse game that has gone on for a long time now between the good guys and the bad guys, and unfortunately, this bad thing happened to you.  The good guys can help, but they cannot prevent all bad things from happening, as catch-up is the operative word here.

So the fix here is to be careful where you surf in the future, as even known good sites can get infected with this sort of stuff, and this sort of stuff will take advantage of obsolete or out-of-date (unsupported) software on your system and exploit that software to infect you.

So it can be any website that caused your problem, but you may have out-of-date software on your system.  (See below)

Adobe software and Sun Java are the most commonly exploited software used by the bad guys to infect you when you do not keep them up-to-date.  This is complicated, but it is enough to say that Avast! cannot fully protect you from software weaknesses in programs that they do not own or control.  If Avast! did, then you could certainly blame Avast! for this situation, but since they do not...

true indian

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #18 on: July 23, 2012, 02:18:20 PM »
    Quote
    The proxy you typed is the one I really use inside firefox, it's manually typed.

    What could be the site that infected my PC?

Don't worry miro8...probably essexboy will ask you to upload the infected file to Avast at the end of the fixing  ;D

miro8

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #19 on: July 23, 2012, 03:00:55 PM »
Haha, I think I wouldn't be able to do that  8)

Offline essexboy

Re: Infected by " Live security platinum " malware
« Reply #20 on: July 23, 2012, 05:15:32 PM »
How is the computer behaving now?

miro8

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #21 on: July 24, 2012, 08:32:08 AM »
It's good now. I fixed it by following the guide on the link because I was in a rush that evening. I didn't try with OTL, but still, thank you very much for posting the removal guide.

I haven't noticed any serious problems since. I uninstalled Avast before cleaning the PC with tools, then installed it again, and now I have Avast and trial Malwarebytes Anti-Malware together.

The only thing I noticed is that some sites get completely blocked.

I will still keep monitoring this situation.

true indian

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #22 on: July 24, 2012, 11:05:33 AM »
Well! I guess you got infected with the new icon variant of the Live Security rogue...Avast has detections for these variants now..

The problem is that these fake AVs and other malware change on a daily basis..I would recommend you run Malwarebytes PRO with Avast

that would prevent these attacks...MBAM is a great sidekick to your AV....what Avast doesn't have detection for, MBAM will get...I would recommend you buy MBAM Pro [Really cheap] and it's worth the money!!  ;D

I have my own clients running Avast and MBAM Pro and they never got infected and never turned up back again..
« Last Edit: July 24, 2012, 11:07:42 AM by true indian »

miro8

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #23 on: July 24, 2012, 01:25:58 PM »
And how about Avast Pro? Maybe Pro had protection.  8)

true indian

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #24 on: July 24, 2012, 01:50:29 PM »
    Quote
    And how about Avast Pro? Maybe Pro had protection.  8)

Avast Free, Pro and IS have the same engines...they provide the same high quality protection..just Pro and IS have more features than Free...but the additional features in Pro and IS are SafeZone...manual sandboxing availability..so the additional features in Pro and IS are to be manually used by the user  ;)

Anyway I feel you like Avast Pro...go for it then  :D  I switched 2 of my family members to them...1 to Pro and 1 to IS... :) all have MBAM Pro running alongside  ;)

miro8

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #25 on: July 27, 2012, 04:30:40 PM »
Why do I hear "avast virus database has been updated" twice?

The message about the update is shown only on the second voice.  ::)

CptSternn

  • Guest
Re: Infected by " Live security platinum " malware
« Reply #26 on: August 31, 2012, 11:11:28 AM »
I just had two friends of mine, to whom I had recommended Avast, bring their laptops to me infected with Live Security Platinum in the past two days.  Both had the newest version of Avast installed with the most recent updates.  You can even run Avast and do a quick scan/full scan/boot scan and it does not fix the issue.

Needless to say, they were not impressed.

Here is the issue - it is another case of people visiting websites which have been hacked.  Both got the virus from online forums.  They logged onto the forums and a popup window said they had a virus and to click here to fix it; that of course was a ruse, and it installs the actual virus/trojan.  Avast for some reason never flagged it, and it boots into memory before Avast and stops you from opening MSCONFIG, REGEDIT, a list of other antivirus products, and the uninstall screens.

The one thing Avast does have going for it is that it doesn't stop updates.  I have seen this before on a PC last week and it stops McAfee from even starting or updating, blocking the update websites, and keeps you from downloading it in your browser.  They seem to have ignored Avast, as Avast runs perfectly; it just doesn't see it as a threat.

I used the Sysinternals Process Explorer (procexp.exe) to fix the issue.  First you have to rename it as EXPLORER.EXE, as the virus will block it since it is set up to stop it as well, but if you rename it as EXPLORER.EXE it will let it run.  You can then kill the Live Platinum process, and you will find the location in your User folder, with a random folder and filename, which you can then delete.  After killing it you can also remove it from the startup using msconfig.

Ye need to get this sorted though, and quick, as if I have already seen three of these in a week it does not bode well for what's to come if ye leave it unchecked.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: Infected by " Live security platinum " malware
« Reply #27 on: August 31, 2012, 11:21:13 AM »
There is a nice write-up about this here from Stelian Pilici: http://malwaretips.com/blogs/live-security-platinum-virus/
Victims are advised to seek help from a qualified removal expert, like essexboy etc., to guide the removal routine.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!