Author Topic: Can Avast stop this virus or adware?  (Read 7361 times)

iga
Can Avast stop this virus or adware?
« on: August 07, 2008, 11:48:07 AM »
Can Avast stop this virus or adware?
It downloads and installs on your PC after you click into a website. I'm worried about people,
because I have Sandboxie and it traps it with no problems, but what about people that don't have Sandboxie?

I got hit by this thing before, when I did not have Sandboxie, and Avast at that time did not stop this,
and it did some bad things to my PC at that time, but I did format it; it was a while ago.

Avast does not seem to see this. Any clue as to why?

Tech
Re: Can Avast stop this virus or adware?
« Reply #1 on: August 07, 2008, 12:58:25 PM »
You can search the avast virus database for that particular malware, although there isn't an international convention about virus naming...
But it seems more ad than real protection... some antivirus products promise more than they can actually do and 'alert' about protection just for you to buy their product...
The best things in life are free.

DavidR
Re: Can Avast stop this virus or adware?
« Reply #2 on: August 07, 2008, 01:33:24 PM »
Something in the application made my nose twitch as I think it is scam/scumware, http://www.google.co.uk/search?q=power+antivirus+2009 so it isn't technically a virus, it does detect some of these fake alerts.

However if you have a sample then send it to avast. Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version. Or MalwareBytes Anti-Malware freeware version http://www.softpedia.com/get/Antivirus/Malwarebytes-Anti-Malware.shtml. Or this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Rick F
Re: Can Avast stop this virus or adware?
« Reply #3 on: August 07, 2008, 05:37:42 PM »
It's not a virus per se, but a rogue AV.

I've been dealing with this Rogue AV (Power Antivirus 2009) too for the past two days.  Still not really sure it's actually on my PC, but maybe a website I was trying to go to thru Google search or Yahoo search (it's not just google) that's been hijacked. It's only when I search for a certain restaurant (which will remain nameless in case that site has been hijacked) that I see 3 pop-ups.  I've run 'MalwareBytes', which is supposed to remove any and all files of this rogue... including registry items.  Malwarebytes told me no infected files found.  Also ran SAS (SuperAntispyware) that David suggests; Trojan Remover; SpyBot S+D; CCleaner; VundoFix; Avast full scan; even avast's rootkit scan.  Nothing is ever found.  When I saw the popups, no matter what you click it opens another window that looks like an online scan. BUT... by then I've already stopped internet activity by clicking internet lock on ZoneAlarm.  When that popup shows and I stop internet traffic, I get an alert from ZoneAlarm saying, "Webscanner (avast) tried to receive data from the Internet" - then shows an address (I won't post that address here for obvious reasons). I did a DNS lookup for that address and it's located in St. Petersburg Russia.  Not sure if this is a static address but could be dynamic (and change). I've added that web address it tries to go to into my browser 'restricted' area AND to my HOSTS file.

I have a thread started in the Bleepingcomputer forum for some help with my HJT log.  So far no one has answered with a reply.  But to my eyes, I don't see any erroneous entries.  There are 3 thumb images at the bottom of my post in that thread if you want to see them. I was only able to attach 2 of those to this post due to size constraints.

So beware folks!!!  If you see a popup like this close your browser and don't click on anything.  I would also stop any internet traffic.  This is a phishing scheme to be sure.  Don't be lured into purchasing their product. Everything I've read on this says it's 'ROGUE'. From reading about this one, one of the files they identify as being a virus is "CMD.com".   

I would love to provide samples of this threat to alwil team, but so far I can't find any of those files.  Here's hoping my experience was just with a hijacked website I was trying to go to.

« Last Edit: August 07, 2008, 07:22:41 PM by Rick F »
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

jesydney
Re: Can Avast stop this virus or adware?
« Reply #4 on: August 08, 2008, 08:20:05 AM »
I've had to clean this phis off a few PCs and no antivirus can detect it. S&D will clean it but it will reappear.
It creates a hidden self-perpetuating exe in the registry.
I thought I'd cleaned it, gave the PC back, 2 days later got a call with the popup.

However, there is one circumstance that you can stop it and others like it in future.

If the popup appears, DO NOT CLICK ANYWHERE in the popup window, not even the little x at top right hand corner. The mouse click will initiate a hidden self-copy exe together with modding the IE host.
Save all your opened files immediately. DO NOT SHUT DOWN with Windows BUT by holding the power button on the PC itself. Pressing the reset button only resets the system and on some mobos it does not clear the RAM, where this rogue AV resides. Power off at the wall after the PC power is down. Leave it for 1 min.

If the above does not work, your hard disk needs to be physically taken out to another PC to be scanned offline by Avast.
There would also be a directory called Antivirus2009 in the program files folder, delete it. You can only delete this offline.
Before taking out the HDD, start it in safe mode, run msconfig, and in Startup stop any process that has a whole lot of numbers and also any process that does not have any information. Exit and save without restarting. Just shut down. Take out the HDD to scan from another PC.

Depending on how long the malware has resided in the system, there might be side effects to Windows because the malware makes adjustments to system DLLs. If funny things happen during normal Windows ops, then there is only one way out, the dreaded rebuild.


iga
Re: Can Avast stop this virus or adware?
« Reply #5 on: August 08, 2008, 11:03:24 AM »
Thanks guys

I would love to provide some samples of this Antivirus 2009 to the Alwil team,
but as I said I cannot, because I am using Sandboxie and my sandbox traps anything
that tries to get onto my PC!!
It's because of scumware like this that I said to myself, right, that's it, I'm going to use Sandboxie
and run my browser within a sandbox!

It is very bad scumware. I have also had to clean this out of some of my friends' computers;
they were giving out about this scumware, adware, whatever it is.
I put a-squared on their PCs and that does a very good job in finding it and killing it. Also I told them to install Sandboxie and they will not have this problem again if they run their browser in the sandbox, and all of them use Avast Antivirus 4.8 also.

It would be good if avast or any other antiviruses out there could stop this kind of scumware maybe down the road maybe!

Thanks guys!

Tech
Re: Can Avast stop this virus or adware?
« Reply #6 on: August 08, 2008, 01:07:02 PM »
Quote from: iga
"It would be good if avast or any other antiviruses out there could stop this kind of scumware maybe down the road maybe!"
Try RogueRemover that David posted on #2.
The best things in life are free.

Jeleal
Re: Can Avast stop this virus or adware?
« Reply #7 on: August 08, 2008, 01:38:05 PM »
I was told ThreatFire kills the process for Antivirus XP 2008 which is also considered rogue malware, but I don't know how it would fare with this one.

Rick F
Re: Can Avast stop this virus or adware?
« Reply #8 on: August 08, 2008, 01:56:18 PM »

Quote from: Tech
"Try RogueRemover that David posted on #2."

I ran that (MalwareBytes) and it didn't find anything. But I think that's because I don't have the actual rogue software on my HDD. If I did, then Malwarebytes could possibly remove any registry items along with the rogue software. Finding no files on the HDD, MalwareBytes doesn't look in the registry. Not sure though. The only time I get this image (too big to attach so hosted elsewhere)....



... is when I try to visit a website that I've searched for thru Google or Yahoo search engine. This is the only time I see that window load. I don't click on it (no cancel or close), but engage my Firewall interlock to stop traffic (right-click ZoneAlarm). I never did see the image posted by 'iga' who started this thread... which looks like the actual software trying to run. I'm thinking that the site I was trying to visit has been hacked.

I still haven't recv'd any followup posts on my thread I started on BleepingComputer with my DSS and HJT logs.

I sent an email to virus<at>avast with any information I have on this so they can add protection to the 'webshield'.  I always have the webshield turned on.
« Last Edit: August 08, 2008, 01:59:40 PM by Rick F »
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

olddog
Re: Can Avast stop this virus or adware?
« Reply #9 on: August 08, 2008, 03:22:18 PM »
Rick F,

The scan.power-Antivirus-2009 screen shot you show is coming up on computers all over the place and as has been said, Avast, Rogue Remover, Malwarebytes, Superantispyware, Spybot, HijackThis etc do not subsequently find any trace of residuals where either the browser has been immediately closed or where the lock has been applied in ZA, even on safemode scans.

I have attached a screen shot of blocking entries that seems to be effective in Web Shield.     
3.4Ghz Intel i7, 8Gb Ram, GeForce GTX560, Win 7 Pro 64 bit, Dual 1920x1080 monitors, Avast 2014, Firefox 26, Malwarebytes Pro, Paragon 14

Rick F
Re: Can Avast stop this virus or adware?
« Reply #10 on: August 08, 2008, 06:30:43 PM »
Thanks Olddog for that info.

I hadn't thought to add those addys to the webshield.  ::)  I did add it to my MVPS 'HOSTS' file - and to the restricted sites in my browser (IE).

Question... for the webshield to block those addresses, does webshield have to be set to 'customize'... or will 'normal' or 'high' setting still look for blocked URLs? Wondering because to get to the URL Blocking tab you have to click on 'customize'.  I decided to set my webshield to 'high' to see how that works.  But if I need to set it to customize, I will.

Thanks. 
Dell Dimension; Intel-core2 duo; WinXP Media Ctr; 2.8ghz - NTFS; 1-Gig Ram; NVIDIA GeForce 7300LE; Firefox 19.0.2; OE-6; ZA-7.0.302; avast 6.0.1367; / DropMyRights / MalwareBytes-Free / Symantec LiveState Recovery Desktop 6.0 / (using WOT), MVPS HOSTS file, SpywareBlaster, WinPatrol PLUS,

DavidR
Re: Can Avast stop this virus or adware?
« Reply #11 on: August 08, 2008, 07:17:02 PM »
I believe the Blocked URLs works on any sensitivity setting, however I have always set the web shield to High.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Jeleal
Re: Can Avast stop this virus or adware?
« Reply #12 on: August 08, 2008, 07:18:45 PM »
Quote from: Jeleal
"I was told ThreatFire kills the process for Antivirus XP 2008 which is also considered rogue malware, but I don't know how it would fare with this one."

From what this thread mentions, this may be a newer version of Antivirus XP 2008.  I asked in PC Tools forum for someone to test ThreatFire to see if it actually does allow this to be killed.

http://blogs.msdn.com/mcampos/archive/2008/07/05/removing-the-antivirus-2009-infection.aspx
« Last Edit: August 08, 2008, 07:21:20 PM by Jeleal »

iga
Re: Can Avast stop this virus or adware?
« Reply #13 on: August 08, 2008, 08:56:50 PM »
That's a good idea to use URL Blocking in Web Shield.
I have copied what's in your screenshot.

Do any of you have any more entries that seem to be effective in Web Shield for blocking bad things like hosts and others? And what does the entry look like in the blocked URL box? You use

http://*power-antivirus*
http://scan.power*

Do you guys have any more I could use that are good?

Thanks!!

olddog
Re: Can Avast stop this virus or adware?
« Reply #14 on: August 08, 2008, 11:16:09 PM »
Rick F,

The URL blocking works at any sensitivity level in Web shield, once you tick it and add in the URLs to be blocked. I normally run my Standard shield and Internet Mail shield at High, but my Web shield at the default Normal setting.

I have tested the URL blocks I showed in my screen shot at Normal sensitivity by trying to access the URL shown in your screen shot of the offending web page, and also what appears to be an alternative URL to the same product? and Avast blocked the sites nicely. (I don't advocate deliberately trying to access potentially nasty sites like this unless you are prepared to take the consequences - this was done on an isolated test computer that contains no important data, and for which I have a complete replacement drive image)

It's my personal opinion that using the Web Shield URL blocking should be viewed more as a temporary measure until Avast includes protection for that problem in their normal updates. Whilst a few entries here should not noticeably affect performance, over zealous use might do so, and there are those who claim they can't afford to run Web Shield even without the extra blocking.     
3.4Ghz Intel i7, 8Gb Ram, GeForce GTX560, Win 7 Pro 64 bit, Dual 1920x1080 monitors, Avast 2014, Firefox 26, Malwarebytes Pro, Paragon 14
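
Added example (not part of any post in this thread, and not Avast's code): a comparison of what the two Web Shield patterns quoted above would cover against what a HOSTS-file entry covers. It assumes the blocked-URL box uses glob-style matching over the whole URL, which the thread does not confirm; the `.example` hostnames and the HOSTS text are constructed.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Patterns quoted in the thread for the Web Shield blocked-URL box.
URL_PATTERNS = ["http://*power-antivirus*", "http://scan.power*"]

# Constructed HOSTS-file text; hostnames are placeholders under .example.
HOSTS_TEXT = """\
127.0.0.1  localhost
# rogue AV landing page (constructed entry)
0.0.0.0    scan.power-antivirus-2009.example
"""

def hosts_blocked(hosts_text):
    """Return hostnames that a HOSTS file maps to a loopback/null address."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "0.0.0.0", "::1"):
            blocked.update(h.lower() for h in fields[1:] if h.lower() != "localhost")
    return blocked

def pattern_hit(url, patterns=URL_PATTERNS):
    """First pattern matching the URL under ASSUMED glob semantics, else None."""
    u = url.lower()
    return next((p for p in patterns if fnmatchcase(u, p.lower())), None)

def hosts_hit(url, blocked):
    """HOSTS entries match exact hostnames only: no wildcards, no paths."""
    host = (urlsplit(url).hostname or "").lower()
    return host in blocked

def coverage(urls, hosts_text=HOSTS_TEXT):
    """Map each URL to (matching pattern or None, blocked by HOSTS?)."""
    blocked = hosts_blocked(hosts_text)
    return {u: (pattern_hit(u), hosts_hit(u, blocked)) for u in urls}

# Constructed sample URLs.
SAMPLE_URLS = [
    "http://scan.power-antivirus-2009.example/scan.php",  # both block
    "http://www2.Power-Antivirus-2009.example/",          # new subdomain: pattern only
    "http://scan.powertools.example/",                    # unrelated site caught by scan.power*
    "https://scan.power-antivirus-2009.example/",         # scheme differs: HOSTS only
    "http://restaurant.example/menu",                     # neither
]

if __name__ == "__main__":
    for url, (pat, in_hosts) in coverage(SAMPLE_URLS).items():
        print(f"{url:52} pattern={pat!s:26} hosts={in_hosts}")
```

The third and fourth rows show the trade-off: a broad prefix such as `http://scan.power*` can block unrelated sites, while a pattern tied to `http://` misses the same host under another scheme, which the exact-hostname HOSTS entry still covers.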

 
