Author Topic: [RESOLVED] will avast ever be able to detect/remove xp total security 2011?  (Read 4833 times)


Offline arjay

  • Jr. Member
  • **
  • Posts: 23
Today, I have been helping a colleague to remove xp total security 2011 from his laptop using fixNCR.reg, Rkill and malwarebytes as per numerous posts.  This has gone fine as far as I can tell.  The next few reboots should hopefully prove me right.

However, my concern is that from what I can see on this forum and elsewhere, Avast Home does not detect this infection at all.  I am a bit embarrassed to say the least.  As an experienced user (Linux and Windows) and a casual website designer/amateur programmer, I am always being asked to recommend AV software.  I have advised literally DOZENS of friends and colleagues to use Avast, quite a few of whom have gone on to upgrade from Home to Pro versions.

When I ran malwarebytes, it also detected a bunch of pup.zwangi files.  I deleted all the total security files but left zwangi on as an experiment.  I then installed Avast home 4.8 which I had handy and was surprised that it did not even detect zwangi?

I am now installing what appears to be the latest Home version (6.0112) and will scan again when all updates are in place.  Hopefully it should find the files.

If not, should I advise him to run another AV program alongside Avast?  Normally I advise friends to avoid that but it appears Avast is deficient in some areas?  Would it be OK to run Malwarebytes or equivalent alongside Avast?  If so which free AV would folks recommend to run with Avast?

Thanks

RJ
« Last Edit: May 17, 2011, 11:14:13 PM by arjay »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37585
  • Not a avast user
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #1 on: May 17, 2011, 01:23:02 PM »
avast is detecting many of these, so if you check the signature names here you find new FakeAv / FakeAlert every day: http://www.avast.com/en-no/virus-update-history
but no Security program has 100% detection

Fake antivirus overwhelming scanners 
http://news.techworld.com/security/3203072/fake-antivirus-overwhelming-scanners/


Quote
When I ran malwarebytes, it also detected a bunch of pup.zwangi files.  I deleted all the total security files but left zwangi on as an experiment.  I then installed Avast home 4.8 which I had handy and was surprised that it did not even detect zwangi?
I am not sure avast 4.8 would detect this since it is detected as PUP..... can't remember if 4.8 has PUP detection?
PUP (potentially unwanted program) http://searchsecurity.techtarget.com/definition/PUP

you can upload the file(s) to www.virustotal.com and see if avast5/6 detect it, if not it may be a new sample that you can send to avast lab

anyway Zwangi is just an Adware:toolbar


Quote
If not, should I advise him to run another AV program alongside Avast?  Normally I advise friends to avoid that but it appears Avast is deficient in some areas?  Would it be OK to run Malwarebytes or equivalent alongside Avast?  If so which free AV would folks recommend to run with Avast?
malwarebytes and/or Superantispyware



Offline arjay

  • Jr. Member
  • **
  • Posts: 23
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #2 on: May 17, 2011, 01:42:58 PM »
Pondus - thanks for your quick and helpful reply.

I am currently installing the latest Avast and will see what that finds.  I thought I had killed xp total security for ever, but after a reboot I ran malwarebytes again and it has found more (possibly some of the same) files, but down from 87 to 8.  It is still scanning but I'll push on and report what finally happens.

Also, of course, xp total security turned off Automatic Updates and I can't get them turned on again. I've tried the alert icon in the systray, also turning it on via Control Panel/System Settings/Automatic Updates and also manually running wscui.cpl and sysdm.cpl but all refuse to turn it back on again!

RJ

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37585
  • Not a avast user
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #3 on: May 17, 2011, 01:47:23 PM »
did you update Malwarebytes before you started scanning ?

Offline arjay

  • Jr. Member
  • **
  • Posts: 23
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #4 on: May 17, 2011, 01:54:54 PM »
Good point - The first time I tried to run the update for Malwarebytes it was blocked by xp total security.  So I ran the out of date version.  That detected and removed enough files to be able to reboot, and update Malwarebytes.  This is now a new scan with the updated version that has found more infected files.  I have deleted those (including the pup.zwangi ones).  We'll see what happens now - the quest continues....

RJ

BTW - I am posting here using linux on one of my own PCs.  I have 5 of them at home, 4 of them networked.  I keep one of them UN-NETWORKED with win xp on it just so I can test new websites I design.  Otherwise, I threw all versions of windoze out about 5 years ago and never looked back.  Or, of course, had any sort of virus or hijack attempt  ;D

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37585
  • Not a avast user
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #5 on: May 17, 2011, 02:16:35 PM »
just remember that more and more Linux malware is being created also.... it is not malware free

http://en.wikipedia.org/wiki/Linux_malware
http://blogs.computerworld.com/16316/think_linux_is_free_from_malware_think_again_its_been_hacked

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89222
  • No support PMs thanks
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #6 on: May 17, 2011, 03:38:36 PM »
Quote from: arjay
When I ran malwarebytes, it also detected a bunch of pup.zwangi files.  I deleted all the total security files but left zwangi on as an experiment.  I then installed Avast home 4.8 which I had handy and was surprised that it did not even detect zwangi?

Something that you probably aren't aware of: the pup. part of the MBAM detection is Potentially Unwanted Program. This is generally something which you may or may not have installed and this is the crux of if it is unwanted.

Also it rather depends on what MBAM found if this was active or not, so posting the MBAM log contents would help in that regard.

The Zwangi has been known to do this.
Quote
####1
the detection for a program that runs as a service in the background and modifies Web browser settings to visit a particular Web site.

####2
It is also known as Spyware.Screenspy, Mal/BHO-S, and Seekapp. The program redirects URLs typed into the browser's address bar to a search page at www.zwangi.com

Also see http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2FZwangi.

So was the user seeing any of this activity?

On the avast scans, by default it doesn't scan for PUPs, so would account for it not being found, though avast 4.8 is long in the tooth and pre-dates the checking for PUPs.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline arjay

  • Jr. Member
  • **
  • Posts: 23
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #7 on: May 17, 2011, 04:26:18 PM »
Thanks for your contribution.  Very helpful to further understanding.  As I said above, I mainly use Linux so am not used to prolonged sessions with AV checkers etc  ;).

No one answered my first question, though. Perhaps you can.  Will the latest version of Avast Home (6.012 or thereabouts) detect win7/vista/x total security fake AV?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89222
  • No support PMs thanks
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #8 on: May 17, 2011, 04:46:09 PM »
The short answer is no one really knows.

As avast detects many of these rogues, they are a constantly moving target, with multiple new variants on the same theme. They change it slightly so that it doesn't match the same signatures, so it rather depends on the variant.

The biggest thing in these Fake AVs, Rogues, is that they for the most part require a degree of complicity by the user. This is normally gained by the fake pop-up you are infected and the user panicking and clicking buttons (doesn't really matter which as they can all have the same effect) and this is actually allowing something to be installed.

The key is not to panic (how would they know your system is infected, they don't) and the best action on seeing the pop-up is to use the Task Manager and end the browser process from there.

~~~~
That said MalwareBytes AntiMalware (MBAM) is one of the best at removal of these fake AVs and rogues, before it changed its name to MBAM, it was called RogueRemover, a specialist tool at the removal of these rogues.


Offline arjay

  • Jr. Member
  • **
  • Posts: 23
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #9 on: May 17, 2011, 10:37:14 PM »
Very clear - thanks for your time and the info.

RJ

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89222
  • No support PMs thanks
Re: will avast ever be able to detect/remove xp total security 2011?
« Reply #10 on: May 17, 2011, 11:05:11 PM »
No problem, glad I could help.

Welcome to the forums.

Offline arjay

  • Jr. Member
  • **
  • Posts: 23
BTW - couldn't find an obvious way to mark this up as SOLVED so I edited my first post and amended the topic title - hope that's OK

Adios

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89222
  • No support PMs thanks
That is basically the only way to mark it up ;D