Because none of the AV/antimalware companies can keep up. I have had quite a few of these fake AV infections show up on my desk lately on people's home laptops. A couple of them involved rootkits running from the MBR. Unless the AV software checks the MBR, and has defs that could see it anyway, you're not going to detect it. In those cases re-writing the MBR from a Windows recovery environment got rid of the symptoms. In my last two cases the last symptom was searching for something using Google/Bing/etc., seeing the results, but clicking the links took you to a rogue site. Copy link location and paste in URL bar worked fine, but don't click the links! The users opted not to have me reinstall the OS despite me recommending it, mostly due to installed software they no longer have the install source for. What I'm seeing lately:
1) malware using the task scheduler instead of more common startup methods (e.g. Registry) for executing the malware
2) always check the hosts file and DNS
3) delete temp and temp internet folder contents, reset browsers to defaults
4) empty recycle bin (seen the malware live from in there a couple times lately)
5) just go ahead and rewrite the MBR just because
6) use msconfig, process explorer, listdlls and other sysinternals tools
7) hitman pro works well as second opinion AV (free one time use, but not for domain joined machines)

This is just the short list and changes from machine to machine depending on what I see. There's more that needs to be done most of the time. Google image searches seem to be what is getting people a lot lately and they're not looking for porn either. The domains some of these images are on have just been hijacked, or bought and repurposed to deliver the bad wares now. I suspect ads on Facebook too.

-- Mike Gill

-----Original Message-----
From: N Parr [mailto:[email protected]]
Sent: Wednesday, May 04, 2011 12:05 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

I've never had luck with Vipre detecting, let alone stopping, any of these fake AVs over the years. It's really my only big issue with the product. Probably had a dozen or so home and work users get a variation and Vipre's failed every time. Most of the time I can do a system restore back to a point in time where the virus wasn't installed and scan with other products to get rid of infected files.

-----Original Message-----
From: John Aldrich [mailto:[email protected]]
Sent: Wednesday, May 04, 2011 1:58 PM
To: NT System Admin Issues
Subject: RE: Antivirus Center

Richard, this is an end-user we're talking about. :D I found instructions on Bleeping Computer on how to get rid of it, but the end user is barely computer literate and he's in Texas, while I'm in Georgia. He decided he'd rather ship me his computer than take it to a local tech.
I was just curious as to why Vipre Rescue didn't find it and whack it...

From: [email protected] [mailto:[email protected]]
Sent: Wednesday, May 04, 2011 2:55 PM
To: NT System Admin Issues
Subject: Re: Antivirus Center

Can you run the task manager w/o the bug blocking it? How about "cmd"? Windows Explorer (NOT IE!)? Although a bug whacked the registry, we had one where we could see what process was starting when "something" triggered the fake AV window. We noted the name of the process, then killed that process. We went into Explorer and were actually able to delete the process file. We have been able to open the registry, go looking for (in HKLM, HKCurrentUser, and HKUsers.Default) .\windows\CurrentVersion\Run something that obviously does not belong there. We whack that value and reboot. THEN we can find things with VIPRE and MBytes scans.

"John Aldrich" <[email protected]> wrote on 05/04/2011 01:21:55 PM:
> I just had a remote user infected with "Antivirus Center" fake
> antivirus. I had him try to run Vipre Rescue, but it didn't find
> anything. Any idea why VR didn't find it?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
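The manual checks from Mike Gill's list (Run keys, scheduled tasks, hosts file, DNS, recycle bin, MBR) and the Run-key hunt in the [email protected] reply, collected into one read-only PowerShell triage script. This is an added example, not code posted by anyone in the thread. It assumes an elevated PowerShell 2.0 or later session on an XP/7-era box, that the system disk is \\.\PhysicalDrive0, that schtasks.exe emits a 'Task To Run' column, and the path and domain patterns it flags are heuristics chosen for the example, not signatures.

```powershell
# Added example for this thread, not code from any of its authors.
# Read-only triage of the persistence points the thread names. Assumes an
# elevated PowerShell 2.0+ prompt and that the system disk is PhysicalDrive0.
# The regexes below are heuristics chosen for the example, not signatures.

function Get-RunKeyEntries {
    # HKEY_USERS is not mapped as a drive by default; register it once.
    if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $roots   = 'HKLM:', 'HKCU:', 'HKU:\.DEFAULT'
    $subkeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($root in $roots) {
        foreach ($sub in $subkeys) {
            $path = Join-Path $root $sub
            if (-not (Test-Path $path)) { continue }
            $key = Get-Item $path
            foreach ($name in $key.GetValueNames()) {
                New-Object PSObject -Property @{
                    Key = $path; Name = $name; Command = $key.GetValue($name)
                }
            }
        }
    }
}

function Get-SuspiciousTasks {
    # schtasks.exe exists on XP and later; Get-ScheduledTask needs Windows 8+.
    # Windows 7 repeats the CSV header per task folder, so drop those rows.
    schtasks.exe /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Where-Object {
            # Heuristic: commands run from user-writable or temp locations.
            $_.'Task To Run' -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public|\$Recycle\.Bin|RECYCLER)\\' -or
            $_.'Task To Run' -match '(?i)\.(vbs|js|bat|cmd)("|\s|$)'
        } |
        Select-Object TaskName, 'Task To Run', Author, 'Next Run Time'
}

function Get-HostsEntries {
    # Anything beyond localhost deserves a look; fake AVs often pin search
    # engines and AV vendors here so the victim cannot reach help.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Entry   = $_
                Flagged = ($_ -match '(?i)google|bing|yahoo|microsoft|symantec|mcafee|malwarebytes|sunbelt')
            }
        }
}

function Get-DnsServers {
    # Static resolvers on a DHCP client are the classic DNS-changer tell.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Select-Object Description, DHCPEnabled, DNSServerSearchOrder
}

function Get-RecycleBinExecutables {
    # Malware living in the bin survives until someone empties it.
    Get-ChildItem "$env:SystemDrive\" -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(\$Recycle\.Bin|RECYCLER)$' } |
        ForEach-Object {
            Get-ChildItem $_.FullName -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.Extension -match '^\.(exe|dll|scr|com|vbs|js|bat|cmd)$' } |
                Select-Object FullName, Length, LastWriteTime
        }
}

function Get-MbrBootCodeHash {
    # Reads sector 0 of the first disk. Bytes 0-439 are boot code; the disk
    # signature and partition table follow, and 0x55AA closes the sector.
    # Compare the hash with a known-clean machine on the same Windows build.
    # A rootkit that filters disk reads can hand back a clean sector here,
    # which is why the thread rewrites the MBR from the recovery environment.
    $fs = New-Object System.IO.FileStream('\\.\PhysicalDrive0',
            [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
            [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        [void]$fs.Read($sector, 0, 512)
    } finally { $fs.Close() }
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = ($sha.ComputeHash([byte[]]$sector[0..439]) | ForEach-Object { $_.ToString('x2') }) -join ''
    New-Object PSObject -Property @{
        SignatureOk    = ($sector[510] -eq 0x55 -and $sector[511] -eq 0xAA)
        BootCodeSHA256 = $hash
    }
}

'== Run keys ==';             Get-RunKeyEntries         | Format-Table -AutoSize
'== Scheduled tasks ==';      Get-SuspiciousTasks       | Format-Table -AutoSize
'== hosts file ==';           Get-HostsEntries          | Format-Table -AutoSize
'== DNS servers ==';          Get-DnsServers            | Format-Table -AutoSize
'== Recycle bin binaries =='; Get-RecycleBinExecutables | Format-Table -AutoSize
'== MBR ==';                  Get-MbrBootCodeHash       | Format-List
```

The script only reports; removing a Run value, deleting a task or emptying the bin is still a manual decision after you have looked at what the entry points to. Save a copy of the output before cleaning so the hosts entries and resolver addresses can go into blocklists, and treat the MBR hash as advisory only: if it differs from a clean reference, or the live read is suspect, boot the recovery environment and rewrite the MBR as the thread describes rather than trusting what a possibly hooked disk stack returns.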
