We used to get a fair amount of these fake AV infections too. I changed our DNS forwarder to ClearCloud and haven't had any more for several months now.
.Tim

> -----Original Message-----
> From: Mike Gill [mailto:[email protected]]
> Sent: Wednesday, May 04, 2011 4:31 PM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> Because none of the AV/antimalware companies can keep up. I have had quite a
> few of these fake AV infections show up on my desk lately on people's home
> laptops. A couple of them involved rootkits running from the MBR. Unless the
> AV software checks the MBR, and has defs that could see it anyway, you're
> not going to detect it. In those cases re-writing the MBR from a Windows
> recovery environment got rid of the symptoms. In my last two cases the last
> symptom was searching for something using Google/Bing/etc., seeing the
> results, but clicking the links took you to a rogue site. Copy link location
> and paste in URL bar worked fine, but don't click the links! The users opted
> not to have me reinstall the OS despite me recommending it, mostly due to
> installed software they no longer have the install source for. What I'm
> seeing lately:
>
> 1) malware using the task scheduler instead of more common startup methods
> (e.g. Registry) for executing the malware
> 2) always check the hosts file and DNS
> 3) delete temp and temp internet folder contents, reset browsers to defaults
> 4) empty recycle bin (seen the malware live from in there a couple times
> lately)
> 5) just go ahead and rewrite the MBR just because
> 6) use msconfig, process explorer, listdlls and other sysinternals tools
> 7) hitman pro works well as second opinion AV (free one time use, but not
> for domain joined machines)
>
> This is just the short list and changes from machine to machine depending on
> what I see. There's more that needs to be done most of the time. Google
> image searches seem to be what is getting people a lot lately and they're
> not looking for porn either. The domains some of these images are on have
> just been hijacked, or bought and repurposed to deliver the bad wares now. I
> suspect ads on Facebook too.
>
> --
> Mike Gill
>
> -----Original Message-----
> From: N Parr [mailto:[email protected]]
> Sent: Wednesday, May 04, 2011 12:05 PM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> I've never had luck with Viper detecting, let alone stopping, any of these
> fake AVs over the years. It's really my only big issue with the product.
> Probably had a dozen or so home and work users get a variation and Viper's
> failed every time. Most of the time I can do a system restore back to a point
> in time where the virus wasn't installed and scan with other products to get
> rid of infected files.
>
> -----Original Message-----
> From: John Aldrich [mailto:[email protected]]
> Sent: Wednesday, May 04, 2011 1:58 PM
> To: NT System Admin Issues
> Subject: RE: Antivirus Center
>
> Richard, this is an end-user we're talking about. :D I found instructions on
> Bleeping Computer on how to get rid of it, but the end user is barely
> computer literate and he's in Texas, while I'm in Georgia. He decided he'd
> rather ship me his computer than take it to a local tech. I was just curious
> as to why Vipre Rescue didn't find it and whack it...
>
> From: [email protected] [mailto:[email protected]]
> Sent: Wednesday, May 04, 2011 2:55 PM
> To: NT System Admin Issues
> Subject: Re: Antivirus Center
>
> Can you run the task manager w/o the bug blocking it? How about "cmd"?
> Windows Explorer (NOT IE!)?
>
> Although a bug whacked the registry, we had one where we could see what
> process was starting when "something" triggered the fake AV window. We
> noted the name of the process, then killed that process.
>
> We went into Explorer and were actually able to delete the process file.
>
> We have been able to open the registry, go looking for (in HKLM,
> HKCurrentUser, and HKUsers.Default) .\windows\CurrentVersion\Run something
> that obviously does not belong there. We whack that value and reboot. THEN
> we can find things with VIPRE and MBytes scans.
>
> "John Aldrich" <[email protected]> wrote on 05/04/2011 01:21:55 PM:
>
> > I just had a remote user infected with "Antivirus Center" fake
> > antivirus. I had him try to run Vipre Rescue, but it didn't find
> > anything. Any idea why VR didn't find it?
> >
> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >
> > ---
> > To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
> > or send an email to [email protected]
> > with the body: unsubscribe ntsysadmin
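Mike Gill's checklist above (scheduled tasks instead of Run keys, the hosts file, DNS settings, executables living in temp folders or the recycle bin) is the kind of thing worth scripting so a triage pass is repeatable. The script below is an added example written for this page; it is not code from the thread, from Sunbelt, or from any of the posters. It assumes Windows 8 / Server 2012 or later for the Get-ScheduledTask and Get-DnsClientServerAddress cmdlets, an elevated PowerShell prompt, and a $KnownGoodDns allow-list that you fill in with your own resolvers (the address shown is a constructed placeholder). It only reports; it deletes nothing.

```powershell
# Added triage script (example, not from the list thread). Assumes Windows 8 /
# Server 2012+ (Get-ScheduledTask, Get-DnsClientServerAddress), an elevated
# prompt, and a hypothetical allow-list of your own DNS resolvers.

$KnownGoodDns = @('192.0.2.53')   # constructed placeholder: replace with your resolvers

function Get-RunKeyEntries {
    # Autostart values under the Run/RunOnce keys the thread says to inspect.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($p in $paths) {
        if (-not (Test-Path $p)) { continue }
        $props = Get-ItemProperty -Path $p
        # Skip the PS* bookkeeping properties Get-ItemProperty adds to the object.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Source = $p; Name = $name; Command = $props.$name }
        }
    }
}

function Get-SuspiciousTaskActions {
    # Scheduled tasks whose action runs from a user-writable location
    # (temp, profile, recycle bin). Heuristic: legitimate tasks can live there too.
    $suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:USERPROFILE,
                      'C:\$Recycle.Bin', 'C:\RECYCLER')
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($a.Execute)
            $flag = $suspectRoots | Where-Object { $_ -and $exe -like "$_*" }
            if ($flag) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $exe
                    Arguments = $a.Arguments
                    State     = $task.State
                }
            }
        }
    }
}

function Get-HostsOverrides {
    # Every active hosts-file mapping that is not the stock localhost entry.
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hosts | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' } | ForEach-Object {
        $parts = -split $_
        if ($parts[1] -notin @('localhost', 'localhost.localdomain')) {
            [pscustomobject]@{ Address = $parts[0]; Hostname = $parts[1] }
        }
    }
}

function Get-UnexpectedDnsServers {
    # Any configured IPv4 resolver that is not on the allow-list.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object {
            $iface = $_.InterfaceAlias
            foreach ($srv in $_.ServerAddresses) {
                if ($srv -notin $KnownGoodDns) {
                    [pscustomobject]@{ Interface = $iface; Server = $srv }
                }
            }
        }
}

'== Run/RunOnce autostart values =='
Get-RunKeyEntries | Format-Table -AutoSize
'== Scheduled task actions running from temp/profile/recycle bin =='
Get-SuspiciousTaskActions | Format-Table -AutoSize
'== hosts file overrides =='
Get-HostsOverrides | Format-Table -AutoSize
'== DNS servers not on the allow-list =='
Get-UnexpectedDnsServers | Format-Table -AutoSize
```

Run it once on a known-clean build to learn what the baseline output looks like, then on the suspect machine; the useful signal is the difference. Anything it flags still needs a human decision before deleting, and an MBR rootkit of the kind Mike describes will not show up here at all, which is why the thread pairs this sort of check with rewriting the MBR from a recovery environment.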
