ClanKiller.com
http://forums.clankiller.com/

<insert_os_name> antivirus 2010 - ROGUE/VIRUS WARNING
http://forums.clankiller.com/viewtopic.php?f=8&t=3416

Author:  Mole [ Sun Feb 21, 2010 4:32 pm ]
Post subject:  <insert_os_name> antivirus 2010 - ROGUE/VIRUS WARNING

Hey people!

This more so applies to Avast users, as that's what I'm using. But I figure you all may need this at some point!

Today I was browsing the net happily when bang, up popped this screen (See attachment ANTI1)

Attachment:
ANTI1.jpg


Shortly followed by this (ANTI2)

Attachment:
ANTI2.jpg


I quickly started running around my system trying to find this fucker.

Its process is called "av.exe". You can cancel this from Task Manager, but any time you go to boot anything (antivirus-related more so) it'll just boot up again. So I started searching the net for fixes.

There are several fixes available, both manual and automated.

Basically speaking, from what I can see nearly any antiviral software will remove this fucker, but for example my Avast would not boot whilst it was operational, and any attempt to reboot Avast would result in this thing rebooting. Even in safe mode.

The manual fixes were to remove the registry entries that caused it to boot, but my PC would not let me. Which I don't think is anything to do with the virus, I think it's because Vista's a bitch!

Anyway, Manual Fix 1: [scroll past the spyware scanner part] http://www.spywareremove.com/removeVist ... y2010.html
Automatic Fix 2: http://www.bleepingcomputer.com/virus-r ... vista-2010

Personal notes: This virus is, at first, very convincing to look at. A lot of time and effort seems to have gone into making this look as good as possible. Luckily, I'm fairly vigilant, and generally speaking if something boots of its own accord on my PC then it triggers plenty of alarm bells in my head. All of the 'links' (i.e. the ones that say turn this on, turn that off) look very official though [obviously] I have not clicked on any of them. What I mean by official is they're not just a flat image that is actually a link. They are all properly coded and highlight when you hover over each one etc etc.

It starts throwing up mountains of those Windows-style pop-up balloons saying X, Q and Y are all doing Z, B and A - but the fact it shows so many of them also triggers alarms. But the biggest overall giveaway was that it was calling up files that I recognise and know are not virii, and on top of that it scanned my 'entire system' in less than 30 seconds. Also, it made a guise mistake - it tries to appear as 'part of Windows' but then on one screen is selling itself as an independent AV.

Oh, and just on the off chance you think this is a bot advertising some other kind of software removal shit:

1. Satis is a gun toting loon ;)
2. Ox ... well, ox is Belgian I don't really need to say any more!
3. 11b (ElevenBravo) Hates me!
4. Peltz is from Estonia
5. J is a teacher
6. Pev is a whore ;) With a pointy stick nonetheless!
7. Shiny appears once in a while to keep Sat in check ;)

And sorry if I missed anyone but I think I proved my point!

Useful info from BleepingComputer wrote:
Associated XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 Files:

%UserProfile%\Local Settings\Application Data\av.exe
%UserProfile%\Local Settings\Application Data\WRblt8464P
%UserProfile%\AppData\Local\av.exe <In Antivirus Vista 2010 & Win 7 Antispyware 2010>
%UserProfile%\AppData\Local\WRblt8464P <In Antivirus Vista 2010 & Win 7 Antispyware 2010>
Associated XP Internet Security 2010, Antivirus Vista 2010, and Win 7 Antispyware 2010 Windows Registry Information:

HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_CLASSES_ROOT\secfile\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "%1" %*
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "(Default)" = "%UserProfile%\Local Settings\Application Data\av.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = "1"
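
The quoted registry values also explain what Mole saw: with `.exe\shell\open\command` pointing at `av.exe /START "%1" %*`, every program the user launches (Avast included) is routed through the rogue first, which is why the AV "would not boot" and the thing kept coming back. The script below is an added, read-only triage check for exactly the indicators quoted from BleepingComputer above; it is not code from the thread or from BleepingComputer. It assumes it is run from an elevated PowerShell window on the affected Windows profile, and every path, key and name it looks for is taken from the quoted list (the process name `av` simply follows from the image name `av.exe`). It reports findings and changes nothing.

```powershell
# Added example (not from the thread or BleepingComputer): read-only triage of the
# persistence points quoted above. Assumes an elevated PowerShell on the affected
# profile. All indicators come from the quoted list; nothing is modified.

$indicator = 'av.exe'
$findings  = New-Object System.Collections.Generic.List[string]

# 1. Shell command hijack. A clean machine has no shell\open\command key under
#    HKCU\Software\Classes\.exe at all, and the HKCR\.exe key just maps to a file
#    type. A default value naming av.exe means each launched program (including
#    the AV) is started through the rogue, which is the relaunch behaviour the
#    post describes.
$commandKeys = @(
    'HKCU:\Software\Classes\.exe\shell\open\command'
    'HKCU:\Software\Classes\secfile\shell\open\command'
    'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command'
    'Registry::HKEY_CLASSES_ROOT\secfile\shell\open\command'
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command'
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command'
    'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'
)
foreach ($key in $commandKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $cmd = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -and $cmd -like "*$indicator*") {
        $findings.Add("HIJACKED command  $key = $cmd")
    }
}

# 2. Security Center overrides. A value of 1 suppresses the Security Center
#    "no antivirus / no firewall" notification, so the user is not told that the
#    real AV has been stopped.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    $val = (Get-ItemProperty -LiteralPath $sc -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -eq 1) {
        $findings.Add("SUSPICIOUS value  $sc\$name = 1")
    }
}

# 3. Dropped files. XP-style profile path first, Vista/7 path second, as in the
#    quoted list. On Vista/7 "Local Settings" is a junction to AppData\Local, so
#    one real file can show up under both names.
$dropPaths = @(
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\av.exe')
    (Join-Path $env:USERPROFILE 'Local Settings\Application Data\WRblt8464P')
    (Join-Path $env:LOCALAPPDATA 'av.exe')
    (Join-Path $env:LOCALAPPDATA 'WRblt8464P')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $item = Get-Item -LiteralPath $p -Force
        $findings.Add("FOUND file        $p (last write $($item.LastWriteTime))")
    }
}

# 4. Running instance. The image is av.exe, so the process name is "av".
Get-Process -Name 'av' -ErrorAction SilentlyContinue | ForEach-Object {
    $findings.Add("RUNNING process   PID $($_.Id) $($_.Path)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the quoted list were found.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it from a PowerShell window that is already open rather than by double-clicking a script or shortcut: while the `.exe` association is hijacked, anything started through the shell goes through `av.exe` first, which is the trap Mole hit with Avast. The removal guides linked in the post handle the actual clean-up; this only tells you which of the quoted indicators are present on the box.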

Author:  Satis [ Mon Feb 22, 2010 7:32 am ]
Post subject:  Re: <insert_os_name> antivirus 2010 - ROGUE/VIRUS WARNING

lol...wow. I think I'm most entertained by the succinct list of CK users and their attributes.
