Thread: The fake AV epidemic (ID 117064), started 2011-03-31 22:29:00 by linw (53) in the Press F1 forum

| Post ID | Timestamp | Content | User |
|---|---|---|---|
| 1190964 | 2011-03-31 22:29:00 | It's a bit embarrassing that these things seem to have no problem bypassing the AV products commonly installed. It's also hard to track just where they have been initiated from, so it is impossible to warn people off certain sites/activities. Do they bypass the UAC installation prompt as well? About to receive a second machine from the same person that has now been hit twice (MSE installed). They think it might have come from an attachment on a sports result picking site, but who knows. Looks like these darn things are just too clever for most AV products? | linw (53) |
| 1190965 | 2011-03-31 22:34:00 | I'm not sure, but everybody I know who's been infected has been using Internet Explorer. There are several that are all pretty much identical, just slightly different names / GUIs. Wrote a quick and dirty removal guide a few weeks back after I had 4 people in 5 days come to me with it! Just removed another this morning too: www.c2s.co.nz | Chilling_Silence (9) |
| 1190966 | 2011-03-31 22:37:00 | I had one last night, Windows Expansion System. Some fake thing. What an annoying piece of crap. It adds entries to the registry for Avast, MSE, and 2 others. Not easy to remove, since once it loads, it wants you to buy it. You have to click on the licence, close it, then the desktop loads. Then it blocks access to everything, including the Internet. Anything you try and run, it blocks. I tried to remove it with TeamViewer (took a while), because it gives you like 1-2 mins to do whatever, then cuts you off (you and the person you're helping). The person had to go into safe mode with networking so I could copy rkill and a few files before we could remove it. Then boot back into normal Windows, then find rkill, then run it, since running rkill in safe mode doesn't remove this thing. | Speedy Gonzales (78) |
| 1190967 | 2011-03-31 22:54:00 | I found booting into safe mode and clearing the registry entries manually was the easiest solution for a couple of variants... | Chilling_Silence (9) |
| 1190968 | 2011-03-31 22:56:00 | I did / I tried that trick, it didn't work for this, lol. It also disables System Restore. I also changed it in the registry. Didn't work. We had to run rkill in normal Windows to kill it completely. | Speedy Gonzales (78) |
| 1190969 | 2011-03-31 22:58:00 | I have been using IE as my browser of choice for some years now. Have not yet been hit with a virus. There again, I don't use torrents etc., and also I'm the only one that uses my PC. | Snorkbox (15764) |
| 1190970 | 2011-03-31 23:26:00 | There are some awesome ones out there these days that block damn near everything: System Restore, safe mode, and any useful utility like regedit. You can get around it all, of course, but it's much more tiresome than it used to be. I've taken to using bootable antivirus & malware CDs to remove most of the crud (at least there are several of these free out there now that are half decent); only after that do I go back into the regular OS to clean up any niggly issues remaining. | razzarphenix (2626) |
| 1190971 | 2011-04-01 00:03:00 | "It's a bit embarrassing that these things seem to have no problem bypassing the AV products commonly installed." Because they're really spyware. AVs aren't good at spyware. | pctek (84) |
| 1190972 | 2011-04-01 00:14:00 | There are several around at the moment, and some are really nasty. Almost no AV, doesn't matter what it is, will detect them. Many of the antispyware programs will detect parts - the reason I say parts is the buggers actually hide as genuine system files. They also have the ability to disable any AV, and stop any antimalware program running. Got one here at the moment; it's badly infected, can't run anything, even in safe mode. Malwarebytes is used by many, but in every single case it has missed these infections and only got bits and pieces. There have been a couple I have simply done reinstalls on. It had nothing to do with IE, as in most cases they used Firefox or Chrome. Even after running Malwarebytes, SUPERAntiSpyware, Spybot, ComboFix, Trojan Remover and a few others, the buggers come right back, and System Restore was disabled as well. HijackThis doesn't show them either. Fun, ain't it! :D | wainuitech (129) |
| 1190973 | 2011-04-01 00:19:00 | Yeah, it's always an uphill battle. My favorite ones are the ones that don't just kill certain executable programs when you launch them, but actually disassociate how Windows runs .exe files. Very sneaky. Luckily I found a fix, which is a .com file that can be run from within Windows (XP / Vista / 7 all tested), and that works a treat :D | Chilling_Silence (9) |
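The two mechanisms the thread describes, the broken .exe association in Chilling_Silence's last post and the per-tool blocking of Avast, MSE and other programs in Speedy Gonzales's post, both live in the registry and can be audited from a script. The PowerShell below is an added example written for this thread: it is not the .com fix from the post and not from any product named here. It assumes the stock Windows XP/Vista/7 defaults for the association keys (HKLM\SOFTWARE\Classes\.exe pointing to exefile, and exefile\shell\open\command set to "%1" %*), assumes a clean profile has no per-user override of those keys, and treats Image File Execution Options "Debugger" values as the likely way named AV tools get redirected, which the thread itself does not state.

```powershell
# Added example for this thread, not code from the posts. Audits (and with -Repair restores)
# the .exe file-association keys that rogue AV families commonly hijack, and lists IFEO
# Debugger values that redirect named programs. Run from an elevated PowerShell.
# Assumption: stock XP/Vista/7 defaults; a clean system has no per-user override keys.
param([switch]$Repair)

$ExpectedCommand = '"%1" %*'   # stock default of HKCR\exefile\shell\open\command
$Findings = @()

function Get-DefaultValue([string]$Key) {
    # Returns the (Default) value of a registry key, or $null if the key is absent.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-Item -LiteralPath $Key).GetValue('')
}

function Set-DefaultValue([string]$Key, [string]$Value) {
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    Set-Item -LiteralPath $Key -Value $Value
}

# 1. Machine-wide association: what HKCR shows when no per-user override exists.
$hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
$ext  = Get-DefaultValue "$hklm\.exe"
$cmd  = Get-DefaultValue "$hklm\exefile\shell\open\command"
if ($ext -ne 'exefile')        { $Findings += "HKLM .exe handler is '$ext' (expected 'exefile')" }
if ($cmd -ne $ExpectedCommand) { $Findings += "HKLM exefile open command is '$cmd' (expected '$ExpectedCommand')" }
if ($Repair) {
    Set-DefaultValue "$hklm\.exe" 'exefile'
    Set-DefaultValue "$hklm\exefile\shell\open\command" $ExpectedCommand
}

# 2. Per-user overrides. HKCU\Software\Classes takes precedence over HKLM when the two are
#    merged into HKCR, so a hijack planted here survives a "correct-looking" HKLM check.
#    Assumption: none of these keys exist on a clean profile, so removing them is safe.
$userKeys = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\.exe',
    'Registry::HKEY_CURRENT_USER\Software\Classes\exefile',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe'
)
foreach ($k in $userKeys) {
    if (Test-Path -LiteralPath $k) {
        $Findings += "per-user .exe override present: $k"
        if ($Repair) { Remove-Item -LiteralPath $k -Recurse -Force }
    }
}

# 3. Image File Execution Options: a Debugger value under <program>.exe makes Windows start
#    that "debugger" instead of the program, which is one way to block named AV tools.
#    Only reported, not removed: legitimate debuggers use the same key.
$ifeo = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) { $Findings += "IFEO Debugger set for $($_.PSChildName): $dbg (review manually)" }
}

if ($Findings.Count -eq 0) { 'No .exe association or IFEO hijack found.' } else { $Findings }
```

Run it once without -Repair to see what it finds, then with -Repair after you are satisfied the HKLM values really are the hijacked ones. If the .exe association is already broken, double-clicking will not start powershell.exe either; start it from a process that is already running, such as a command prompt opened via Safe Mode with Command Prompt, or a launcher renamed to .com as the post describes. The IFEO entries are listed rather than deleted because a real debugger or an administrator's own redirect uses exactly the same value.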