Rogue AV "AVG Antivirus 2011"

Franklin · #1 January 29th, 2011, 12:53 PM

avg.exe - 5/43 - MD5 : e17a9937cb0314c22aeba5804727151f

Bleeping Removal Guide

Name: One.JPG
Views: 1269
Size: 25.0 KB

Name: Three.JPG
Views: 1268
Size: 59.6 KB

Name: Four.JPG
Views: 1266
Size: 18.2 KB

CloneRanger · #2 January 29th, 2011, 02:27 PM

Interesting how the've gone to the trouble of using AVG icons, but then funny how they list it as Dr.Web

It would still fool at lot of people though, and i guess it already has

Ibrad · #3 January 29th, 2011, 02:31 PM

They can't seem to make up their mind, do they want to copy AVG or Dr. Web

Noob · #4 January 29th, 2011, 07:18 PM

Hahaha, next generation Fake AV's now completely emulating real AV GUI!!

Phant0m · #5 January 30th, 2011, 12:57 AM

This must be circulating quickly, I had to already deal with this AVG rogue yesterday on one of my clients computer.

To me, for visual wise, it looks completely different than the real thing.

However, to my client, it was very, very convincing. When he called up about this problem with AVG, he basically said that this AVG is overrunning his computer, it loaded up on his computer automatically and it rendered useless the McAfee. He went onto saying “AVG shouldn’t be allowed to do this, should be criminal!”, and I said, from the sounds of things, I believe you have a AVG rogue infection, the real AVG wouldn’t display such malicious behavior.

Went out, I removed it, and addressed McAfee problems, checked for recent updates, received the recent updates and then his ISP decided to suspend his Internet account just at the moment I was getting ready to leave for home. Contacted his ISP, gave client information, mention ISP modem loss of Internet connectivity, and I was informed that the clients account was suspended due to a payment being missed recently.

Noob · #6 January 30th, 2011, 03:23 AM

LOL what a pain, now you will have to go back

Hahaha IMO that GUI is more than enough to disguise most people!

#7 January 30th, 2011, 07:34 AM

Better GUI than the original

safeguy · #8 January 31st, 2011, 04:12 PM

It looks ugly. I'm wondering if the original AVG itself has added this to their database/signatures...

MrBrian · #9 January 31st, 2011, 10:15 PM

FakeXPA raises a few brows

Daveski17 · #10 February 2nd, 2011, 07:38 AM

F-Secure's take on the rogue AVG.

safeguy · #11 February 2nd, 2011, 08:50 PM

Quote:

Aside from AVG's logo, the rogue's interface bears no resemblance to that of the legit AVG Anti-Virus Free Edition 2011.

Imagine how many more people will be duped if it resembles the real thing...

EliteKiller · #12 February 3rd, 2011, 03:13 PM

I've removed the fake AVG 2011 from one XP Pro SP3 pc and one Vista HP SP2 pc. After the removal flash player is not listed as an add-on in IE8. However it continues to work in Firefox 3.6.13. I've tried the following:

1) Ran the flash uninstaller
2) Ran CCleaner
3) Downloaded and installed the full flash activex installer

This did not resolve the issue. Add-on is not listed and flash will not play on any website.

4) Ran the subinacl fix - no change
5) Uninstall IE8 and revert to IE6 - no change
6) Reinstall IE8 - no change
7) Tried to uninstall/reinstall flash again - no change

Ran the XP fixpolicies fix - no change

I have not tried a repair install, but at this point I am stumped.

egomoo · #13 February 15th, 2011, 08:09 PM

I have tried to remove fake AVG Antivirus 2011 using Safe Returner

It will fix the hijack of broswer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe

4everybody · #14 February 16th, 2011, 08:19 PM

Did anyone find out whats causing This ?? I believe that the Rogue AVG does some changes in Registry or any, WHich Apparantly making IE not to play Any videos. Other browsers plays the video without any issues & IE alone Alerts like, Cannot Find flash player.

If Any got a fix for this, please do let everyone know the same.

Regards,
4Everybody

Quote:

Originally Posted by EliteKiller

I've removed the fake AVG 2011 from one XP Pro SP3 pc and one Vista HP SP2 pc. After the removal flash player is not listed as an add-on in IE8. However it continues to work in Firefox 3.6.13. I've tried the following:

1) Ran the flash uninstaller
2) Ran CCleaner
3) Downloaded and installed the full flash activex installer

This did not resolve the issue. Add-on is not listed and flash will not play on any website.

4) Ran the subinacl fix - no change
5) Uninstall IE8 and revert to IE6 - no change
6) Reinstall IE8 - no change
7) Tried to uninstall/reinstall flash again - no change

Ran the XP fixpolicies fix - no change

I have not tried a repair install, but at this point I am stumped.

egomoo · #15 February 16th, 2011, 10:19 PM

Do Please check the value about

{D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB} is the CLSID of shockwave flash object

the path in the registry

Quote:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB}]

Or you could use my fix code (just copy it and save to a notepad as fix.reg)

Quote:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB}]
"Compatibility Flags"=dword:00000010

EliteKiller · #16 February 16th, 2011, 10:52 PM

@egomoo

Unfortunately your suggestion did not resolve the issue. The dword and value you listed was already intact on the pc that had the rogue AVG removed. Removing the key and adding the reg file had no change. Using IE8 and visiting Hulu still displays "Hulu requires Flash Player 10.0.32 or higher. Please download and install the latest version of Flash Player before continuing."

egomoo · #17 February 17th, 2011, 02:12 AM

o,I'm sorry

In my test,I use a Windows XP sp2 machine

maybe the CLSID is different about Flash Player 10

But the key is below

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

CloneRanger · #18 February 17th, 2011, 02:31 AM

@ EliteKiller

Hi, i've had similar problems in the past. Sometimes it "might" be due to not allowing some scripting, or all, and/or iframes, and/or refferer/s. Also now it seems we have to allow PlugInContainer as well

As you said FF is ok, i'm only posting that info in case others would like to know, if they don't already

As for IE, have you looked in Options at the settings ? The following is on IE6.

Name: v.gif
Views: 650
Size: 10.8 KB

Also something such as MruBlaster etc could be blocking it ?

4everybody · #19 February 17th, 2011, 12:55 PM

All the Above Steps, failed to Fix it. Anything else to Try ??

mjlk · #20 February 17th, 2011, 04:01 PM

Quote:

Originally Posted by 4everybody

All the Above Steps, failed to Fix it. Anything else to Try ??

Adobe Forums :
-http://forums.adobe.com/message/3454998#3454998-

EliteKiller · #21 February 17th, 2011, 08:37 PM

Quote:

Originally Posted by mjlk

Adobe Forums :
-http://forums.adobe.com/message/3454998#3454998-

Thanks for sharing that link.

- Uninstalling using the flash removal tool ~ reboot
- reinstall flash 9 ~ reboot
- uninstall flash again using the removal tool ~ reboot
- install flash 10 ~ reboot

The trick was definitely uninstalling flash and installing the old version 9 first. All of the reboots may not be necessary, but I did them anyhow and flash now works on the pc that was infected with the fake AVG 2011.

Ibrad · #22 February 19th, 2011, 07:19 PM

Just saw on the Panda Cloud forum that a user reported that got a sample just like this except AVG Antivirus is was Dr. Web Antivirus for Windows 2011.

John Bull · #23 February 19th, 2011, 07:51 PM

I suppose I`ll get a few kicks, but here goes.

These AVG look-a-likes not only look like fakes, but smell like them. Yes they will fool a lot of people if they are silly enough to click anything, but to the more experienced user, their behaviour is a joke.

OK, a false threat panel can pop up and cause concern with perhaps ONE infection message, but 22 !! I cannot stop laughing. After months of web activity and no daily/weekly scans, it just MAY be possible, but even that is stretching it a little.

Use Sandboxie all the time and these cowboy`s can paint AVG or Dr.Web Picasso`s all over the screen. Just completely ignore them, delete the sandbox contents and away they go down the plug hole - Glug Glug. No infection in sight. Next one please.

John

I have added this footnote to provide some fact in case my main comments are taken as one of JB`s joy-rides.

Over the past few months, I have had TWO fake AVG alerts pop up inside SBxie. Of course I knew they were the work of some freak. All I did was delete the contents of the sandbox, shut down SBie and FF, then checked my REAL AVG. NOTHING there of course and a quick scan with HMP and MBAM was clear.

So all I can say is "Roll up, roll up you hackers, you `aint going nowhere". Just use SBxie then you can forget all these pretty pictures from the rogues gallery.

zfactor · #24 February 19th, 2011, 09:39 PM

my mother AND my mother in law both got hit with this today my mom is running nis2011 and my mother in law is running avast and they both let it right through. arghhhh now i have work tomm to remove this garbage. they BOTH got it while on their facebook page

zfactor · #25 February 20th, 2011, 08:34 PM

VERY NICE well i was going to have to fix this on my mother in law's computer but this morning she turned it on and said it took a while to come on and then when it did avast popped up and said it found and fixed a threat and suggested a reboot. she did and the avg antivirus was no longer there. i did double check to make sure it was gone and it was except 2 leftover reg entries i deleted otherwise it cleaned it all up. very nice and thank you avast

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search