Rogue AV "AVG Antivirus 2011"

Discussion in 'malware problems & news' started by Franklin, Jan 29, 2011.

Thread Status:
Not open for further replies.
  1. Franklin (Registered Member)

  2. CloneRanger (Registered Member)

    Interesting how they've gone to the trouble of using AVG icons, but then funny how they list it as Dr.Web :D

    It would still fool a lot of people though, and I guess it already has :(
  3. Ibrad (Registered Member)

    They can't seem to make up their mind, do they want to copy AVG or Dr. Web :p
  4. Noob (Registered Member)

    Hahaha, next generation fake AVs now completely emulating real AV GUIs!! :D
  5. Phant0m (Registered Member)

    This must be circulating quickly; I already had to deal with this AVG rogue yesterday on one of my clients' computers.

    To me, visually, it looks completely different from the real thing.

    However, to my client, it was very, very convincing. When he called up about this problem with AVG, he basically said that this AVG was overrunning his computer, it loaded up on his computer automatically and it rendered McAfee useless. He went on to say “AVG shouldn’t be allowed to do this, should be criminal!”, and I said, from the sounds of things, I believe you have an AVG rogue infection; the real AVG wouldn’t display such malicious behavior.

    Went out, removed it, and addressed the McAfee problems, checked for recent updates, received the recent updates, and then his ISP decided to suspend his Internet account just at the moment I was getting ready to leave for home. Contacted his ISP, gave the client information, mentioned the ISP modem's loss of Internet connectivity, and I was informed that the client's account was suspended due to a payment being missed recently.
  6. Noob (Registered Member)

    LOL what a pain, now you will have to go back :rolleyes:

    Hahaha IMO that GUI is more than enough to disguise most people!
  7. carat (Guest)

    Better GUI than the original :D
  8. safeguy (Registered Member)

    It looks ugly. I'm wondering if the original AVG itself has added this to their database/signatures...
  9. MrBrian (Registered Member)

  10. Daveski17 (Registered Member)

  11. safeguy (Registered Member)

    Imagine how many more people will be duped if it resembles the real thing...
  12. EliteKiller (Registered Member)

    I've removed the fake AVG 2011 from one XP Pro SP3 PC and one Vista HP SP2 PC. After the removal, Flash Player is not listed as an add-on in IE8. However, it continues to work in Firefox 3.6.13. I've tried the following:

    1) Ran the Flash uninstaller
    2) Ran CCleaner
    3) Downloaded and installed the full Flash ActiveX installer

    This did not resolve the issue. The add-on is not listed and Flash will not play on any website.

    4) Ran the subinacl fix - no change
    5) Uninstalled IE8 and reverted to IE6 - no change
    6) Reinstalled IE8 - no change
    7) Tried to uninstall/reinstall Flash again - no change
    8) Ran the XP fixpolicies fix - no change

    I have not tried a repair install, but at this point I am stumped.
  13. egomoo (Registered Member)

    I have tried to remove fake AVG Antivirus 2011 using Safe Returner.

    It will fix the hijack of the browser at

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe


  14. 4everybody (Registered Member)

    Did anyone find out what's causing this?? I believe that the rogue AVG makes some changes in the registry or elsewhere, which apparently stop IE from playing any videos. Other browsers play the video without any issues, and IE alone alerts with something like "Cannot find Flash Player".

    If anyone has got a fix for this, please do let everyone know.

    Regards,
    4Everybody

  15. egomoo (Registered Member)

    Please check the value of

    {D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB}, which is the CLSID of the Shockwave Flash object,

    at the path in the registry


    Or you could use my fix code (just copy it and save to a notepad as fix.reg)

  16. EliteKiller (Registered Member)

    @egomoo

    Unfortunately, your suggestion did not resolve the issue. The DWORD and value you listed were already intact on the PC that had the rogue AVG removed. Removing the key and adding the reg file made no change. Using IE8 and visiting Hulu still displays "Hulu requires Flash Player 10.0.32 or higher. Please download and install the latest version of Flash Player before continuing."
  17. egomoo (Registered Member)

    Oh, I'm sorry.

    In my test, I used a Windows XP SP2 machine.

    Maybe the CLSID is different for Flash Player 10.

    But the key is below:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
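Added example (not from any poster in this thread): a read-only PowerShell check that ties together the two registry locations mentioned above. It lists every Image File Execution Options entry carrying a Debugger value, which is the standard mechanism behind an IFEO hijack like the chrome.exe key in post 13, and tests whether the kill bit (Compatibility Flags 0x400) is set on the Flash CLSID quoted in post 15. It assumes the hijack uses the Debugger value and only inspects the native hive (not WOW6432Node on 64-bit Windows).

```powershell
# Added audit script, not from the thread. Read-only: it reports and changes nothing.
# Assumption: the browser hijack discussed here uses the standard IFEO "Debugger"
# value, which makes Windows start the named program instead of the target image.
$ifeo       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$flashClsid = '{D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB}'   # Shockwave Flash Object CLSID quoted in the thread
$killBit    = 0x400                                      # Compatibility Flags bit that blocks a control in IE

function Get-IfeoDebuggers {
    # Every IFEO subkey that carries a Debugger value. On a clean machine this is
    # normally empty apart from entries a developer or diagnostic tool added on purpose.
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

function Test-ActiveXKillBit {
    param([string]$Clsid)
    # The kill bit lives in "Compatibility Flags" under ActiveX Compatibility\<CLSID>.
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }          # no entry at all means no kill bit
    return (($flags -band $killBit) -ne 0)
}

$hits = Get-IfeoDebuggers
if ($hits) {
    Write-Output 'IFEO Debugger entries found (verify each one is expected):'
    $hits | Format-Table -AutoSize
} else {
    Write-Output 'No IFEO Debugger entries found.'
}

if (Test-ActiveXKillBit -Clsid $flashClsid) {
    Write-Output "Kill bit is set on $flashClsid - IE will refuse to load the Flash control."
} else {
    Write-Output "No kill bit set on $flashClsid."
}
```

Run it from an elevated PowerShell prompt; on a 64-bit system repeat the two lookups under the WOW6432Node paths to cover the 32-bit IE and registry view.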
  18. CloneRanger (Registered Member)

    @ EliteKiller

    Hi, I've had similar problems in the past. Sometimes it "might" be due to not allowing some scripting, or all, and/or iframes, and/or referrer(s). Also now it seems we have to allow PluginContainer as well :( As you said FF is ok; I'm only posting that info in case others would like to know, if they don't already ;)

    As for IE, have you looked in Options at the settings? The following is on IE6.

    Also, something such as MruBlaster etc. could be blocking it?
  19. 4everybody (Registered Member)

    All the above steps failed to fix it. Anything else to try??
  20. mjlk (Registered Member)

    Adobe Forums :
    -http://forums.adobe.com/message/3454998#3454998-
  21. EliteKiller (Registered Member)

    Thanks for sharing that link.

    - Uninstalled using the Flash removal tool ~ reboot
    - Reinstalled Flash 9 ~ reboot
    - Uninstalled Flash again using the removal tool ~ reboot
    - Installed Flash 10 ~ reboot

    The trick was definitely uninstalling Flash and installing the old version 9 first. All of the reboots may not be necessary, but I did them anyhow, and Flash now works on the PC that was infected with the fake AVG 2011. :D
  22. Ibrad (Registered Member)

    Just saw on the Panda Cloud forum that a user reported getting a sample just like this, except instead of AVG Antivirus it was Dr. Web Antivirus for Windows 2011.
  23. John Bull (Registered Member)

    I suppose I'll get a few kicks, but here goes.

    These AVG look-alikes not only look like fakes, but smell like them. Yes, they will fool a lot of people if they are silly enough to click anything, but to the more experienced user, their behaviour is a joke.

    OK, a false threat panel can pop up and cause concern with perhaps ONE infection message, but 22!! I cannot stop laughing. After months of web activity and no daily/weekly scans, it just MAY be possible, but even that is stretching it a little.

    Use Sandboxie all the time and these cowboys can paint AVG or Dr.Web Picassos all over the screen. Just completely ignore them, delete the sandbox contents and away they go down the plug hole - Glug Glug. No infection in sight. Next one please.

    John

    I have added this footnote to provide some fact in case my main comments are taken as one of JB's joy-rides.

    Over the past few months, I have had TWO fake AVG alerts pop up inside SBxie. Of course I knew they were the work of some freak. All I did was delete the contents of the sandbox, shut down SBie and FF, then checked my REAL AVG. NOTHING there of course, and a quick scan with HMP and MBAM was clear.

    So all I can say is "Roll up, roll up you hackers, you ain't going nowhere". Just use SBxie and then you can forget all these pretty pictures from the rogues' gallery.
    Last edited: Feb 20, 2011
  24. zfactor (Registered Member)

    My mother AND my mother-in-law both got hit with this today. My mom is running NIS 2011 and my mother-in-law is running Avast, and they both let it right through. Arghhhh, now I have work tomorrow to remove this garbage. They BOTH got it while on their Facebook page.
  25. zfactor (Registered Member)

    VERY NICE. Well, I was going to have to fix this on my mother-in-law's computer, but this morning she turned it on and said it took a while to come on, and then when it did, Avast popped up and said it found and fixed a threat and suggested a reboot. She did, and the AVG antivirus was no longer there. I did double-check to make sure it was gone, and it was, except for 2 leftover registry entries I deleted; otherwise it cleaned it all up. Very nice, and thank you Avast.