Rogue AV "AVG Antivirus 2011"

Discussion in 'malware problems & news' started by Franklin, Jan 29, 2011.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,704
    Interesting how they've gone to the trouble of using AVG icons, but then funny how they list it as Dr.Web :D

    It would still fool a lot of people though, and I guess it already has :(
     
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,926
    They can't seem to make up their mind, do they want to copy AVG or Dr. Web :p
     
  4. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    Hahaha, next generation Fake AVs now completely emulating real AV GUIs!! :D
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,493
    Location:
    Canada
    This must be circulating quickly; I already had to deal with this AVG rogue yesterday on one of my clients' computers.

    To me, visually, it looks completely different than the real thing.

    However, to my client, it was very, very convincing. When he called up about this problem with AVG, he basically said that this AVG was overrunning his computer, that it loaded up on his computer automatically and that it rendered McAfee useless. He went on to say "AVG shouldn't be allowed to do this, it should be criminal!", and I said, from the sounds of things, I believe you have an AVG rogue infection; the real AVG wouldn't display such malicious behavior.

    Went out, removed it, and addressed the McAfee problems, checked for recent updates, received the recent updates, and then his ISP decided to suspend his Internet account just at the moment I was getting ready to leave for home. Contacted his ISP, gave the client information, mentioned the ISP modem's loss of Internet connectivity, and I was informed that the client's account was suspended due to a payment being missed recently.
     
  6. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,464
    LOL what a pain, now you will have to go back :rolleyes:

    Hahaha IMO that GUI is more than enough to disguise most people!
     
  7. carat

    carat Guest

    Better GUI than the original :D
     
  8. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,584
    It looks ugly. I'm wondering if the original AVG itself has added this to their database/signatures...
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    7,219
    Location:
    Lloegyr
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,584
    Imagine how many more people will be duped if it resembles the real thing...
     
  12. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    I've removed the fake AVG 2011 from one XP Pro SP3 pc and one Vista HP SP2 pc. After the removal flash player is not listed as an add-on in IE8. However it continues to work in Firefox 3.6.13. I've tried the following:

    1) Ran the flash uninstaller
    2) Ran CCleaner
    3) Downloaded and installed the full flash activex installer

    This did not resolve the issue. Add-on is not listed and flash will not play on any website.

    4) Ran the subinacl fix - no change
    5) Uninstall IE8 and revert to IE6 - no change
    6) Reinstall IE8 - no change
    7) Tried to uninstall/reinstall flash again - no change
    8) Ran the XP fixpolicies fix - no change

    I have not tried a repair install, but at this point I am stumped.
     
  13. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    I have tried to remove fake AVG Antivirus 2011 using Safe Returner.

    It will fix the browser hijack:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
     


  14. 4everybody

    4everybody Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    2
    Did anyone find out what's causing this? I believe that the rogue AVG makes some changes in the registry or elsewhere, which apparently stop IE from playing any videos. Other browsers play the video without any issues; IE alone alerts with something like "Cannot find Flash Player".

    If anyone has a fix for this, please let everyone know.

    Regards,
    4Everybody

     
  15. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    Please check the value for

    {D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB}, which is the CLSID of the Shockwave Flash object,

    at this path in the registry:


    Or you could use my fix code (just copy it and save to a notepad as fix.reg)

     
  16. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    @egomoo

    Unfortunately your suggestion did not resolve the issue. The dword and value you listed were already intact on the pc that had the rogue AVG removed. Removing the key and adding the reg file made no change. Using IE8 and visiting Hulu still displays "Hulu requires Flash Player 10.0.32 or higher. Please download and install the latest version of Flash Player before continuing."
     
  17. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    Oh, I'm sorry.

    In my test I used a Windows XP SP2 machine.

    Maybe the CLSID is different for Flash Player 10.

    But the key is below:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
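    The two registry locations discussed in this thread, the Image File Execution Options key for chrome.exe (post 13) and the ActiveX Compatibility key for the Flash CLSID (posts 15 and 17), are worth auditing on a cleaned machine before reinstalling anything. The PowerShell below is an added example, not code posted by anyone in this thread; it assumes the Flash CLSID given above and Microsoft's documented kill-bit flag (0x400 in "Compatibility Flags"), and it only reports, so you can decide what to remove.

    ```powershell
    # Added example (not from the thread): audit the two registry locations named
    # above for the kind of entries a rogue AV leaves behind. Run as Administrator.
    # Assumed: the Flash CLSID from the thread; 0x400 is the documented ActiveX kill bit.

    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $axc  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $flashClsid = '{D2F97240-C9F4-11CF-BFC4-00A0C90C2BDB}'
    $killBit = 0x400

    function Get-IfeoDebuggers {
        # A "Debugger" value under IFEO makes Windows launch the named program instead
        # of (and with) the listed exe. Legitimate uses exist, so report, do not delete blindly.
        Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
            if ($dbg) {
                [PSCustomObject]@{ Executable = $_.PSChildName; Debugger = $dbg }
            }
        }
    }

    function Test-FlashKillBit {
        # Returns $true if the kill bit is set for the Flash ActiveX control, which makes
        # IE refuse to load it (the "cannot find Flash Player" symptom described above).
        $key = Join-Path $axc $flashClsid
        if (-not (Test-Path $key)) { return $false }
        $flags = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags) { return $false }
        return (($flags -band $killBit) -ne 0)
    }

    Write-Host '== IFEO Debugger entries (expect none on a clean workstation) =='
    Get-IfeoDebuggers | Format-Table -AutoSize

    Write-Host "== ActiveX kill bit for Flash ($flashClsid) =="
    if (Test-FlashKillBit) {
        Write-Host 'Kill bit SET: IE will not load the Flash control.'
        Write-Host 'To clear it after confirming the entry is unwanted:'
        Write-Host "  Remove-ItemProperty -Path '$axc\$flashClsid' -Name 'Compatibility Flags'"
    } else {
        Write-Host 'Kill bit not set; look elsewhere (e.g. the IE add-on list, Flash reinstall).'
    }
    ```

    An IFEO entry whose Debugger points at an unexpected executable is the same mechanism as the chrome.exe hijack mentioned in post 13, so any such row deserves a look before the browser is trusted again.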
     
  18. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,704
    @ EliteKiller

    Hi, I've had similar problems in the past. Sometimes it "might" be due to not allowing some scripting, or all, and/or iframes, and/or referrer(s). Also now it seems we have to allow PlugInContainer as well :( As you said FF is ok; I'm only posting that info in case others would like to know, if they don't already ;)

    As for IE, have you looked in Options at the settings? The following is on IE6.

    [Screenshots of the IE6 options: v.gif, ie.gif]

    Also, could something such as MruBlaster etc. be blocking it?
     
  19. 4everybody

    4everybody Registered Member

    Joined:
    Nov 24, 2010
    Posts:
    2
    All the above steps failed to fix it. Anything else to try??
     
  20. mjlk

    mjlk Registered Member

    Joined:
    Jul 30, 2009
    Posts:
    7
    Adobe Forums:
    -http://forums.adobe.com/message/3454998#3454998-
     
  21. EliteKiller

    EliteKiller Registered Member

    Joined:
    Jan 18, 2007
    Posts:
    1,138
    Location:
    TX
    Thanks for sharing that link.

    - Uninstalling using the flash removal tool ~ reboot
    - reinstall flash 9 ~ reboot
    - uninstall flash again using the removal tool ~ reboot
    - install flash 10 ~ reboot

    The trick was definitely uninstalling flash and installing the old version 9 first. All of the reboots may not be necessary, but I did them anyhow and flash now works on the pc that was infected with the fake AVG 2011. :D
     
  22. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,926
    Just saw on the Panda Cloud forum that a user reported getting a sample just like this, except that instead of AVG Antivirus it was Dr. Web Antivirus for Windows 2011.
     
  23. John Bull

    John Bull Registered Member

    Joined:
    Nov 22, 2009
    Posts:
    904
    Location:
    London UK
    I suppose I'll get a few kicks, but here goes.

    These AVG look-alikes not only look like fakes, but smell like them. Yes, they will fool a lot of people if they are silly enough to click anything, but to the more experienced user, their behaviour is a joke.

    OK, a false threat panel can pop up and cause concern with perhaps ONE infection message, but 22!! I cannot stop laughing. After months of web activity and no daily/weekly scans, it just MAY be possible, but even that is stretching it a little.

    Use Sandboxie all the time and these cowboys can paint AVG or Dr.Web Picassos all over the screen. Just completely ignore them, delete the sandbox contents and away they go down the plug hole - Glug Glug. No infection in sight. Next one please.

    John

    I have added this footnote to provide some fact in case my main comments are taken as one of JB's joy-rides.

    Over the past few months, I have had TWO fake AVG alerts pop up inside SBxie. Of course I knew they were the work of some freak. All I did was delete the contents of the sandbox, shut down SBie and FF, then checked my REAL AVG. NOTHING there of course, and a quick scan with HMP and MBAM was clear.

    So all I can say is "Roll up, roll up you hackers, you ain't going nowhere". Just use SBxie, then you can forget all these pretty pictures from the rogues' gallery.
     
    Last edited: Feb 20, 2011
  24. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    5,862
    Location:
    on my zx10-r
    My mother AND my mother-in-law both got hit with this today. My mom is running NIS 2011 and my mother-in-law is running Avast, and they both let it right through. Arghhhh, now I have work tomorrow to remove this garbage. They BOTH got it while on their Facebook page.
     
  25. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    5,862
    Location:
    on my zx10-r
    VERY NICE. Well, I was going to have to fix this on my mother-in-law's computer, but this morning she turned it on and said it took a while to come on, and then when it did, Avast popped up and said it found and fixed a threat and suggested a reboot. She did, and the AVG antivirus was no longer there. I did double check to make sure it was gone, and it was, except for 2 leftover reg entries I deleted; otherwise it cleaned it all up. Very nice, and thank you Avast.
     