Rogue ... antivirus 2009

Discussion in 'malware problems & news' started by Chuck57, Jul 31, 2008.

Thread Status:
Not open for further replies.
  1. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    No point to this post, except maybe to say BEWARE.

    My wife's new laptop, Vista SP1 with McAfee Security Suite, somehow got infected with a monster called Antivirus 2009. We don't have the slightest idea how, unless via some email video or through one of her music CDs, although the music stuff is on her XP desktop with no problems. McAfee Security Suite didn't catch it - obviously. From what I gather during a search for a solution, no antivirus program can remove this very, very pesky program.

    We've battled with it for several hours now, and finally came up with something called Malwarebytes' Anti-Malware, or something like that, and are in the process of running it. Hopefully this MBAM will fix the problem.

    Maybe this will convince her to install Sandboxie or maybe geswall if it stops these things. I've tried for a year to get her to use Sandboxie with no luck.
     
  2. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Chuck, actually I was able to remove this same piece of crap from a neighbor's system with Avast, SAS, and MBAM all smacking it around. Avast did have to do it during a reboot, but it did remove it. The residuals were killed off by SAS and MBAM.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    Hopefully MBAM can help.
    You could also try SAS.
    Also have a look at Rogue Removal Kit (get it here)

    I hope you solve your problem, keep us posted :thumb:
     
  4. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    My wife goofed. She told me after we got rid of it with SAS that when it appeared she had tried to uninstall it. I think that was a mistake. This thing was a nightmare that cost us the entire evening.

    MBAM removed 2 files. When we finished, it re-appeared.

    SuperAntiSpyware got rid of a large number of files scattered all over the place. So far, after 15 minutes and a reboot, it hasn't come back.

    Sorry if this post doesn't make a lot of sense. It's almost 2AM Mountain Time here and I'm wasted from fighting it.

    This program tries to extort money from you in order to be able to remove it. Seems like that ought to be illegal.

    Thanks HURST and dw426 for the SuperAntiSpyware suggestion. It seems to have worked. I'm praying that tomorrow when she boots up, it doesn't show its nasty self. I told her this wouldn't have happened with Sandboxie and got a dirty look.
     
  5. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Wouldn't hurt at all to run another scan in safe mode, and assuming all is well following, to delete your system restore points, just to be sure. (System restore can be re-enabled following a reboot.)
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Completely forgot about System Restore :ouch: Sometimes viruses/spyware can copy themselves to a System Restore point and it'll keep coming back. Delete the points first, then do a safe mode scan.
     
  7. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Never thought of fixing system restore. I'll get into Vista and see how it's done, then gently explain to my wife why it needs to be done.
     
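    The restore-point and safe-mode steps suggested in the three posts above, written out for an elevated PowerShell prompt on Vista or Windows 7. This is an added example, not something posted in the thread. It assumes PowerShell 2.0 or later (for Disable-/Enable-ComputerRestore and Checkpoint-Computer), a system drive of C:, and the stock vssadmin and bcdedit tools; the function names are the example's own. Note the caveat: wiping restore points does not remove an active infection by itself, it only stops a later System Restore from bringing the rogue's files back, which is why the safe-mode scan still has to happen in between.

```powershell
# Added example (not from the thread): purge System Restore points, boot into
# Safe Mode for the scanner run, then return to normal boot and take a fresh,
# clean restore point. Assumes an elevated PowerShell 2.0+ prompt and that
# Windows lives on C: (assumption; adjust $SystemDrive if not).

$SystemDrive = 'C:'

function Assert-Elevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell prompt.'
    }
}

function Remove-AllRestorePoints {
    # Destructive: every rollback point on the drive is lost. Show them first so
    # the operator knows what is being thrown away.
    vssadmin list shadows /for=$SystemDrive
    # Disable-ComputerRestore deletes the existing points for the drive; vssadmin
    # clears any shadow copy that is still lingering afterwards.
    Disable-ComputerRestore -Drive "$SystemDrive\"
    vssadmin delete shadows /for=$SystemDrive /all /quiet
}

function Set-SafeModeNextBoot {
    # Braces are quoted so PowerShell does not read {current} as a script block.
    bcdedit /set '{current}' safeboot minimal
    Write-Output 'Next boot is Safe Mode (minimal). Reboot, run the MBAM/SAS scan, then run Restore-NormalBoot.'
}

function Restore-NormalBoot {
    # Run after the Safe Mode scan: clear the safeboot flag, turn System Restore
    # back on and create a known-clean baseline point.
    bcdedit /deletevalue '{current}' safeboot
    Enable-ComputerRestore -Drive "$SystemDrive\"
    Checkpoint-Computer -Description 'Clean baseline after rogue AV removal' -RestorePointType MODIFY_SETTINGS
}

# Phase 1 (before the scan):
Assert-Elevated
Remove-AllRestorePoints
Set-SafeModeNextBoot
# Restart-Computer   # uncomment when ready to reboot into Safe Mode

# Phase 2 (after the scan, in a new elevated prompt): Restore-NormalBoot
```

Both `Disable-ComputerRestore` and `vssadmin delete shadows` are irreversible; if there is any chance a pre-infection restore point is wanted for comparison, image the drive first, as Osaban suggests later in the thread.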
  8. Osaban

    Osaban Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    4,222
    Chuck, I don't want to state the obvious, but you ought to consider having a clean image to restore your system, particularly considering that your machines are new.
     
  9. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Good point, Osaban. I'd considered just the restore disc that came with Dell for myself, since I've only downloaded Office Ultimate and IE7 Pro.

    My wife, though, has loaded her machine with various programs she works with. The problem is getting her to download a good imaging program. I can't get her to install Sandboxie. I thought this last thing - which apparently came in an email graphic - would do it. Nope, not yet.
     
  10. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Time to show tough love, lol. If she won't take measures of prevention, then when the next infection comes (and it will, lol), tell her she's on her own :thumb: :D A couple of nights on the couch is worth it, trust me.
     
  11. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I agree, but that's a tough call on the wifey. I would end up in the dog house if I refused to help my wife. *puppy*
     
  12. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543

    She either learns not to be a happy clicker and take precautions or she loses her data, there's no gray area. Everyone, sing! *whistles* "Hi Ho, Hi Ho, it's off to the couch he goes!"
     
  13. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I noticed if you search Google for "avira mcafee antivirus benchmark", like this:

    http://www.google.com/search?hl=en&safe=off&q=avira mcafee antivirus benchmark

    ...the 4th link down (tliness.100webspace.....) leads to this crap. The link is titled Avk Antivirus, so they probably catch a lot of people, especially when placed so high in Google's search results. I backed out of their popup boxes and never downloaded anything, but if you aren't paying attention...
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Here it is, and some will run even if you close it with the X.
     

    Attached Files:

    Last edited: Aug 6, 2008
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Testing with Sandboxie; take a look at the Exe.
     

    Attached Files:

  16. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Some more screens
     

    Attached Files:

  17. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sandboxie
     

    Attached Files:

  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Sandboxie was set to delete on invocation, but it seemed to be stuck upon browser close. Perhaps I did not wait long enough; I forced deletion. Everything appears fine, but I will scan and post back.
     
    Last edited: Aug 7, 2008
  19. wat0114

    wat0114 Guest

    My daughter stumbled upon a similar one last night while searching for Webkinz toys. She called me over so, just for kicks, I only went as far as seen in the screenshots before backing out. It's one of those rogue companies that warns your pc is running slow then offers to scan it for free. It comes up with fake malware and advises you to install their product, after which you can only remove them if you pay. Look very closely at the shots and in two of them you can spot the poor syntax/grammar - a telltale sign of a bogus product. Also of interest is what it does to the browser's window, shrinking it and/or moving it across the screen in an attempt to hide the "close" button.

    This one goes on to "scan" after hitting cancel or close.
     

    Attached Files:

    Last edited by a moderator: Aug 7, 2008
  20. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Seeing lots of the "Antivirus 2009" these days. Some people actually paid for the full version. Of course they were still stuck with malware and out $40!!

    bill
     
  21. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    As I thought Sandboxie passes.:thumb:
     
  22. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    I'm seeing and hearing a lot about it, too. Besides my wife, we've learned of a couple of people who were infected, and when I went searching for a fix, forums were full of people whose computers were infected. It's more annoying than some viruses.
     
  23. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yep, the poor syntax/grammar, and passable if looked at quickly. What a shame the scams that go on. Good thing your daughter is very wise to stop and not click away. :)
     
  24. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    GesWall failed: found files in user/appdata, and AV 2009 was running in the system tray. GesWall at medium and high. Scan results from SAS after completion:

    SAS results: 1 in memory, 0 registry, 19 files
     
    Last edited: Aug 7, 2008
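    A read-only triage pass that checks the two places the post above found the rogue (dropped files under the user's AppData folders and a running process in the tray) plus the autostart registry keys that would bring it back after the reboot Chuck describes earlier. This is an added example, not code from the thread or from any of the products named in it. It assumes PowerShell 2.0 or later; the seven-day window, the folder list and the function names are the example's own choices, and nothing here deletes anything.

```powershell
# Added example (not from the thread): persistence triage after a rogue AV
# cleanup on a Vista/7-era machine. Read-only. Assumes PowerShell 2.0+.
# The 7-day window and the set of extensions are assumptions to tune.

function Get-AutorunEntries {
    # The standard per-machine and per-user Run/RunOnce keys.
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $prop.Name
                Command = [string]$prop.Value
            }
        }
    }
}

function Get-AppDataAutoruns {
    # Autorun commands that point into AppData are the first thing to inspect:
    # legitimate software rarely lives there on a machine of this era.
    Get-AutorunEntries | Where-Object {
        $_.Command -match [regex]::Escape($env:APPDATA) -or
        $_.Command -match [regex]::Escape($env:LOCALAPPDATA)
    }
}

function Get-RecentAppDataExecutables {
    param([int]$Days = 7)   # assumption: widen if the infection is older
    $cutoff = (Get-Date).AddDays(-$Days)
    $roots  = @($env:APPDATA, $env:LOCALAPPDATA) | Where-Object { $_ -and (Test-Path $_) }
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and
                $_.Extension -match '^\.(exe|dll|scr|com)$' -and
                $_.LastWriteTime -ge $cutoff
            } |
            Select-Object FullName, Length, LastWriteTime
    }
}

function Get-ProcessesFromAppData {
    # A rogue sitting in the system tray shows up as a live process whose image
    # path is under AppData. Path can be empty for protected processes; ignore those.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Path -and
            ($_.Path -like "$env:APPDATA\*" -or $_.Path -like "$env:LOCALAPPDATA\*")
        } |
        Select-Object Id, ProcessName, Path
}

'== Autorun entries =='
Get-AutorunEntries | Format-Table Key, Name, Command -AutoSize
'== Autorun entries pointing into AppData =='
Get-AppDataAutoruns | Format-Table Key, Name, Command -AutoSize
'== Executables written under AppData in the last 7 days =='
Get-RecentAppDataExecutables | Format-Table -AutoSize
'== Running processes whose image is under AppData =='
Get-ProcessesFromAppData | Format-Table -AutoSize
```

Run it once before the scanners and once after the Safe Mode reboot; an entry that survives both, or a process that reappears after the scanners report clean, is what SAS and MBAM should be pointed at next.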
  25. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    :eek: :eek: :eek: :eek:

    I'm glad Sandboxie passed, and very surprised GesWall failed on just a rogue... is there anything special on it that might cause GesWall to fail? Can anyone confirm this finding? (If nobody has, I could test it by Friday.)
     