Plz tell me the name of this virus

That's not a virus, that's a popup. Isn't it?

The screenshot further up the thread is generally a pop-up which can of course be closed without being infected, but tends to download the fake anti-virus suite, especially if you click on one of the 'virus' warnings and don't have a decent anti-virus/up to date browser.
 
Speaking about the 'fake antivirus' programme itself. I can say as someone who is running a completely legitimate copy of XP Pro which is fully patched to SP3 and with all the other additional updates, who's got Avast AV installed, was using a fully up to date copy of FireFox 3.6 with ABP running along with the other addons I use on a daily basis, i.e. NoScript etc. Even though I had all of that, I was surfing a website about a fortnight ago and the following happened.

Up popped ZoneAlarm and asked if I would like to permit av.exe access OUT of my computer. My first thought was, who would call their product 'av.exe'? It looked to me as though it was a 'made up name'. I can't explain why, but I was suspicious, so I launched another browser tab and typed into Google 'av.exe remove'. At that the popup disappeared without me clicking anything, up popped a pop-up that said 'extracting to Temporary Internet Files', then Windows Security popped up and bang! I was infected with the program. It literally came out of my Temporary Internet Files and got access to my computer using Windows Ruddy Security, a program that's supposed to damn well protect me, yet there it was telling me that the very program that was infecting me was in fact THEIR programme and it was 'RECOMMENDED BY MICROSOFT', which I thought was somewhat ironic. Once the install had completed, it told me to go to some website and input my details so that they could get rid of the infection for me. Of course as soon as they infected me they disconnected me from the internet, leaving me with what was essentially a 'dumb terminal'. So much for their intelligence. :(

I moved over to my other computer and was able to search more for the programme, and after being advised to use MalwareBytes to remove the infection, there started the game of getting the damn thing to shut down so that I could actually execute the programme, as it simply would not permit me to run anything on the box at all; as soon as I tried it would pop up some 'protection' in order to 'protect you from further infection'. I rebooted the computer, pressed F8 and entered 'safe mode', then simply moved 'combofix' downloaded from bleepingcomputer.com, and it took around 10 minutes removing the program from my system. Of course once it was finished, I found myself installing a few programmes to ensure that the infection was removed. One of those was the one program I would suggest anyone installs, that being 'Spyware Search & Destroy'; a quick Google search found me a link and boom, it was installed. Then a reboot later it brought a nice surprise for me. It didn't have the opportunity to do anything as the damn virus was back. I was somewhat stunned to be looking at the same program that I thought combofix had removed for me. Back to safe mode via F8 and once again I got busy with combofix, I rebooted and then ran MalwareBytes and got another surprise, this time I got several of them. Along with Spyware Search and Destroy I downloaded another stalwart of spyware removal, that being AdAware, both found via a Google search and downloaded from what I was sure was the correct sites.
However, on closer inspection I found I had actually downloaded both Spyware Search and Destroy and AdAware from CLONE websites which serve up these programmes. They are in fact simply CLONES of the real programmes but instead were infected programmes, so I actually reinfected myself with the problem I thought I had gotten rid of. The ONLY programmes I could find that I could trust were ComboFix and MalwareBytes, but make sure that you download them from legitimate websites, i.e. http://www.bleepingcomputer.com/combofix/how-to-use-combofix and http://www.malwarebytes.org/. All others shouldn't be trusted, as you can hide whatever you like behind a URL and you don't know what you're getting until you've downloaded them.

Since getting infected, I now either surf using a Virtual Machine or, if I'm in a hurry, behind a browser protected by Sandboxie. After witnessing the way the program actually got around all the defences I had in place, having trusted them due to previous good experience, I noticed that despite all that previous trust, when I needed them I was let down. On that basis Sandboxie seems somewhat safer; at least I can control what gets onto my computer now, as I get the end of session 'do you wish to recover the contents of your browser' question.

HTH
 

Honestly, a virus doesn't just 'get through'. You must have been on dodgy websites, clicked on something, run something, agreed to something, run an attachment, etc.

Either the above, or you had an out of date browser/OS which was exploited, or there's something you're not mentioning in your post above.

There's really no need to be browsing through a virtual machine/Sandboxie if you have a decent anti-virus & up-to-date software and don't click on anything silly etc.
 
We have had this one on a work machine; the user had been surfing a free mp3 site.

It doesn't really infect everything once you get it! I had, in the space of 5 seconds, 40 virus alerts, and each location of the file was different.

Just lifted the station and reimaged just to be sure it was fully gone.
 

To be honest, if that was me, I would have turned my computer off and formatted it.

You can never be sure these things are fully gone.