• Is there a real solution to the AV.EXE nightmare


    #467069

    This past week and weekend I was hit multiple times by a fake anti-virus (AV.EXE) program that’s actually a really nasty piece of malware. It mimics the look of Windows security warnings and functions. There are ways to delete it but they are time consuming and require running Safe Mode with Networking and up to four different removal tools (MalwareBytes, SurfRight HitmanPro, MS Security Essentials and SpyBot S&D).

    My question is: I was using the latest version of Firefox and still got nailed even though I was only on the Social Wallpaper site. From what I’ve read, this menace hijacks the browser. My question then is what must I turn off (Java? Flash? ActiveX?) to stop this from ever getting me again? Don’t tell me to run better protection because I had ESET NOD32 running each time. I have now removed ESET and am using just MS Security Essentials as recommended. I’m loath to trust just Microsoft but I’ve read none of the heavily advertised solutions (Symantec, Trend Micro, McAfee, etc.) are any better at safeguarding against this attack.

    Suggestions as to how to protect the browser? FYI: Chrome seems to be OK but I only used it to download the removal weapons. I won’t use IE since I know it is a sieve. I’d like to be able to trust Firefox if there is some way to make it safe for all surfing again.

    • #1211542

      If you got this as a drive by it’s probably because Windows was not patched, not because Firefox had an issue or your AV missed it.
      If you got it because you clicked Yes to a question then there is nothing anyone can do – apart from removing your mouse. ;-))

      cheers, Paul

      • #1211582

        If you got this as a drive by it’s probably because Windows was not patched, not because Firefox had an issue or your AV missed it.
        If you got it because you clicked Yes to a question then there is nothing anyone can do – apart from removing your mouse. ;-))

        cheers, Paul

        I have Windows set to keep itself updated. Inasmuch as Microsoft indicates the system is current with all patches, that was not the issue.
        Not clicking Yes to a question might make more sense had I not stated I was on the Social Wallpaper site where clicking just votes an image up/down.
        Perhaps I should have added I’ve been around computers since 1970 and even know what Doug Engelbart did to earn a place at your table. 🙂

    • #1211555

      Are you using the NoScript plugin for Firefox? I have it installed and never allow scripts for any site unless I trust the site implicitly; and I trust very few sites.

      Another thing I have found helpful is DropMyRights:
      http://download.cnet.com/DropMyRights/3000-2144_4-10722877.html

      I set up my wife’s computer to run email and Firefox using DropMyRights and the reduced rights help a lot with preventing bad things from happening.
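The same reduced-rights idea, as an added example that is not from this thread or from DropMyRights itself: Windows ships runas.exe with a /trustlevel switch that starts a program under a restricted SAFER token, which is the mechanism DropMyRights wraps. The Firefox path is assumed to be the default install location; adjust it for your system.

```powershell
# Added example, not code from the thread or from DropMyRights.
# runas.exe /trustlevel starts a program with a restricted (SAFER) token.
# Assumption: Firefox is installed at the default path below.
$browser = 'C:\Program Files\Mozilla Firefox\firefox.exe'

# Show the trust levels this Windows build supports.
# 0x20000 is "Basic User", 0x40000 is "Unrestricted".
runas /showtrustlevels

# Start the browser as Basic User. In the resulting token the Administrators
# group is marked "deny only" and admin-only privileges are removed, so a
# drive-by that hijacks the browser cannot write under Program Files,
# System32 or HKLM. It can still write anywhere the user can (the profile,
# HKCU), so this limits damage rather than preventing infection.
runas /trustlevel:0x20000 $browser

# Verify from inside a restricted shell: BUILTIN\Administrators should be
# listed with "Group used for deny only".
runas /trustlevel:0x20000 'cmd.exe /k whoami /groups'
```

This matters most for accounts that are members of Administrators, and on XP where there is no UAC; a standard user on Vista or 7 already runs the browser without administrative rights.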

      • #1211583

        Are you using the NoScript plugin for Firefox? I have it installed and never allow scripts for any site unless I trust the site implicitly; and I trust very few sites.

        Another thing I have found helpful is DropMyRights:
        http://download.cnet.com/DropMyRights/3000-2144_4-10722877.html

        I set up my wife’s computer to run email and Firefox using DropMyRights and the reduced rights help a lot with preventing bad things from happening.

        Thanks for the tip re Firefox “NoScript” plugin. I’ll give that a try. Much appreciated.

      • #1211831

        Are you using the NoScript plugin for Firefox? I have it installed and never allow scripts for any site unless I trust the site implicitly; and I trust very few sites.

        I just added Noscript, thanks for the info.

    • #1211567

      If your problem has anything to do with the rather nasty AntiVir 2010 (or similar names) then this Bleeping Computer guide How to Remove Antivir, Antivir 2010, and Antivir Antivirus might be of interest. It seems to me to be the most definitive procedure I have yet come across…

      BATcher

      Plethora means a lot to me.

    • #1211573

      What version of Java are you using? I would recommend the latest version, which patches known problems with prior releases and may preclude the possibility of a script on a web page running and installing the software. You might want to uninstall older versions, too, just to be safe. Normally, these programs are installed by the user because of a popup saying that their computer may be compromised and no spyware/malware software has been detected – do you want to fix this? You click on the box and it installs. But, you say, I clicked on the red X icon to close the popup or selected the box that said “exit” or “whatever” – well, these can also be bogus (part of the overall image) and still install the software. The only possibly safe way to exit the popup would be to close the browser session, or use Task Manager to close it.
      Another freebie program you might try is SpywareBlaster. It works mostly as a preventive program that restricts ActiveX controls and certain DLLs from running in IE and Firefox.
      http://www.javacoolsoftware.com/spywareblaster.html
      You will have to manually download updates every so often, select the “enable all protection” buttons, then close the program and you’re done. Just repeat the process once or twice a month, or so.
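Finding the older Java releases the post says to uninstall, as an added example that is not from this thread: this lists every Java runtime recorded in the Windows uninstall registry, in both the 32-bit and 64-bit views, and flags everything but the newest as stale. It assumes the installers registered under the standard Uninstall keys with a DisplayName beginning “Java” or “J2SE”, as the Sun/Oracle packages did.

```powershell
# Added example, not code from the thread. Enumerate installed Java runtimes
# from the Windows uninstall registry so stale, unpatched JREs can be removed.
# Assumption: Java installers register under the standard Uninstall keys with
# a DisplayName starting "Java" or "J2SE".
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Wow6432Node does not exist on 32-bit Windows; ignore that error.
$java = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^(Java|J2SE)' } |
    Where-Object { $_.DisplayVersion -as [version] } |
    Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString |
    Sort-Object { [version]$_.DisplayVersion } -Descending

$java | Format-Table -AutoSize

# Everything after the first (newest) entry is a leftover older release.
# Print its uninstall command rather than running it unattended.
$java | Select-Object -Skip 1 | ForEach-Object {
    "Stale: $($_.DisplayName) $($_.DisplayVersion) -> $($_.UninstallString)"
}

# Which runtime is actually first on PATH. java.exe prints its version to
# stderr, so merge the streams.
if (Get-Command java -ErrorAction SilentlyContinue) { & java -version 2>&1 }
```

Removing the old entries still leaves the browser plugin enabled for whichever runtime remains; disabling the Java plugin in Firefox’s Add-ons Manager, as the original poster did, closes that path regardless of version.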

      • #1211587

        What version of Java are you using? I would recommend the latest version, which patches known problems with prior releases and may preclude the possibility of a script on a web page running and installing the software. You might want to uninstall older versions, too, just to be safe. Normally, these programs are installed by the user because of a popup saying that their computer may be compromised and no spyware/malware software has been detected – do you want to fix this? You click on the box and it installs. But, you say, I clicked on the red X icon to close the popup or selected the box that said “exit” or “whatever” – well, these can also be bogus (part of the overall image) and still install the software. The only possibly safe way to exit the popup would be to close the browser session, or use Task Manager to close it.
        Another freebie program you might try is SpywareBlaster. It works mostly as a preventive program that restricts ActiveX controls and certain DLLs from running in IE and Firefox.
        http://www.javacoolsoftware.com/spywareblaster.html
        You will have to manually download updates every so often, select the “enable all protection” buttons, then close the program and you’re done. Just repeat the process once or twice a month, or so.

        I now have Java switched off just as a prophylactic measure. That was the first step after getting the system back up. Thanks for the confirmation Java may be a problem.

        FYI: Closing the AV.EXE program via Task Manager doesn’t help. As soon as I saw the first sign of trouble I killed everything that truly wasn’t critical via Task Manager.

    • #1211586

      If you got it because you clicked Yes to a question then there is nothing anyone can do – apart from removing your mouse. ;-))

      And, even the red X or cancel button is not safe to click on since it may have been reprogrammed to mean yes in any case. Safest when prompted unexpectedly is to go into task manager and kill the browser (or whatever the vector is) there.

      • #1211722

        And, even the red X or cancel button is not safe to click on since it may have been reprogrammed to mean yes in any case. Safest when prompted unexpectedly is to go into task manager and kill the browser (or whatever the vector is) there.

        Unfortunately Task Manager doesn’t kill it either. While malicious, this is a carefully crafted bit of code in that it convincingly mimics the look and feel of Windows’ warnings and circumvents the prudent steps a user employs to avoid infection.

        I’m not lauding the programmer as s/he is despicable. They should earn a living using their talents more intelligently.

    • #1211783

      And, even the red X or cancel button is not safe to click on since it may have been reprogrammed to mean yes in any case. Safest when prompted unexpectedly is to go into task manager and kill the browser (or whatever the vector is) there.

      Unfortunately Task Manager doesn’t kill it either. While malicious, this is a carefully crafted bit of code in that it convincingly mimics the look and feel of Windows’ warnings and circumvents the prudent steps a user employs to avoid infection.

      I was referring the Task Manager method to a period prior to the acquisition of the malware – when the initial prompt displayed, if any were made, then use Task Manager to kill Firefox without any further interaction with the browser. You’ve progressed beyond that point, if that was the path, and Task Manager is subsequently not a useful tool in that respect.

    • #1213351

      I just found this reference. It may be too late but perhaps it will help others.

      • #1213359

        I just found this reference. It may be too late but perhaps it will help others.

        Thank You — They recommend a variation on what I did.

        The inference in the article that a user has to be technically naive to get infected by this one is both condescending and misleading. The reason I posted here was I executed all the right steps… never clicked anything except right mouse on the task bar to access Task Manager. I proceeded to kill everything and then rebooted. 99.9% of the time that approach is sufficient to thwart any attack as the “message” is a screen display until it tricks the user into inadvertently installing it. However, as I have since learned, this bit of code seems to hijack via Java and the browser. Running the NoScript add-on to Firefox seems to work although I am not about to visit Social Wallpaper (a heretofore benign website) to press my luck.

        Unless the definition of porn has changed, desktop images of landscapes are not usually considered erotic. That said, I never got the full story on ‘the birds and the bees’ so perhaps mountains, sunsets, oceans and rivers are hardcore for some creatures.

    • #1213385

      It’s been my observation, as a red-blooded North American male of single and unattached status (harrumph harrumph!!), that while there certainly are many threats on the dark side of the Internet street, far and away, or at least equally as much, social networking sites are the real pot of potential ill-gotten gains. There was a recent story of a person’s Facebook account being hacked and so access to that person’s friend network was established, and I’m sure it’s pretty obvious how successfully malware can be spread then with contextually pertinent content between “friends.” Facebook, Twitter, MySpace, YouTube… hackers are going to go where the richest feeding grounds are. We have to recognize it from that perspective and not from a site content perspective.

      • #1213395

        … social networking sites are the real pot of potential ill-gotten gains.

        No doubt you are correct… however in this case, the name of the site is just that: a name. There is no social interaction.

    • #1213420

      social networking sites are the real pot of potential ill-gotten gains. There was a recent story of a person’s facebook account being hacked and so access to that person’s friend network was established

      Steve Gibson in his podcast “Security Now #239” talks about a serious hack involving access to a corporation through a social networking site, second or third hand, from an employee with access via a VPN laptop. An interesting listen. I think it was Facebook or something like that.

    • #1213535

      desktop images of landscapes

      Sounds like it was a download site though…

      • #1213541

        Sounds like it was a download site though…

        Not for me but I can see how that would be a logical conclusion. In my case, I listen to audiobooks and just allow my eyes to wander. Sometimes the juxtapositions between words and images are interesting; other instances quite amusing as the words collide with the vista.
