Prevention against Antivirus System Pro?


6 replies to this topic

#1 tom_rand

Posted 28 November 2009 - 07:42 PM

I've now had a second XP SP3 box get hit by Antivirus System Pro - as before, with no discernible user action to instigate the attack. Both were running Norton AV, current version with all the updates. The OS and Internet Explorer were both at the latest patch levels. With all that in place the systems still went down.

In each case, the infection took out the safe mode boot option. In one case it required a full restore of XP. In one case it took out Norton AV as a working tool on the box.

What is the proper way to prevent this from happening? I'm looking at the other boxes around here and wondering how to protect them (other than backups, backups, backups).

Thanks.

#2 faye32

Posted 28 November 2009 - 07:50 PM

I am dealing with this for the first time tonight on a box that is not mine. I'd say this would probably affect your box if you don't have the following:

A browser that is not IE. Disable your IE! Use Firefox.

I like to use NoScript and AdBlock Plus for Firefox (these are add-on extensions that run inside of Firefox). Both of these would block the primary scripts that start off the pop-ups for this malicious software. It installs after one of the pop-ups is clicked, through scripts in the browser.

I have Comodo Firewall at home. It is the best firewall for my needs. It is a lot less invasive than Spybot's TeaTimer and uses less CPU in the background. I am pretty sure it's doing more protection than Avast or Avira could primarily do in preventive care. It won't work properly if it isn't configured properly, though. When configured to be over-protective it may seem naggy. I think it's worth it, though, given how much of a hassle it is to get rootkits off your PC! It will warn you of changes to the registry, programs trying to change COM interfaces, and programs trying to access the internet (which may be just fine if it's a program you're installing willingly and with knowledge, but something like Antivirus System Pro, no).

Also, honestly? Teaching the users of the boxes to not just click any link in Google would be helpful too.

Could you give me some information on how you removed it? I still haven't gotten this thing off. But it's running alongside other things as well. *sigh* I might have to reinstall Windows.

Edited by faye32, 28 November 2009 - 07:51 PM.


#3 tom_rand

Posted 28 November 2009 - 09:33 PM

For removal, I followed the advice of this board's leaders: renamed MBAM and ran it, used SuperAntiSpyware, used rkill. If you Ctrl-Alt-Del as the system is coming up, you can see the processes of the system monitor and kill them, giving you a window for executing MBAM etc.

The second machine was left completely unbootable. I had to do the repair of XP just to boot normally, let alone safe mode. For that, I followed
http://www.informationweek.com/story/showA...cleID=189400897
which was great except that my system never fully rebooted and I had to yank the power out.

I've given up on IE, but I have no greater comfort dealing with Safari.

And for the record, the user who hit this problem was using webkinz, not an adult site.

#4 Nawtheasta

Posted 28 November 2009 - 10:10 PM

Hello
I would not know what to advise to be sure one avoids infection. I would make a comparison that programs that protect us from viruses and malware are like a foxhole for a soldier. Is he protected? Yes. Does that mean nothing bad can happen? Unfortunately no.
I like to check Drudge during the day to see what is going on. Recently I clicked on a story about Mars. It brought me to Breitbart, which seems like a safe news site. Immediately a PDF started opening (weird) and IE (which I do not use) tried to connect to the internet. My McAfee firewall asked for permission, which I denied and blocked.
I checked my permissions list and the program that tried to get access was OP {1}
Which on investigation is listed as cloaked malware. I also found some reference to Breitbart being hacked.
I use Firefox and I have McAfee SiteAdvisor installed. I only click on those links shown in Google that have the green check. Interestingly enough, SiteAdvisor gives Breitbart a green check. Other visits to Breitbart did not give a problem. It may be that safe sites can be hacked for a short time and then the bad guys leave.
Unfortunately the PC world is awash with malware. The Am I Infected forum has 76 topics just today! The Mac forum, on the other hand, has only 23 topics since February and only a couple of these touch on malware. I am seriously thinking of going in the Mac direction.
So how best to protect? Surf safe, as they suggest here on BC. I, for one, do not do any banking from my computer. Not worth the risk.
Keep the firewall on the highest practical setting.
Educate any users to never allow access if your firewall asks permission for an unknown or unexpected program to connect to the internet. You can always change your mind if you determine later that the program was legit. Also, any weird warnings should only be closed with Ctrl-Alt-Delete.
And the most important of all: always be courteous and respectful to the volunteer experts at BC for their time, efforts and help when we eventually get hit by the bad guys.
Best Regards
Nawtheasta

#5 faye32

Posted 29 November 2009 - 09:53 AM

> For removal, I followed the advice of this board's leaders: renamed MBAM and ran it, used SuperAntiSpyware, used rkill. If you Ctrl-Alt-Del as the system is coming up, you can see the processes of the system monitor and kill them, giving you a window for executing MBAM etc.


I believe the computer I was working on yesterday has the latest variant of the virus. It already had too many startup items beforehand, so it had become impossible, with the lack of RAM plus Antivirus System Pro's havoc, to even function, at 100% CPU consistently. Seeing how it wasn't my computer, I couldn't tell which startup items were legit or malware. I used the exact method you describe to try to get rid of it, but by closing some processes I might have closed the Antivirus System Pro processes before rkill. I am doubtful though; I am pretty sure rkill was doing it. MBAM came up with nothing. SuperAntiSpyware only found two tracking cookies. I did find something in Application Data though and deleted it. After that the pop-up menu with options for a false antivirus program disappeared, but the browser hijacking was still remaining.

> I've given up on IE, but I have no greater comfort dealing with Safari.


Again, Firefox wins over all.

> And for the record, the user who hit this problem was using webkinz, not an adult site.

It might have been on the computer before they reached that site. If it did come from Webkinz, and if that is a legit site, it probably came from an advertisement on their site. AdBlock Plus on Firefox would have blocked it.

I'm sure this is a pain for a large number of people, but it just shows how vulnerable script security still is on most computers. I have heard a lot about it coming from people trying to download illegal music (Google search for some music titles, clicking links to scam sites for free downloads). When I say don't click any link in Google, I mean it! SiteAdvisor from McAfee is okay and good as a precaution in clicking links in Google. There's also an add-on or something that lets you preview Google pages in an image on the Google search, but I forget the name at the moment.

For the average user it APPEARS to look exactly like their regular Windows Security Center. They probably won't know the difference, and as most would happily just reinstall Windows or use System Restore first before trying to learn about it, they'll probably just contract it again in time. Or something similar. If you are more informed about how scripts in your browser work, and have some internet search smarts, you won't have these problems very often or at all. And block the ads. If you want to support the sites you DO trust, AdBlock can replace the ads on their site only for you. But what if they get hijacked? I say death to ads.

Edited by faye32, 29 November 2009 - 09:54 AM.


#6 amoreEK

Posted 29 November 2009 - 10:55 AM

I'm piggybacking off this thread because I am also having a problem with Antivirus System Pro. This is my first post to this site and I'm not tech savvy, so I'm hoping someone can give me a "layman's" response to my problem.

The other day, my laptop was hijacked with this malicious piece of junk. I found the fix on BleepingComputer, but I can't run the fix as instructed because this thing hijacked my IE browser. Each time I try to go to the website to download rkill, I get redirected to the System Pro website, which reads "Internet Explorer Warning - visiting this website may harm your computer". I tried making the bleepware site my homepage, but to no avail.

Can someone advise as to how it might be possible to work around this problem and be able to follow the bleepingcomputer instructions for getting rid of this problem? Thanks.

#7 tom_rand

Posted 29 November 2009 - 01:01 PM

You need to Ctrl-Alt-Del at the very beginning of the startup, right after you put in your password to start Windows. Then watch for and kill the processes it starts up, and you can get in to run your programs. Get the files, then reboot into safe mode (if you can) and run them.
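The two situations described in posts #6 and #7 (a browser that is redirected away from the support site, and a box where you have to kill the rogue's processes by hand before MBAM or rkill can run) both come down to finding what the rogue has planted. The script below is an added example, written for this page; it is not code from the thread, from BleepingComputer, or from rkill, MBAM or SuperAntiSpyware, and the thread does not say which of these mechanisms Antivirus System Pro actually uses. It parses three things you can capture from a partly usable machine and flags the usual hiding places: a logon Run entry whose program lives in a user-writable directory, hosts-file lines that block or redirect a real site, and running processes launched from Temp or Application Data. Assumptions made here: the `reg query` text layout (name, REG_ type, data on one indented line), a `wmic process get ExecutablePath,ProcessId /format:csv` header of `Node,ExecutablePath,ProcessId`, and the list of "user-writable" directory names. Every sample input, hostname and path in the block is constructed for the example.

```python
"""Offline triage helpers for a rogue-AV style infection (added example).

Nothing here removes anything; it only parses text captured from the box
and reports what deserves a look before you kill processes or run tools.
All sample inputs are constructed, not captured from a real infection.
"""
import csv
import io
import re
from pathlib import PureWindowsPath

# Directory names an ordinary user can write to (XP and later layouts).
# Assumption for this example: a logon-run program or live process under one
# of these is suspect; legitimate OS components live under %SystemRoot%.
USER_WRITABLE_MARKERS = {"application data", "local settings", "temp", "appdata"}

# Names that legitimately appear in a clean hosts file.
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# One `reg query` value line:  <indent>name<ws>REG_xxx<ws>data
_REG_VALUE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
# Pull the program path out of the data: either a quoted path or up to .exe
_EXE_IN_DATA = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.exe)', re.IGNORECASE)


def is_user_writable_path(path):
    """True if any component of a Windows path is a user-writable directory name."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return not parts.isdisjoint(USER_WRITABLE_MARKERS)


def suspicious_run_entries(reg_query_output):
    """Parse `reg query <Run key>` text; return (value_name, exe_path) pairs
    whose program sits in a user-writable directory."""
    hits = []
    for line in reg_query_output.splitlines():
        m = _REG_VALUE.match(line)
        if not m:
            continue                      # key header, blank line, etc.
        data = m.group("data").strip()
        e = _EXE_IN_DATA.match(data)
        exe = (e.group("q") or e.group("u")) if e else data
        if is_user_writable_path(exe):
            hits.append((m.group("name"), exe))
    return hits


def hosts_redirects(hosts_text):
    """Return (ip, hostname) for every non-local name in a hosts file.
    A loopback mapping for a real site blocks it; any other address redirects it."""
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() not in LOCAL_HOSTNAMES:
                found.append((ip, name))
    return found


def suspicious_processes(wmic_csv):
    """Parse `wmic process get ExecutablePath,ProcessId /format:csv` output
    (assumed header Node,ExecutablePath,ProcessId); return (pid, path) for
    processes running from user-writable directories."""
    reader = csv.DictReader(io.StringIO(wmic_csv.strip()))
    return [
        (int(row["ProcessId"]), row["ExecutablePath"])
        for row in reader
        if row["ExecutablePath"] and is_user_writable_path(row["ExecutablePath"])
    ]


# ---- constructed sample inputs (hypothetical names and paths) ----
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    C:\Documents and Settings\tom\Application Data\updater\svc.exe /silent
"""

SAMPLE_HOSTS = """
127.0.0.1       localhost
::1             localhost
# constructed: the kind of entry that makes a support site unreachable
127.0.0.1       www.security-vendor.example
"""

SAMPLE_WMIC = """
Node,ExecutablePath,ProcessId
XPBOX,C:\\WINDOWS\\explorer.exe,1480
XPBOX,C:\\Documents and Settings\\tom\\Local Settings\\Temp\\av.exe,2044
"""

if __name__ == "__main__":
    for name, exe in suspicious_run_entries(SAMPLE_RUN_KEY):
        print("run entry:", name, "->", exe)
    for ip, host in hosts_redirects(SAMPLE_HOSTS):
        print("hosts:", host, "->", ip)
    for pid, path in suspicious_processes(SAMPLE_WMIC):
        print("process:", pid, path)
```

On a real machine you would feed it the saved output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM equivalent), the contents of `%SystemRoot%\system32\drivers\etc\hosts`, and the wmic listing, captured during the window post #7 describes. A hosts-file block explains the symptom in post #6 only if the support site's name appears there; if it does not, look at the browser's proxy settings next.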
