
New rogue called Antivirus IS in the wild


11 replies to this topic

#1 Grinler
Lawrence Abrams
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 01 October 2010 - 03:58 PM

A new rogue called Antivirus IS has been released and is being propagated through fake online anti-malware sites as well as malware that silently installs it onto your computer. This rogue is part of the Security Suite family of rogue anti-spyware programs. This rogue utilizes false scan results, fake alerts, and browser hijackings in order to scare you into purchasing the program. Antivirus IS has been out for about a week, but this is the first chance we have had to actually analyze the sample. A link to a removal guide can be found below.

#2 Eyesee
Bleepin Teck Shop
  • BC Advisor
  • 3,545 posts
  • Gender:Male
  • Location:In the middle of Kansas

Posted 01 October 2010 - 06:00 PM

I saw this beast on a laptop yesterday.
A farmer about 5 miles from where I live got it.

As always, Grinler is dead on for removal:
  • Boot safe mode
  • Run Rkill
  • Run Malwarebytes. I always do the full scan and run SuperAntiSpyware at the same time.
  • Reset the proxy in IE

Thanks Grinler!!
In the beginning there was the command line.
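The last step in Eyesee's list, resetting the proxy in IE, is the one people most often skip, and a hijacked proxy is exactly what leaves a cleaned machine unable to reach the web in normal mode. Below is an added example of how to inspect and reset it from PowerShell. It is not code from this thread, from BleepingComputer's removal guide, or from any of the tools named above. The registry key and value names are the documented WinINET "Internet Settings" values, and the two option codes passed to wininet.dll are the wininet.h constants INTERNET_OPTION_SETTINGS_CHANGED (39) and INTERNET_OPTION_REFRESH (37). The "suspicious" heuristic (a proxy pointing at the local machine, or any auto-config URL on a home PC) is an assumption made for illustration, not a documented trait of Antivirus IS.

```powershell
# Added example (not from the thread): audit and reset the per-user WinINET proxy
# that Internet Explorer and anything else built on WinINET honours.
# Run as the affected user; works on Windows PowerShell 2.0 and later.
$InetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IEProxyState {
    # Read the values a hijacker typically touches. Absent values come back $null.
    $p = Get-ItemProperty -Path $InetKey -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = $p.ProxyEnable     # DWORD: 1 = manual proxy on
        ProxyServer   = $p.ProxyServer     # e.g. "http=127.0.0.1:1234" or "host:port"
        ProxyOverride = $p.ProxyOverride   # bypass list
        AutoConfigURL = $p.AutoConfigURL   # PAC script URL, if any
    }
}

function Test-IEProxySuspicious {
    param($State)
    # Heuristic (assumption, not a documented rule): a manual proxy that loops
    # back to this machine, or any PAC URL on a home PC, deserves a closer look.
    $server = [string]$State.ProxyServer
    ($State.ProxyEnable -eq 1 -and $server -match '127\.0\.0\.1|localhost') -or
    (-not [string]::IsNullOrEmpty([string]$State.AutoConfigURL))
}

function Reset-IEProxy {
    param([switch]$WhatIf)
    $before = Get-IEProxyState
    Write-Host ("Before: ProxyEnable={0} ProxyServer='{1}' AutoConfigURL='{2}'" -f
        $before.ProxyEnable, $before.ProxyServer, $before.AutoConfigURL)
    if (Test-IEProxySuspicious $before) { Write-Warning 'Proxy configuration looks hijacked.' }
    if ($WhatIf) { Write-Host 'Dry run: no changes made.'; return $before }

    # Disable the manual proxy and remove the server and PAC settings outright.
    Set-ItemProperty -Path $InetKey -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $InetKey -Name $name -ErrorAction SilentlyContinue
    }

    # Tell WinINET to re-read its settings so already-open IE windows pick up
    # the change without a logoff. Option IDs are from wininet.h.
    if (-not ('ProxyReset.WinINet' -as [type])) {
        $sig = @'
[DllImport("wininet.dll", SetLastError = true)]
public static extern bool InternetSetOption(IntPtr hInternet, int dwOption, IntPtr lpBuffer, int dwBufferLength);
'@
        Add-Type -MemberDefinition $sig -Name 'WinINet' -Namespace 'ProxyReset' | Out-Null
    }
    [void][ProxyReset.WinINet]::InternetSetOption([IntPtr]::Zero, 39, [IntPtr]::Zero, 0)  # SETTINGS_CHANGED
    [void][ProxyReset.WinINet]::InternetSetOption([IntPtr]::Zero, 37, [IntPtr]::Zero, 0)  # REFRESH

    $after = Get-IEProxyState
    Write-Host ("After:  ProxyEnable={0} ProxyServer='{1}'" -f $after.ProxyEnable, $after.ProxyServer)
    $after
}

# Inspect first, then reset once you have seen what was there:
#   Reset-IEProxy -WhatIf
#   Reset-IEProxy
Reset-IEProxy -WhatIf
```

Run it with -WhatIf first so the hijacked value is recorded before it is wiped; that string is the one piece of evidence worth keeping from this step. Two caveats a practitioner would want: the script only touches the current user's hive, so if the proxy has been forced machine-wide (the ProxySettingsPerUser policy value under HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings set to 0) the same values live under HKLM instead, and resetting the proxy before the rogue's process is killed is pointless, since it will simply write the setting back, which is why Rkill comes earlier in the list.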

#3 Welshmally
  • Members
  • 9 posts

Posted 03 October 2010 - 06:23 AM

Hi there,

Just got this (new to forum) and followed all (extremely excellent!) instructions. No joy. How do I upload a Hijackthis log please?

WM

#4 Grinler
Lawrence Abrams
  • Topic Starter
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 03 October 2010 - 08:28 AM

What problems did you have with the instructions? Did MBAM not see the infection?

#5 Welshmally
  • Members
  • 9 posts

Posted 03 October 2010 - 08:59 AM

It did, and removed them, but exactly the same thing has occurred - I'm running in safe mode at present as I can't connect in normal mode. And I'm REALLY frustrated!!! :-)

#6 Grinler
Lawrence Abrams
  • Topic Starter
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 03 October 2010 - 09:26 AM

So mbam removed it and then it came back? Did it come back immediately or later in the day?

#7 Welshmally
  • Members
  • 9 posts

Posted 03 October 2010 - 10:08 AM

Right away - and again when I repeated the process. I've gone onto Secunia and done a scan - it says that Java and Adobe are the most vulnerable applications I'm running, and the virus entered when Java started up.

When I ran rkill it came up with 2 files that had been infected (as did MBAM when I first ran it - but nothing on the 2nd and 3rd tries).

It's all a bit worrying as I use MSE and Malwarebytes and scan/update at least weekly, and MSE seems to be disabled in normal mode.

Let me know if you need more info - I'm painting doors this afternoon - a break to check your replies is very welcome!!!! :thumbsup:
WM

BTW I am always amazed at how many folks like you offer free advice to computer-ignorants like me. Always MUCH appreciated.

#8 Grinler
Lawrence Abrams
  • Topic Starter
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 03 October 2010 - 10:49 AM

Did you update adobe and java? It could be that you are cleaning the infection and then being reinfected by a site that you visit. It could also be mbam not picking up a new variant. Feel free to send me a hijackthis log via pm so I can see if there are any files that are not being picked up.

Note: No one else should send me a hijackthis file.

#9 greyseal2012
  • Members
  • 7 posts
  • Gender:Male
  • Location:West Yorkshire

Posted 09 October 2010 - 06:56 AM

Hi - Just like to say - I have the same problem - followed the instructions above and the virus is still there. mbam picked up 144 infected files during a scan. I disconnected my on-line access before rebooting. I'm now back in safe mode with all the fake warnings from MS and McAfee popping up. I need to get my head around this one - it's been a long night :thumbsup: PS - the OS on the infected laptop is vista - McAfee is the antivirus.

Edited by greyseal2012, 09 October 2010 - 07:01 AM.


#10 Grinler
Lawrence Abrams
  • Topic Starter
  • Admin
  • 43,640 posts
  • Gender:Male
  • Location:USA

Posted 09 October 2010 - 08:20 AM

PM me a hijackthis log from safe mode. I will see if i can spot the malware process.

#11 jazboy
  • Members
  • 15 posts

Posted 10 October 2010 - 03:05 PM

My wife was watching some online videos last week and got this virus. It was a real pain to remove. First of all, neither my wife nor I had any idea about this spyware, and none of the websites were working on my notebook. I wasn't sure whether this was spyware or some trojan attack. I tried to remove it but it wouldn't let me open anything - any application or website. It didn't even let me open Notepad.
I went to my neighbour's home and asked him if I could use his PC for a while, then I researched this spyware and got the instructions to remove it from this site. It helped me get rid of this spyware. Man, it took 3 hours to fix.

#12 daemian2k
  • Members
  • 16 posts

Posted 31 October 2010 - 06:53 PM

Great a new one out there to worry about, I wish some of these people would get infected with their own crap and see what they are doing.