Windows 7/XP/Vista Antivirus 2012 outbreak



#1 Bearaly

Bearaly

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 19 December 2011 - 05:20 AM

I've noticed this is a VERY popular virus people have been getting lately. I know at least 4 people personally who have been hit with it in the past week, and half the posts on the "Am I Infected?" forums are about it. Included with this virus are ping.exe problems and Google redirects.

Does anyone have any information on this? Any idea where this thing is coming from? Any advice on how to stay away from it or clean it? Any word from Microsoft or antivirus companies about it?

Edited by Bearaly, 19 December 2011 - 06:13 AM.




#2 nnoa110

nnoa110

  • Members
  • 22 posts
  • OFFLINE
  •  
  • Local time:07:58 AM

Posted 19 December 2011 - 09:31 AM

Hi Bearaly,

There is actually well-documented info in the virus removal section of Bleeping Computer. :thumbsup:
Link: http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

Hope this helps

#3 AltGEKE

AltGEKE

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tennessee
  • Local time:04:58 PM

Posted 20 December 2011 - 06:20 PM

We have done this at my workplace and have had some 6 instances in the past two days.
It does not always work, and does not reverse the after-effects the virus leaves behind. These also are leaving behind where all files have their attribs marked as hidden and where the desktop, start menu, and quick start folder contents are deleted...

Bigger problem than just using MWB, sadly. It finds and cleans the infection if you can keep killing the malware proc while it tries to run; however, the PING.EXE problem persists afterwards and, I'm not sure if this is an effect of the infection or not, but had problems running a system restore afterwards.

Another malware that is extremely similar, if not the same, is called SystemFix..

Hi Bearaly,

There is actually well-documented info in the virus removal section of Bleeping Computer. :thumbsup:
Link: http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012

Hope this helps


Edited by AltGEKE, 20 December 2011 - 06:22 PM.


#4 jsparks

jsparks

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 20 December 2011 - 07:54 PM

Yes, this one is spreading pretty quickly. We are seeing it all over the place and once infected computers are cleaned using any scanner, the internet connections stop working.

I am not quite sure how it breaks the connection but plan on figuring it out. Anyone else seen this and been able to resolve it?

#5 scottai

scottai

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 20 December 2011 - 08:29 PM

I've had a half a dozen customers in this last week come in with this. Does anyone know the source websites for this? I had one customer say he clicked on an ad on MSN's website and had the malicious ad popup.
Does anyone know a place that documents sources for this stuff? I'd love to have a list of specific malicious sites to go to just to test whether or not the antivirus we use blocks it.

#6 FalconAF

FalconAF

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 20 December 2011 - 10:23 PM

You could try these two for starters (at your own risk!):

h**p:\\dreamworksdragons.com
h**p:\\media.dreamworksdragons.com

After I got the Win 7 Security 2012 infection 3 days ago, I was going nuts trying to clean it out. At one point I could not re-install my paid/registered antivirus program which I have been using for over a decade now and never got infected while using it (it got completely bypassed this time by the trojan). So I installed AVG free just to get "something" on my computer while trying to resolve the trojan. While working on doing so, I discovered the 2 sites above had been added to the "website exclusions to scan" in the AVG advanced setting tools...and I sure as heck didn't put them there. Research indicated they are "online gaming sites", which would make sense because one of the things this trojan does is try to acquire financial info (bank account, credit/debit card account numbers, etc) so the "kiddies" can pay for their online gaming.

I can also tell you the site I got it from, but I won't post it here publicly. I got it in a forum when I clicked on the "Next Page" button while reading a thread. PM me if you want the site.

#7 QQQQ

QQQQ

  • Members
  • 381 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 PM

Posted 21 December 2011 - 09:27 AM

I've had a half a dozen customers in this last week come in with this. Does anyone know the source websites for this? I had one customer say he clicked on an ad on MSN's website and had the malicious ad popup.
Does anyone know a place that documents sources for this stuff? I'd love to have a list of specific malicious sites to go to just to test whether or not the antivirus we use blocks it.


I have seen 3 of these in the past 2 weeks, all from viewing an article on MSN's home page. One was reading something about Tiger Woods, another clicked on a sports article that had a picture of a football player with his arms out like he was flying and the one I dealt with yesterday clicked on an article with Aaron Rodgers picture on it. I believe they were all driveby downloads because they all said they were just reading the article when the computer freaked out. The one I dealt with yesterday I happened to be on site installing 3 computers when it happened. I went to my car to get my CD's and when I got back the owner of this place says what did you do to my computer? (don't you love getting blamed for stuff just because you are there working on something else!) I looked at it and UAC was saying install.exe was trying to install, I told him to click no. It kept coming back so I told him to shutdown. Upon rebooting all the System Fix symptoms were there. After I cleaned it I checked the protection and it was unchecked, they use Zscaler proxy. He told me he unchecked it a while back because he "thought" it was interfering with opening email attachments.

EDIT: Hey scottai try this site for testing your antivirus it's not malicious. http://www.spycar.org/Welcome%20to%20Spycar.html

Edited by QQQQ, 21 December 2011 - 09:29 AM.


#8 scottai

scottai

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 21 December 2011 - 05:16 PM

I have seen 3 of these in the past 2 weeks, all from viewing an article on MSN's home page. One was reading something about Tiger Woods, another clicked on a sports article that had a picture of a football player with his arms out like he was flying and the one I dealt with yesterday clicked on an article with Aaron Rodgers picture on it. I believe they were all driveby downloads because they all said they were just reading the article when the computer freaked out.


I'm no expert, but doesn't that mean that either MSN itself has been hacked, or the people they are selling ad space to have been hacked or are malicious? Why is this not bigger news? It's the default home page of the default browser (IE) on all new pc's!

EDIT: Hey scottai try this site for testing your antivirus it's not malicious. http://www.spycar.org/Welcome%20to%20Spycar.html


Thanks! That's exactly what I was looking for. It would be interesting to see an ongoing list of common sites that have been hacked or serve hacked ads that deliver malware.

#9 QQQQ

QQQQ

  • Members
  • 381 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 PM

Posted 21 December 2011 - 05:31 PM

You're welcome, scottai!
Could be anything on MSN's site. I am thinking maybe an Adobe Flash player that infects older exploitable versions???

#10 Bearaly

Bearaly
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 21 December 2011 - 08:53 PM

A few of my friends said they got it when opening a YouTube video. So it does sound like it "activates" with Flash.

#11 Union_Thug

Union_Thug

    Bleeps with the fishes...


  • Members
  • 2,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:is everything
  • Local time:05:58 PM

Posted 22 December 2011 - 01:28 AM

It's the default home page of the default browser (IE) on all new pc's!


...which makes it a very attractive target of the bad guys. :angry:

#12 lti

lti

  • Members
  • 583 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 22 December 2011 - 06:05 PM

It is probably an infected advertisement. YouTube and MSN haven't infected my computer yet, and I have some ad servers that seem to only serve infected ads blocked in the Hosts file.

#13 Required Field

Required Field

  • Members
  • 169 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:58 PM

Posted 23 December 2011 - 12:49 PM

This may be related...
http://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html
You click on a link on, say, the New York Times online, that looks like an ad for Vonage, or something you've heard of, and it starts a silent download and/or redirects you to a different website. That's where I think a lot of these rogue applications come from. The article also notes that, "The malware used in the scheme is called a "DNSChanger" and was also designed to prevent the infected computers from installing antivirus software updates." But this has been going on for a long time. I'd say fighting this kind of malware is about 95% of my job. I almost miss replacing zapped modems and stuff.
"Most quotes attributed to famous people on the internet are fake." -Abraham Lincoln

#14 bitesized1612

bitesized1612

  • Members
  • 161 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Virginia
  • Local time:04:58 PM

Posted 26 December 2011 - 12:50 AM

I think my mom clicked on an infected email (uses Yahoo! and Hotmail) or a hijacked link by accident. MSN is the homepage in IE9. Right now, I'm making sure I sent Vista Antivirus 2012 packing by doing scans again. I think it's gone but I should probably scan the registry more closely. Cleaning out the registry manually always makes me antsy. :unsure:

This bout wasn't as bad as the one I had with the two rogues and other assorted nasties that I got last month (AV Protection 2011 and Privacy Protection, ick). They came from cleaning out my Yahoo! spam folder, as well. It was actually a pretty uneventful evening otherwise.

Edited by bitesized1612, 26 December 2011 - 12:51 AM.


Windows 7 Professional SP1 (64-bit) // HP EliteBook 8460p = 2.50GHz + 8GB RAM 

 

AVAST! - Google Chrome & Mozilla Firefox - LibreOffice - Rainmeter

 

Currently Testing: Linux Mint 17.3 XFCE on a Dell Inspiron 531 (2.1Ghz +3GB RAM)

Status: steady with some minor issues


#15 cloudydays

cloudydays

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:58 PM

Posted 26 December 2011 - 05:32 PM

I got it when I was listening to music on Myspace so who knows?
The first time I got this virus, similar to this security 2012, I was just browsing a forum! <_< (but I was way more naive back then)

I think the disturbing part to me is that it just bypassed Microsoft Security Essentials. It didn't detect anything.

I don't think getting rid of the virus is the problem, but the aftereffects of redirects, etc. that follow.



