Jack, posted December 6, 2008

Please read the entire post before replying.

I'm using WinXP SP2 with the latest patches (except SP3) installed. While browsing the internet using a limited account, IE7 pops up the following message, exactly as it appears (I bet the bad guys meant to say CRASHES instead of CREAHES):

----------------------------------------------------------
ATTENTION! If your computer is struck by the spyware, you could suffer data loss, erratic PC behaviour, PC freezes and creahes.

Detect and remove viruses before they damage your computer!
Antivirus 2009 will perform a 100% FREE and quick scan of your computer for Viruses, Spyware and Adware.

Do you want to install Antivirus 2009 to scan your computer for malware now? (Recommended)
----------------------------------------------------------

I know Antivirus 2009 is a rogue antivirus. It must NOT be allowed to install. Avast 4.8 Home Edition remains quiet. It doesn't warn me about the danger that's about to hit my PC. Btw, I was browsing http://encarta.msn.com and one other site, which is bestbuy.com. Makes me wonder why I got the AV2009 pop-up from those 2 sites. Does the pop-up really come from those sites? I have no clue.

Anyway, when I saw the pop-up, I did NOT click any button (OK, Cancel button). I did NOT click the red X button on the top right corner of that pop-up window either. My guess is it doesn't matter what button gets clicked, it'll proceed with the installation. Instead of responding, I pulled up Task Manager and used End Task on the IExplore.exe process.

Here are my questions:

Based on the above info, is my PC infected?

Is it possible to infect a PC with Antivirus 200whatever when the user does not respond to the question but kills the process instead?
1PW, posted December 6, 2008

On 12/05/2008 10:44 PM, Jack sent:

Snip, snip...

> Here are my questions:
>
> Based on the above info, is my PC infected?

At this point, unknown.

> Is it possible to infect a PC with Antivirus 200whatever when the user does
> not respond to the question but kill the process instead?

Also unknown. The infection process might be an "improvement" over what we've heard of recently.

The first thing we ask is that you download, update, and run the freeware version of MBAM.

<http://www.malwarebytes.org/mbam/program/mbam-setup.exe>

Once you've accomplished that, post a simple reply (no cut & paste with the output report) and we'll go on from there.

Best wishes and good luck to you, Jack.

Pete
--
1PW

@?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
Malke, posted December 6, 2008

Jack wrote:

> I'm using WinXP SP2 with the latest patches (except SP3) installed. While
> browsing the internet using a limited account, IE7 pops up the following
> message; exactly as it appears (I bet the bad guys meant to say CRASHES
> instead of CREAHES):

(snippage)

> Do you want to install Antivirus 2009 to scan your computer for malware
> now? (Recommended)

> Based on the above info, is my PC infected?

Probably with some malware, but possibly not seriously as yet. IOW, it is probably still possible to get the machine clean fairly easily.

> Is it possible to infect a PC with Antivirus 200whatever when the user
> does not respond to the question but kill the process instead?

Depends on what else the user is infected with and what vulnerabilities s/he has, such as obsolete versions of Java, Adobe Reader, operating system patches (which means you, BTW), etc. I would go through the following general malware removal steps, not skipping the prep work, and then follow the removal instructions for AV 2009 at either BleepingComputer or Malwarebytes.

http://www.elephantboycomputers.com/page2....emoving_Malware
http://www.bleepingcomputer.com/malware-re...-antivirus-2009

Removal instructions for Antivirus 2009:
http://www.malwarebytes.org/forums/index.php?showtopic=5178

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
FromTheRafters, posted December 6, 2008

In my opinion, you are probably not infected. If "probably" is good enough for you (and it shouldn't be), then there is no need to check further. The tools offered by other posters aren't that hard to use, so why not increase your confidence by running them.

You did good by ending the process with Task Manager. Yes, some use the "x" button as another "yes" button.

Not sure why your antimalware wouldn't alert; perhaps it would have alerted had you downloaded the executable.

This is a good example of the correct role of an antivirus program - it should be used as a backstop for when you fail to compute safely. It should be your goal to prevent it from having to act on your behalf.

Good job!

> "Jack" <Jack@> wrote in message
> news:%23fyGo42VJHA.4948@TK2MSFTNGP02.phx.gbl...
> Please read the entire post before replying.
>
> I'm using WinXP SP2 with the latest patches (except SP3) installed. While
> browsing the internet using a limited account, IE7 pops up the following
> message; exactly as it appears (I bet the bad guys meant to say CRASHES
> instead of CREAHES):
>
> ----------------------------------------------------------
> ATTENTION! If your computer is struck by the spyware, you could suffer
> data loss, erratic PC behaviour, PC freezes and creahes.
>
> Detect and remove viruses before they damage your computer!
> Antivirus 2009 will perform a 100% FREE and quick scan of your computer
> for Viruses, Spyware and Adware.
>
> Do you want to install Antivirus 2009 to scan your computer for malware
> now? (Recommended)
> ----------------------------------------------------------
>
> I know Antivirus 2009 is a rogue antivirus. It must NOT be allowed to
> install. Avast 4.8 Home Edition remains quiet. It doesn't warn me about
> the danger that's about to hit my PC. Btw, I was browsing
> http://encarta.msn.com and 1 other site which is bestbuy.com. Makes me
> wonder why I got AV2009 pop-up from those 2 sites. Does the pop-up really
> come from those sites? I have no clue.
>
> Anyway, when I saw the pop-up, I did NOT click any button (OK, Cancel
> button). I did NOT click the red X button on the top right corner of that
> pop-up window either. My guess is it doesn't matter what button gets
> clicked, it'll proceed with the installation. Instead of responding, I
> pulled up Task Manager and End Task IExplore.exe process.
>
> Here are my questions:
>
> Based on the above info, is my PC infected?
>
> Is it possible to infect a PC with Antivirus 200whatever when the user
> does not respond to the question but kill the process instead?
Jack, posted December 7, 2008

Thanks to all for your reply. More inline...

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:uQ04oj%23VJHA.1224@TK2MSFTNGP04.phx.gbl...

> In my opinion, you are probably not infected. If "probably" is good
> enough for you (and it shouldn't be), then there is no need to check
> further. The tools offered by other posters aren't that hard to use so
> why not increase your confidence by running them.

I feel the same way too. With all the defensive actions (limited user account, up to date patches, End Task on the process, etc.) on my part, I'd be really impressed (or confused :-)) if this malware infects my PC.

Btw, I did a full scan with Avast after posting the first message. No infections found. I'll get the tool from Malwarebytes later just for the heck of it. I have no important data in this laptop anyway.

> You did good by ending the process with task manager.
> Yes, some use the "x" button as another "yes" button.

Thanks. I was once a programmer. I believe we can put the same code in the OK, Cancel and X buttons when those events are triggered. That is why I chose to end the task instead of clicking.

What I still don't understand is how the heck I get the AV2009 pop-up while browsing 2 websites that appear to be safe (encarta.msn.com and bestbuy.com). All of a sudden, there is a 3rd IE7 tab, with the following info:

- IE address bar shows h y y p://antivirus - computer- scan. com/2009/1/en/free scan.php?id=77011801
- IE status bar and the 3rd tab show h y y p://windowsxp - privacy. net/?id=12193338844

(I changed the URLs to prevent accidental click or copy/paste.)

Those sites are malicious according to http://trustedsource.org/
Jack, posted December 7, 2008

"Malke" <malke@invalid.invalid> wrote in message news:%23W2KsX6VJHA.4896@TK2MSFTNGP02.phx.gbl...

>> Based on the above info, is my PC infected?
>
> Probably with some malware but possibly not seriously as yet. IOW, it is
> probably still possible to get the machine clean fairly easily.

Are you saying that by the time we see a pop-up message, we're all infected before we respond to the message? If that's the case, why do malware writers bother asking us if we want to scan our PC? Why don't they just install it silently?

> Depends on what else the user is infected with and what vulnerabilities
> s/he has such as obsolete versions of Java, Adobe Reader, operating system
> patches (which means you, BTW), etc.

I have Acrobat Reader 8.1.2 but I wasn't using it at the time the AV2009 warning popped up. Btw, I know Acrobat Reader 8.1.2 has a security vulnerability and I also know that Acrobat Reader 8.1.3 and Acrobat Reader 9 are available, but I haven't updated my Acrobat Reader yet.

I don't have Java.

My OS is WinXP SP2 with patches up to Nov 2008. I believe it is the same as having XP SP3 + latest patches.
Jack, posted December 7, 2008

"Jack" <Jack@> wrote in message news:uhecAICWJHA.2576@TK2MSFTNGP02.phx.gbl...

> Btw, I did a full scan with Avast after posting the first message. No
> infections found. I'll get the tool from malwarebytes later just for the
> heck of it. I have no important data in this laptop anyway.

I changed my mind. Instead of installing removal tools, I manually searched for the AV2009 infection. Not one of the following exists:

%UserProfile%\Desktop\Antivirus 2009.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
%UserProfile%\Start Menu\Antivirus 2009
%UserProfile%\Start Menu\Antivirus 2009\Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
c:\Program Files\Antivirus 2009
c:\Program Files\Antivirus 2009\av2009.exe
c:\WINDOWS\system32\ieupdates.exe
c:\WINDOWS\system32\scui.cpl
c:\WINDOWS\system32\winsrc.dll

My Avast antivirus doesn't warn me about anything other than doing its regular updates. ZoneAlarm doesn't ask me if some process that I've never heard of wants to access the internet or the trusted zone. Everything else looks normal, no system slowdown etc. I'm confident that I've dodged a bullet.
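The manual check above is easy to script so that it can be re-run after every scan or reboot. The following is an added example, not code from anyone in this thread: it takes the exact artifact list Jack posted, expands the %UserProfile% variable, and reports which entries exist. The `drive_map` parameter and the `simulate_check` function are my own additions so the check can be exercised against a throwaway directory (with two constructed placeholder files standing in for the real artifacts) on any operating system; on a Windows box you would run it as-is with the live environment. A hit means the rogue is present; an empty result only means these particular files are visible, since a kernel rootkit can hide files from any user-mode listing.

```python
import os
import re
import tempfile
from pathlib import Path

# Artifact paths exactly as listed in Jack's post for Antivirus 2009.
AV2009_ARTIFACTS = [
    r"%UserProfile%\Desktop\Antivirus 2009.lnk",
    r"%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk",
    r"%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll",
    r"%UserProfile%\Start Menu\Antivirus 2009",
    r"%UserProfile%\Start Menu\Antivirus 2009\Antivirus 2009.lnk",
    r"%UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk",
    r"c:\Program Files\Antivirus 2009",
    r"c:\Program Files\Antivirus 2009\av2009.exe",
    r"c:\WINDOWS\system32\ieupdates.exe",
    r"c:\WINDOWS\system32\scui.cpl",
    r"c:\WINDOWS\system32\winsrc.dll",
]


def expand_artifact(path, env, drive_map=None):
    """Expand %VAR% references from `env` (unknown variables are left as-is),
    optionally remap a drive prefix such as "c:" to another directory
    (hypothetical helper for testing off-box), and convert backslashes to the
    host separator so the Windows-style list can be checked on any OS."""
    expanded = re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)
    if drive_map and expanded[:2].lower() in drive_map:
        expanded = drive_map[expanded[:2].lower()] + expanded[2:]
    return Path(expanded.replace("\\", os.sep))


def find_artifacts(paths, env, drive_map=None):
    """Return the entries of `paths` (original spelling) that exist on disk."""
    return [p for p in paths if expand_artifact(p, env, drive_map).exists()]


def simulate_check():
    """Constructed demonstration: plant two placeholder files in a temporary
    directory that stands in for both %UserProfile% and the C: drive, then
    run the same check Jack did by hand. Returns the artifact entries found."""
    with tempfile.TemporaryDirectory() as tmp:
        for planted in (r"Desktop\Antivirus 2009.lnk",
                        r"Program Files\Antivirus 2009\av2009.exe"):
            target = Path(tmp, *planted.split("\\"))
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(b"constructed placeholder, not a real sample")
        return find_artifacts(AV2009_ARTIFACTS, {"UserProfile": tmp}, {"c:": tmp})


if __name__ == "__main__":
    # Live check on the current machine. On Windows os.environ matches the
    # "UserProfile" key case-insensitively; elsewhere it is left unexpanded.
    hits = find_artifacts(AV2009_ARTIFACTS, os.environ)
    print("AV2009 artifacts present:", hits if hits else "none visible")
```

Running the file directly performs the live check; `simulate_check()` shows what a positive result looks like (the Desktop shortcut, the Program Files directory and av2009.exe are reported, the rest are not).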
Malke, posted December 7, 2008

Jack wrote:

> Are you saying that by the time we see a pop-up message, we're all
> infected before we respond to the message? If that's the case, why do
> malware writers bother asking us if we want to scan our PC? Why don't they
> just install it silently?

I'm saying that there is no way for me to know the state of your computer before you got the popup message from AV 2009. All I can surmise from your posts is that your machine is probably not fully patched since you don't have XP SP3. Since you haven't kept your operating system updated, there is a logical possibility that you haven't kept other programs updated that can be vectors for infection (Flash, Adobe Reader, Java, MS Office, etc.). Therefore it would be wise to be proactive and do scanning to be sure the machine is clean.

I've had clients who got the popups for AV 2009 (or variants) and who quickly closed out of the messages (one woman just shut her machine off with the power button!) and they were fortunate: the malware didn't install. I've had other clients who went to a webpage with a malicious banner ad (for ex.) which took advantage of their older, vulnerable Java and they got severely infected with multiple trojans.

Some malware does install silently and some doesn't because it can't. Of course malware writers would prefer not to bother with the social engineering and just install their cr*p silently if they could! There tend to be far fewer "drive-by" malware installs on Vista than on XP.

For a good understanding of malware installs, a great place to start is with some of the many articles that Ben Edelman has written.

http://www.benedelman.org/

Another excellent reference is MVP Sandi Hardmeier's website:

http://msmvps.com/blogs/spywaresucks/Default.aspx

Malke
--
MS-MVP
Elephant Boy Computers - Don't Panic!
FAQ - http://www.elephantboycomputers.com/#FAQ
FromTheRafters, posted December 7, 2008

"Jack" <Jack@> wrote in message news:ux5dtxDWJHA.4896@TK2MSFTNGP02.phx.gbl...

>
> "Malke" <malke@invalid.invalid> wrote in message
> news:%23W2KsX6VJHA.4896@TK2MSFTNGP02.phx.gbl...

> Are you saying that by the time we see a pop-up message, we're all
> infected before we respond to the message? If that's the case, why do
> malware writers bother asking us if we want to scan our PC? Why don't they
> just install it silently?

Diversity. If other vectors of ingress fail, ask the user to do something. These programs are written for diverse targets, similar to the way web designers may need to write for a diverse set of browsers.

> I have Acrobat Reader 8.1.2 but I wasn't using it at the time AV2009
> warning popped up.

The mere presence of vulnerable software might be enough - if the malware can access a vulnerable program (and run it) it could use that to escalate. It may not be necessary that you have the vulnerable program already running when the malware attempts to infest your system. I'm speaking generally - not about this malware specifically.
FromTheRafters, posted December 7, 2008

"Jack" <Jack@> wrote in message news:uhecAICWJHA.2576@TK2MSFTNGP02.phx.gbl...

> Thanks to all for your reply.
> more inline...
>
> "FromTheRafters" <erratic@nomail.afraid.org> wrote in message
> news:uQ04oj%23VJHA.1224@TK2MSFTNGP04.phx.gbl...
>> In my opinion, you are probably not infected. If "probably" is good
>> enough for you (and it shouldn't be), then there is no need to check
>> further. The tools offered by other posters aren't that hard to use so
>> why not increase your confidence by running them.
>>
>
> I feel the same way too. With all the defensive actions (limited user
> account, up to date patches, End Task the process etc) on my part, I'd be
> really impressed (or confused :-)) if this malware infects my PC.
>
> Btw, I did a full scan with Avast after posting the first message. No
> infections found. I'll get the tool from malwarebytes later just for the
> heck of it. I have no important data in this laptop anyway.
>
>> You did good by ending the process with task manager.
>> Yes, some use the "x" button as another "yes" button.
>
> Thanks. I was once a programmer. I believe we can put the same codes in
> OK, Cancel, X button when those events are triggered. That is why I chose
> to end task instead of clicking.
>
> What I still don't understand is how the heck do I get AV2009 pop-up while
> browsing 2 websites that appear to be safe (encarta.msn.com and
> bestbuy.com). All of a sudden, there is a 3rd IE7 tab, with the following
> info:

Advertising content allowed by the "safe" websites, or compromised otherwise "safe" websites. You never really know a place is "safe" - the best you can do is to keep your system as up-to-date with patches for both the system and the application software.

They could even (in some cases) cause your browser to go to the "safe" site after visiting their malicious site (DNS poisoning or similar) - so you must consider the administration of your system to include your router.

[...]
FromTheRafters, posted December 7, 2008

"Jack" <Jack@> wrote in message news:uyUQMWEWJHA.4728@TK2MSFTNGP02.phx.gbl...

>
> "Jack" <Jack@> wrote in message
> news:uhecAICWJHA.2576@TK2MSFTNGP02.phx.gbl...
>> Btw, I did a full scan with Avast after posting the first message. No
>> infections found. I'll get the tool from malwarebytes later just for the
>> heck of it. I have no important data in this laptop anyway.
>>
>
> I changed my mind. Instead of installing removal tools, I manually
> searched for AV2009 infection. Not one of the following exists:

[...]

Additional malware could easily hide those things from you, which is why the others hinted at the possibility that a newer version of that malware may do things unknown as yet to be associated with it. Rootkits are all the rage these days...

> My Avast antivirus doesn't warn me about anything other than doing its
> regular updates.

Absence of evidence is not evidence of absence. :)

> Zonealarm doesn't ask me if some process that I've never heard of want to
> access the internet or the trusted zone.

Nor would it if a sophisticated malware were doing just that. I'm not a proponent of outbound filtering of that type anyway because it assumes malware is already running on the system, and yet ignores that fact when touting its usefulness.

> Everything else looks normal, no system slow down etc. I'm confident that
> I've dodged a bullet.

...as long as you're confident - after all, it's your choice.