Watch out for this Spyware...
steveinaz
Posts: 19,536
SOB, hackers should have to face a penalty of having their fingers crushed in a Craftsman vice.
"Antivirus Soft"
This little %^&*($! spyware program ruined my Sunday, and half of Monday chasing down files, stopping processes, wading thru registry keys, and running PC Tools Spyware Dr.
It shows itself as false alerts on your desktop, and then tells you to download "Antivirus Soft" to cure the problem. Of course then they get your credit card info, address, etc. I didn't fall for it, but I was a computer tech for 20 years, so I recognized the signs.
You'll need to work from an F8 bootup, and select "Safe mode w/Networking" and select "Administrator." After you clear up everything, and then run your spyware software of choice, (also empty all temp files/tmp internet files/and prefetch directory) then and only then should you go into your regular boot-up, log-in scenario. If it "gets" you again, while in safe mode, tell your spyware program to run a startup, then repeat. You may have to do this several times to clear this PITA--I'm not certain I have it killed off completely yet.
This thing will even cleverly de-activate your spyware remover, just simply re-install it while in safe mode, run the scan, and select "scan at startup" until you kill this bugger.
More tips:
http://www.removevirus.org/remove-antivirus-soft.html
"Antivirus Soft"
This little %^&*($! spyware program ruined my Sunday, and half of Monday chasing down files, stopping processes, wading thru registry keys, and running PC Tools Spyware Dr.
It shows itself as false alerts on your desktop, and then tells you to download "Antivirus Soft" to cure the problem. Of course then they get your credit card info, address, etc. I didn't fall for it, but I was a computer tech for 20 years, so I recognized the signs.
You'll need to work from an F8 bootup, and select "Safe mode w/Networking" and select "Administrator." After you clear up everything, and then run your spyware software of choice, (also empty all temp files/tmp internet files/and prefetch directory) then and only then should you go into your regular boot-up, log-in scenario. If it "gets" you again, while in safe mode, tell your spyware program to run a startup, then repeat. You may have to do this several times to clear this PITA--I'm not certain I have it killed off completely yet.
This thing will even cleverly de-activate your spyware remover, just simply re-install it while in safe mode, run the scan, and select "scan at startup" until you kill this bugger.
More tips:
http://www.removevirus.org/remove-antivirus-soft.html
Source: Bluesound Node 2i - Preamp/DAC: Benchmark DAC2 DX - Amp: Parasound Halo A21 - Speakers: MartinLogan Motion 60XTi - Shop Rig: Yamaha A-S501 Integrated - Shop Spkrs: Elac Debut 2.0 B5.2
Post edited by steveinaz on
Comments
-
I haven't noticed anything unusual yet on our Win XP laptops or our Win 7 laptops (all protected by the free Microsoft Security Essentials software, behind a modem-based firewall). Is there any indication of how the infection usually occurs at first?
-
Do you have the full paid version of Spyware doctor running now so it has real-time protection?
I've been using the full paid version of Malwarebytes-Antimalware( also real-time) along with MSE for layered protection.
Yes, these new fake virus alerts are nasty....
Also make sure all Windows updates are run and you are using IE 8 with all its updates. Just keep running Windows Update till you don't see any new critical patches. Or use Opera or Firefox with the NoScript add-on.
If you ever see any window that pops up asking you any question about security or wanting to scan something, you need to shut the computer down. Just clicking on cancel or x'ing out of it starts the process...
-
Well, I do frequent the naked midget wrestling website, aside from that, I'm not sure what caused it---
But seriously, just soon after loading "Ad-Aware" it started--how weird is that? I doubt there is a connection, but that is the only recent change to my computer.
-
Do you have the full paid version of Spyware doctor running now so it has real-time protection?
...
Yes, you can't repair anything without the license. $29.95; and it's good for 3 computers.
I immediately disconnected my network cable as soon as I noticed it.
-
yesterday my laptop locked me out of my user profile... took a while to get it back.. it was either a virus or just a normal windows brain fartage.
-
The Antivirus Soft trojan keeps you from opening ANYTHING. That's why you've got to go safe mode/administrator.
-
man that sux. i hate people who do stuff like this. i wish i could just get online and not have to worry about getting a virus. these days using your computer is like having sex, you don't know what you're gonna catch!!!!! :eek:
-
It's not new. It first came out in 2006 under a different name and has been through several permutations. The virus scanning companies managed to stop it but they found a new exploit and and it's been active once again.
They hijack your system and rely on a ransom of whatever they are charging to release your system. But they never really release it, they just put the software dormant until they either wake it up again or a timer expires and then, another ransom. It doesn't offer any protection at all and only opens up ports and permissions for more spyware to jump on. In addition, it overcharges your credit card and there is no valid customer service number to call.
Malwarebytes.org's tool is very effective against it but you'll want to check your registry anyway and get rid of any lingering entries. Those could lead to another exploit recently identified.
Malwarebytes.org:
http://www.malwarebytes.org/
You can use some other tools to help you out. HijackThis from TrendMicro will scan your registry for any suspect entries and you can use it to track down the rogue processes and registry entries.
HijackThis from Trend Micro:
http://free.antivirus.com/hijackthis/
Of course there is the venerable Spybot Search and Destroy which has an immunization feature that will close down the exploit rather well.
Spybot
http://www.safer-networking.org/index2.html
By the way, both HijackThis and Spybot can now run in Windows Safe Mode and they are much more effective there.
This is a very useful "How To:" to get rid of Antivirus Soft:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft
And, for those who aren't as computer savvy as some of us, http://www.bleepingcomputer.com has many useful tools and documents to help rank amateurs through the processes that sometimes seem to come naturally to the computer experts among us.
-
Just using Spyware Doctor wasn't enough--I had to delete some registry keys, and chase down some erroneously named files as well--though there is a common naming convention. Make sure while in Safe/Administrator mode that you also select "show all hidden/system files" otherwise you won't find the directories/files listed. You may also have to change file attributes before you can delete them.
I LOVE a challenge, especially a computer challenge.
-
Well, I do frequent the naked midget wrestling website, aside from that, I'm not sure what caused it---
But seriously, just soon after loading "Ad-Aware" it started--how weird is that? I doubt there is a connection, but that is the only recent change to my computer.
No, it very well could have been from the Ad-Aware. There have been quite a few corrupted downloads of Ad-Aware lately. But honestly other anti-adware and anti-spyware programs have become so effective that you don't really have run multiple programs to make sure you clean everything out. That and anti-virus software has gotten pretty good at it as well.
But Ad-Aware has been known to kinda take bribes from spyware companies like Alexa so that their software doesn't target Alexa's efforts. That's not such a big deal because all Alexa stuff really does is collect usage info. But its communication paths are insecure and open up ports that other software exploits to get on your system.
I used to be a proponent of Ad-Aware because it was faster than the other programs and the more memory you had the better. It used hash tables to scan for software patterns and it took 1/3rd the time of everyone else. But for the past 2-3 years, they have gotten progressively worse and now they aren't worth the time.
-
Ad-aware won't be on my system anymore--it's just too strange that shortly after loading it, here comes Antivirus Soft. My surfing habits rarely change.
-
Steve, that's not spyware, it's actually a very nasty virus. I got it once at home even running and scanning daily Vipre anti-virus. Got it once at work and I had a friend get it so bad she had to wipe her HD and start over. It also disables "system restore". I now back up once a week with Acronis.
Nasty, nasty virus
-
Yep, disables system restore, Task Manager, practically everything. It will also disable your spyware removing software if you don't beat it to the punch by having it scan at startup while in Safe mode. That's why the processes have to be shut down via safe mode; then the registry keys that call up the dll's and executables need to be deleted before trying to get back in Normal mode. It also "hides" a couple folders under your profile in the application data sub-folder. It's a SOB.
-
My friend who got it knows nothing about computers and she didn't say anything to me until a few days later and after she had clicked on all the pop-ups several times. Her computer was Fubar'd by the time she said something.
At home I was able to catch it (well Vipre did) before it went ballistic, but we still ended up wiping and loading a recent back-up file I had made of my system HD. In the end it was easier than doing what you have, hunting everything down. My brother does system IT for a living and doing it the way I did was far easier.
-
I have taken this off my mom's computer 3 times now. Did it add a proxy to your web browser to redirect to localhost? Removing that was how I got Malwarebytes onto her PC.
-
I've been very lucky I suppose. I've never really run an AV for any period of time, and I've never gotten a virus or spyware. I have fairly safe browsing habits, but know that doesn't protect me fully.
-
Did it add a proxy to your web browser to redirect to localhost? Removing that was how I got Malwarebytes onto her PC.
Yep, you've got to repair your internet connection after cleaning everything up. Your internet will work fine in Safe mode w/Networking however.
-
I'm not certain I have it killed off completely yet.
You probably haven't yet.
I have been clearing this from a lot of friends' PCs lately (all XP so far)...this puppy, neither the virus programs nor the spyware programs clear this completely, even in a safe mode boot and trying to kill it there.
You boot into safe mode....go to Tools...Folder Options...View...UNcheck the "Hide protected operating system files (Recommended)"...you need to do this to see the executable file that is hosing you.
Pop open msconfig...in the Startup tab you should be able to recognize what should and shouldn't be automatically starting up in your OS...you will typically see the exe file there...every one has been obvious in the many I have cleared...but if you are not sure...use another PC to search info on that particular exe file...most of them have been so bold as to be put in files that are named the same as the phoney antivirus or spyware popups you are seeing on your PC. They don't care because unless you UNcheck that option in your folder options you won't even see it.
Now that you know what exe file is hosing you....uncheck it in the msconfig startup and reboot again in safe mode (you need to do this because some of these sob's even start up in safe mode)...THEN, once you have booted the second time in safe mode you can go to that offending folder and kill the exe file...delete it..flush it.
Then you boot normally and run both Malwarebytes and your antivirus program with full scans (updated to the newest date of course).
These have been the most Alabama-tick dug-in ones to date....and this has worked for everyone...absolutely 100% clean. The trick that makes them so bad is they are regarded as a needed OS startup file...so the malware and virus programs are powerless while the exe is running....make the file visible....use msconfig to stop it from running and reboot and kill that sob....good luck.
-
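The checks this procedure does by hand (make the hidden exe visible, find its entry in the msconfig Startup tab, confirm it is not a real signed Microsoft file) and the localhost proxy mentioned earlier in the thread can be audited with a script. This is an added example, not code from the thread or from any of the tools named in it; it assumes PowerShell 3 or later on the affected machine, only reports and never deletes anything, and the "ftav"/"sysguard" name patterns come from what posters in this thread observed, not from a vendor signature.

```powershell
# Added example (not from the thread): read-only audit of the places the rogue
# "Antivirus Soft" is described as using. Assumes PowerShell 3+, run from an
# elevated prompt in Safe Mode with Networking. Nothing is changed or deleted;
# it only reports entries so you can decide what to uncheck in msconfig.

# The Run keys are what msconfig's Startup tab lists (plus the Startup folders).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run-key command line, quoted or not.
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

# Reasons an entry looks like the rogue described in the thread: a dangling
# entry (target already gone), "ftav"/"sysguard" in the name, no publisher or
# version info, the hidden attribute, or running from a profile data folder.
function Get-StartupFlags([string]$path) {
    if ([string]::IsNullOrWhiteSpace($path)) { return @() }
    if (-not (Test-Path -LiteralPath $path)) {
        return @('target file missing (dangling entry)')
    }
    $reasons = @()
    $item = Get-Item -LiteralPath $path -Force   # -Force so hidden files are returned
    if ($item.Name -match 'ftav|sysguard') { $reasons += 'name matches rogue AV pattern seen in thread' }
    if (-not $item.VersionInfo.CompanyName) { $reasons += 'no publisher/version info' }
    if ($item.Attributes -band [IO.FileAttributes]::Hidden) { $reasons += 'hidden attribute set' }
    if ($path -match 'Application Data|AppData\\Local') { $reasons += 'runs from profile data folder' }
    return $reasons
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # PowerShell's own metadata, not a Run value
        $exe = Get-ExePath $p.Value
        $why = @(Get-StartupFlags $exe)
        if ($why.Count -gt 0) {
            "{0}\{1} -> {2}`n    {3}" -f $key, $p.Name, $exe, ($why -join '; ')
        }
    }
}

# The thread also notes the rogue pointing the browser at a localhost proxy so
# help sites cannot be reached; this is where Internet Explorer stores it.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($ie.ProxyEnable -eq 1 -and $ie.ProxyServer -match '127\.0\.0\.1|localhost') {
    "Proxy enabled and pointed at localhost: $($ie.ProxyServer)"
}
```

Anything it flags still needs the manual look the post describes (file properties, a search from another PC) before you uncheck it in msconfig, since a legitimate program with no version info will also show up.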
Wicked, I forgot all about msconfig. Thanks man! I know some of the files include "sysguard" in their name as well as "flvt" or "fltv" something like that--doing a quick file properties command will show that they are not Microsoft files; in fact there is no info listed---suspicious in and of itself.
-
My mother-in-law's laptop caught this freakin virus...what a pain in the neck to remove....almost worth it to wipe your hard drive and start over.
-
From what I've read, it actually does no real damage (unless of course you buy the product that doesn't exist) as in "file corruption" but it is a massive PITA for sure, and can re-invent itself if not completely removed.
-
Correction to post #20, the files have "ftav" in the name.
-
From what I've read, it actually does no real damage (unless of course you buy the product that doesn't exist) as in "file corruption" but it is a massive PITA for sure, and can re-invent itself if not completely removed.
No file corruption...MAJOR PITA....I remember actually cussing at the very first pc I encountered this on. I also remember saying " Who's your daddy now , B*#ch " when I had defeated it
Steve....just kill the offending exe and that's it...let your Malwarebytes and antivirus program do the rest...after you make it visible... it's usually all by itself in a folder.
Before you make all files visible, you will usually see a folder in your program files that appears empty...but of course you can't delete the empty folder because of the hidden exe running (from OS startup) from within the folder. Most, thinking an empty folder can't be causing anything... they disregard it.
-
I've gotten those before years ago, but haven't had any issues after I stopped using IE.
-
My daughter got that nasty POS on her laptop (her AV had expired and I didn't know it). It locked me out of everything, including getting to safe mode to try to get Malwarebytes on it.
It cost us 85 bucks to get it out. That's the first time I've paid to have a computer fixed. :mad:
She has AVG on her computer now, along with Malwarebytes and CCleaner.
-
I currently don't use any antivirus software and only rely on the Windows Firewall.
-
There's another one called 'Antivirus Free' I think....does the same thing. It screws up your IE to redirect anything you do to their website, or anything you try to open to come up with an error, but since I already had Firefox I was able to browse for a solution. I can't remember what I was browsing for that night, but it came up in a Google search and all I did was click on the result.
-
I think I got the old version of this a few years ago. It didn't shut the system down the way you describe, but no AV or MW program I could find would get rid of it. I used the Toshiba recovery system to start fresh after transferring all my personal files to an EHDD.
-
Just thought I would let you guys know, I've been beta testing the new version of Malwarebytes-Antimalware.
It has quite a few new features:
1. A new scheduling engine for our customers. It will feature realtime updating, more finely-grained scheduled scanning/updating, and a streamlined interface. It will also be able to run "flash" scans.
2. Compatibility with Remote Desktop Protocol (RDP) for our corporate customers.
3. A brand new advanced heuristics detection module that will be integrated into both scanner and protection module.
4. Integration of IP blocking options and other customizable policies into the main program interface as requested.
5. Heavily improved command line interface allowing customers to scan and remove automatically and silently.
6. A rewritten updating module that will hopefully limit the common errors users have been seeing. More changes will follow server-side.
7. Full proxy support, including authentication and integrated into the GUI.
8. Countless minor bug fixes and various optimizations.
The new version should be released pretty soon...
-
Got the sucker cleared, I just had 2 registry entries left, and they just provided the text to show the 2 evil files loading at msconfig, although the target files were gone.
I'm clean.