Fake Antivirus - How To *PREVENT* Infection??

Macintosh / G5 1.8 powerpc
August 7, 2010 at 16:23:49
Specs: XP PRO, 2GB

Folks,

Please pardon the length of this post, but it is something that is causing a significant issue for many of my friends and acquaintances, and which may also be of help to many others here.
--------------------------

I deal with a lot of "average users"....people who use the computer daily....primarily Internet based activities...but are not "power users."

They are very comfortable with what they do, but don't know the difference between a file and a directory.

Among this group, there seems to be a CONTINUAL, REPEATED problem with Fake Antivirus malware.

These malware installations may have a different design, but they all seem to have the following characteristics:

- In MSCONFIG / STARTUP 1 (often 2) entries are inserted to trigger an .exe file at startup.

- The executable is named a random string of lower case letters (example: qgesnntssd.exe)

...and placed within a folder named with a different random string of lowercase letters as well (example: ffwtlwyq)

- The file is always placed / located at:

C:\Documents and Settings\{accountname}\Local Settings\Application Data\

Example:

C:\Documents and Settings\{accountname}\Local Settings\Application Data\ffwtlwyq\qgesnntssd.exe

- The ability to surf the web via a browser is disabled via the LAN settings within the Internet Options window, by checking the lower two Proxy Server options.

When the malware is running it usually blocks msconfig, Task Manager and the command window, and disables whatever antivirus software may be installed.

Removing the infection is not difficult; however, for most users, once it is running, it appears to them as if they have lost complete control of their computer.

QUESTION:
Does anyone know how this can be PREVENTED from happening?

I have come across this problem on computers that are fully protected with various anti-virus products, all of which have current subscriptions and have up-to-date definitions (AVG, Nortons, McAfee, etc.).

I'm not sure exactly how infection occurs, but I think that it starts as a pop-up when on the web which tricks the user into clicking some button within the window.

Once that occurs....I THINK (but am not sure) that click somehow authorizes the malware to run "behind" whatever anti-virus protection they may have and that, from there, it begins to disable those items above.

There MUST be some type of configuration or protection that will identify and BLOCK this from occurring even if the user is "tricked" in to clicking something within the pop up.

HOWEVER, some users have reported that infection has occurred when the computer was connected to the internet, but idle...so, I am wondering if this category of malware can infect a computer without any user action.

> PLEASE HELP OTHERS - Report back what did/didn't work for those referencing this thread.<
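The indicators listed in the post (a startup entry launching a random-named .exe in a random-named folder under Local Settings\Application Data, and the proxy checkboxes in Internet Options turned on) can be checked mechanically from a `reg export` of the user's hive rather than by eyeballing msconfig. The following is an added example and is not code from this thread or from any product named in it. It parses a constructed .reg fragment, flags those two indicators, and prints the reg.exe commands that reverse them. Assumptions not taken from the post: the 6-14 letter bound on the random names, the registry value names ProxyEnable/ProxyServer/ProxyOverride behind the Internet Options checkboxes, the sample proxy address, and that this user has no legitimate LAN proxy.

```python
"""Check a `reg export` of HKCU for the two fake-AV indicators from the post:
a Run entry launching <random>\<random>.exe under Local Settings\Application
Data, and the Internet Options proxy checkboxes turned on."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail undo")

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
INET_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings")

# Path shape described in the post. The 6-14 letter bound is an assumption;
# the post's own examples (ffwtlwyq, qgesnntssd) are 8 and 10 letters.
RANDOM_LOCALAPP_EXE = re.compile(
    r"[A-Za-z]:\\Documents and Settings\\[^\\]+\\Local Settings\\Application Data\\"
    r"(?P<dir>[a-z]{6,14})\\(?P<exe>[a-z]{6,14})\.exe"
)

# Constructed sample in .reg syntax (backslashes and quotes inside REG_SZ
# data are backslash-escaped). The proxy address is made up; the post only
# says the two lower checkboxes were ticked.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"qgesnntssd"="C:\\Documents and Settings\\bob\\Local Settings\\Application Data\\ffwtlwyq\\qgesnntssd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"ProxyOverride"="<local>"
'''


def _unescape(s):
    # .reg escaping: a backslash quotes the next character (\\ and \")
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}. REG_SZ becomes str, REG_DWORD
    becomes int; other value types are kept as their raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return one Finding per indicator, each with a reg.exe command that
    reverses it (to be run from a command window or account the malware
    has not locked). The .exe itself still has to be deleted by hand."""
    findings = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        m = RANDOM_LOCALAPP_EXE.search(cmd) if isinstance(cmd, str) else None
        if m:
            findings.append(Finding(
                "run_entry", m.group(0),
                f'reg delete "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v "{name}" /f'))
    inet = keys.get(INET_KEY, {})
    # Assumes no legitimate LAN proxy on this machine; a corporate PC
    # would need its real proxy whitelisted here.
    if inet.get("ProxyEnable") == 1:
        findings.append(Finding(
            "proxy_enabled",
            f"ProxyServer={inet.get('ProxyServer')!r} ProxyOverride={inet.get('ProxyOverride')!r}",
            'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings" '
            '/v ProxyEnable /t REG_DWORD /d 0 /f'))
    return findings


if __name__ == "__main__":
    for f in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"[{f.kind}] {f.detail}\n    undo: {f.undo}")
```

On a real XP box the input comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion" hkcu.reg`; since the malware blocks the command window while it runs, export from a second account, Safe Mode, or the drive mounted elsewhere. A Run entry matching the pattern is a strong signal because legitimate software under Local Settings\Application Data uses vendor-named folders, not random lowercase strings.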




#1
August 8, 2010 at 07:26:54
"I have come across this problem on computers that are fully protected with various anti-virus products. All of which have current subscriptions are have up-to-date definitions (AVG, Nortons, McAfee, etc)"


Not the best protection to say the least.
IMO Avast free knocks those right out of the water and offers better realtime protection as well as no scheduled scans, just lots of free updates daily...no muss, no fuss.

People that clear out the infections properly need better protection using free programs like Spyware Blaster, Threatfire and WinPatrol along with their AV of their choice.
Also the free version of Malwarebytes, just update and run it every 2 weeks.

That at least builds up the resistance to a higher level.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#2
August 8, 2010 at 12:57:57
"IMO Avast free knocks those right out of the water and offers better realtime protection"

Have you observed Avast stopping the program after the user "takes the bait" and clicks something within the "You're Infected !!!" pop-up window (of which all of the fake anti-virus / ransomware have some version) ?

While I have not actually witnessed what these "common users" are doing to allow the infection to get past their current anti-virus programs.....I am simply assuming that, again, they are clicking on one of the buttons in that pop-up (it does not matter which one....but a "common user" will assume that a "CLOSE" or "DECLINE" button will do so....which it, of course, does not...it simply triggers the executable to do its thing).

What is puzzling is that I have gotten a copy of the executable to try to replicate the infection (in order to come up with a better configuration to automatically stop it)...

But, I cannot even access the file....my AV will recognize and remove it before it can even activate the pop-up.

HOWEVER....the machine I use for the test will have the SAME AV as the "common user".

The only thing I can think of is that the way that initial pop-up occurs is different through a web browser than from a stored file (which is what is, initially, letting it past their current AV?).

I simply cannot figure out WHAT these people are doing.

To ask the question again, though, I am hoping there is a KNOWN product that will, even AFTER a button is clicked in that initial pop-up.....will recognize and block the executable from running.

Have you witnessed AVAST stopping these infections After the user "takes the bait" and clicks any button within that window?

If so....I shall begin recommending AVAST...and installing it on the computers of those whom I help.

> PLEASE HELP OTHERS - Report back what did/didn't work for those referencing this thread.<



#3
August 8, 2010 at 16:23:04
"Have you witnessed AVAST stopping these infections After the user "takes the bait" and clicks any button within that window?"

Avast tells you that a site is dangerous and then says to abort the connection. Then you just click on OK and you can keep surfing the net. Simple as that.

Some HELP in posting on Computing.net plus free progs and instructions Cheers



#4
August 9, 2010 at 06:45:50
If you notice, the OP is not talking about his system, which is a MAC anyway - he's talking about clients, almost none of whom will have even heard of SUSE, let alone want to use it.

Most of these bogus programs I've seen have been on XP machines - the startup files and proxy settings can be altered without referral to the user. Avast (free) is certainly no better at stopping these instances - I know, as I've just come from a customer with Avast (free) which had let Antivir GT install itself (it's the only reason I'm posting this at this time). The paid-for version has more protection as it has 'script shield', but I cannot recommend Avast for other reasons.

The best prevention is education - and a 'paid-for' security suite, preferably on Windows 7.

"I've always been mad, I know I've been mad, like the most of us..."



#5
August 9, 2010 at 15:01:15
johnr
"The best prevention is education - and a 'paid-for' security suite, preferably on Windows 7."

Thanks for the post.

Yes, now that you mention it, most of these infections have been on XP machines. However, it is not uncommon to see them on Vista...but just not as much.

Have you observed the "paid for" products stopping these on XP ?

While I do believe that McAfee and Nortons are superior to the free products...I've tended to stay with programs such as AVG Free for the "average user" for 2 reasons: 1) AVG tends to be a "lighter" program...taking up less resources...and 2) because there is no subscription fee (to be ignored).

With many (most) of these average users....I've noticed that they don't renew their "paid for" products...since they still see the little icon down in the lower right...they assume it is like any other program....you just use it forever...why pay twice? Most don't know / understand the function of virus definitions.

I guess the basic question is...has it been your experience that with XP....the only programs that will stop these Fake Antivirus programs AFTER the user has "taken the bait" and clicked within the pop-up, are the major subscription based products (e.g. McAfee, Nortons, Kasper., etc.)?

AND.....I have not dealt with Windows 7 that much, yet....but have not yet had anyone ask me to help with such an infection.

Is Windows 7, because of its construction, immune to the methods used by this category of malware?

Thanks

> PLEASE HELP OTHERS - Report back what did/didn't work for those referencing this thread.<



#6
August 9, 2010 at 17:58:08
Get them to press Alt+F4 to close the Window as soon as they see the fake screen telling them they are infected. Closing the screen with the corner X still lets it through. If they don't click the mouse on the pop-up screen they will avoid infection.

AVG does detect and stop these - mine has done so many times. MSE and Avast do likewise. Unfortunately these bogus antimalware nasties are changed so frequently it is possible for any AV to run into new variants before they have updated their databases. Make sure AVG is set for automatic updates (which is the default anyway).

This website makes a good case for running scheduled scans if available:
http://blogs.techrepublic.com.com/s...
In a nutshell he is saying that AV's do not continuously scan "the file system" (which would be a gigantic overhead), only when files are manipulated.


Long Range Golfer



#7
August 11, 2010 at 23:39:21
Today.....went back to the same guy I'd helped just 3 days ago.

Same type of malware...EXACTLY...just a different name...but it used the same method described above in the first post.

He does have an XP machine.

I got a copy of the .exe file (as always....an exe file named a random string of lower-case letters.)

BUT...as a test...I loaded it on a new Windows 7 machine running updated AVG....then ran the executable.

Well...AVG did not see it as a virus....so it must not have been in their DB yet.

HOWEVER..on Windows 7....nothing happened when the file was run.

I did notice that the file was active (running in the background) in the task manager...but it did not appear to be doing anything.

After ENDING it via the task manager...no other ill effects seemed to exist.

On the XP...I loaded Spybot with Teatimer, since it monitors and locks the registry. And....their router was configured with OpenDNS.

I hope that will help stop these things this time.

We'll see.

> PLEASE HELP OTHERS - Report back what did/didn't work for those referencing this thread.<

