anti malware

Davros

Got hit with XP Antimalware 2010 today,
absolutely didn't download it.
So does anyone know how a web page could copy a file ave.exe to c:\documents and settings\davros\application data\
without me knowing about it?
Would JavaScript or Java have the ability to copy a file to a user's PC without them authorizing it?
 
JavaScript, Flash or a browser vulnerability is the usual way. ComboFix is great for getting rid of those nasty ones.

Always have people in the company I work for getting those on XP; can't say I've seen it occur on W7 yet.
 
I didn't think it a hard question, I found it an alarming one.

NoScript keeps those types of problems under a bit more control.
 
There is no way for this software to get on your PC without you downloading something you shouldn't have. Ave.exe comes from browsing porn sites. Go check your download history in whichever browser you use. You'll see video.exe in there.

Guaranteed.

Anyway, ComboFix + Malwarebytes Anti-Malware is the prescribed method for removal, though when I last cleaned up the exact infection you described it was necessary to do so manually, using Process Explorer to locate the folder in which ave.exe was stored and delete the file from there. The file is set as a hidden/protected O.S. file, so you'll need to change your Explorer view options so you can see these files. You'll of course need to do this from safe mode.
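The manual step above (find an executable dropped directly into Application Data that Explorer hides because of its hidden/system attributes) can be turned into a small triage rule. The script below is an added example, not code from this thread or from any of the tools mentioned; the folder listing it checks is constructed to mirror the post, the attribute bit values are the standard Windows ones, and `scan_live` only does real work on Windows, where `os.stat()` exposes `st_file_attributes`.

```python
"""Triage hidden executables in a user's Application Data folder.

Added example (not from the thread). The rule encodes what the post above
describes: an .exe sitting straight in Application Data, with the hidden
and/or system attributes set so Explorer's default view never shows it.
"""
import ntpath   # Windows path rules, so the sample listing works on any OS
import os

# Standard Windows file attribute bits (same values os.stat() reports in
# st_file_attributes on Windows)
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat"}


def classify(path, attrs, appdata_root):
    """Return the reasons a file is suspicious, or [] if it looks benign.

    path:         full Windows path of the file
    attrs:        Windows attribute bitmask for that file
    appdata_root: the user's Application Data (Roaming) directory
    """
    reasons = []
    if ntpath.splitext(path)[1].lower() not in EXECUTABLE_EXTS:
        return reasons                      # only executables are of interest here
    root = ntpath.normcase(ntpath.normpath(appdata_root))
    parent = ntpath.normcase(ntpath.normpath(ntpath.dirname(path)))
    if parent == root:
        reasons.append("executable sitting directly in Application Data root")
    if attrs & FILE_ATTRIBUTE_HIDDEN:
        reasons.append("hidden attribute set")
    if attrs & FILE_ATTRIBUTE_SYSTEM:
        reasons.append("system attribute set (hidden under 'protected operating system files')")
    return reasons


def triage(entries, appdata_root):
    """entries: iterable of (path, attrs). Returns {path: [reasons]} for flagged files only."""
    flagged = {}
    for path, attrs in entries:
        reasons = classify(path, attrs, appdata_root)
        if reasons:
            flagged[path] = reasons
    return flagged


def scan_live(appdata_root):
    """Walk a real Application Data tree. Attributes are only available on
    Windows; elsewhere every file is treated as having none set."""
    entries = []
    for dirpath, _dirs, files in os.walk(appdata_root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full)
            except OSError:
                continue                    # vanished or unreadable; skip it
            entries.append((full, getattr(st, "st_file_attributes", 0)))
    return triage(entries, appdata_root)


# Constructed sample listing modelled on the thread (not a real capture)
APPDATA = r"C:\Documents and Settings\davros\Application Data"
SAMPLE_LISTING = [
    (APPDATA + r"\ave.exe", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    (APPDATA + r"\Microsoft\Internet Explorer\Quick Launch\desktop.ini",
     FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),      # normal, not an executable
    (APPDATA + r"\Mozilla\Firefox\Profiles\abcd.default\prefs.js", 0),
    (APPDATA + r"\SomeVendor\updater.exe", 0),            # exe in a vendor subfolder, unflagged
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LISTING, APPDATA).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Running it against the constructed listing reports only `ave.exe`, with all three reasons; `updater.exe` in a vendor subfolder with no attributes set is left alone. On a live machine, `scan_live(r"C:\Documents and Settings\<user>\Application Data")` runs the same rule over the real tree, which is the check the post does by hand after turning off "hide protected operating system files".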
 
Sorry, no. Don't get me wrong, I enjoy lesbian porn as much as the next man, but as this PC is in the living room it is never ever used for porn.
Also I would have got a dialog box like so:

(I never choose Open, btw, always Save)

then I would have gotten another dialog box

and I always save in Downloads, nowhere else.

So how did ave.exe end up in documents and settings\davros\application data\?
I would not have saved it in there; in fact, because that folder is a system folder, I would never have been given the option to save there
unless I accidentally clicked on Folder Options and took the ticks out of "hide hidden files and folders" and "hide protected operating system folders".

First thing I noticed was I got a popup saying your computer could be infected. I closed it, then a window opened up scanning files: 38 viruses detected. My firewall popped up: ave.exe is trying to access the internet. I blocked it. I also got a Windows Security warning that antivirus is turned off (could have been fake), so I opened Task Manager and ended ave.exe (no other process was suspicious; I know what processes are running on my PC).
The process ended and the little icon near the clock disappeared, then 10 seconds later it reappeared (the process and the icon), so I shut the PC down and used the PC upstairs to find a solution.

So the question still remains how did it get on to my pc.
 
As someone mentioned earlier, an exploit in Java, Flash or QuickTime is the most likely suspect. There were a huge pile of infected videos on MySpace and Facebook a while back; they'd play back with Flash, which would end up writing data to the disk.

When you play a flash game, you're downloading data. Same with running a Java app.
 
When you browse the web, files are stored in a cache, although it should be virtualised in Vista with UAC on, IIRC, and protect better. Nasty ads, Java, Flash material. Flash can also store and share third-party files when used, unless set not to by configuring Flash Player via their config page. The web browser cache is located in your Application Data folder and hidden by default.

Maybe InPrivate surfing (not enough though) or VM surfing for the future? :smile:


What the spyware your PC contracted does and how to remove it.

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

 
A friend had a similar problem yesterday, prevented him from browsing.

Removed it for him and cleaned his system but advised to reinstall Windows - once these pesky trojans make their way into your PC you can never trust it again.
 
A friend had a similar problem yesterday, prevented him from browsing.

Removed it for him and cleaned his system but advised to reinstall Windows - once these pesky trojans make their way into your PC you can never trust it again.

There should be no problems with this malware. Also, the link I gave allows him to manually check out all the changes/additions the malware made so that they can be reversed, though the AV solution/utility should take care of that. Of course this implies Davros is disconnected from the internet and brings the program(s) to remove the malware to the infected computer on a USB stick or disc.
 
Oh yes, I already had one ready as I've removed many Anti*** 2009 from people's PCs in the past.
First time it's ever got me though.

"What's your administrator password?"
"Er, I don't know."

Cue several hours of going through every pet/girlfriend/favourite thing etc. :(
 
Rainbow tables?
As with all trojans and malware it sometimes highlights the lack of awareness of the user and usually they have other demons lurking on their system too in my experience. I always advocate the, "back up data" and format route, but that is just me.
 
Don't think the malware problem will be much better in Windows 7. Just wait a few months and I am sure W7 users will face the same problems as the XP users do now. The bad guys just have to find out the weaknesses of the OS and then they will do their thing again. The best malware protection is always clever surfing :cool: although you can never be sure today ...
 
first thing I noticed was I got a popup saying your computer could be infected, I closed it

This is the problem. You didn't close the popup, you clicked on a picture that was designed to trick you. By clicking the "close" icon, you actually accepted the agreement to install this fake AV software on your PC.

I'm a PC tech, I've been fighting this POS for the last 2 years now. You have no idea how many people insist they "didn't click on anything" without realizing they did in fact click on something.

Next time you see one of these, close the browser entirely.
 
There is no way for this software to get on your PC without you downloading something you shouldn't have. Ave.exe comes from browsing porn sites. Go check your download history in whichever browser you use. You'll see video.exe in there.

Guaranteed.

This is bullshit.

This kind of payload can be delivered inside of a malicious advertisement or document (PDF anyone). The advert uses an unpatched exploit to elevate and break out of the browser and silently download and install.
 
This is bullshit.

Jim, could you tell me how it is that clients whose PCs I've disinfected have gotten this infection when they:
1) haven't had Adobe Reader on their system
2) been running Firefox with javascript disabled

I do this for a living, Jim. I know WTF I'm talking about. I've cleaned literally thousands of instances of this very infection. It's the most common PC problem right now. Perhaps I jumped the gun when telling Davros he got it from a porn site, but I've observed the particular fake AV program he mentioned (AVE.exe) only in this circumstance (browsing porn, downloading video.exe).

This kind of payload can be delivered inside of a malicious advertisement or document (PDF anyone). The advert uses an unpatched exploit to elevate and break out of the browser and silently download and install.

Lots of things are possible in theory; they don't happen in the real world though. Every instance of fake AV software installation on a PC can be traced back to an action the user took. Advertisements generate the point of infection, but it's up to the user to click on the wrong thing to actually allow the infection onto their PC.
 
Jim, could you tell me how it is that clients whose PCs I've disinfected have gotten this infection when they:
1) haven't had Adobe Reader on their system
2) been running Firefox with javascript disabled

Which may not be enough. Javascript isn't the only way to exploit a browser, it's just the easiest (especially when combined with flash).

And Firefox, unlike Chrome and IE on Win7, doesn't support Mandatory Integrity Control, so it's far easier for a malicious website/advertisement to raise their privilege level in the OS and thus gain the ability to arbitrarily write files in locations it shouldn't be able to. And if you are on XP, then you don't have that in any browser.

MIC as with any protection isn't foolproof but it does make things significantly harder for potential malware that targets the browser.

Anyway, that said, it's just as likely they could have clicked on something in e-mail, an IM client, a pirated application, whatever... It's becoming increasingly popular for people to repackage pirated applications and games such that the installer also installs malware onto a user's system.

Regards,
SB
 