anti malware

Discussion in 'PC Hardware, Software and Displays' started by Davros, Apr 1, 2010.

  1. Davros

    Legend

    Joined:
    Jun 7, 2004
    Messages:
    15,026
    Likes Received:
    2,372
    Got hit with XP Antimalware 2010 today.
    Absolutely didn't download it.
    So does anyone know how a web page could copy a file ave.exe to c:\documents and settings\davros\application data\
    without me knowing about it?
    Would JavaScript or Java have the ability to copy a file to a user's PC without them authorizing it?
     
  2. digitalwanderer

    digitalwanderer Dangerously Mirthful
    Legend

    Joined:
    Feb 19, 2002
    Messages:
    17,321
    Likes Received:
    1,812
    Location:
    Winfield, IN USA
  3. Malo

    Malo Yak Mechanicum
    Legend Veteran Subscriber

    Joined:
    Feb 9, 2002
    Messages:
    7,120
    Likes Received:
    3,182
    Location:
    Pennsylvania
    JavaScript, Flash or a browser vulnerability is the usual way. ComboFix is great for getting rid of those nasty ones.

    Always have people in the company I work for getting those on XP; can't say I've seen it occur on W7 yet.
     
  4. Davros

    Legend

    Joined:
    Jun 7, 2004
    Messages:
    15,026
    Likes Received:
    2,372
  5. digitalwanderer

    digitalwanderer Dangerously Mirthful
    Legend

    Joined:
    Feb 19, 2002
    Messages:
    17,321
    Likes Received:
    1,812
    Location:
    Winfield, IN USA
    I didn't think it a hard question, I found it an alarming one.

    NoScript keeps those types of problems under a bit more control.
     
  6. Davros

    Legend

    Joined:
    Jun 7, 2004
    Messages:
    15,026
    Likes Received:
    2,372
  7. ShaidarHaran

    ShaidarHaran hardware monkey
    Veteran

    Joined:
    Mar 31, 2007
    Messages:
    3,984
    Likes Received:
    34
    There is no way for this software to get onto your PC without you downloading something you shouldn't have. Ave.exe comes from browsing porn sites. Go check your download history in whichever browser you use. You'll see video.exe in there.

    Guaranteed.

    Anyway, ComboFix + Malwarebytes Anti-Malware is the prescribed method for removal, though when I last cleaned up the exact infection you described it was necessary to do so manually by using Process Explorer to locate the folder in which ave.exe was stored and delete the file from there. The file is set as a hidden/protected OS file, so you'll need to change your Explorer view options so you can see these files. You'll of course need to do this from Safe Mode.
     
  8. Davros

    Legend

    Joined:
    Jun 7, 2004
    Messages:
    15,026
    Likes Received:
    2,372
    Sorry no, don't get me wrong, I enjoy lesbian porn as much as the next man, but as this PC is in the living room it is never ever used for porn.
    Also I would have got a dialog box like so:
    [screenshot of the download dialog, not preserved]
    (I never choose Open btw, always Save)

    Then I would have gotten another dialog box:
    [screenshot of the save dialog, not preserved]
    and I always save in Downloads, nowhere else.

    So how did ave.exe end up in documents and settings\davros\application data\?
    I would not have saved it in there; in fact, because that folder is a system folder I would never have been given the option to save there
    unless I accidentally clicked on Folder Options and took the ticks out of "hide hidden files and folders" and "hide protected operating system folders".

    First thing I noticed was I got a popup saying "your computer could be infected". I closed it, then a window opened up scanning files: 38 viruses detected. My firewall popped up: ave.exe is trying to access the internet. I blocked it. I also got a Windows security warning that antivirus is turned off (could have been fake), so I opened Task Manager and ended ave.exe (no other process was suspicious; I know what processes are running on my PC).
    The process ended and the little icon near the clock disappeared, then 10 seconds later it reappeared (the process and the icon), so I shut the PC down and used the PC upstairs to find a solution.

    So the question still remains: how did it get onto my PC?
     
  9. Albuquerque

    Albuquerque Red-headed step child
    Veteran

    Joined:
    Jun 17, 2004
    Messages:
    3,845
    Likes Received:
    329
    Location:
    35.1415,-90.056
    Someone mentioned earlier that an exploit in Java, Flash or QuickTime is the most likely suspect. There was a huge pile of infected videos on MySpace and Facebook a while back; they'd play back with Flash, which would end up writing data to the disk.

    When you play a Flash game, you're downloading data. Same with running a Java app.
     
  10. Neb

    Neb Iron "BEAST" Man
    Legend

    Joined:
    Mar 16, 2007
    Messages:
    8,391
    Likes Received:
    3
    Location:
    NGC2264
    When you browse the web, files are stored in a cache, although it should be virtualised in Vista with UAC on, IIRC, and protect better. Nasty ads, Java, Flash material. Flash can also store 3rd-party files/share files between sites when used, unless set not to do it by configuring Flash Player via their config page. The web browser cache is located in your Application Data folder and hidden by default.

    Maybe InPrivate (not enough though) surfing or VM surfing for the future? :smile:


    What the spyware your PC contracted does and how to remove it.

    http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

     
    #10 Neb, Apr 5, 2010
    Last edited by a moderator: Apr 5, 2010
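Two things in this thread point at the same mechanism: ShaidarHaran's note that the rogue sits hidden in Application Data and has to be dug out by hand (post #7), Davros's observation that the process came straight back after being killed in Task Manager (post #8), and Neb's suggestion of checking the changes the malware made so they can be reversed (post #10). Rogue-AV families of this era typically persisted by repointing the per-user .exe file association at themselves and/or adding a Run entry under the profile. The script below is an added example, not part of the thread or of the bleepingcomputer guide: it parses a `reg export` text dump of HKCU taken offline (Neb's "bring the tools on a USB stick" workflow), flags both persistence tricks, and emits a .reg file that undoes them. The sample export, the ProgID name "secfile", the command line and the Run value are constructed for the example, modelled on typical rogue-AV behaviour rather than taken from the thread.

```python
import re

# Registry paths as they appear in a `reg export` text dump (HKCU only: the
# rogue runs as the user, so user-writable keys are where it persists).
HKCU = "HKEY_CURRENT_USER"
CLASSES = HKCU + r"\Software\Classes"
RUN_KEYS = (HKCU + r"\Software\Microsoft\Windows\CurrentVersion\Run",
            HKCU + r"\Software\Microsoft\Windows\CurrentVersion\RunOnce")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
APPDATA_HINT = re.compile(r"%appdata%|\\application data\\|\\appdata\\roaming\\", re.I)

# Constructed sample export. The ProgID "secfile", the launcher command line and
# the Run entry are illustrative, modelled on typical rogue-AV persistence.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Documents and Settings\\davros\\Application Data\\ave.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"AntiMalware"="\"C:\\Documents and Settings\\davros\\Application Data\\ave.exe\""
'''


def unescape(s):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: data}} for the string values in a .reg dump."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group("default") else unescape(m.group("name"))
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = unescape(data[1:-1])  # dword:/hex: data is left untouched
            keys[current][name] = data
    return keys


def get_key(keys, path):
    """Case-insensitive lookup, since registry paths are not case sensitive."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return k, v
    return path, {}


def find_exe_hijack(keys):
    # HKCU\Software\Classes\.exe normally does not exist; HKLM's "exefile" applies,
    # whose open command is "%1" %*. A per-user override that launches something
    # else runs the rogue every time any .exe is started, so killing the process
    # in Task Manager does not keep it down.
    exe_key, exe = get_key(keys, CLASSES + r"\.exe")
    progid = exe.get("(Default)")
    if not progid:
        return []
    _, cmd = get_key(keys, CLASSES + "\\" + progid + r"\shell\open\command")
    launcher = cmd.get("(Default)", "").strip()
    if launcher.lower() in ('"%1" %*', '%1 %*'):
        return []
    return [{"kind": "exe_association_hijack", "value": "(Default)", "data": launcher,
             "keys": [exe_key, CLASSES + "\\" + progid]}]


def find_appdata_autoruns(keys):
    """Run/RunOnce entries that start something out of the roaming profile."""
    hits = []
    for run in RUN_KEYS:
        run_key, values = get_key(keys, run)
        for name, data in values.items():
            if APPDATA_HINT.search(data):
                hits.append({"kind": "appdata_autorun", "value": name, "data": data,
                             "keys": [run_key]})
    return hits


def triage(text):
    keys = parse_reg(text)
    return find_exe_hijack(keys) + find_appdata_autoruns(keys)


def undo_reg(findings):
    """Build a .reg file that reverses the findings ("[-key]" deletes a key,
    '"name"=-' deletes one value); import it before deleting the rogue binary."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        if f["kind"] == "exe_association_hijack":
            out += ["[-%s]" % k for k in f["keys"]]  # HKLM's exefile applies again
        else:
            out += ["[%s]" % f["keys"][0], '"%s"=-' % f["value"]]
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_EXPORT)
    for f in found:
        print(f["kind"], f["keys"][0], f["value"], "->", f["data"])
    print(undo_reg(found))
```

Order matters when cleaning up: with the .exe association hijacked, the rogue is launched in front of every program the user starts, which is the respawn Davros saw. Restore the association first and only then delete the file in Application Data; deleting the binary while the hijack is still in place leaves every .exe failing to start until the association is repaired.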
  11. Tahir2

    Veteran

    Joined:
    Feb 7, 2002
    Messages:
    2,978
    Likes Received:
    86
    Location:
    Earth
    A friend had a similar problem yesterday, prevented him from browsing.

    Removed it for him and cleaned his system but advised to reinstall Windows - once these pesky trojans make their way into your PC you can never trust it again.
     
  12. Neb

    Neb Iron "BEAST" Man
    Legend

    Joined:
    Mar 16, 2007
    Messages:
    8,391
    Likes Received:
    3
    Location:
    NGC2264
    There should be no problems with this malware. Also, the link I gave allows him to manually check out all the changes/additions the malware made so that they can be reversed, though the AV solution/utility should take care of that. Of course this implies Davros is disconnected from the internet and brings the program(s) to remove the malware on a USB stick or disc to the infected computer.
     
  13. Davros

    Legend

    Joined:
    Jun 7, 2004
    Messages:
    15,026
    Likes Received:
    2,372
    Oh yes, I did, I already had one ready as I've removed many anti*** 2009 from people's PCs in the past.
    First time it's ever got me though.

    "What's your administrator password?"
    "Er, I don't know."

    Cue several hours of going through every pet/girlfriend/favourite thing etc. :(
     
  14. Tahir2

    Veteran

    Joined:
    Feb 7, 2002
    Messages:
    2,978
    Likes Received:
    86
    Location:
    Earth
    Rainbow tables?
    As with all trojans and malware, it sometimes highlights the lack of awareness of the user, and usually they have other demons lurking on their system too, in my experience. I always advocate the "back up data" and format route, but that is just me.
     
  15. tommysand

    Newcomer

    Joined:
    Apr 7, 2010
    Messages:
    1
    Likes Received:
    0
    I don't think the malware problem will be much better in Windows 7. Just wait a few months and I am sure W7 users will face the same problems as the XP users now. The bad guys just have to find out the weaknesses of the OS and then they will do their thing again. The best malware protection is always clever surfing :cool: although you can never be sure today ...
     
  16. ShaidarHaran

    ShaidarHaran hardware monkey
    Veteran

    Joined:
    Mar 31, 2007
    Messages:
    3,984
    Likes Received:
    34
    This is the problem. You didn't close the popup, you clicked on a picture that was designed to trick you. By clicking the "close" icon, you actually accepted the agreement to install this fake AV software on your PC.

    I'm a PC tech, I've been fighting this POS for the last 2 years now. You have no idea how many people insist they "didn't click on anything" without realizing they did in fact click on something.

    Next time you see one of these, close the browser entirely.
     
  17. Davros

    Legend

    Joined:
    Jun 7, 2004
    Messages:
    15,026
    Likes Received:
    2,372
    No I actually closed the whole browser.
     
  18. caveman-jim

    Regular

    Joined:
    Sep 19, 2005
    Messages:
    305
    Likes Received:
    0
    Location:
    Austin, TX
    This is bullshit.

    This kind of payload can be delivered inside a malicious advertisement or document (PDF, anyone?). The advert uses an unpatched exploit to elevate and break out of the browser and silently download and install.
     
  19. ShaidarHaran

    ShaidarHaran hardware monkey
    Veteran

    Joined:
    Mar 31, 2007
    Messages:
    3,984
    Likes Received:
    34
    Jim, could you tell me how it is that clients whose PCs I've disinfected have gotten this infection when they:
    1) haven't had Adobe Reader on their system
    2) have been running Firefox with JavaScript disabled

    I do this for a living, Jim. I know WTF I'm talking about. I've cleaned literally thousands of instances of this very infection. It's the most common PC problem right now. Perhaps I jumped the gun when telling Davros he got it from a porn site, but I've observed the particular fake AV program he mentioned (ave.exe) only in this circumstance (browsing porn, downloading video.exe).

    Lots of things are possible in theory; they don't happen in the real world though. Every instance of fake AV software installation on a PC can be traced back to an action the user took. Advertisements generate the point of infection; it's up to the user to click on the wrong thing to actually allow the infection onto their PC though.
     
  20. Silent_Buddha

    Legend

    Joined:
    Mar 13, 2007
    Messages:
    16,338
    Likes Received:
    5,304
    Which may not be enough. JavaScript isn't the only way to exploit a browser, it's just the easiest (especially when combined with Flash).

    And Firefox, unlike Chrome and IE on Win7, doesn't support Mandatory Integrity Control, so it's far easier for a malicious website/advertisement to raise their privilege level in the OS and thus gain the ability to arbitrarily write files in locations it shouldn't be able to. And if you are on XP, then you don't have that in any browser.

    MIC, as with any protection, isn't foolproof, but it does make things significantly harder for potential malware that targets the browser.

    Anyway, that said, it's just as likely they could have clicked on something in e-mail, an IM client, a pirated application, whatever... It's becoming increasingly popular for people to repackage pirated applications and games such that the installer also installs malware onto a user's system.

    Regards,
    SB
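Silent_Buddha's point about Mandatory Integrity Control is easier to see with the rule written out. Every process token and every securable object carries an integrity level (the S-1-16-<rid> label SIDs; Low, Medium, High, System), and the object's label carries policy bits, of which no-write-up is set by default: a process may not write to an object labelled higher than itself, regardless of the DACL. A browser component running at Low therefore cannot drop a file into the Medium-labelled roaming profile where ave.exe landed, while a browser running at Medium, or anything on XP, can. The model below is an added example (not code from the thread or from Windows) that evaluates that check; the profile paths and which of them are labelled Low are assumptions about a default Win7 profile, and a real access check still evaluates the DACL after the integrity check passes.

```python
# Integrity RIDs from the mandatory label SIDs S-1-16-<rid>.
LOW, MEDIUM, HIGH, SYSTEM = 0x1000, 0x2000, 0x3000, 0x4000
NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High", SYSTEM: "System"}
# Policy bits carried by the object's mandatory label ACE.
NO_WRITE_UP, NO_READ_UP, NO_EXECUTE_UP = 0x1, 0x2, 0x4
WANT_BIT = {"write": NO_WRITE_UP, "read": NO_READ_UP, "execute": NO_EXECUTE_UP}

# Assumed labels for a Win7 profile: only LocalLow is explicitly labelled Low;
# everything else in the profile gets the default Medium / no-write-up label.
WIN7_LABELS = {
    r"C:\Users\davros\AppData\LocalLow": (LOW, NO_WRITE_UP),
    r"C:\Users\davros\AppData\Roaming": (MEDIUM, NO_WRITE_UP),
}


def object_label(path, labels):
    """Longest-prefix match; unlabelled objects count as Medium with no-write-up."""
    best = None
    for prefix, label in labels.items():
        if path.lower().startswith(prefix.lower()) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, label)
    return best[1] if best else (MEDIUM, NO_WRITE_UP)


def mic_allows(process_level, path, want, labels, mic_enabled=True):
    """True if the integrity check passes; the DACL is still evaluated afterwards."""
    if not mic_enabled:  # Windows XP: no integrity levels at all
        return True
    level, policy = object_label(path, labels)
    if process_level >= level:  # same or higher integrity: no mandatory restriction
        return True
    return not (policy & WANT_BIT[want])  # lower integrity: blocked only by the policy bit


def scenarios():
    """The thread's cases: XP (no MIC), an unsandboxed Medium browser, a Low renderer."""
    roaming = r"C:\Users\davros\AppData\Roaming\ave.exe"
    lowlow = r"C:\Users\davros\AppData\LocalLow\cache.bin"
    xp = r"C:\Documents and Settings\davros\Application Data\ave.exe"
    return {
        "xp_any_browser_writes_appdata": mic_allows(MEDIUM, xp, "write", {}, mic_enabled=False),
        "win7_medium_browser_writes_roaming": mic_allows(MEDIUM, roaming, "write", WIN7_LABELS),
        "win7_low_renderer_writes_roaming": mic_allows(LOW, roaming, "write", WIN7_LABELS),
        "win7_low_renderer_reads_roaming": mic_allows(LOW, roaming, "read", WIN7_LABELS),
        "win7_low_renderer_writes_locallow": mic_allows(LOW, lowlow, "write", WIN7_LABELS),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print("%-38s %s" % (name, "allowed" if ok else "blocked by MIC"))
```

The read case is included on purpose: no-read-up is not set on files by default, so a Low process can still read the Medium-labelled profile. MIC limits what an exploited renderer can write and execute, not what it can see, which is why it narrows the drive-by download described in the thread without being a complete answer to it.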
     