2nd Warning: Microsoft Windows Rogue "Antivirus 2009" program.



zburns
11-02-2008, 09:55 AM
On Oct 11, 2008, I made the following post: IMPORTANT: WARNING. Illegal Microsoft Anti Virus Pop up AD.

--------------------------------------------------------------------------------

This is a short thread but all should read it. About 40 minutes ago, I opened a North Carolina artist's website on Google, and immediately got a "full page" Microsoft official-looking page for Antivirus 2009, claiming I had 62 infections and a Trojan whatever. Wanted me to open it, let it scan my computer, etc., and buy it!!

I opened another window for Yahoo Answers and the first post was telling me that this was a "rogue" Microsoft impersonation.

Could not close any of the three or four windows that kept reappearing when I tried to close any of them. Never opened any file, etc. Finally just turned this computer off and rebooted.

Here is the funny part and how to be certain it is a "rogue". One of the small dialogue windows, labeled "Windows Internet Explorer", said exactly as follows: "Dont close this window if your want you PC to be clean." (If you did not catch the bad English grammar, it is the use of "your" and "you" in reverse order: this from an official Windows site?)

The quotes are mine, the rest is the exact dialogue in the small window. Again it is a very official looking Microsoft site but it is a rogue.

Yesterday, Nov 1, 2008, I opened a file from a Google page; the so-called official Microsoft site called "Antivirus 2009" showed up, opened by itself (all of this in about a second), ran "hundreds, or more," files in what I call the "activity line". I reacted quickly and was able to close the "running" file. (The first time, no files were ever open, as far as I know, but I could not close any of the several dialogue pop-up boxes -- had to turn the computer off to get rid of it.)

Last time, I could not "close" their "stagnant" open window so I turned off this computer. The first time, I figured "the rogue data" to be in my RAM, worst case. This time, the rogue program opened and ran through my files, for maybe 2 seconds or slightly less. Now I assume my hard drive has infections from the rogue.

I googled Microsoft and some other forum sites about "Antivirus 2009"; best explanation from a quick review -- it is a mess. Worst outcome I read: clean the hard drives, lose your data, reload Windows. There is a lot of information about this on the web, including what it does to your computer.

In addition to my Vista "sleep" problems which seem to be similar to Wise Monkey's, I now occasionally have "failure to boot" show up after long periods of "sleep". Not a big deal yet, but I wonder if it is an "infection" from the above. Last night at 4am, I woke up, could hear my computer running loud and clear, no video, quick look and "failure to boot".

The one thing I can tell for sure: "Antivirus 2009" is no joke. If you see it pop up, try to close it (I could not close it the first time, Oct 11, but the windows and pop up dialogue box were stagnant, nothing was "running" as it did yesterday), if it does not respond, turn off your computer power immediately. Whether "it" can leave a "residual program behind" the first time you see it, I will leave to Wise Monkey, Rick, Rob or others who know this stuff much better than I.

The Wise Monkey
11-02-2008, 06:10 PM
Wow, bad luck man.

What AV are you running?

zburns
11-02-2008, 07:00 PM
ESET NOD32, v 3.0. It was highly recommended, good reviews, etc.; but it reports back to me that it never has "blocked" an attack. But I am pretty careful about what I open. WM, do you see a lot of blocked attacks with your AV?

It is not clear to me whether Antivirus 2009 is malware or a virus but it is a "rogue", no doubt about that. I have read it is a marketing scheme to get you to buy it as an AV security program; also, seen the words trojan and AV to describe the problem. I think a non-English group is behind it because of the bad grammar in the official dialogue box.

The link below has about 12 posts about Antivirus 2009, about getting rid of it; problem is some of the solutions are scams also; I say this because they come "at you" like a salesman screaming in your face. They do not seem legit.

Post # 9 on this link says a lot about the problem and the cure by using a Microsoft service called "easy assist"; but you probably pay for the service. http://forums.cnet.com/5208-6132_102-0.html?forumID=32&threadID=300720&messageID=2808996

You have to be able to trust whatever web entity provides a solution; that's what I'm looking for next. It appeared in July of this year. I think it spreads via legit websites that any one of us would routinely click on.

The Wise Monkey
11-03-2008, 04:05 AM
I run Bitdefender Total Security 2009, but I know that NOD32 is very highly respected. It is normal not to receive too many attacks - if you are receiving lots, then I would be very worried!

I don't know why your AV didn't pick this up. Does your AV come with a firewall?

zburns
11-03-2008, 01:23 PM
The ESET NOD32 does not have a firewall unless purchased separately. I use the Windows firewall and Windows Defender.

--------------------------------------------------------------------------
You will not believe this!! I just clicked on "My super pc" build and then "forums". Then I immediately went to Welcome Center, Performance, Advanced Tools, opened Task Manager on the Advanced tools page.

Three Apps running: in order, (Rogue) Antivirus 2009, My super pc build and forums. I clicked on End Task and Antivirus 2009 disappeared, but "My super pc build" and "forums" stayed put.

--------------------------------------------------------------------------------

Approx. 2:45 pm EST. MY MISTAKE !!! I am wrong with the above "You will not believe ......". Task Manager is picking up this forum subtitle: "2nd warning, Microsoft, Rogue Antivirus 2009"... My mistake, my panic. One good point: Task Manager looks like a good tool. Will also show you how many users are on your computer; the apps running; real-time processes running; real-time services running. Since I am the only user, not sure what this means about "hijack" type illegal users if they exist and whether they will show up as a second user.

The Wise Monkey
11-03-2008, 02:06 PM
Hah, it is quite easy to get confused with task manager sometimes. The number of users is the number of people logged on locally i.e. if you go to Start->Switch User and login as someone else, this will say number of users = 2.

zburns
11-03-2008, 02:47 PM
Thanks WM for the addition on "users". Under Task Manager, will not Applications, or Processes or Services show something if Antivirus 2009 is running; does not one of these categories pick up the "real time activity"? May not be named "Anti..2009" but something should show, am I right? ESET shows under Apps. The Processes tab shows random activity for either CPU or Memory; the Services tab shows Status either "running" or "stop".

So I assume a rogue app will show by itself. Or could it be embedded within a Windows program, and the program still run? But if that is the case the Rogue would have to have access to Windows code which is unlikely?

Does Apps, Process and Services cover everything running? I guess this is the question; if not, I have to look elsewhere. Or does some high level IT person at Microsoft have access to something on my computer that I do not have access to or easily have knowledge of? Thanks.

The Wise Monkey
11-04-2008, 03:47 AM
Task Manager would show you pretty much everything, but it is difficult to tell what most things mean. A program could call itself svchost.exe, and you wouldn't be able to tell if it was different from all the other svchost.exes that run by default.

If you click "Show processes from all users" then you will be able to see all of the Windows processes as well. Have a look through these to see if there is anything out of the ordinary.

zburns
11-04-2008, 10:12 AM
I actually did what you suggest several days ago, without knowing what I was doing exactly. This time, after your reply, I did notice the vertical scroll bar cut itself in half when "show all processes" was checked. However, the count jumped from 52 to 54 which could be coincidental, but the count is there whether "show all processes" is checked or not. I looked at every line item in processes and services looking for anything regarding "Antivirus 2009", and see nothing that helps. However, I am able to open files under processes so that's a help; under services, the PID number also looks useful as far as looking something up. All this for review!! Thanks much for your input.

Cirndle
11-15-2008, 03:37 AM
I will put some icing on the cake. First, if this happens to your computer, do not use it anymore with a network connection. You are leaving the door open still, stealing passes, cc info, anything else you can imagine.

Unplug your cable, or shut your router off.
Go find another computer from a friend and download the following:

1. KillBox - this bad boy deletes anything like a service or process that is being stubborn as hell.
http://killbox.net/downloads/KillBox.exe

2. Process Explorer - From Microsoft, this program monitors processes like Task Manager, but shows you in real time what happens. Example: you open an app, it runs through 2 handles, grabs 3 DLLs, and then starts 4 services. And the cool part is it shows you what is linked to them.
http://download.sysinternals.com/Files/ProcessExplorer.zip

As far as looking to see if a service or process is legit, there is a database online; search Google for it, and basically you can check the size of the file, and where it should be, to find out. AVG free version would be helpful right now.

Also,
if you are using Windows Firewall, and you have it configured to block all incoming traffic as default, then this shouldn't have happened. I think there is some kind of software that is making outgoing traffic and therefore a dataminer, but is opening a port to talk on. Get a free firewall; there are a lot of good ones.

A preventative measure:
Sandboxie - This program is kind of like running a virtual PC on your computer, or going through a proxy to the internet. It makes surfing the net safer, by putting your computer in a read-only state, where stuff can't be written to your hard drive, or RAM. Meaning, no more drive-by warez downloads, malware, etc. Or get Virtual PC, and install and build a virtual machine; no way of getting viruses on the actual machine, and if your virtual one gets infected, just reload the default image.
http://www.sandboxie.com/SandboxieInstall.exe


Please take what I have presented to you and use it, and tell other users, because I mean it is cool if I get work because their computer is infected to death, but if they never call me neither of us wins.

zburns
11-15-2008, 09:10 AM
Several days after the Nov 3, 4 replies to my original thread, Antivirus 2009 struck (as I opened a site) three times in one day; shut computer down, rebooted, SOP when it happens. Nothing since then. Right now it is not a major inconvenience; ultimately if I have to I will "clean" the whole computer and reload Vista from the disc.

But what I want to find out is what "it" is, i.e. virus, worm, trojan or malware (I do not even know the precise definitions of these terms). Then I want to find evidence of it on my computer. I am told that Microsoft Easy Assist Service (I am sure for a fee) will "look" at my rig, find the rogue, eliminate it and tell me what it found.

Have you seen this thing? It's like a "lightning bolt hit"!! "Boom" it's on your screen static, in a millisec it's running 1000mph, and about 2 sec later if I did not "close" it, I cut off power. It is "very Microsoft security official looking". Shield, colors of Microsoft security stuff, etc.

I am not sure how my Microsoft Firewall is configured right now but I will find out today. Thanks for the input!!

The Wise Monkey
11-16-2008, 05:15 AM
I have experienced what you are talking about - it appeared as the first returned result on a Google search I was doing. Luckily, I haven't seen anything else since.

zburns
11-16-2008, 01:16 PM
Is it possible that the "rogue" is inside our computers waiting for an "external" or "internal" trigger? Or do you have some "logic" that says it is not "inside"? It has run about 1 to 1.5 sec on my rig several times, scanning; seems to me it has been in my hard drive, that being the case.

The Wise Monkey
11-17-2008, 05:03 AM
I doubt that it would have any access since your firewall would have stopped it. It is much more likely that it is just a gif image that imitates a hard drive scan. Windows files are going to be called the same on every PC, so it is fairly easy to imitate a scan of the Windows directory.

zburns
11-17-2008, 09:14 AM
Just a couple of comments. My intrusions happened the way you describe -- a returned result from a Google search (I even remember the website). At first I received only a static image with the opportunity to open the file; it was the incorrect use of "English" that alerted me. The last intrusion was as I described: If there was a static page, I never saw it, it just ran with typical "file" names (unreadable because of speed) flashing by, looking like a scan.

Your explanation is clear so I will not ask any questions there; however, your explanation raises another question about the mechanism within "firewall" to block.

Windows files have different names but common to all computers using Windows. Does not the "firewall" have to see something beyond the Windows file name, i.e. some of the code or an "id further than the file name", all of which is confidential or is "randomly" changed via updates? The id could even be code that automatically changes based on a "date and time" algorithm. If the file names are commonplace and readily available, then any hacker could get through "firewall" with any malicious code he wants to use.

The Wise Monkey
11-19-2008, 08:37 AM
The whole point of a firewall is to stop any remote access to your computer. In addition, you cannot just overwrite core OS files without some kind of checks. In most hacking situations, the attacker would name the file/program as something similar to an OS file, so it would be less likely to be noticed.

For example, svchost.exe is a very common Windows program that is essential to the running of the system, and there are usually multiple versions of this program running. An attacker could name their program svchast.exe, which is so similar that you would probably not notice it.

A vast majority of the OS files are called the same thing on every machine, but once they are installed they become read only so they cannot be overwritten.
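A defender's check for the two masquerading patterns discussed above (a look-alike name such as svchast.exe, or a genuine name like svchost.exe running from the wrong directory), added here as an example that is not code from the thread or any of its participants. The reference table of known binaries and the process list are constructed for illustration, not captured from a real machine.

```python
"""Flag processes whose names imitate core Windows binaries (masquerading)."""
from typing import Dict, List, Optional, Tuple

# Well-known Windows binaries and their expected directory (lower-cased).
# Assumption: a minimal reference table; a real deployment would carry more.
KNOWN_BINARIES: Dict[str, str] = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic DP, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_process(name: str, path: str) -> Optional[str]:
    """Return a reason if the process looks like a masquerade, else None."""
    name_l, dir_l = name.lower(), path.lower().rsplit("\\", 1)[0]
    if name_l in KNOWN_BINARIES:
        # Exact system name: the image must live where that binary belongs.
        if dir_l != KNOWN_BINARIES[name_l]:
            return f"{name} running from unexpected directory {dir_l}"
        return None
    # Unknown name: flag it if it is one or two edits away from a system name.
    for known in KNOWN_BINARIES:
        if 1 <= edit_distance(name_l, known) <= 2:
            return f"{name} is a near-miss of {known}"
    return None

def scan(processes: List[Tuple[str, str]]) -> List[str]:
    """Run flag_process over (name, image path) pairs and collect findings."""
    return [r for r in (flag_process(n, p) for n, p in processes) if r]

# Constructed sample process list (name, full image path); not real telemetry.
SAMPLE = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchast.exe", r"C:\Users\zb\AppData\Local\Temp\svchast.exe"),
    ("svchost.exe", r"C:\Users\zb\AppData\Local\Temp\svchost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe"),
]
```

Calling `scan(SAMPLE)` returns two findings: the near-miss svchast.exe and the svchost.exe running from a Temp folder; the two legitimate system processes and notepad.exe pass.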