Avast didn't catch Antispyware Soft download - why?

I was working on my PC (XP SP3), doing a MWB scan, when suddenly it flashed a message that something had downloaded and was blocked. Too fast to see what it was. Then icons appeared in the systray and the active/open tray for Antispyware Soft. After that message had flashed I stopped the MWB scan and did an Avast system scan: "no virus". Stupid. I should have let the MWB scan finish! Then I couldn't open MWB again (ASW did its job apparently) to rescan. Everything is blocked now. I was online with FF so kept it open. The only windows I had open were 2 from Avast forums and another one from a homeschooling site. I wasn't surfing anything else. It just downloaded. Why didn't Avast catch it and stop it? And even though MWB said it blocked it, apparently it's doing its work.

Now I keep getting the standard pop-up messages and periodically IE opens to that web site for me to buy it. Fat chance! Went to the MWB site where the instructions are to remove it, but I can't print anything, can't download it as a PDF because I can't open Adobe. Will have to go to a neighbor to get the instructions and MWB again to install. But why didn't Avast get it?

I may not be able to get the stuff till tomorrow so will leave the PC on and FF open overnight, turning off the internet connection because I'm afraid if I close everything I won't even be able to boot up tomorrow.

Help!

Antispyware Soft got me last night. Completely took over my system and Avast!
Reboot, F8 to start up in safe mode w/networking. Then downloaded Malwarebytes’ Anti Malware which did the job. Good luck.

Hi topio,

Antispyware Soft is in the same family as Antivirus Soft; here is a link to try:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft

It can be stubborn sometimes to get rid of, so please post back if any help is needed; also post the logs so others can see what's going on.

Good luck

Sat

topiogigio,
After you have got rid of this (assuming you can get rid of this) I strongly recommend the NoScript add-on for Firefox for preventing this type of drive-by download.

Mudpuddle: It worked!! Thanks so much! I found that I could still download so I saved MWB on a disc. I was going to wait and do it tomorrow/today, but when I found I couldn't even play Solitaire I went ahead with it (strange what motivates us sometimes!).

I was so nervous I wasn't sure I'd be quick enough on the proxy thing, but I guess I was. Although... while installing it I got an error message and wasn't sure it had installed, but went ahead and apparently it did. Then I changed the exe to firefox.exe and sent a shortcut to the desktop. Rebooted, launched MWB and updated. Updates downloaded and I didn't get the error message, but I went to IE and changed the proxy thing anyway (unchecked it).

I guess I should go back and set it again the way it was, but I don't remember how it was! Can you tell me how to reset it the way it was, please?

Did the Quick Scan and for a long time thought it wasn't going to find anything, but then it came up with 7 items. To Show Results, all were selected, Remove Selected. It said it couldn't remove all. Rebooted. The log didn't automatically open so I opened it. One item on the log said "deleted on reboot" so maybe that was the one that wasn't removed during the process.

I have to tell you I'm pretty proud of myself! I'm 76 years old and my son is my computer guru, but he was gone tonight (lives about 60 miles away), though I called him right away anyway. Then, since I could still use FF, I googled here and found your post. There were some other sites given but I decided to try yours first. I'd gotten a virus back in January and one in April and had to go to a neighbor's to download MWB and Avast free and have DS help me, this after I found out local shops wanted from $99 to $300 to fix it and probably would have stripped my hard drive, which I didn't want to do. This I did myself and though it was simple with your directions, I'm still proud of me!

Someone in something I'd googled tonight said that sometimes we get these from PDFs from Adobe. I thought I'd upgraded the Reader but will check it again.

Thanks again! I think I may buy the paid version of MWB now... they say it would have stopped this.

Tarq57: Thanks! I do have NoScript but have it disabled at the moment. It was fine for a while and then I did an update when it came through, and after that we didn't get along. I don't remember what was happening but I finally disabled it. I may just not have been able to figure out the new version. I can enable it again and see what happens.

So you’re saying that it would have stopped ASW?

And I'm sorry for posting my reply to Mudpuddle twice! Nothing seemed to be happening so I clicked Post again. I am new to this forum and haven't learned the ropes yet!

I guess I need to post the log now, right? Will do so in a separate post.

Here is the MWB log from my process of getting rid of ASW:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4105

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/16/2010 12:05:02 AM
mbam-log-2010-05-16 (00-05-02).txt

Scan type: Quick scan
Objects scanned: 127951
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aesvjthr (Rogue.AntivirusSuite.Gen) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aesvjthr (Rogue.AntivirusSuite.Gen) → Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Polly\Local Settings\Application Data\taurxsngx\hflsmcdtssd.exe (Rogue.AntivirusSuite.Gen) → Delete on reboot.

I hope I did this right; never did it before.
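Added example (editor's code, not from any poster in this thread and not Malwarebytes' code): a small parser for the MBAM 1.x text log format shown above. It pulls out the three things worth checking in a log like this one: the Run-key entries that relaunched the rogue at every logon, the item that was only scheduled for "Delete on reboot" (its removal is unconfirmed until a rescan after the reboot), and the randomly named folder/executable under Local Settings\Application Data. The sample log embedded below is the detection section of the log posted above; the consonant-run "looks random" heuristic is the editor's own assumption, not an MBAM rule.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and summarise what matters.
Editor's example for this thread; not Malwarebytes code."""
import re
from dataclasses import dataclass
from typing import List

# Sample input: the detection sections of the log posted in this thread
# (the arrow MBAM writes is "->"; "\u2192" is also accepted by the regex below).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.46
Database version: 4105

Registry Keys Infected: 4
Registry Values Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aesvjthr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aesvjthr (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Polly\Local Settings\Application Data\taurxsngx\hflsmcdtssd.exe (Rogue.AntivirusSuite.Gen) -> Delete on reboot.
"""

# "Registry Keys Infected:" starts a section; "Registry Keys Infected: 4" is a summary line.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
# "<item> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) (?:->|\u2192) (?P<action>.+?)\.?$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4,}", re.IGNORECASE)


@dataclass(frozen=True)
class Detection:
    section: str   # e.g. "Registry Values"
    item: str      # registry path or file path
    family: str    # MBAM detection name, e.g. "Rogue.AntivirusSuite.Gen"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


def parse_mbam_log(text: str) -> List[Detection]:
    """Walk the log, tracking the current section, and collect detection lines."""
    detections: List[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue  # header lines, blanks, "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return detections


def run_key_persistence(detections: List[Detection]) -> List[Detection]:
    """Autostart entries: these relaunch the rogue at every logon."""
    return [d for d in detections if RUN_KEY_RE.search(d.item)]


def pending_on_reboot(detections: List[Detection]) -> List[Detection]:
    """Items MBAM could not remove while running; confirm with a rescan after reboot."""
    return [d for d in detections if "reboot" in d.action.lower()]


def looks_random(name: str) -> bool:
    """Editor's heuristic (assumption, not an MBAM rule): rogue droppers use
    generated names such as 'taurxsngx'; a run of 4+ consonants is a cheap tell."""
    return bool(CONSONANT_RUN_RE.search(name))


def suspicious_names(detections: List[Detection]) -> List[Detection]:
    """Detections whose last path component looks machine-generated."""
    out = []
    for d in detections:
        leaf = d.item.rsplit("\\", 1)[-1]
        if looks_random(leaf.rsplit(".", 1)[0]):
            out.append(d)
    return out


def summarize(text: str) -> dict:
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "families": sorted({d.family for d in dets}),
        "run_keys": [d.item for d in run_key_persistence(dets)],
        "pending_reboot": [d.item for d in pending_on_reboot(dets)],
        "random_names": len(suspicious_names(dets)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On this log the summary reports 7 detections across three families, two Run-key autostarts, one file still pending deletion, and three machine-looking names (both Run values and the dropped executable), which is the checklist to confirm after the reboot and rescan.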

Had the same happen on my wife’s laptop this afternoon. Avast didn’t catch it (surprised me). Found the instructions on several sites about safe-mode, proxy setting, and removal. Running Spybot SD right now…

Since Avast allegedly has anti-malware protection I didn’t think I needed something else. Or maybe because I’m running the free version?

"The reason for the growth in numbers is what is known in technical terminology as 'polymorphism', an old defence technique which involves changing the binary checksum of every copy (or download) of a piece of malware. This makes it much more difficult for antivirus programs to detect the programs."

Fake antivirus overwhelming scanners
http://news.techworld.com/security/3203072/fake-antivirus-overwhelming-scanners/
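Added example (editor's code, not from the Techworld article or any AV vendor) showing the point the quote makes: when every download is re-padded with junk, a blocklist of file checksums catches only the one copy a lab already has, while a signature on byte strings the program cannot drop still catches every copy. The "installer" bytes, the junk-wrapping routine and the signature strings are constructed stand-ins. The "-gen" / ".Gen" suffix on the detection names elsewhere in this thread is the usual marker for generic, pattern-based detections of this kind rather than per-sample hashes.

```python
"""Hash blocklist vs. content signature against per-download polymorphism.
Editor's example for this thread; all bytes below are constructed."""
import hashlib
import random

# Constructed stand-in for the rogue's installer: a fake PE header (64 bytes),
# then the strings the program needs at runtime.  Every copy shares this core.
CORE = (b"MZ\x90\x00" + b"\x00" * 60
        + b"This program cannot be run in DOS mode.\r\n"
        + b"WARNING! Your computer is infected. Buy the full version now.\x00"
        + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00")

# Constructed benign file with the same header and none of the rogue's strings.
BENIGN = (b"MZ\x90\x00" + b"\x00" * 60
          + b"This program cannot be run in DOS mode.\r\nHello, world\x00")


def serve_copy(seed: int) -> bytes:
    """Server-side polymorphism: the same core wrapped in junk that differs
    per download, so each visitor receives a file with a new checksum."""
    rng = random.Random(seed)

    def junk(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    return CORE[:64] + junk(rng.randint(16, 96)) + CORE[64:] + junk(32)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A hash blocklist built from the single sample a lab received yesterday.
HASH_BLOCKLIST = {sha256(serve_copy(seed=1))}


def hash_match(data: bytes) -> bool:
    return sha256(data) in HASH_BLOCKLIST


# A content signature: byte strings the rogue cannot remove without losing
# functionality (its scare text and the Run key it writes for persistence).
CONTENT_SIGNATURE = (b"Your computer is infected", b"\\CurrentVersion\\Run")


def content_match(data: bytes) -> bool:
    return all(s in data for s in CONTENT_SIGNATURE)


def detection_rates(n_downloads: int = 10):
    """Return (hash_hits, content_hits) over n distinct downloads."""
    copies = [serve_copy(seed) for seed in range(1, n_downloads + 1)]
    return sum(map(hash_match, copies)), sum(map(content_match, copies))


if __name__ == "__main__":
    print(detection_rates(10))  # -> (1, 10)
```

The checksum blocklist is not useless, it is simply one sample behind: each fresh download needs a new entry, which is the arms race the article describes.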

As the OP here is on XP, it is absolutely crucial that you stop browsing as admin, ever. You really should be using a limited user account (see my signature for a very secure XP setup). Failing that, at least you should run your browser and internet-facing stuff in general sandboxed (even the free Sandboxie variant can do this for you, preferably set to drop rights as well).

Well, it's 10:30 pm on Sunday and I just finished cleaning out another attack of Antispyware Soft! I had seen a post while looking for answers yesterday that it might be being downloaded via a PDF. Now I believe it! When it happened Saturday I wasn't surfing; I had 4 windows open: 2 from the Avast forum, one from a homeschooling site and one at the Yahoo list I own. I was moving back and forth between the member list and a mailbox in Eudora, removing members from moderation. While doing that, I got an email about a PDF that had been posted on another list I'm on. I went there and opened it to look at it. I'm not sure how concurrent that was with the attack, but very close.

Tonight I created a PDF and uploaded it to the Files section of my Yahoo list. I think while I was there I opened either that one or another one there. Then zap, I was attacked again.

I went through the same process as yesterday (Mudpuddle here had said what he'd done, and I also used the directions Metallica has posted on the Malwarebytes forum site to remove it).

Tomorrow I'm going to buy the paid version of MWB! And will probably get paid Avast as soon as I can. But I'm wondering how and when the rogue ASW is getting to me. After I'd cleaned it up this time I scanned all the Adobe stuff I have with Avast. All OK. I tried to scan the individual Adobe folders with MWB but it didn't do it, so I'm running a whole scan as we speak. If they're accessing my computer through my using a PDF, how? Is it only when I'm online opening, uploading or looking at a PDF? Or how are they getting to me?

Avast did catch something... the message window opened and it said that it had blocked this: JS:Pdfka-gen, and gave a URL: hxxp://nadwq.com/b/pdf/all.pdf|>(gzip). Avast put it in the virus chest. When I looked at it, this:

Name: 6510ad[1].exe
Orig. Location: C:/Documents & Settings/my name/Local Settings/TempInternetFiles/Content/IE5/2MDOR3TI
Virus: Win32:Rootkit-gen (Rtk)

I'm really spooked about using PDFs now.

In addition to my suggestions above:

1/ Stop using Adobe Reader. There are better, less junky, less bloated and more secure alternatives, such as PDF-XChange Viewer.
2/ In your PDF reader, disable JavaScript and disable opening PDF attachments in external applications.
3/ Disable opening PDFs in your browser (the darned browser integration). Really, it's not that hard to download the PDF and open it manually.
4/ Whatever reader you use, go use Secunia PSI to keep up with vulnerabilities and security updates.
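Added example (editor's code, not from any poster in this thread) for the JS:Pdfka-gen detection reported above and the advice to disable JavaScript in the reader: a triage script that checks a PDF for the names that give malicious documents their foothold (/JavaScript, /JS, /OpenAction, /AA, /Launch, /EmbeddedFile) before you open it. The point it makes beyond a plain text search is that these names are routinely hidden from grep, either by PDF name escapes (/Java#53cript is the same name as /JavaScript) or by placing the action object inside a FlateDecode-compressed object stream, so the scanner normalises escapes and inflates every stream it can. The three sample PDFs are constructed inline (minimal and without a valid xref table, which is enough for this scanner but not for a viewer).

```python
"""Flag PDFs that carry JavaScript or auto-run actions, including when the
names are escaped or sit inside compressed streams.  Editor's example for
this thread; the sample PDFs are constructed, not real captures."""
import re
import zlib

# Names worth a second look before opening a PDF from an untrusted source.
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
               b"/Launch", b"/EmbeddedFile", b"/RichMedia")

NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")          # PDF name escape: /Java#53cript
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

# Constructed sample 1: nothing active at all.
BENIGN_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed sample 2: JavaScript run on open, written in the clear.
PLAIN_JS_PDF = (b"%PDF-1.4\n"
                b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                b"3 0 obj << /S /JavaScript /JS (app.alert('payload')) >> endobj\n"
                b"trailer << /Root 1 0 R >>\n%%EOF\n")


def make_hidden_js_pdf() -> bytes:
    """Constructed sample 3: same behaviour as sample 2, but the action object is
    in a FlateDecode object stream and the names use #xx escapes, so a raw
    byte search for "/JavaScript" or "/OpenAction" sees nothing."""
    inner = b"3 0\n<< /S /Java#53cript /JS (app.alert('payload')) >>"
    packed = zlib.compress(inner)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so /Java#53cript compares equal to /JavaScript."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes):
    """Yield the decompressed body of every stream that is valid zlib data.
    decompressobj tolerates the trailing newline before 'endstream'; streams
    using other filters (images, etc.) raise zlib.error and are skipped."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def naive_grep(data: bytes) -> set:
    """What a plain byte search finds; kept to show what it misses."""
    return {n.decode() for n in RISKY_NAMES if n in data}


def triage_pdf(data: bytes) -> set:
    """Return the risky names present anywhere: raw text (escapes decoded) plus
    the contents of every inflatable stream.  A name must be followed by a
    non-alphanumeric so /JS does not match a longer, unrelated name."""
    found = set()
    layers = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    for layer in layers:
        for name in RISKY_NAMES:
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9])", layer):
                found.add(name.decode())
    return found


if __name__ == "__main__":
    hidden = make_hidden_js_pdf()
    print("benign:", triage_pdf(BENIGN_PDF))
    print("plain JS:", triage_pdf(PLAIN_JS_PDF))
    print("hidden JS, naive grep:", naive_grep(hidden))
    print("hidden JS, triage:", triage_pdf(hidden))
```

A hit on /JavaScript or /OpenAction is not proof of malice (forms and some legitimate documents use them), but a PDF from a mailing list that needs JavaScript to open is exactly the case where the reader's JavaScript should already be off.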