Avast reverted to 4.8 on its own?

OK, I doubt it was on its own, but anyway, I have been using avast for ages; it recently updated itself (to v5 I presume) to have a more user-friendly interface etc.
Then I just got a trojan (fake antivirus), and when I loaded avast from the system tray, it's the old 4.8 interface??

I'm kind of worried the trojan somehow did this in order to stay alive!

I have run Spybot and removed some crap, and have avast doing an on-boot full scan now, but I'm kind of worried by the (apparent) revert. Has anyone seen this before?

OK, the full on-boot scan found nothing, so I guess the fake antivirus (which is still there) did screw with avast. Any ideas what I should do?

Hi carrot332, welcome to the forum :)

Usually with those fake AV things, the first recommendation is to use Malwarebytes:

For this I will steal a post from another ;D

Do you possibly have the name of this fake av?

As for going back to 4.8, I have not seen this before.

Have you run system restore?
Can you be sure you had 5? (It would be pretty obvious if you did…it would have looked like the picture.)

OK, good news: Malwarebytes got the sucker!
Bad news: yeah, I definitely had v5 before this thing, AND it came out of an exe being run in Sandboxie!

Here's the Malwarebytes log:

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13

23/06/2010 09:29:15
mbam-log-2010-06-23 (09-29-15).txt

Scan type: Quick scan
Objects scanned: 109124
Time elapsed: 5 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 5
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqgffskh (Rogue.AntivirusSuite.Gen) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqgffskh (Rogue.AntivirusSuite.Gen) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command(default) (Hijack.StartMenuInternet) → Bad: (“C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe”) Good: (iexplore.exe) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\rjbfxfdiy\ywqjtpmtssd.exe (Rogue.AntivirusSuite.Gen) → Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) → Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\asam.exe (Trojan.Agent) → Quarantined and deleted successfully.

So do I re-update avast, or what should I do from here (apart from using a VM for possibly dodgy stuff, as Sandboxie just ain't up to it)?
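The log above is worth reading as more than a list of deletions: the rogue registered itself under both the HKLM and HKCU Run keys, replaced the Start Menu "Internet" launch command so that its own ave.exe starts before the real iexplore.exe, set the three Security Center *DisableNotify flags to 1 so Windows would stop warning that AV, firewall and updates were off, and dropped its executables into the per-user Local Settings\Application Data directory. As an added example (my code, not the thread's and not Malwarebytes'), here is a small parser for this MBAM 1.x log format that groups each removed item by the technique it evidences. The sample input is the thread's own log with the curly quotes normalised; the category labels and the "lives in per-user LocalAppData" heuristic are this example's own assumptions.

```python
"""Group the findings in a Malwarebytes' Anti-Malware 1.x log by technique.
Added example for this thread; not Malwarebytes' code. Category labels and the
per-user LocalAppData heuristic are this example's own assumptions."""
import re
from collections import defaultdict

# Sample input: the "Infected" sections of the MBAM 1.46 log posted above, with curly
# quotes replaced by plain ones. MBAM writes the arrow as "->"; the regexes below also
# accept the "→" that web extraction sometimes produces.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqgffskh (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fqgffskh (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asam (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Application Data\rjbfxfdiy\ywqjtpmtssd.exe (Rogue.AntivirusSuite.Gen) -> Quarantined and deleted successfully.
C:\WINDOWS\herjek.config (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Application Data\asam.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ENTRY = re.compile(r"^(?P<loc>.+?) \((?P<det>[^()]+)\) (?:->|→) (?P<rest>.+)$")
BAD_GOOD = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) (?:->|→) (?P<action>.+)$")
QUOTED_EXE = re.compile(r'"([^"]+\.exe)"', re.IGNORECASE)
# XP per-user LocalAppData: writable without admin rights, so a common drop location (assumption).
XP_USER_LOCALAPPDATA = "\\Local Settings\\Application Data\\"


def parse_log(text):
    """Return one dict per removed item: section, location, detection, bad, good, action."""
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):           # "Registry Values Infected:" etc.
            section = line[: -len(" Infected:")]
            continue
        m = ENTRY.match(line)
        if section is None or not m:             # banner, counts, "(No malicious items detected)"
            continue
        bad = good = None
        action = m["rest"]
        bg = BAD_GOOD.match(action)              # only "Registry Data Items" carry Bad/Good
        if bg:
            bad, good, action = bg["bad"], bg["good"], bg["action"]
        entries.append({"section": section, "location": m["loc"], "detection": m["det"],
                        "bad": bad, "good": good, "action": action})
    return entries


def classify(entry):
    """Map an item to the technique it evidences (labels are this example's own)."""
    low = entry["location"].lower()
    if "\\currentversion\\run\\" in low:
        return "autorun_persistence"
    if "\\security center\\" in low and low.endswith("disablenotify"):
        return "security_center_notifications_disabled"
    if "startmenuinternet" in low and "\\shell\\open\\command" in low:
        return "browser_launch_hijack"
    if "\\policies\\" in low:
        return "policy_tamper"
    if entry["section"] == "Files":
        return "dropped_file"
    return "registry_trace"


def hijacker_path(entry):
    """For a launch command shaped "<hijacker>" /START "<real browser>", return the hijacker."""
    paths = QUOTED_EXE.findall(entry["bad"] or "")
    return paths[0] if paths else None


def summarize(text):
    """Techniques seen, hijacker executables, and items living in per-user LocalAppData."""
    entries = parse_log(text)
    by_technique = defaultdict(list)
    for e in entries:
        by_technique[classify(e)].append(e["location"])
    hijackers = [hijacker_path(e) for e in entries if classify(e) == "browser_launch_hijack"]
    in_user_dir = [e["location"] for e in entries
                   if XP_USER_LOCALAPPDATA.lower() in (e["location"] + (e["bad"] or "")).lower()]
    return {"by_technique": dict(by_technique), "hijackers": hijackers,
            "in_user_localappdata": in_user_dir}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for technique, items in sorted(report["by_technique"].items()):
        print(f"{technique}: {len(items)}")
    print("browser launched through:", report["hijackers"])
```

Run it against a saved mbam-log-*.txt instead of SAMPLE_LOG to get the same grouping for any MBAM 1.x log; the point of the hijack check is that the Bad value still names the real browser, so the first quoted executable is the one that was inserted in front of it.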

OK, I'm no expert, but there are some things that I have noticed in the log.

The database version for malwarebytes is out of date, the current one is: 4227

I would update and scan again to catch anything that may have been missed.

You scanned in safe mode. IIRC MBAM works better in normal mode, so it would be better if you could.

Windows 5.1.2600 Service Pack 2 (Safe Mode) Internet Explorer 7.0.5730.13

Your service pack level is out of date and needs updating, and so does Internet Explorer. BUT I would wait until you can be sure that you are clean before updating this.

So after you have let MBAM deal with this, and rebooted, are you still having trouble with it?

Do you by any chance remember where this came from? I'm sure the avast! team would like a look at it to improve detection. If you are going to post a link, please make it non-clickable to prevent others becoming potentially infected. Thanks.

From the log it looks like this is the one that you had: http://www.bleepingcomputer.com/virus-removal/remove-antivirus-soft

Yes, if your system is clean now, update to 5.0.545. (Not in Sandboxie…!!!) ;)
asyn

You forgot to do one thing: always update MBAM before scanning, so you have scanned with an old database (Database version: 4052).
Latest is 4228, so update and scan again.

OBS: already posted by Scott…

OK, Malwarebytes updated and didn't find anything new, which is good.
Will look into the latest XP service pack; I'm sure there was a reason to avoid it when it first came out, but that's probably fixed.
IE7 is only ever used for compatibility testing websites, never normal browsing, so it will not really be an issue.

The reason that log was done in safe mode, and not using the latest update, was because a whole bunch of other junk came with this virus: it constantly tried to connect to outside sources and periodically crippled any new program I tried to open in normal mode (it even killed Notepad++ ffs). The only reason avast would open at all was because it was already in the system tray.

Just really glad I have more than one PC to check useful forums like this and download fixes!

With regard to posting the infected file, I won't post it here, but if there is somewhere the file can be sent to (not a public forum; it's a real nasty bugger!) I will happily do so.

I'm still amazed it got out of Sandboxie!

Thanks for all your help.

Send it to virus(at)avast.com
asyn

By not updating, you are leaving yourself vulnerable to attack as many security improvements have been included in updates since…

For the infected file, you can send it in a password protected archive to virus(@)avast.com with the subject: Undetected malware.
Possibly with a link to this thread and info on how it got to you.

I have sent a PM to our resident malware expert essexboy (the one who I quoted off) asking just to double check if there is anything else that needs to be done, as he is the one who would know. He is usually on later in the day, so hopefully he will see this… :)

Thanks all, I do intend to update everything; I was just giving my (obviously flawed) reasoning behind not already doing so.

Thanks a lot

You’re welcome…!!
And, really a very good idea to update your system asap…
asyn

I would also recommend updating to IE8 even if you do not use it, as it is an integral part of Windows.

If you have any remaining problems, let me know and I will have a look.

Hi, do you mind reporting this to the Sandboxie forum? :)