Fake Avast Alert Popping up on customer screen

I am not sure where to add to this post. Customer called me claiming he had a virus alert. I took control of his PC, only to see what appeared to be a fake alert (similar to the fake AVG alert, but this time it was saying avast). I quickly checked his real-time shields and nothing was showing as detected. This confirmed my belief that it was a fake alert. I closed each screen on his desktop, immediately updated Malwarebytes and ran a full scan…

Results:

Two infected files: Trojan.Downloader

from log:

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\0PS72R2M\sjnlgn[1].htm (Trojan.Downloader) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\0PS72R2M\sjnlgn[1].htm (Trojan.Downloader) → Quarantined and deleted successfully.

Will reboot and see if removal was successful. Will follow up.

Steve

Follow-up after Malwarebytes run:

I have run Malwarebytes, deleted the infected files and rebooted as per the Malwarebytes instructions. I even ran TFT to completely delete temp files. I then ran a boot scan with avast, and still the fake alerts seem to be popping up. Oh yeah, I even restored the computer with System Restore to an earlier date when it was running correctly. I can not think of anything else short of a complete re-install, which on a Sony Vaio laptop without recovery disks is going to be a pain in the ass. I have been a huge fan of avast and install it on all my clients' computers; I may have to reconsider.

Steve

Note: I have heard that AVG can find and remove the fake avast alert… is this so? Should I temporarily uninstall AVAST, install AVG and run a full scan? Do you think this might help?

Essexboy, I was referred to your suggestion page; I will contact the customer and download and run OTL. Funny thing, I ran Malwarebytes again and it did not seem to detect anything, but then the pop-up appeared again. Customer got frustrated, and I was not able to re-run Malwarebytes to see if the infected files re-appeared…

A long time supporter of AVAST,

Thank you

Steve

Download DDS and save it to your Desktop from here:
http://download.bleepingcomputer.com/sUBs/dds.scr

Double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:
     1. DDS.txt
     2. Attach.txt

Save both reports to your desktop. Post DDS.txt back to topic.

Read this post earlier this a.m. as I have the same issue as selby’s client. I actually did click on the upgrade link, though it looked to me to be suspicious as well. After nothing happened, I ran an avast! scan and it detected 5 infected files from the time I “downloaded” my upgrade; moved them to the chest and deleted them. So, yes, it is a pop-up virus. One file wasn’t able to be deleted and was identified by avast! as a decompression bomb. That individual file was in another user’s temp files, roaming, iTunes, …dmg. Gave up on that and started reading these posts to figure out how to stop the mentioned pop-up from appearing on screen every time I reboot.

Downloaded and ran MBAM quick scan and full scan with no infected files found.

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5595

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/25/2011 8:35:29 AM
mbam-log-2011-01-25 (08-35-29).txt

Scan type: Quick scan
Objects scanned: 166729
Time elapsed: 9 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5595

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18999

1/25/2011 10:15:45 AM
mbam-log-2011-01-25 (10-15-45).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 304311
Time elapsed: 1 hour(s), 19 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Where is this pop-up virus residing and how do I rid my machine of it!?

Hi Guys, back after another session with the customer. Did another full scan with Malwarebytes, zero detections found.
I then had the customer run DDS, and his system blue-screened after DDS was 80% through its run. I asked the customer to start Windows in safe mode, then run DDS again; again it blue-screened. Customer told me that he has been getting blue screens lately; I am not sure if it is related to this fake alert trojan.

I am at my wits' end.

Steve

Here is the initial Malwarebytes report from the scan. Now when I run MBAM, it does not pick up any infections; however, the false screen is still appearing. I will ask the customer to do a print screen to show you what it looks like. I will try running OTL, maybe that will run without crashing the PC, but I am unable to generate a DDS file at this time.

Steve

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5591

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

24/01/2011 6:17:37 PM
mbam-log-2011-01-24 (18-17-37).txt

Scan type: Full scan (C:|)
Objects scanned: 242804
Time elapsed: 29 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\System32\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\0PS72R2M\sjnlgn[1].htm (Trojan.Downloader) → Quarantined and deleted successfully.
c:\Windows\SysWOW64\config\systemprofile\AppData\Local\microsoft\Windows\temporary internet files\Content.IE5\0PS72R2M\sjnlgn[1].htm (Trojan.Downloader) → Quarantined and deleted successfully.

Have a look in the startup folder - the sneaky blighters hide there sometimes - and AVG would be no better than Norton or ESET.

OTL can run from safe mode - but ensure all users is selected

Essexboy, another moderator told me to try DDS, but as I have already posted, the system goes blue screen every time I try to run DDS. I will try OTL, but in the meantime here are some print screens of what the fake alert looks like.

OK Essexboy, I was able to run OTL on the customer’s PC; here are the two txt documents it generated.

Thanks in advance for your attention to this issue

Steve

Nothing visible there, so let's take a peek in the start menu.

* Run OTL. Make sure all other windows are closed and let it run uninterrupted.
* Select All Users.
* Under the Custom Scan box paste this in:

C:\Users\tom\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup /s

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
* There will be just one log this time.
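As an added illustration of the check Essexboy is walking Steve through (this is not code from the thread, from OTL or from Malwarebytes), the PowerShell below lists the contents of every profile's Startup folder plus the Run/RunOnce keys, and flags entries that launch from temp or cache paths like the one Malwarebytes quarantined. It assumes profiles live under C:\Users, as in the custom-scan path above, and only reads; it changes nothing.

```powershell
# Added example, not from the thread or OTL: read-only listing of common autostart locations.
# Assumes user profiles live under C:\Users (as in the post's custom-scan path).
$profileRoot = 'C:\Users'
$startupSub  = 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Per-user Startup folders plus the machine-wide one under ProgramData
$startupDirs = @()
Get-ChildItem $profileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { $startupDirs += Join-Path $_.FullName $startupSub }
$startupDirs += Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'

# Run / RunOnce keys. HKCU covers only the user running this script; other users' hives are not loaded.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Paths legitimate autostarts rarely use but drive-by downloads often do (cf. the quarantined .htm above)
$suspectPattern = 'Temporary Internet Files|\\Temp\\|\\AppData\\Local\\|\\ProgramData\\'

$findings = @()
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $findings += New-Object PSObject -Property @{
                Location = $dir; Entry = $_.Name; Target = $_.FullName; Modified = $_.LastWriteTime
                # Executable or script types in a Startup folder deserve a closer look
                Review   = ($_.Extension -match '^\.(exe|scr|vbs|js|bat|cmd|htm|html)$')
            }
        }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $findings += New-Object PSObject -Property @{
                Location = $key; Entry = $_.Name; Target = $_.Value; Modified = $null
                Review   = ([string]$_.Value -match $suspectPattern)
            }
        }
}
# Flagged entries first; Target shows what actually runs at logon
$findings | Sort-Object Review -Descending | Format-Table Review, Location, Entry, Target -AutoSize
```

Run it in an elevated PowerShell on the affected machine; a Review value of True only means the entry is worth examining by hand, not that it is malicious.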