mega-antiviral-ms.com/200099/scan/ ?

My computer was hijacked to:
hxxp://mega-antiviral-ms.com/200099/scan/

I stopped it as soon as I saw it and no page loaded.

I looked up the url in NetLab which reported the IP as 78.26.179.131, in the Ukraine.

My firewall and an updated version of TrojanHunter were running, but I had temporarily killed avast home for speed. A “quick scan” with TrojanHunter after the hijack found nothing:
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan (autostarted files, running executables)
No trojan files found

I have to leave for an appointment and am afraid to leave the computer on while I’m gone (though perhaps I will unleash something when I next boot up …)

I will scan with Avast when I return.

Is there anything else I should do?

Does anyone have any experience about this url and ip? I found nothing through a google search.

Thanks for any help.

Ellen

NetLab Report:
% Information related to ‘78.26.161.0 - 78.26.191.255’

inetnum: 78.26.161.0 - 78.26.191.255
netname: RENOME-SERVICE
descr: Renome-Service: Joint Multimedia Cable Network
country: UA
admin-c: RSM-RIPE
tech-c: RSM-RIPE
status: ASSIGNED PA
mnt-by: RENOME-MNT
mnt-lower: RENOME-MNT
mnt-routes: RENOME-MNT
source: RIPE # Filtered

role: Renome Service Tech Staff
address: Kosvennaya str., 78, Odessa, Ukraine, 65000
org: ORG-RA159-RIPE
phone: +380487597596
fax-no: +380487597596
mnt-by: RENOME-MNT
abuse-mailbox: abuse@odessa.tv
admin-c: WU-RIPE
admin-c: GA-RIPE
tech-c: WU-RIPE
nic-hdl: RSM-RIPE
source: RIPE # Filtered

% Information related to ‘78.26.128.0/18AS34187’

route: 78.26.128.0/18
descr: Renome-Service: Joint Multimedia Cable Network
remarks: Renome-Service: Aggregated Route
org: ORG-RA159-RIPE
origin: AS34187
member-of: RS-RENOME
mnt-by: RENOME-MNT
source: RIPE # Filtered

organisation: ORG-RA159-RIPE
org-name: Renome-Service
org-type: LIR
descr: Renome-Service: Joint Multimedia Cable Network
address: Renome Service
Andrew Gaidulyan
Kosvennaya str., 78
65000 Odessa
UKRAINE
phone: +3 80487597596
fax-no: +3 80487597596
abuse-mailbox: abuse@odessa.tv
admin-c: GA-RIPE
admin-c: WU-RIPE
admin-c: WU-RIPE
mnt-ref: RENOME-MNT
mnt-ref: RIPE-NCC-HM-MNT
mnt-by: RIPE-NCC-HM-MNT
source: RIPE # Filtered

Posted to correct subject.

Please modify your post and change http to hXXp in the URL to the suspect site so it isn’t active; this avoids accidental exposure to it.

e.g. hXXp://mega-antiviral-ms.com/200099/scan/

This is a rogue/fake antivirus/security site.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

These should hopefully block what is sending you to this site.
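The two practical steps in this exchange are looking the suspect IP up in a RIPE whois report and breaking the link so it is not clickable. The script below is an added example, not code from any post in the thread: it parses a RIPE/RPSL report like the NetLab output Ellen pasted into objects, works out which assigned range (inetnum) and announced route cover 78.26.179.131, collects the abuse mailbox for an abuse report, measures how many addresses a firewall block on everything "beginning with 78.26." (78.26.0.0/16) covers beyond the registered route, and defangs the URL as David asks. The embedded report is a constructed excerpt of the quoted one with most fields trimmed; the indented address lines imitate how RIPE prints multi-line values.

```python
import ipaddress
import re

# Constructed excerpt of the RIPE whois report quoted in the thread (fields trimmed;
# the organisation address is shown as indented continuation lines, as RIPE prints them).
RIPE_REPORT = """\
% Information related to '78.26.161.0 - 78.26.191.255'

inetnum:        78.26.161.0 - 78.26.191.255
netname:        RENOME-SERVICE
descr:          Renome-Service: Joint Multimedia Cable Network
country:        UA
abuse-mailbox:  abuse@odessa.tv
source:         RIPE # Filtered

% Information related to '78.26.128.0/18AS34187'

route:          78.26.128.0/18
origin:         AS34187
source:         RIPE # Filtered

organisation:   ORG-RA159-RIPE
org-name:       Renome-Service
address:        Renome Service
                Kosvennaya str., 78
                65000 Odessa
abuse-mailbox:  abuse@odessa.tv
source:         RIPE # Filtered
"""


def parse_ripe_objects(text):
    """Split RIPE/RPSL output into objects (blank-line separated) of key -> [values].

    '%' lines are server comments, '#' starts an end-of-line comment, and a line
    that begins with whitespace continues the previous attribute's value.
    Repeated keys (e.g. two admin-c lines) are kept as a list.
    """
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if raw[0].isspace() and last_key is not None:
            current[last_key][-1] += " " + raw.strip()
            continue
        key, _, value = raw.partition(":")  # descr values may themselves contain ':'
        last_key = key.strip()
        current.setdefault(last_key, []).append(value.split("#", 1)[0].strip())
    if current:
        objects.append(current)
    return objects


def networks_of(obj):
    """Return the CIDR blocks an inetnum ('start - end') or route object covers."""
    if "route" in obj:
        return [ipaddress.ip_network(obj["route"][0])]
    if "inetnum" in obj:
        start, end = (ipaddress.ip_address(p.strip()) for p in obj["inetnum"][0].split("-"))
        return list(ipaddress.summarize_address_range(start, end))
    return []


def covering_networks(text, ip):
    """CIDR blocks in the report that contain ip, in the order they appear."""
    addr = ipaddress.ip_address(ip)
    return [str(net) for obj in parse_ripe_objects(text)
            for net in networks_of(obj) if addr in net]


def abuse_contacts(text):
    """Deduplicated abuse mailboxes from every object in the report."""
    return sorted({v for obj in parse_ripe_objects(text) for v in obj.get("abuse-mailbox", [])})


def block_overreach(block_cidr, text):
    """Addresses a firewall block covers that are NOT in any route the report announces.

    Blocking every address 'beginning with 78.26.' means 78.26.0.0/16; this counts
    how many unrelated hosts that rule also cuts off compared with the registered route.
    """
    block = ipaddress.ip_network(block_cidr)
    announced = [n for obj in parse_ripe_objects(text) if "route" in obj for n in networks_of(obj)]
    covered = sum(n.num_addresses for n in announced if n.subnet_of(block))
    return block.num_addresses - covered


def defang(url):
    """Break a link the way the thread asks: http(s) -> hxxp(s) so it is not clickable."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


if __name__ == "__main__":
    print(covering_networks(RIPE_REPORT, "78.26.179.131"))
    print(abuse_contacts(RIPE_REPORT))
    print(block_overreach("78.26.0.0/16", RIPE_REPORT))
    print(defang("http://mega-antiviral-ms.com/200099/scan/"))
```

The /16 rule Ellen used stops the hijack, but it also blocks three quarters of a /16 that the report does not attribute to this network at all; a rule on the announced 78.26.128.0/18, or on the exact inetnum, is the tighter choice, and the abuse mailbox is where the report about the site belongs.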

David,

Thank you so much. I didn’t know about hxxp. Sorry about that.

Because I have this appointment, in my firewall, I blocked addresses beginning with 78.26. and all ports (in and out), and that seemed to have stopped the hijacking. Before I did that, even google searches for the url and the ip address brought up virus warning screens.

I’ll try the remedies you suggested when I get back.

Two questions about avast home. I scanned my c drive and it turned up nothing. Should it have? (I didn’t scan archives and I don’t know if I have to set it to scan memory, I just installed it a few days ago and am still learning it.) Does it automatically scan memory?

Thanks again for your help.

Ellen

No problem, not many do know about breaking a link to avoid accidental exposure (until told ;D).

A real easy way to protect your system if you have to go is to disconnect the modem/router; nothing is going to get out or in. Some firewalls have a quick means of blocking all outbound and inbound connections.

The detection was by the web shield and it is there to intercept malware on the web getting on to your system, hence the only option Abort Connection. This just drops the download of that infected element, not your internet connection. So it isn’t surprising that you didn’t find anything on your system.

All we have to do now is find what is responsible for the hijack or connection to the site.

avast will scan files before they are opened, so that should apply to those which are loaded into memory. Prior to starting an on-demand scan memory will be scanned, before opening the Simple User Interface to do any on-demand scan…

Hi David,

If I had had AVAST running, it would have stopped this trojan - at least 60 variants are listed in the database. The rogue anti-virus program was WinAntiVirus from WinSoftware. A trial version of Spyware Doctor found it and listed seven related registry keys and no files. (I ran it first instead of AVAST because its name implies it specializes in spyware and trojans and I think of Avast as mostly a virus checker, although I know it checks for trojans too.)

(It also found registry keys and no files for IEFeats (which “modifies Internet Explorer’s default pages, displays pop-up advertisements and downloads additional malware without the user’s permission.”) and Backdoor.Redghost (“allows the attacker unauthorized remote access to the infected machine.”).) I was unable to find these in AVAST’s db. Are they there under other names?

I removed all the registry keys Spyware Doctor found for all three trojans and then scanned my computer with SuperantiSpyware, SpywareBlaster and Hijack This. None of these scans found any problems, so I think I’m out of the woods as far as these trojans are concerned. And I haven’t been hijacked to any rogue sites. I’ve also completed a memory and C: partition scan with Avast in standard mode. (I have a slow pc and scanning takes a very long time. Scans of two of my nine partitions found nothing; I’ll finish scanning with Avast in the next few days.)

I have a few questions:

  1. According to this web page: en.wikipedia.org/wiki/WinAntiVirus_Pro_2006#cite_note-6 ,
    the trojan installs itself via popup boxes claiming your system is infected and asking if you want to scan it now. The popups have three options (OK, Cancel, and the X on the top right to close the box). These options are each linked to a site that will download a trojan.
    How did I get to that web page? Was I infected before I was hijacked there? Did one of the registry keys Spyware Doctor found hijack me to that site or was it another method?

  2. Why were no files found by the anti-trojan scanners? Can I assume that I stopped the trojan by creating a rule in my firewall to stop in and out communication with the IP address behind the URL that insisted I had a virus?

  3. Manual removal instructions are here:
    www.windowsvistaplace.com/remove-winfixer-win-antivirus-pro-2007/othersoftware
    I searched for quite a few of the files listed on this page and didn’t find them, but I didn’t look for each one. None of the listed processes have been running. Is the action I’ve taken enough, or do I need to search for all these files and/or use one of the removal tools? I’m kind of reluctant to use a removal tool, on the principle “if it ain’t broke, don’t fix it.”

  4. Are real-time spyware protection guards similar to real-time anti-virus guards in that you should only run one at a time? If so, which of these real-time protectors is best? Please add any I didn’t include.
    Superantispyware, SpywareGuard, TeaTimer from Spybot Search & Destroy, Spyware Doctor,?

Thanks!

If anyone is curious about Spyware Doctor’s log, I’ll post it.

Ellen

The problem is that there is no standard or convention for malware names, and they are likely to differ from one AV or anti-spyware to another.

SpywareBlaster won’t find anything as it isn’t an active anti-spyware but an immunisation tool, to block various sites in your browser’s settings.

If you haven’t got a firewall that blocks unauthorised outbound connections, you’re in trouble from the start, as any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential. This could prevent further infection after any attack.

Malware can also come with a rootkit designed to hide the malware, so if you don’t find the rootkit (if one is used) then the malware remains hidden. The other thing is that they simply aren’t detected and no single security application will give 100% detection/protection.

The two tools I suggested are probably the most successful at the detection of these rogue/fake security alerts, MBAM probably the better of the two on rogue applications. So I tend to go for the known tools and don’t spend time looking for a specific tool or you could be looking for a long time.

You have to be extremely careful in the anti-spyware you choose as there are a high number that are nothing more than scam/scumware, so you need to investigate before installing. I hadn’t heard of SpywareGuard before; well, I find I have, and it is so old as to be a waste of time, as it hasn’t had any development for a considerable time. It hasn’t even been tested on Vista, and that has been out for some time.

As I said, I tend to stick with the more well-known applications with some history behind them. You can buy the Pro version of SAS for a small one-off fee and that provides resident protection; that is the option I choose.

I also stopped using S&D some time ago; the newer version is meant to be better, but I feel there are better options, and I gave you what are currently the two most effective anti-spyware/malware products. These are commonly recommended by many anti-malware forums.

I have zero knowledge of Spyware Doctor, though someone else might.