Ransomware - Should Avast Have Blocked It?

Yesterday my laptop was hit by what I later found out (thanks to Malwarebytes) was a Winlock Trojan.

It happened when I was browsing an innocuous web page using Opera and I don’t think I even clicked on the link which apparently may have launched it.

Getting rid of it was a pain and took me most of the day but what concerned me as much as the nasty nature of this attack was the fact it had got through both Avast and the anti-malware program I use. Avast usually flags up malicious web site pages or links, at least when I’m using Firefox it does. But this time, with Opera, nothing.

Anyone else here had anything similar?

There is no Antivirus program which detects 100% of all viruses.

Every day there are more than 50,000 viruses coming out so no AV is 100% and hence there is something called “self caution” to be implemented and plus keeping all your software and Windows up to date and having a second layer of security like MBAM Pro or COMODO Firewall.

If you got infected it’s your fault anyways…not Avast’s fault and moreover the machine can be kept there running all day and it won’t get infected. Can we have a non-clickable format of the link you clicked on?

Layered security is the only approach.

I’m not sure what it was I clicked on if I did in fact click on it. I was looking for wallpapers using Bing Images, clicked on several links opening new tabs to all the host web sites that I was interested in, then opened one of the tabs and before the page had even finished loading that’s when it happened.

As part of the process of getting rid of it I wiped my browser history thoroughly and deleted all my cookies, not just those I’d collected that day, so I have no records.

As for it being my fault: really? The whole nature of a trojan like this is that you don’t know it’s there. You can take precautions but if you’re searching for something the whole point of it is you’re going to be going to previously unknown web sites.

I have Avast and an anti-malware program all religiously kept up to date (and firewall obviously). I’d done my weekly updating and maintenance including virus and malware scans only 24hrs earlier. I also use an additional Firefox and Opera Web Rep plugin to the Avast one.

Ever since I had this laptop, my first true computer, I’ve manually scanned everything it is possible to scan I’ve ever downloaded first with Avast, then Malwarebytes and finally, sometimes, a legacy AV used just for this purpose. If it is a compressed file I even rescan after opening it. That’s how cautious I am.

What more could I have done except not click on a link which, of course, if I had known was infected, I wouldn’t have gone anywhere near?

It is usually spread with software download…
If you want a virus check, follow the guide at the top in the virus and worms forum section.

As said I scan everything I download but maybe that was it as I’d downloaded some wallpapers earlier and was going to batch scan them once I’d finished. So it might be it wasn’t even the specific web site I was on but I just don’t know.

What browser were you using?? This is a firm indication that it was somehow a drive by drop and hence something like NoScript is necessary.

Which 2 side my antimalware apps you were using? If it would have been something solid like Malwarebytes Pro or winpatrol free it would have caught it :slight_smile:

Plus, why do people search for wallpapers, I don’t understand, can’t people live with default wallpapers, and by the way what type of wallpapers were you searching for? :o

I was using Opera. I’ve been trying it out recently but if anyone knows or thinks that it might have some security weakness which might have been an element in what happened I’ll certainly consider the matter.

This might have nothing to do with this Winlock trojan but ironically I was reading up about how Java can be a weak link in the security and related browser security matters only a few weeks ago. That term you used: “drive by drop” I hadn’t heard before then so it immediately rang a bell in connection with this article:-

http://blogs.kqed.org/newsfix/2013/01/11/experts-warn-users-to-disable-widely-used-java-software/

That isn’t the only place I’ve come across such advice either; the general recommendation seems to be to disable Java.

I have Spybot as my active anti-malware, although I’ve never seen much evidence of it doing anything, presumably it is working away quietly in the background but it certainly did nothing in this case. If there is a malicious URL it is Avast that goes into action and pops up a warning.

I use Malwarebytes (Free) as an on demand scanner for downloads and regular quick and full system scans. One thing I find a bit annoying with it is that you can’t do a targeted scan of a download when it is already running. You assume it is protecting you but I like to see a report confirming that particular file/folder is clean. To get this you have to close it down, highlight the file and launch the targeted scan from the context menu.

Anyway Avast is automatically updated and both the above are religiously updated on a weekly basis and that was done only 24hrs before this attack occurred. My anti-nasty stuff was present and correct, of that I’m certain.

“I have Spybot as my active anti-malware, although I've never seen much evidence of it doing anything, presumably it is working away quietly in the background but it certainly did nothing in this case.”
A useless program, and you don't need it when you have Malwarebytes http://www.pcmag.com/article2/0,2817,2412372,00.asp
“In testing, it proved almost 100 percent ineffective.”
“I use Malwarebytes (Free) as an on demand scanner for downloads and regular quick and full system scans. One thing I find a bit annoying with it is that you can't do a targeted scan of a download when it is already running.”
Upgrade to PRO Version, then you get autoupdate and a protection module; it is a one time fee for a Lifetime License.

We do not know if he has Malwarebytes pro realtime or just the scanner
Neither do we know if he has just the Spybot scanner (which btw is not useless - it finds things MB misses, and vice versa). Does he have Spybot’s T-timer on?
T-timer works with Avast with no conflicts
What Firewall?

@wyrmrider

“We do not know if he has Malwarebytes pro realtime or just the scanner”
Don't we!..... you should read reply #6 then
“I use Malwarebytes (Free) as an on demand scanner for downloads and regular quick and full system scans.”
“neither do we know if he has just the Spybot scanner (which btw is not useless - it finds things MB misses, and vice versa)”
You mean tracking cookies? Why have all forums that provide free malware removal help stopped using it years ago. ::)

For the excellent removal of tracking cookies you could use non-residential free Super Anti Spyware, some of these tracking cookie-removals demand a reboot.
Or you can use an extension like CookieMonster “send me your cookies” in Google Chrome. At the end of the browser session they are all eaten, and there are no more cookies in the “cookie jar” ;D

polonus

Yes, I do have the Spybot T-Timer on and always use the Spybot “Immunize” feature after updating too. However what I’ve never been sure of is what the T-Timer is actually doing. I know what it is supposed to do but I’ve never had any messages from it at all let alone as regards, program or registry changes.

What Spybot is unsatisfactory for is quick on demand scans, it might be thorough but it is snail slow. This is why I installed Malwarebytes and use that for this particular task. You get an immediate report once done and it’s logged, stored for some time and easily accessible.

Malwarebytes (free version).

Windows Firewall.

I have been wondering whether just to use Spybot as an on demand weekly/monthly maintenance tool and perhaps get Malwarebytes Pro. But the Spybot T-Timer uses so few system resources that seems almost churlish, it’s not doing any harm and maybe doing some good. I’m just not sure what exactly. :slight_smile:

AVs and the like constantly asking or telling you stuff can be very annoying but there is a happy medium between that and being totally, anonymously silent like Spybot seems to be.

Spybot is rubbish…if you would have had MBAM Pro it would have been better. :slight_smile:

Spybot S&D was not bad “back in the day” and was fairly effective. I used to use it years ago. However, in recent years MBam has far surpassed SpyBot for effectiveness and OS security.
Sometimes a software program will remain at a static state and never improve beyond that. Spybot S&D would fall into that category.
As for TTmr, I have read many threads over the years where there have been issues between Avast and TTmr.
Anyway, just in my experience :slight_smile:

Perhaps do all such browsing in a sandbox?

How do I do that exactly?

There are hidden nasties like this out there like this Winlock trojan we all know that, but surely if sandboxing a browser session was a solution we’d all be doing it as standard practice. In fact I thought that was what Spybot may have been doing as much with its ‘immunisation’ tool. Maybe I’ve misunderstood its purpose.

As far as Spybot goes I agree with the others in that it is rubbish, the Real time teatimer function is also known to corrupt the functionality of avast so imo it would be best uninstalled.

Maybe that’s the reason he got infected, maybe if Spybot wouldn’t have been there Avast would have saved the day. Umm :slight_smile:

Using avast Internet security is one way to get sandboxed web browsing.

“avast! Internet Security includes all the features you need to be safe”

"Sandbox

An isolated virtual environment, so risky sites and apps cannot harm your PC."

If using avast free AV you can use Sandboxie and run your browser in it.

sandboxie DOT com

“Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer.”

Thanks all for the suggestions/info.

I’ve not read before that Avast and Spybot are in any way incompatible. I’ve been using them together for over two years and prior to that with MSE. This is the first time I’ve been victim of a successful attack ever, in all other cases of dodgy links on web sites Avast has flagged and blocked it. If there were any contra-indications involving Avast and Spybot/T-Timer when working together surely in two years of use I would have had more trouble.