Rogue.AntivirusSuite Trojan

I’m a free user so you get what you pay for, but it’s sad that this Trojan goes totally undetected by Avast. My son clicked on a bad site by mistake and it totally took over and locked down normal processes like task manager and added proxy servers to IE and Firefox rendering them nearly useless and flashing porn sites, etc. Here are the registry keys it downloaded:

HKEY_CURRENT_USER\Software\avsuite
HKEY_LOCAL_MACHINE\SOFTWARE\avsuite
HKEY_CURRENT_USER\Software\avsoft
HKEY_CURRENT_USER\SOFTWARE\avsoft

Interestingly, I was able to start in safe mode and run a full scan with Avast and it detected nothing. SUPERAntiSpyware picked it up in a safe mode scan, but could not terminate the process or quarantine the Trojan.

The only way I found it possible to rid my computer of the malicious Trojan was to: A) kill certain processes with HijackThis; and B) run MalwareBytes which found the keys above listing the first two as Rogue.AntivirusSuite and the last two as Trojan.Fraudpack.

Good luck with this one if you get infected - you will spend a few hours trying to remove it and most likely will have to download HijackThis and rename it in order to find the suspicious processes and kill them before running MBAM.
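A read-only triage check that a defender can run to confirm the indicators described in this post (the four registry keys listed above, the injected IE proxy, and the disabled Task Manager). This is an added example, not code from the thread or from any of the tools named in it; the Internet Settings, Policies\System and Firefox prefs.js locations are standard Windows and Firefox paths assumed here, not quoted from the post.

```powershell
# Added triage script (not from the original post). Only reads the registry
# and profile files; it does not remove anything.
$rogueKeys = @(
    'HKCU:\Software\avsuite',   # keys named in the post above
    'HKLM:\SOFTWARE\avsuite',
    'HKCU:\Software\avsoft'
)

$findings = @()
foreach ($key in $rogueKeys) {
    if (Test-Path -Path $key) {
        $findings += "Present: $key"
    }
}

# IE / WinINET proxy settings (standard location, assumed rather than quoted from the post)
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxy = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue
if ($proxy -and $proxy.ProxyEnable -eq 1) {
    $findings += "IE proxy enabled: $($proxy.ProxyServer)"
}

# Policy value that hides Task Manager (standard location, assumed)
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$tm = Get-ItemProperty -Path $policy -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($tm -and $tm.DisableTaskMgr -eq 1) {
    $findings += "Task Manager disabled by policy: $policy\DisableTaskMgr"
}

# Firefox keeps its proxy settings in prefs.js of each profile (assumed path)
$prefs = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue
foreach ($hit in ($prefs | Select-String -Pattern 'network\.proxy\.(type|http)')) {
    $findings += "Firefox proxy pref: $($hit.Line.Trim())"
}

if ($findings.Count -eq 0) { 'None of the indicators from this thread were found.' } else { $findings }
```

Run it from the affected user's account, since most of the listed keys live under HKEY_CURRENT_USER; a clean result for one user says nothing about the other profiles on the machine.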

Thanks for posting this… there have been some similar reports recently… I guess the devs are reading… Avast, are you there ???

edit: on a side note, virus protection is the same on free and paid versions :wink:

edit: would you mind giving the link to the infected site, making it unclickable by replacing http with hxxp…

edit: interesting, doesn’t justify that Avast doesn’t detect either, but interesting:
http://social.answers.microsoft.com/Forums/en-US/msescan/thread/af7ab937-0d54-473d-8bb8-d7b065962329
http://social.answers.microsoft.com/Forums/en-US/msescan/thread/d04d5e65-fd5c-4dc1-a658-40dfd7216f0f

I will ask my son to show me what he clicked on and post the link later today if possible. I know it’s impossible to detect every single threat, and still think Avast is the best by far, but this one’s been hiding out there for a while and I hope for the sake of others they find a way to lock it down.

I don’t know what to think honestly, can’t tell if all AVs are equally useless against rogues or not… thing is, as said, it’s been reported so many times now that Avast didn’t stop a rogue install… and to some extent this is almost understandable, as there’s “just” another software install process going on… but what I don’t get is why nothing’s detected by Avast when the rogue’s already installed and the system is over-infected with trojans…
Were avast services disabled by the infection on your son’s computer?

adding: it’s not just a matter of being able to detect every single threat, Avast seems completely unable to detect any rogue… (I haven’t experienced that personally, just read reports).

This is the SAME baddie I picked up a few days ago. (See “Fake Anti-virus not removed”)

I was able to avoid a lockout by switching USER name, then running a scan. Didn’t need Safe mode or Hijack.

Avast didn’t find or kill it. Or prevent it from getting through into the machine in the first place.

It breezed right through Firewalls, Avast on-axis and High security settings.

Only the SpyBot scan nailed and squashed it. Malwarebytes would probably work too.

The thing I can’t fathom is WHY Avast didn’t snag this doggone invader when it obviously contained all the earmarks of a Trojan.

I wonder if “mode of transport” may be a factor here. I suspect it’s riding in a Java applet, since just prior to the event I noticed a series of little coffee-cup icons (Java) marching leftward along the taskbar… first one, then two, then three, etc., all by themselves, and I hadn’t even clicked on anything.

Don’t know for sure, but I suspect an innocent-looking javascript may be providing cover for this thing, perhaps unintentionally, lurking in an ad or display on an otherwise OK website.

It completely fooled Avast, before and after.

There may be rootkits in your son’s computer.

Please follow Essexboy’s instructions.

Thanks for the feedback. I don’t believe this Trojan disabled Avast, and I will check for rootkits. The best we could do to narrow down where this bug came from was somewhere within the following website’s pics:

http://www.collegehumor.com/pictures/

Can’t be sure which one he clicked on, but it happened immediately following the click, whereby it linked to some sort of porn site. Sorry I couldn’t be more helpful with the exact website.

Hi Nubularist,

Make the link you give non-click-through by putting hxtp or wxw…
It could have been this link from that site you mentioned: http://www.google.com/safebrowsing/diagnostic?site=static.ak.connect.facebook.com
The last time suspicious content was found on this site was on 2010-03-08.

Malicious software includes 9 trojans, exploit via a stack overflow “var window.location.search = 1;”,

polonus