This trojan has been around for a few weeks now and I’ve picked it up twice. Both times my Avast 4.8 has been up to date. Why is there no blocking of this trojan yet? Yes, I know Malwarebytes gets rid of it, and supposedly the Pro version will block it from getting on your PC. Why is Avast not doing the same? ???
I’m going to add my “me too”. I got it tonight, was able to remove it all. At least I’m fairly certain I did.
But when I found posts that this thing has been known about for over a month and Avast didn’t even blink, I’m more than a little upset. >:(
BTW: I followed the most common instructions for removing av.exe from my machine. In the manual removal instructions nobody bothered to say, remove the program. On my Vista machine it was marked as a System file under \Users\username\AppData\Local\av.exe, so to go searching for it you need to be able to see System files. Do a search of the entire registry; I found two more locations where that damn thing had set itself up to run. No, I forgot to copy the registry keys.
Antivirus Vista 2010, Win 7 Antispyware 2010, and XP Internet Security 2010 are new rogues that are exactly the same program, but are shown with different names and interfaces depending on the version of Windows that it is run on. After I wrote this guide, I was told that this rogue goes under quite a few different names, which I have listed below:
• Antivirus Vista 2010
• Vista Antispyware 2010
• Vista Guardian
• Vista Antivirus Pro
• Vista Internet Security
• Vista Internet Security 2010
• XP Guardian
• XP Antivirus Pro
• XP AntiSpyware 2010
• XP Internet Security
• XP Internet Security 2010
• Antivirus XP 2010
• Antivirus Win 7 2010
• Win7 Guardian
• Win 7 Antivirus Pro
• Win 7 Antispyware 2010
• Win 7 Internet Security
• Win 7 Internet Security 2010
When installed, this rogue pretends to be an update for Windows installed via Automatic Updates. It will then install itself as a single executable called AV.exe that uses very aggressive techniques to make it so that you cannot remove it. First, it makes it so that if you launch any executable it instead launches Antivirus Vista 2010, Win 7 Antispyware 2010, or XP Internet Security 2010. If the original program that you wanted to launch is deemed safe by the rogue, it will then launch it as well. This allows the rogue to determine what executables it wants to allow you to run in order to protect itself. It will also modify certain keys so that when you launch Firefox or Internet Explorer it will launch the rogue instead and display a fake firewall warning. Last, but not least, when you try to browse to a web site, it will hijack your browser and state that the site is a security risk and not allow you to visit it.
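The guide above says every executable launch is routed through AV.exe and that the browser keys are rewritten, and the earlier poster found the rogue's autorun entries by searching the registry but did not record the keys. The script below is an added example, not part of this thread or of any guide it quotes. It assumes the mechanism usually behind "every .exe launches the rogue": a per-user override of the `.exe` file class under `HKCU\Software\Classes` pointing at a custom ProgID whose `shell\open\command` runs the rogue first. It parses a `.reg` export (such as one produced with `reg export HKCU\Software\Classes classes.reg`, which is written as UTF-16) and flags that pattern, plus any open command that runs a binary from a user-writable directory such as `AppData\Local`, where the poster found av.exe. The sample export, the `secfile` ProgID, the `/START` argument and the file paths are constructed placeholders, not indicators taken from a real infection.

```python
import re
from typing import Dict, List

# Constructed sample of a Windows .reg export (not from any real machine).
# Keys 1 and 2 show a normal executable association and a normal browser
# handler; keys 3 and 4 show the assumed hijack: .exe remapped to a custom
# ProgID whose open command runs a binary out of AppData\Local first.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\Applications\iexplore.exe\shell\open\command]
@="\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" %1"

[HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command]
@="\"C:\\Users\\username\\AppData\\Local\\av.exe\" /START \"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="secfile"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')

# Directories a limited user can write to; a launcher living here is suspect.
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\')


def unescape_reg(value: str) -> str:
    """Undo .reg string escaping: backslash-quote -> quote, double backslash -> backslash."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_reg_export(text: str) -> Dict[str, str]:
    """Return {key path: default (@) value} for every key in the export that sets one."""
    entries: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            continue
        value_match = DEFAULT_RE.match(line)
        if value_match and current is not None:
            entries[current] = unescape_reg(value_match.group(1))
    return entries


def launcher_of(command: str) -> str:
    """First token of a shell command: the quoted path, or the first bare word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ''


def find_exe_hijacks(entries: Dict[str, str]) -> List[str]:
    findings: List[str] = []
    for key, value in entries.items():
        # Rule 1: a clean profile has no HKCU\Software\Classes\.exe override; any ProgID
        # other than exefile means .exe launches are routed through a custom handler.
        if key.lower().endswith('\\software\\classes\\.exe') and value.lower() != 'exefile':
            findings.append(f'{key}: .exe mapped to ProgID "{value}" instead of exefile')
    for key, value in entries.items():
        if not key.lower().endswith('\\shell\\open\\command'):
            continue
        # Rule 2: the exefile open command must be exactly "%1" %*; anything else
        # wraps every executable launch in another program.
        if key.lower().endswith('\\exefile\\shell\\open\\command'):
            if value != '"%1" %*':
                findings.append(f'{key}: exe open command replaced with {value!r}')
            continue
        # Rule 3: any other open command whose launcher lives in a user-writable directory.
        launcher = launcher_of(value)
        if any(marker in launcher.lower() for marker in USER_WRITABLE):
            findings.append(f'{key}: open command runs {launcher} from a user-writable directory')
    return findings


def scan_reg_export(text: str) -> List[str]:
    """Parse a .reg export and return human-readable findings (empty list = nothing flagged)."""
    return find_exe_hijacks(parse_reg_export(text))


if __name__ == '__main__':
    for finding in scan_reg_export(SAMPLE_REG):
        print(finding)
```

To run it against a real export, read the file with `encoding='utf-16'` and pass the text to `scan_reg_export`. The rules only flag; removal still means deleting the offending `.exe` override and the rogue's ProgID so the association falls back to `exefile`, then removing the file itself with hidden and system files visible, as the earlier poster described.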
There are tons of rogues changing every day… even though we’re trying to watch (and detect) them all, there’s still a probability of missing some (new) of them… malware authors are always checking their new creations against the most used AV engines (including us) to carry a non-detection in the first hours of a new variant emission…
What you have to remember is that the users that are troubled by this have been installing this rogue av software themselves by clicking on everything indiscriminately.
If you are aware of the danger of the social engineering you won’t fall for these scams.
If you use the proper in-browser protection like surfing Firefox with the additional extensions ABP Plus, NoScript, RequestPolicy, you will never even see the malicious pop-ups, because the malcode won’t run and the rogue cannot be installed - not a rogue from the past, the present or the foreseeable future.
A resident av solution (and you can only have one!) cannot find all malware. That is why people use additional non-resident anti-spyware like MBAM and/or SAS and clean the crap from their machines using ATF Cleaner. It is also very important to keep your third party software fully updated and patched using Secunia PSI to be protected against the exploits these malicious fake av programs use to try and get your attention and an eventual install that you will regret. As always malcreants speculate on the unawareness and fear of their potential victims,
I got this last night! What a pain! It went right by Avast, although it said it blocked a rootkit. But the computer was going crazy. AND I didn’t click on any window or pop up or anything… it just loaded itself as soon as I visited a site.
Your assumptions are completely bogus. There was no “indiscriminate clicking” involved once I clicked on the URL. Avast gave a warning that it blocked a Javascript attack, but then the trojan just came right on through. I didn’t have to click on anything else after reaching the infected website and I didn’t install it. I was using a fully patched XP machine and IE8 at the time. I do have Firefox installed, but the website in question wasn’t one I’d suspect to be infected, so I was using IE8.
Posting instructions as to how to remove it is helpful once you get the infection, but the question remains - why after one month is Avast NOT BLOCKING this dangerous trojan? I understand no AV is going to catch everything on the first day - but a month later?? That’s complete BS! This should be in a definition file by now.
From what I’ve seen on the net, none of the major AV solutions are doing a good job stopping this trojan. I’d be furious if I’d paid for a license from Avast, or Symantec, or Kaspersky etc. only to discover they couldn’t stop it either. Only MBAM Pro seems capable of stopping it before it gets on your system. I guess I’m going to have to buy an MBAM Pro license tonight if Avast is going to sit on their ass for a few more weeks before updating their definition file to include it and its behavior.
Frankly, I doubt this is being altered everyday. If it was, the Trojan’s authors would have likely found a way to disable the removal procedure that has been posted in many places over the last month or so.
Why is Malwarebytes able to remove it, but not Avast? Avast isn’t even capable of removing it, let alone blocking it before it gets on your system. It certainly doesn’t say much for the “Avast Evangelists” if your solution is to use someone else’s product!
I have read that most rogues are server-side polymorphic these days which means the packaging of the file can change multiple times while on your machine and thus get around whatever AV you are using. This has apparently initiated the steep rise in scareware in the past two years (not to mention that the bad guys are all organized now).
Is that PSI going to do its thing without attempting to install Java or whatever the OSI attempted to do when I briefly started to try this Secunia?
Whatever Drivers it finds out of date, will Secunia give you the option of updating them there?
Or is it up to us to go who knows where to find the appropriate latest Drivers?
Precisely as I noted earlier in the thread, no other AV seems to be able to stop it getting on the machine in the first place. I’ve read reports that MBAM Pro can though.
But riddle me this Essexboy - WHY won’t Avast REMOVE it now?? Malwarebytes has no problem with it, and apparently has been able to remove it for over a month now.
No, the files have long been deleted. I do have one of the infected URLs that I could pass on if someone would kindly let me know where to send it. Then the Avast team can determine how to stop it.
A good suggestion! I updated a few things, but after checking the various release notes, the only security fixes were to Java, which I was only a couple of versions back on. Was that the source of my problem? I sort of doubt it, but it’s possible. In any event, I’m running MBAM Pro now with its real-time protection module (along with Avast), so we’ll see if that keeps this trojan away for a while.
Thanks, Pondus! I guess I misunderstood someone on some previous occasion. I thought Secunia checked out Programs AND Drivers. In that case, well heck, I hardly have any programs in my computer.