Possible Warning - Anyone hit by "Antivirus soft" ??

[Maganus]

Hey All,

 

Wanted to get some feedback from others who might possibly have had a similar problem. While fairly new to the site and checking some of the content, I'm not new to computers, gaming, programming (lighter that some here I'm sure though), etc. First point though is to ask, has anyone else been hit by a piece of malware called "Antivirus soft," particularly if you have recently? To those who don't know what I'm talking about, maybe you can just move on by this post. For anyone who does...

 

My Second question would be, have you tracked down the source of the offender file that you received it through?

 

The reason I put this out there is because it's my belief that through my recent moding of Fallout 3, that one of the files I grabbed in packet form, probably one of those made to use through FOMM had this attached and opened my system to let this be introduced. To the moderators, those great Mod makers out there, the community at large, and any other giant space hamsters that might be reading this please understand that I'm not trying to throw around wild accusations or ruffle anyone's feathers, simply trying to figure some things out. (Please understand that I totally accept the risks that come with moding and using someone elses files, worked what I could to protect myself, and will do more work in the future, but if I can save someone else from this, fan-fricking-tastic)

 

The cause for my tracking this back to files from the site comes from the following

1) This is the only site that I've used to pull mods from for the game, because it's just that bad*** so far,

2) Most of the content that I've used so far, I've double checked, save for the packaged loaders

3) I haven't downloaded anything from any other sources for nearly two weeks (worked some system restore files to check for file source, files not contained in earlier settings that were a problem, a recent load from May 14th contained the file, none before)

4) I've let nothing else around my firewall for access and my network is disabled unless I am actively using it.

 

Anyway, this is just part of my looking into this trouble and trying to find a culpret because this was a hell of a bug to work around until I got my control system up and running to help isolate the problem and it took some time to work it (two hours roughly), so I'm trying to save others from a similar hell.

 

With that, any thoughts are helpful, and GL with your moding.

~Mags

[LHammonds]

NOTE: Most infections that come from your computer are from executable programs (.exe or .com). Mod archives typically do not contain any files that can be infected (actually, what I'm trying to say is "contain files that will spread the infection"). The very few that do have executable files in them, you can upload to www.virustotal.com to have it scanned by 30+ updated virus scanners to see if it is likely to be infected (rather than a possible false positive from one particular scanner).

 

I did a little research on "Antivirus soft" and here is what I found:

 

Possible source (Websites or Trojan droppers): "Potential victims can get infected with Antivirus Soft while visiting unknown and unreliable websites. The program can also enter victimized systems with a help of Trojan applications. All this is done without a user's knowledge and consent."

- Source

 

Possible source (Facebook website): "I was using facebook today... but nothing else i can think of where I downloaded this virus."

- Source

 

Possible source (PDF, Adobe Reader exploit): "It is also common for this rogue to be installed on your computer through the use of malicious PDF files that exploit known vulnerabilities in older versions of Adobe Reader."

- Source

 

Possible source (PDF, Adobe Reader exploit): "It appears to have been attached to a .pdf attachment to an email sent to me via my Comcast account."

- Source

 

Possible source (Fake Online Scanner, Facebook, MySpace): "Usually, such rogue programs come from various misleading websites, fake online scanners, but it can be also promoted in Facebook, MySpace and similar websites"

- Source

 

The LHammonds recommendation is to NOT use Internet Explorer since infected sites such as MySpace and Facebook can auto-install software on your PC using IE without you ever knowing it. I go so far as to configure a rule in my Comodo Firewall to deny access to the Internet for Internet Explorer unless I give it explicit access (each and every time it tries to connect). I have this firewall rule because if a trojan does gain access to my computer, it cannot use the common tactic to instantiate IE as a hidden application (you never see it in the task bar) which can then be used to auto-download other viruses. This tactic is used quite a bit to a large success because people "allow" IE to have explicit access to the Internet even if every other application is blocked!!!

 

My other recommendation is to use Firefox with the following add-ons: NoScript, WOT, Adblock Plus. WOT lets you know if a site you are going to is known to have a poor reputation. It even shows you the green or red icons in google searches before you click the link!!! NoScript and Adblock will prevent 90% (my very own made-up stat) of the web-based auto-infections and you can configure certain sites (like the Nexus) to be allowed to use scripts and ads while still preventing all the other sites you visit from possibly exploiting your browser.

 

Also use Spybot Search & Destroy and SpywareBlaster to update your web browsers "known bad sites" filters so it blocks sites that have malware that tries to auto-install on your computer.

 

And as recommended in most of the pages above to cure this particular virus, download, install and use MalwareBytes on a regular basis.

 

LHammonds

[ScourgeBlack]

I go so far as to configure a rule in my Comodo Firewall to deny access to the Internet for Internet Explorer unless I give it explicit access

 

 

How do you deny access for the Internet Explorer? I've been using Comodo Firewall for quite some time now but I didn't know you could completely block IE.

[LHammonds]

How do you deny access for the Internet Explorer? I've been using Comodo Firewall for quite some time now but I didn't know you could completely block IE.

You can define a rule to have IE "Ask" for permission or outright deny (without the option to connect).

 

Here is how you do it using the latest version of Comodo Internet Security (assuming you have Win7, 64-bit):

 

1. Right-click the comodo icon in the task bar and choose Open
   
2. Click the Firewall tab, click the Advanced button
   
3. Click Predefined Firewall Policies
   
4. Click Add
   
5. Type a policy name such as Web Browser - IE
   
6. Choose Copy From --> Predefined Security Policies --> Web Browser
   
7. Edit each of the Allow items (green icon) and change the action to Ask (yellow icon) and finally click the Apply button to create the new policy.
   
8. Click Apply on the Predefined Firewall Policies window.
   
9. Click Network Security Policy
   
10. On the Application Rules tab, click the Add button.
    
11. Select Use a Predefined Policy and choose Web Browser - IE
    
12. Then select the Internet Explorer executable. On my machine, I browse to C:\Program Files (x86)\Internet Explorer\iexplore.exe and then click Apply to add the rule.
    
13. Repeat the above 3 steps for the 64-bit version as well. Mine points to C:\Program Files\Internet Explorer\iexplore.exe
    

As a general rule of thumb, you should be using a Predefined policy for every application in that list rather than having a "Custom" policy for each. If a pre-defined policy does not fit what you want to accomplish (like with IE for example), then create one just as I have just done. The most-used policies in my setup are either "Trusted Application" or "Blocked Application"

 

BACKUP!!!! - When you have a lot of rules configured, it might be wise to backup your settings every once in a while so you can import them on other PCs or the same PC if you have to re-install Windows. It will save you tons of time re-configuring everything and getting Comodo back to the very smart mode you have it trained in right now. :thumbsup: This can be done by going into the "More" tab and selecting "Manage My Configurations" and exporting your active configuration.

 

LHammonds

[pob255]

Unfortunately these days just browsing the web is leaving your self open to attack (remember to view a webpage you download it) another one I've seen quite a bit recently is "safe" website carrying attacks not directly but because most internet ad's are not coded into the website, just a frame for the ad which then comes from a 3rd party ad server (esp flash based ads which form the main route for malicious code on safe sites)

And it's these ad servers that seem to be a major target for thoes behind viruses now, which make sense from their point of view because if you can get your malicious code one to one server it rappidly gets crosslinked to hundreds to thousands of web pages.

 

The only time I've been got by a virus was vis this route on a safe site I trusted.

Luckily my anti-virus setup stopped it, but it still managed to do some minor damage (create a couple of reg keys and change a file association or two)

So I managed to scrub it out and repair without too much hassle.

I cannot remember the last time I found anything nasty hiding is something I'd actively downloaded.