Thread: AntivirusGT

  1. #1
    wasted Guest

    AntivirusGT

    Greetings

    Daughter's laptop got hit by AntivirusGT. Constant "alerts" popping up about
    this, that and the other infection, and of course it would fix them if she
    paid out. She couldn't access antimalware websites because of redirects.

    She brought it to my house yesterday for me to try and fix. I downloaded
    onto my computer, changed name and saved to CD, both MBAM and
    SUPERANTISPYWARE.

    Installed MBAM, and ran it without updating (because I wasn't letting it
    link to my network at any cost) - it found nothing in normal mode, and
    during the scan there were the same incessant popup "alerts" from AVGT. Went
    to safe mode - no popups occurring, but MBAM still found nothing.

    Whilst still in safe mode, installed SAS, again without updating - and it
    found and removed stuff referring to AntivirusGT.

    Rebooted to normal mode - success, it's gone!

    Sent daughter home and from there she updated MBAM and SAS and ran both -
    nothing more found and all is OK.


    Questions:-

    1. Should I have installed MBAM in safe mode?

    2. If the answer to question 1 isn't relevant, any guesses/info on whether
    MBAM would have "worked" had I allowed it to update. I'm worried about this
    because I pay for the full version myself to have the real-time protection.
    I moved to it from SAS because at that time, on my 64bit system, SAS could
    only be updated by uninstalling and reinstalling

    2. How does this AVGT get onto computers in the first place.

    Cheers

    JP






    __________ Information from ESET NOD32 Antivirus, version of virus signature database 5334 (20100802) __________

    The message was checked by ESET NOD32 Antivirus.

    http://www.eset.com




  2. #2
    David H. Lipman Guest

    Re: AntivirusGT

    From: "wasted" <rubbish@xxnone.notreal.com>

    | Greetings

    | Daughter's laptop got hit by AntivirusGT. Constant "alerts" popping up about
    | this, that and the other infection, and of course it would fix them if she
    | paid out. She couldn't access antimalware websites because of redirects.

    | She brought it to my house yesterday for me to try and fix. I downloaded
    | onto my computer, changed name and saved to CD, both MBAM and
    | SUPERANTISPYWARE.

    | Installed MBAM, and ran it without updating (because I wasn't letting it
    | link to my network at any cost) - it found nothing in normal mode, and
    | during the scan there were the same incessant popup "alerts" from AVGT. Went
    | to safe mode - no popups occurring, but MBAM still found nothing.

    | Whilst still in safe mode, installed SAS, again without updating - and it
    | found and removed stuff referring to AntivirusGT.

    | Rebooted to normal mode - success, it's gone!

    | Sent daughter home and from there she updated MBAM and SAS and ran both -
    | nothing more found and all is OK.


    | Questions:-

    | 1. Should I have installed MBAM in safe mode?

    | 2. If the answer to question 1 isn't relevant, any guesses/info on whether
    | MBAM would have "worked" had I allowed it to update. I'm worried about this
    | because I pay for the full version myself to have the real-time protection.
    | I moved to it from SAS because at that time, on my 64bit system, SAS could
    | only be updated by uninstalling and reinstalling

    | 2. How does this AVGT get onto computers in the first place.

    | Cheers

    | JP



    No. What you should have done is updated another computer.

    Obtained the "rules.def" file (the latest signatures).
    "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref"

    And copied the latest rules to that infected computer then ran MBAM.


    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



  3. #3
    wasted Guest

    Re: AntivirusGT


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:i375ts01eic@news3.newsguy.com...
    > From: "wasted" <rubbish@xxnone.notreal.com>
    >
    > | Greetings
    >
    > | Daughter's laptop got hit by AntivirusGT. Constant "alerts" popping up about
    > | this, that and the other infection, and of course it would fix them if she
    > | paid out. She couldn't access antimalware websites because of redirects.
    >
    > | She brought it to my house yesterday for me to try and fix. I downloaded
    > | onto my computer, changed name and saved to CD, both MBAM and
    > | SUPERANTISPYWARE.
    >
    > | Installed MBAM, and ran it without updating (because I wasn't letting it
    > | link to my network at any cost) - it found nothing in normal mode, and
    > | during the scan there were the same incessant popup "alerts" from AVGT. Went
    > | to safe mode - no popups occurring, but MBAM still found nothing.
    >
    > | Whilst still in safe mode, installed SAS, again without updating - and it
    > | found and removed stuff referring to AntivirusGT.
    >
    > | Rebooted to normal mode - success, it's gone!
    >
    > | Sent daughter home and from there she updated MBAM and SAS and ran both -
    > | nothing more found and all is OK.
    >
    >
    > | Questions:-
    >
    > | 1. Should I have installed MBAM in safe mode?
    >
    > | 2. If the answer to question 1 isn't relevant, any guesses/info on whether
    > | MBAM would have "worked" had I allowed it to update. I'm worried about this
    > | because I pay for the full version myself to have the real-time protection.
    > | I moved to it from SAS because at that time, on my 64bit system, SAS could
    > | only be updated by uninstalling and reinstalling
    >
    > | 2. How does this AVGT get onto computers in the first place.
    >
    > | Cheers
    >
    > | JP
    >
    >
    >
    > No. What you should have done is updated another computer.
    >
    > Obtained the "rules.def" file (the latest signatures).
    > "C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref"
    >
    > And copied the latest rules to that infected computer then ran MBAM.
    >
    >
    > --
    > Dave


    Thanks David - didn't realise there was a file that could just be copied - I
    could have got it from my own computer!! Of course there won't be a next
    time (!!!), but I've copied your input just in case!



  4. #4
    Lil' Abner Guest

    Re: AntivirusGT

    "wasted" <rubbish@xxnone.notreal.com> wrote in
    news:W9Odnft-3s7OcsvRnZ2dnUVZ8k6dnZ2d@brightview.co.uk:

    > Greetings
    >
    > Daughter's laptop got hit by AntivirusGT. Constant "alerts" popping up
    > about this, that and the other infection, and of course it would fix
    > them if she paid out. She couldn't access antimalware websites because
    > of redirects.
    >
    > She brought it to my house yesterday for me to try and fix. I
    > downloaded onto my computer, changed name and saved to CD, both MBAM
    > and SUPERANTISPYWARE.
    >
    > Installed MBAM, and ran it without updating (because I wasn't letting
    > it link to my network at any cost) - it found nothing in normal mode,
    > and during the scan there were the same incessant popup "alerts" from
    > AVGT. Went to safe mode - no popups occurring, but MBAM still found
    > nothing.
    >
    > Whilst still in safe mode, installed SAS, again without updating - and
    > it found and removed stuff referring to AntivirusGT.
    >
    > Rebooted to normal mode - success, it's gone!
    >
    > Sent daughter home and from there she updated MBAM and SAS and ran
    > both - nothing more found and all is OK.
    >
    >
    > Questions:-
    >
    > 1. Should I have installed MBAM in safe mode?

    Yes, but Safe Mode with Networking so you can get updates. But bypass your
    router if you're worried about your other computers. Personally I never do
    when I'm in Safe Mode and haven't ever had a problem.

    > 2. If the answer to question 1 isn't relevant, any guesses/info on
    > whether MBAM would have "worked" had I allowed it to update. I'm
    > worried about this because I pay for the full version myself to have
    > the real-time protection. I moved to it from SAS because at that time,
    > on my 64bit system, SAS could only be updated by uninstalling and
    > reinstalling


    I had the same problem the other day. I installed it in Safe Mode but it
    wouldn't let me update so I ran it anyway and it found nothing. I finally
    updated it from another computer (via memory stick) and then it found all
    kinds of stuff. So the updates definitely make a difference. It turns out
    that the malware had enabled a proxy server in IE and that is why I
    couldn't update. I'll remember to check that the next time I try to update.

    > 2. How does this AVGT get onto computers in the first place.


    Never heard of that exact one but I imagine it's just another variant of
    all the other rogue antimalware/antivirus apps.
    My customers always ask me the same question. There's lots of ways they may
    have gotten it.
    From http://en.wikipedia.org/wiki/Rogue_security_software
    "Some rogue security software, however, propagate onto users computers as
    drive-by downloads which exploit security vulnerabilities in web browsers,
    pdf viewers, or e-mail clients to install themselves without any manual
    interaction.
    More recently, malware distributors have been utilizing SEO poisoning
    techniques by pushing infected URLs to the top of search engine results
    about recent news events. People looking for articles on such events on a
    search engine may encounter results that, upon being clicked, are instead
    redirected through a series of sites[6] before arriving at a landing page
    that says that their machine is infected and pushes a download to a
    "trial" of the rogue program."

    OK, now a question from me. How did you manage to install SuperAntispyware
    in Safe Mode? Every time I've tried it, I got a popup saying it couldn't be
    installed in Safe Mode.

    --
    --- Everybody has a right to my opinion. ---
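
The proxy check mentioned in the post above, as an added PowerShell example that is not part of anyone's post: it reads the standard Internet Explorer (WinINET) proxy values `ProxyEnable`, `ProxyServer` and `AutoConfigURL` and reports any enabled proxy. The loopback test is a heuristic assumed here, not something the thread states.

```powershell
# Added example: read-only audit of the Internet Explorer (WinINET) proxy
# settings; pass -Reset to switch off any enabled proxy that it reports.
param([switch]$Reset)

$keys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',  # per user
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'   # machine-wide
)

function Get-ProxyFinding {
    param([string]$Path)
    $s = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $s) { return }              # key missing or unreadable
    $server = [string]$s.ProxyServer     # "host:port" or "http=host:port;https=..."
    New-Object PSObject -Property @{
        Key           = $Path
        ProxyEnable   = [int]$s.ProxyEnable
        ProxyServer   = $server
        AutoConfigURL = [string]$s.AutoConfigURL
        # Heuristic (assumption): a loopback proxy sends browser and updater
        # traffic through a process running on this same machine.
        LoopbackProxy = $server -match '(^|=|//)(127\.\d+\.\d+\.\d+|localhost)(:|;|$)'
    }
}

$findings = @($keys | ForEach-Object { Get-ProxyFinding $_ })
$findings | Format-List Key, ProxyEnable, ProxyServer, AutoConfigURL, LoopbackProxy

foreach ($f in $findings | Where-Object { $_.ProxyEnable -eq 1 }) {
    if ($Reset) {
        # Writing under HKLM needs an elevated prompt.
        Set-ItemProperty -Path $f.Key -Name ProxyEnable -Value 0
        Write-Output "Proxy disabled in $($f.Key) (was $($f.ProxyServer))"
    } else {
        Write-Warning "Proxy enabled in $($f.Key): $($f.ProxyServer)"
    }
}
```

Run it without arguments first and review the output; a proxy you configured yourself will be reported too, so use `-Reset` only when the listed server is not one you recognise.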

  5. #5
    wasted Guest

    Re: AntivirusGT


    "Lil' Abner" <blvstk@dogpatch.com> wrote in message
    news:Xns9DC8D53811B70butter@wefb973cbe498...
    > "wasted" <rubbish@xxnone.notreal.com> wrote in
    > news:W9Odnft-3s7OcsvRnZ2dnUVZ8k6dnZ2d@brightview.co.uk:
    >
    >> Greetings
    >>
    >> Daughter's laptop got hit by AntivirusGT. Constant "alerts" popping up
    >> about this, that and the other infection, and of course it would fix
    >> them if she paid out. She couldn't access antimalware websites because
    >> of redirects.
    >>
    >> She brought it to my house yesterday for me to try and fix. I
    >> downloaded onto my computer, changed name and saved to CD, both MBAM
    >> and SUPERANTISPYWARE.
    >>
    >> Installed MBAM, and ran it without updating (because I wasn't letting
    >> it link to my network at any cost) - it found nothing in normal mode,
    >> and during the scan there were the same incessant popup "alerts" from
    >> AVGT. Went to safe mode - no popups occurring, but MBAM still found
    >> nothing.
    >>
    >> Whilst still in safe mode, installed SAS, again without updating - and
    >> it found and removed stuff referring to AntivirusGT.
    >>
    >> Rebooted to normal mode - success, it's gone!
    >>
    >> Sent daughter home and from there she updated MBAM and SAS and ran
    >> both - nothing more found and all is OK.
    >>
    >>
    >> Questions:-
    >>
    >> 1. Should I have installed MBAM in safe mode?

    > Yes, but Safe Mode with Networking so you can get updates. But bypass your
    > router if you're worried about your other computers. Personally I never do
    > when I'm in Safe Mode and haven't ever had a problem.
    >
    >> 2. If the answer to question 1 isn't relevant, any guesses/info on
    >> whether MBAM would have "worked" had I allowed it to update. I'm
    >> worried about this because I pay for the full version myself to have
    >> the real-time protection. I moved to it from SAS because at that time,
    >> on my 64bit system, SAS could only be updated by uninstalling and
    >> reinstalling

    >
    > I had the same problem the other day. I installed it in Safe Mode but it
    > wouldn't let me update so I ran it anyway and it found nothing. I finally
    > updated it from another computer (via memory stick) and then it found all
    > kinds of stuff. So the updates definitely make a difference. It turns out
    > that the malware had enabled a proxy server in IE and that is why I
    > couldn't update. I'll remember to check that the next time I try to
    > update.
    >
    >> 2. How does this AVGT get onto computers in the first place.

    >
    > Never heard of that exact one but I imagine it's just another variant of
    > all the other rogue antimalware/antivirus apps.
    > My customers always ask me the same question. There's lots of ways they may
    > have gotten it.
    > From http://en.wikipedia.org/wiki/Rogue_security_software
    > "Some rogue security software, however, propagate onto users computers as
    > drive-by downloads which exploit security vulnerabilities in web browsers,
    > pdf viewers, or e-mail clients to install themselves without any manual
    > interaction.
    > More recently, malware distributors have been utilizing SEO poisoning
    > techniques by pushing infected URLs to the top of search engine results
    > about recent news events. People looking for articles on such events on a
    > search engine may encounter results that, upon being clicked, are instead
    > redirected through a series of sites[6] before arriving at a landing page
    > that says that their machine is infected and pushes a download to a
    > "trial" of the rogue program."
    >
    > OK, now a question from me. How did you manage to install SuperAntispyware
    > in Safe Mode? Every time I've tried it, I got a popup saying it couldn't be
    > installed in Safe Mode.

    Thanks for the input Lil' Abner - the Safe Mode installation just "did it"
    from the installation file. I had renamed the file but have no idea whether
    that made the difference or not.


