6051 Views, 10 Replies. Latest reply: May 30, 2011 1:13 PM by tonygibbs16
Hayton, Volunteer Moderator, 4,590 posts since Sep 27, 2010

Apr 26, 2011 5:56 PM

Spotify and "Windows Recovery" fake AV

UK users may be especially at risk from infection by this new fake AV, according to an item in CNET News (which cites this article).

 

Apparently users of Spotify (a streaming music service) are succumbing to an exploit by malware in an advertisement inside the Spotify application, which requires no user interaction to activate it. Once activated, it connects to a server at 91.213.217.198 - located in Switzerland, according to Utrace, but registered to Offshore Hosting Ltd, which has an address in Chisinau in Moldova. From the server it downloads the fake AV which immediately attempts to connect to a number of domains in order to download further malware, including a rootkit.

 

The above IP address hosts a whole set of malware domains, so my advice is to put the address into your firewall's Connections list with a status of Blocked.

[Attached screenshot: Windows Recovery fake AV.JPG]


Volunteer Moderator, Leeds, UK
No PM's please
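One way to apply the blocking advice above on the host itself, as an added example that is not part of Hayton's post: a Windows Firewall rule created with netsh, which works alongside or instead of the McAfee firewall's Connections list. It assumes an elevated PowerShell (or cmd) prompt on Vista or later; "netsh advfirewall" does not exist on XP, whose built-in firewall cannot filter outbound traffic at all. The rule name is made up; the address is the one from the post.

```powershell
# Added example (not code from the original post). Blocks traffic to and from
# the address named in the post using the built-in Windows Firewall.
# Assumption: run elevated on Windows Vista or later (netsh advfirewall is
# not available on XP). The rule name is arbitrary; keep it free of spaces so
# no quoting is needed when PowerShell hands the arguments to netsh.
$ioc      = '91.213.217.198'
$ruleName = "Block-FakeAV-Server-$ioc"

# Outbound rule: stops an already-infected machine from fetching the fake AV
# or reporting back. Inbound rule: belt and braces.
netsh advfirewall firewall add rule name=$ruleName dir=out action=block remoteip=$ioc
netsh advfirewall firewall add rule name="$ruleName-in" dir=in action=block remoteip=$ioc

# Confirm the rules were actually created.
netsh advfirewall firewall show rule name=$ruleName
netsh advfirewall firewall show rule name="$ruleName-in"

# Check whether anything on this host is already talking to that address.
# -SimpleMatch treats the dots literally instead of as regex wildcards.
netstat -ano | Select-String -SimpleMatch $ioc
```

A single-address block is a point fix: the post says the address hosts a whole set of malware domains, but the same operator can move to a neighbouring address at any time, so treat the rule as a stopgap rather than as protection.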
  • ConorD62, Champion, 586 posts since Apr 9, 2010
    1. Apr 26, 2011 7:26 PM (in response to Hayton)
    Re: Spotify and "Windows Recovery" fake AV

    *Looks at Lucozade bottle*

     

    Spotify, you say?

     

    A lot of my friends have recently been hit with this. I'm not sure if Malwarebytes has a fix out yet, but I see a lot of threads on their forum about it.

     

    Message was edited by: ConorD62 on 26/04/11 19:26:34 CDT

    If you need any help, please send me a message, the same goes for any malware questions.
  • lalalala, Newcomer, 1 post since May 4, 2011
    2. May 5, 2011 6:47 AM (in response to ConorD62)
    Re: Spotify and "Windows Recovery" fake AV

    It has, which brings me to my problem... I had this; the first thing I did was use my restore point I had saved on the 29th of April. This got rid of the annoying popups and the rogue AV screen. Though when I restarted the computer McAfee wouldn't protect the computer anymore. Real-time scanning had been disabled and whenever I'd try to enable it, it'd stay on for about 3 seconds and then turn itself off again. After this I let Malwarebytes go after what was left of the threat. I figured this would help McAfee re-enable real-time scanning, but it didn't. It still refuses to stay on for longer than 3 seconds. Does anyone know what's causing this? Could there be more of the virus left?

  • paul15, Newcomer, 3 posts since May 10, 2011
    4. May 10, 2011 5:06 PM (in response to Hayton)
    Re: Spotify and "Windows Recovery" fake AV

    Hi Hayton, I have gone along with your advice and have an identical issue to lalalala.

    The Microsoft package (2nd one removed many)

    They were Exploit:Java/CVE-2008-5353.AX and a few other Java-related ones.

    Also Trojan:Win32/FakeSysdef and TrojanDownloader:Java/OpenConnection.AK.

     

    My McAfee software will only stay active for a few seconds and it won't run a scan. I'm currently online via safe mode.

     

    Is it possible that the virus has affected McAfee? If so, should I remove it and then re-download it? If so, will it cost me money again?

     

    Also how do I get Rkill and HijackThis?

     

    Sorry for all the questions but I do not have a clue about what to do next.

     

    Any help or hints would be greatly appreciated

     

    Thanks

    Paul

     

    UPDATE:

    ALSO A few days before this virus attacked my computer this one showed up and I restored windows to an earlier date which appeared to remove it

    http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

     

    Could it be possible that both are linked?

     

    Message was edited by: paul15 on 10/05/11 17:06:49 CDT
  • paul15, Newcomer, 3 posts since May 10, 2011
    6. May 12, 2011 3:12 PM (in response to Hayton)
    Re: Spotify and "Windows Recovery" fake AV

    Hi, Thanks for all the help.

    Still can't get McAfee to run a scan or have real-time scanning on.

    I also think a backup scan online would be a great idea.

     

    Ran rkill and got the following note

     

    "This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 12/05/2011 at 22:39:26.
    Operating System: Windows Vista (TM) Home Premium


    Processes terminated by Rkill or while it was running:

    C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ALB20TH6\iExplore[1].exe


    Rkill completed on 12/05/2011 at 22:39:30. "

     

    Currently running Malwarebytes and hope to get something from it.

    Then I will go onto the next step.

     

    Will let you know how I get along

     

    Cheers

     

    Ran Malwarebytes and found 2 registry trojans, 1 trojan folder and 2 malware files.

    Tried McAfee and again it popped off after a few seconds.

    Running Malwarebytes again on a full scan.

    How do I send the viruses to McAfee for testing? Sorry for all the questions but I'm not the best with computers... if it wasn't already obvious!

     

    Message was edited by: paul15 on 12/05/11 15:12:07 CDT
  • paul15, Newcomer, 3 posts since May 10, 2011
    8. May 19, 2011 4:08 PM (in response to Hayton)
    Re: Spotify and "Windows Recovery" fake AV

    Hayton,

    Thanks for all the help.

    Good news is that all seems to be back to normal and McAfee is once again working fully.

    Have updated and I'm currently running a scan.

    Once I've got my confidence up I will re-enable Java.

     

    The screenshots in the FakeSysdef write-up are identical to what showed up on my screen, and I think just before it what looked like a regular update of a product showed up and I clicked it, so I'm guessing it was one of these: Java/OpenConnection.AK and Java/CVE-2009-3867.AP.

     

    cheers

    Paul

  • tonygibbs16, Newcomer, 3 posts since May 30, 2011
    9. May 30, 2011 12:49 PM (in response to paul15)
    Re: Spotify and "Windows Recovery" fake AV

    Hi all,

     

    I don't know if this virus came via Spotify or not, but I have just spent most of this weekend removing it.

     

    This is a nasty one.

     

    Although it doesn't delete anything, it seems to, and it sets settings in the Registry to stop Windows Task Manager from running, and hides a lot of folders and files.

     

    Here is how I removed it:

     

    1. I used the TrendMicro Fake AV Removal tool available at the following link, to scan the computer in Safe Mode first, along with MalwareBytes AntiMalware programme.

     

    http://esupport.trendmicro.com/solution/en-us/1056510.aspx

     

    The TrendMicro program allowed me to kill rogue processes, and set some Registry values back to default values.

     

    2. Once these 2 programs said the computer was clean in Safe Mode, I went to Normal Boot and found the virus was still present, and was switching off McAfee Real-Time Scan.

        - So I ran these 2 programs again, and used them to clean up the computer again.

     

    3. I then had to go into the C:\Documents and Settings folder and unhide all of the folders and files that the virus had made Read Only and Hidden.

     

    THEN I was able to get my computer back to working state.

        - I am glad that I had access to another computer and was able to run Chkdsk from the Windows XP Recovery Console (from my Windows XP Setup CD) to confirm that my hard disk drive was fine and that this was a virus.

     

    I hope that this is useful.

     

    Regards,

        Tony
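The clean-up Tony describes in step 3, and the Task Manager lock he mentions, can be scripted rather than done folder by folder. The following is an added example and not code from Tony's post or from any of the tools he names. It assumes PowerShell 2.0 or later (installable on XP SP3 and Vista, built into Windows 7), an elevated prompt, and that the malware itself has already been removed (his steps 1 and 2); the profile root defaults to the XP path in his post, and DisableTaskMgr is the standard policy value behind the "Task Manager has been disabled by your administrator" message. Save it as a .ps1 and run it with -WhatIf first to see what it would touch.

```powershell
# Added example, not code from the post. Undoes two side effects described
# above: the Registry policy that blocks Task Manager, and the Hidden +
# Read-only attributes set on profile folders and files.
# Assumptions: elevated PowerShell 2.0+, malware already removed, XP-style
# profile root (use -ProfileRoot 'C:\Users' on Vista/7).
param(
    [string]$ProfileRoot = 'C:\Documents and Settings',
    [switch]$WhatIf
)

# 1. Re-enable Task Manager for the current user and machine-wide.
#    DisableTaskMgr = 1 under Policies\System is what produces the
#    "disabled by your administrator" refusal.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props -and $props.DisableTaskMgr -eq 1) {
        Write-Host "$key\DisableTaskMgr = 1 (Task Manager locked); removing"
        if (-not $WhatIf) { Remove-ItemProperty -Path $key -Name DisableTaskMgr }
    }
}

# 2. Clear the Hidden + Read-only combination the infection leaves behind.
#    Only items carrying BOTH flags are touched, and anything with the System
#    attribute (desktop.ini, Windows' own special folders) is left alone so
#    legitimately hidden items are not disturbed. Attribute maths is done on
#    plain integers to avoid enum-conversion surprises in older PowerShell.
$hidden   = [int][IO.FileAttributes]::Hidden
$readOnly = [int][IO.FileAttributes]::ReadOnly
$system   = [int][IO.FileAttributes]::System
$count = 0
$items = Get-ChildItem -Path $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue
foreach ($item in $items) {
    $attrs = [int]$item.Attributes
    $isHidden   = ($attrs -band $hidden)   -ne 0
    $isReadOnly = ($attrs -band $readOnly) -ne 0
    $isSystem   = ($attrs -band $system)   -ne 0
    if ($isHidden -and $isReadOnly -and -not $isSystem) {
        Write-Host "Unhiding $($item.FullName)"
        if (-not $WhatIf) {
            # Both flags are known to be set here, so XOR clears exactly those two.
            $item.Attributes = [IO.FileAttributes]($attrs -bxor ($hidden -bor $readOnly))
        }
        $count++
    }
}
Write-Host "$count item(s) matched under $ProfileRoot"
```

If the DisableTaskMgr value comes back after you remove it, or real-time scanning still switches itself off, something is still running and re-applying the settings; that is the signal to go back to the Safe Mode scans rather than to keep fixing symptoms.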
