1 2 Previous Next 10 Replies Latest reply: May 30, 2011 3:21 PM by tonygibbs16 RSS

    Spotify and "Windows Recovery" fake AV

    Hayton

      UK users may be especially at risk from infection by this new fake AV, according to an item in CNET News (which cites this article).

       

      Apparently users of Spotify (a streaming music service) are succumbing to an exploit by malware in an advertisement inside the Spotify application, which requires no user interaction to activate it. Once activated, it connects to a server at  91.213.217.198 - located in Switzerland, according to Utrace, but registered to Offshore Hosting Ltd, which has an address in Chisinau in Moldova. From the server it downloads the fake AV which immediately attempts to connect to a number of domains in order to download further malware, including a rootkit.

       

      The above IP address hosts a whole set of malware domains, so my advice is to put the address into your firewall's Connections list with a status of Blocked.

      Windows Recovery fake AV.JPG

        • 1. Re: Spotify and "Windows Recovery" fake AV
          ConorD62

          *Looks at lucozade bottle*

           

          Spotify, you say?

           

          A lot of my friend have recently been hit with this, I'm not sure if Malwarebytes has a fix out yet, but I see a lot of threads on their forum about it.

           

          Message was edited by: ConorD62 on 26/04/11 19:26:34 CDT
          • 2. Re: Spotify and "Windows Recovery" fake AV
            lalalala

            It has, which brings me to my problem... I had this, first thing I did was use my restore point I had saved 29th of April. This got rid of the annoying popus and the rogue AV screen. Though when I restarted the computer McAfee wouldn't protect the computer anymore. Real time scanning had been disabled and whenever I'd try to enable it it'd stay on for about 3 seconds and then turn itself off again. After this I let malwarebytes go after what was left of the threat. I figured this would help McAfee re-enable real-time scanning, but it didn't. It still refuses to stay on for longer than 3 seconds. Does anyone know what's causing this? Could there be more of the virus left?

            • 3. Re: Spotify and "Windows Recovery" fake AV
              Hayton

              "... it downloads the fake AV which immediately attempts to connect to a number of domains in order to download further malware, including a rootkit."

               

              You may have got rid of the fake AV, but not necessarily any other malware which came after it and because of it.

               

              First thing to do is to make sure that you have all the latest updates from McAfee and Microsoft (Optional as well as Critical). While you're at it, check you've got the latest versions of Java (if you have it), and ensure that your browser is on the latest version. There have been a slew of updates recently to a whole host of applications in order to fix security holes. Make sure everything you have is on the latest version.

               

              If there is a problem with connecting to any websites, go into Safe Mode with Networking (reboot and keep tapping F8) and try connecting from there.

               

              Reboot to let the updates complete installation, and try running a McAfee Full Scan. See if it picks anything up. If the malware prevents a McAfee scan from running, go back to Microsoft and run their Malicious Software Removal Tool (you will need administrator privilege for this). Even if it finds nothing, go to this Microsoft Support page and follow the instructions there.

               

              If you have a rootkit on your system it will be difficult to find it, let alone get rid of it. Let us know what results you get from the above measures. Afterwards you can try cleaning up with Malwarebytes, SuperAntiSpyware, and SpyBot. Anything that escapes those we can try ferreting out with McAfee's Getsusp tool, which looks for anything that's not on the Approved list and flags it for investigation.

               

              If you run into problems connecting to websites, or downloading, installing and running software, let us know. You may need to get Rkill and HijackThis to identify and kill rogue processes.

              • 4. Re: Spotify and "Windows Recovery" fake AV
                paul15

                Hi Hayton,  I have went along with your advice and have an identical issue to lalalala.

                The Microsoft package (2nd one removed many)

                They were EXPLOIT: Java/CVE2008-5353.ax and a few other java related ones

                Also Trojan: win32/fake sysdef and Trojan Downloader: java/open connection.ak

                 

                My macafee software will only stay active for a few seconds and it won run a scan.   Im currently online via safe mode.

                 

                Is it possible that the virus has affected macafee? If so should I remove it then re-download? If so will it cost me money again?

                 

                Also how do I get Rkill and HijackThis?

                 

                Sorry for all the questions but I do note have a clue about what to do next.

                 

                Any help or hints would be greatly appreciated

                 

                Thanks

                Paul

                 

                UPDATE:

                ALSO A few days before this virus attacked my computer this one showed up and I restored windows to an earlier date which appeared to remove it

                http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-201 1

                 

                Could it be possible that both are linked?

                 

                Message was edited by: paul15 on 10/05/11 17:06:49 CDT
                • 5. Re: Spotify and "Windows Recovery" fake AV
                  Hayton

                  If you've had two fake AV's on your system you may have a lot of damage to undo.

                   

                  First, if you've got all the latest McAfee and Microsoft updates, you're on the way. If not, keep in Safe Mode with Networking and download them. You say you ran both the MSRT and the Windows Live scanner? Good, that's progress.

                   

                  Next, disable Java.  There isn't much - if anything - you need it for, and it looks as if you're being hit with Java exploits. Disable it in your browsers at a minimum; or uninstall it from your system (you can always get it back later if you need it, and as a bonus you'll have the latest version).

                   

                  McAfee may have been disabled either by one of the fakes or by something else that got downloaded afterwards. Try running a full scan in Safe Mode. What we really need here is a way to run a scan from the web, but I don't know if that's available from McAfee (if not it surely ought to be. I'll have to ask).

                   

                  Next, you need to download a couple of programs.

                   

                  RKill : get it from bleepingcomputer here, but read the instructions first (there's a link at the bottom of the page). You can ignore the Buy Now button, I think, because this is supposed to be freeware. The 'iExplore.exe download link' button is in case the malware recognises RKill and tries to block it. RKill should take care of any  processes that have been started by the malware.

                   

                  Then download and run the free version of Malwarebytes (you don't need the PRO version). This ought to remove all traces of the fake AV programs. If the malware tries to stop you connecting to the site, download it to a flash drive and rename it, then run it from there. Do a quick scan; leave anything it finds in quarantine so that if necessary files can be sent to McAfee Labs for analysis (if this is something new).  If it finds more than one or two items, rerun it as a full scan (which will probably take a while).

                   

                  After that, try running a McAfee scan again. If it's still blocked, you'll need to try the Stinger tool, which you get from here. Again, there's a link on the page to instructions on How to use Stinger, which you will need to read.

                   

                  Let me know how you get on.

                   

                  Message was edited by: Hayton on 11/05/11 05:24:47 IST
                  • 6. Re: Spotify and "Windows Recovery" fake AV
                    paul15

                    Hi, Thanks for all the help.

                    Still cant get mcafee to run a scan or have real time scanning on.

                    Ialso think a back up scan online would we a great idea.

                     

                    Ran rkill and got the following note

                     

                    "This log file is located at C:\rkill.log.
                    Please post this only if requested to by the person helping you.
                    Otherwise you can close this log when you wish.

                    Rkill was run on 12/05/2011 at 22:39:26.
                    Operating System: Windows Vista (TM) Home Premium


                    Processes terminated by Rkill or while it was running:

                    C:\Users\Paul\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ALB20TH6\iExplore[1].exe


                    Rkill completed on 12/05/2011 at 22:39:30. "

                     

                    Currently running Malaware and hope to get something from it.

                    Then I will go onto the next step.

                     

                    Will let you know how I get along

                     

                    Cheers

                     

                    Ran Malaware and found 2 registry trojans, 1 trojan folder and 2 malaware files.

                    Tried Macafee and again it popped of after a few seconds.

                    Running Malaware again on a full scan.

                    How do I send the viruses to Macafee for testing? Sorry for all the questions but Im not the best with computers....If it wasnt already obvious!

                     

                    Message was edited by: paul15 on 12/05/11 15:12:07 CDT
                    • 7. Re: Spotify and "Windows Recovery" fake AV
                      Hayton

                      Good news/bad news/good news then  :-)

                       

                      Good : RKill didn't find any processes running that shouldn't have been there.

                      Bad : You apparently still had some kind of infection, even after running the Microsoft scan.

                      Good : Malwarebytes has located (and presumably removed) some at least of the infection. The Malwarebytes authors do advise that if something serious is found then you should run it again, because a second scan will sometimes get to files or registry settings that were not obviously suspect in the first scan.

                       

                      I'll have to consult one of the other mods about sending in files for analysis, there have been one or two changes lately and my info I think is out of date.

                       

                      I don't know if you've checked on the malware that the earlier scan found, but Microsoft rates all three as Severe. For future reference, I would avoid like the plague a product  that goes under the name of HDD Defragmenter.

                       

                      If you're interested, see the Microsoft Encyclopedia entries for fakesysdef, Java/OpenConnection.AK, and Java/CVE-2009-3867.AP

                       

                      After the Malwarebytes full scan is finished, reboot your PC and go into Safe Mode (keep tapping the F8 key). See if you can run a McAfee scan in Safe Mode :

                      ... right-click the hard drive in My Computer (XP) or Computer (Vista/Win7)  and select 'Scan'.

                       

                      All you'll see is activity in the taskbar near the clock, hovering over the McAfee icon will give a progress report.

                       

                      If you still can't run a scan, I'll have to confer. Something is disabling your McAfee after it starts, which implies that something else is active that shouldn't be.

                      • 8. Re: Spotify and "Windows Recovery" fake AV
                        paul15

                        Hayton,

                        Thanks for all the help.

                        Good news is that all seems to be back to normal and Mcafee is once again working fully.

                        Have updated and Im currently running a scan.

                        Once Ive got my confidence up I will re-enable Java

                         

                        The screenshots in fakesysdef are identical to what showed up on my screen and I think just before it what looked like a regular update of a product showed up and I clicked it so Im guessing it was one of these , Java/OpenConnection.AK, and Java/CVE-2009-3867.AP

                         

                        cheers

                        Paul

                        • 9. Re: Spotify and "Windows Recovery" fake AV
                          tonygibbs16

                          Hi all,

                           

                          I don't know if this virus came via Spotify or not, but I have just spent most of this weekend removing it.

                           

                          This is a nasty one.

                           

                          Although it doesn't delete anything it seems to do so and sets settings in the Registry to stop WindowsTaskManager from running, and hides a lot of folders and files.

                           

                          Here is how I removed it:

                           

                          1. I used the TrendMicro Fake AV Removal tool available at the following link, to scan the computer in Safe Mode first, along with MalwareBytes AntiMalware programme.

                           

                          http://esupport.trendmicro.com/solution/en-us/1056510.aspx

                           

                          The TrendMicro program allowed me to kill rogue processes, and set some Registry values back to default values.

                           

                          2. Once these 2 programs said the computer was clean in Safe Mode, I went to Normal Boot and found Virus was still present, and was switching off McAfee Real Time Scan.

                              - So I ran these 2 programs again, and used them to clean up the scomputer again.

                           

                          3. I then had to go into C:\Documents and Settings folder and unhide all of the folders and files that the Virus had made Read Only and Hidden.

                           

                          THEN I was able to get my computer back to working state.

                              - I am glad that I had access to another computer and was able to run Chkdsk from the Windows XP Recovery Console (from my Windows XP Setup CD) to confirm that my hard disk drive was fine and that this was a virus.

                           

                          I hope that this is useful.

                           

                          Regards,

                              Tony

                          1 2 Previous Next