-
December 24th, 2008, 09:51 AM
#1
Registered User
Anti Virus 2009
Was just wondering if anyone has seen an increase in infections from this and other Trojans lately? In the last 5 days, I have been inundated with calls for problems with this.
-
December 24th, 2008, 02:06 PM
#2
Registered User
Actually saw this on the increase a month or so ago. It's a nasty piece of work, that's for sure.
Safe mode and Malwarebytes and Spybot updated seem to do it, as well as kill the restore file.
Last edited by Ferrit; December 24th, 2008 at 02:11 PM.
-
December 24th, 2008, 03:10 PM
#3
Registered User
I see so much of this and its variants that I wouldn't notice an increase unless infections increased about 100 times. Currently, my normal procedure is to start any malware removal by running 2 passes of ComboFix, followed by Spybot S&D, and Eset's online scan, or installing and running a trial version of NOD32 on the computer in place of the online scan.
-
December 24th, 2008, 04:26 PM
#4
Registered User
The last 6 or 7 machines I got in this week with the fake antivirus derivatives also all had an interesting zlob rootkit.
-
December 24th, 2008, 04:32 PM
#5
Registered User
That is correct. The infection rate has picked up. The likely culprit in my questioning of clients is it happened right after they clicked a Microsoft update window / Microsoft security window. It's a fake that looks very close to the real thing. There are other methods but the string of infections I've cured lately fit that M.O. I suspect since it's the holidays the fake UPS tracking mail that carries it is succeeding very well at the moment too.
-
December 24th, 2008, 04:41 PM
#6
Registered User
Just had a lady call about this and ask me if I could fix her comp tonight. I reminded her it is Christmas Eve here and the earliest I can see it is Friday. (Off work until January 5th!)
-
December 27th, 2008, 11:12 AM
#7
It is now AV 2010. The same procedure applies to getting rid of this variant also. I have done probably 50 of these in the last 4 months.
Last edited by Kodiak; December 27th, 2008 at 11:15 AM.
-
December 28th, 2008, 10:08 AM
#8
Registered User
Haven't seen the AV2010 yet, but this other one has either mutated or brought something else with it. Several I have tried to clean in safe mode, I had to rename ComboFix, Smitfraud and then even had Malwarebytes and Spybot not even run. In task manager it would show the process running but nada on the program. I have found going to Google's Spyware Doctor usually cleans it up enough to get the rest of the tools running.
-
December 28th, 2008, 11:46 AM
#9
Registered User
A few tips for you when in a situation where it won't let you open your tools for removing the infection. Check the startup folder and the run folder in the registry. Remove anything that has gibberish for a name or is even named antivirus200x or similarly named to whatever the infection claims to be. Secondly, go to the program files folder and delete all gibberish folders (gibberish being folder names similar to aiwx3bxeb), folders named after the infection, and check for a folder named SAV if you don't have Norton/Symantec installed, because this is a fake folder designed to keep you away from the infection's files. Also go into the documents and settings and check each profile's hidden folders of application data, and the local settings\application data for any folders with gibberish names or even named similar to the infection. A final note: change the home page to the web page or you may stand to reinfect yourself. Once this is done, do your scans/clean ups; if those still fail because the infection is still running, reboot back into safe mode, then do your clean up.
One Script to rule them all.
One Script to find them.
One Script to bring them all,
and clean up after itself.
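The name checks from the tips in post #9, as an added example that is not part of the original post: a Python sketch that flags startup-entry or folder names for manual review. The regex, the thresholds, the function names and the sample names are assumptions constructed for illustration, and the gibberish test is a heuristic that produces candidates, not verdicts.

```python
import re

# Assumption: branding pattern built from the names used in this thread
# ("antivirus200x", "AV 2010"); extend it for whatever the infection calls itself.
BRAND_RE = re.compile(r"\b(?:anti\s*vir\w*|av)\s*20\d\d", re.I)
VOWELS = set("aeiou")

def looks_gibberish(name):
    """Heuristic: one short token with a digit buried between letters or
    very few vowels, in the style of the thread's 'aiwx3bxeb'."""
    token = name.lower()
    if not re.fullmatch(r"[a-z0-9]{6,12}", token):
        return False
    letters = [c for c in token if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digit_inside = re.search(r"[a-z]\d[a-z]", token) is not None
    return digit_inside or vowel_ratio < 0.25

def triage(names, symantec_installed=False):
    """Return {name: reason} for entries that deserve a manual look."""
    findings = {}
    for name in names:
        if BRAND_RE.search(name):
            findings[name] = "named after the infection"
        elif name.upper() == "SAV" and not symantec_installed:
            findings[name] = "SAV folder without Norton/Symantec"
        elif looks_gibberish(name):
            findings[name] = "gibberish name"
    return findings

# Constructed sample: folder names as they might appear under Program Files.
SAMPLE = ["Adobe", "aiwx3bxeb", "Antivirus2009", "SAV",
          "Mozilla Firefox", "qxzvbnrt", "Winamp"]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE).items():
        print(f"{name}: {reason}")
```

Legitimate software with a digit inside its name will also be flagged, so confirm each hit by hand before deleting anything.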
-
December 28th, 2008, 02:05 PM
#10
Registered User
The current crop of Smitfraud variants has been a pretty hot topic lately. Just as Geoscomp says, Zlob is a frequent companion, and Virtumonde remains one as well. I've seen fewer infections of this from porn sites recently, and a lot more from bogus ecards. 'Tis the season, I guess.
MS recently released new versions of their Malicious Software Removal Tool that have enhancements specifically targeting these infections.