Avast failed to catch malware


Dr. Tom
08-15-2012, 11:50 AM
I have the latest version of Avast Free installed and updated. Today I got hit with malware that totally took over my computer. Avast did not catch it.

The malware looks like an FBI page. It states you have committed a computer crime and must pay a $200 fine through a website (forgot the name). The crimes are things like pirating software, downloading child pornography, etc. For help it gives the email address as fines@email removed.

I called Avast. Avast said this has been around for about four months. They also said it was not a virus, but something I got with a download. Well, I have not downloaded anything in the last several weeks.

Anyone know of an anti-malware program that would trap this? Because this is known and Avast did not trap this, I am not pleased with Avast. I am looking to get a better program and I am willing to pay for it.

Avast did say they could access my computer and fix it, but the cost would be $99.

Fortunately, I have my computer backed up. The only thing on the C:/ partition is the operating system. So I used Acronis to restore it. I lost only a few files that were on the desktop. All my other important data on the other partitions is still OK.

Tom

Funtimes
08-15-2012, 12:06 PM
MalwareBytes is a must have. It probably would have got rid of it.

MikeN.
08-15-2012, 12:12 PM
MalwareBytes is a must have. It probably would have got rid of it.

Actually this is the fastest and easiest method of cleaning a machine by having an image to use to restore the machine to exactly the way it was before the infection. Sure Malwarebytes probably would have gotten rid of it plus having to do a number of other scans to ensure it all was gone and that nothing more had come in after it. Trust me, from somebody that sits here posting scans and reading logs this is the preferable way.





Fortunately, I have my computer backed up. The only thing on the C:/ partition is the operating system. So I used Acronis to restore it. I lost only a few files that were on the desktop. All my other important data on the other partitions is still OK.

Tom


Here is what he got

http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

Dr. Tom
08-15-2012, 12:17 PM
Thanks for the reply Funtimes.

I have Malware Bytes. It says it is running. The problem with this malware is that it takes over the computer and you can do nothing. Upon a reboot, it is still there. A very wicked piece of malware.

Tom

Funtimes
08-15-2012, 12:22 PM
Actually this is the fastest and easiest method of cleaning a machine by having an image to use to restore the machine to exactly the way it was before the infection. Sure Malwarebytes probably would have gotten rid of it plus having to do a number of other scans to ensure it all was gone and that nothing more had come in after it. Trust me, from somebody that sits here posting scans and reading logs this is the preferable way.



Well, why did he post this sentence in the first place?

"Anyone know of an anti-malware program that would trap this? Because this is known and Avast did not trap this, I am not pleased with Avast. I am looking to get a better program and I am willing to pay for it".

jholland1964
08-15-2012, 01:02 PM
The infection on this computer is very likely the FBI MoneyPak Ransomware or the Reveton Trojan.

This infection is installed onto a computer when the user visits a hacked web site that contains malicious scripts that exploit vulnerabilities on the computer to install the FBI Ransomware without their knowledge or permission.

Anti-virus programs generally do not protect against Trojans, so really Avast is not at fault here. The infection attacks computers that are not fully up to date or have various programs that are not fully up to date.

This requires the use of a very special tool for removal which should be used first and then the other tools should also be used to be sure that other infections have not been brought in by these others.

Please do the following instructions from bleepingcomputer:

http://www.bleepingcomputer.com/virus-removal/remove-fbi-monkeypak-ransomware

These steps must be done using Safe Mode with Networking as the infection sets itself to start as soon as the computer is booted to normal mode.

To do this, turn your computer off and then back on and when you see anything on the screen, immediately start tapping the F8 key on your keyboard.
You should be taken to a black screen with the Windows Advanced Options Menu. Use your arrow keys to highlight Safe Mode with Networking and hit the enter key.
The computer should then continue to Safe Mode with Networking and may prompt you to log in with your user name and password. Be sure to use the user name and password for the user that is infected with FBI MoneyPak Ransomware.

Once you are fully logged in then download the Emsisoft Emergency Kit to your desktop from the link below:

http://www.bleepingcomputer.com/download/emsisoft-emergency-kit/

This is a very large download and may take awhile depending on your internet connection speed.

Once the file has been downloaded, right click on the EmsisoftEmergencyKit.zip and select the Extract menu option.

This will start the Windows compressed file extraction wizard. Follow the steps to extract the file and the Emergency Kit will be extracted to a folder called EmsisoftEmergencyKit on your desktop. Please double-click on the EmsisoftEmergencyKit folder to open it.

When the folder is open, double-click on the Start.exe button to launch the Emsisoft Emergency Kit.
When the screen opens you will be shown several options,
Please click on the Emergency Kit Scanner option. When you click on this option, if you see a Windows message asking if you would like EmergencyScanner.bat to run, please allow it to do so by clicking on the Run or Yes buttons.

You will then be shown a screen prompting you to update the program.
Please click on the Yes button to check for any available updates. The Emergency Kit will now download and apply any available updates. When it is done, click on the Back to Security Status link.

You will now be at the main screen for the Emsisoft Emergency Kit

Now click on the Scan PC option in the left hand navigation menu.

Select the Deep Scan option if it is not selected and then click on the Scan button to start scanning your computer.

When the Emsisoft Emergency Kit is finished scanning your computer, you may be presented with an alert box stating that you have a high-risk infection. If you see this alert, please click on the Close button and you should now be at the scan results screen.

Click on the Quarantine Selected Objects button, which will remove the infections and place them in the program's quarantine. You can now close the Emsisoft Emergency Kit program.

Please reboot your computer into the normal Windows mode and when you are back at your normal Windows desktop please continue with the next step.

The next step will be to Update MBA-M and do a Full Scan with it. Have it Remove/Quarantine everything found.

Post back here with the MBA-M log.
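The post above notes that this infection sets itself to start as soon as the computer boots into normal mode, which is why Safe Mode is needed. As an added example (not code from the thread, Avast, Emsisoft or bleepingcomputer), the Python script below audits a `.reg` export of the usual autostart keys and flags entries that launch from a user-writable directory, a Winlogon `Shell` other than `explorer.exe`, or extra programs appended to `Userinit`. The export command, the key list, the directory heuristics and the embedded `SAMPLE_REG` text are constructed assumptions for illustration, not indicators taken from the thread.

```python
"""Audit a .reg export of Windows autostart keys for entries that would
survive a reboot from a user-writable location.

Added example for this thread; not code from the forum, Avast, Emsisoft or
bleepingcomputer. Key list, directory heuristics and SAMPLE_REG are
constructed assumptions, not indicators taken from the thread.
"""
import re

# Produce the input with, for example (works from Safe Mode with Networking):
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# Keys audited (assumption: the usual per-user and machine-wide boot keys).
AUTOSTART_KEYS = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
}
_AUTOSTART_LOWER = {k.lower() for k in AUTOSTART_KEYS}

# Directory fragments a legitimate installer seldom uses for a boot-time
# executable but that malware running as the logged-in user can always write
# to. Lower-case, backslash-delimited; "\temp\" also catches 8.3 short names
# such as C:\DOCUME~1\Tom\LOCALS~1\Temp\x.exe that long-name checks miss.
USER_WRITABLE_DIRS = (
    "\\documents and settings\\", "\\users\\", "\\appdata\\",
    "\\application data\\", "\\temp\\", "\\tmp\\", "\\programdata\\",
)

# "Name"="value" or @="value" (REG_SZ only; dword:/hex: lines are skipped).
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)="(?P<val>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape a backslash and a double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: string_value}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            keys[current][_unescape(name)] = _unescape(m.group("val"))
    return keys


def command_path(cmd: str) -> str:
    """Executable part of a Run-key command line. Quoted paths are honoured;
    an unquoted path containing spaces yields its first token only."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def is_user_writable(path: str) -> bool:
    low = path.lower()
    return any(frag in low for frag in USER_WRITABLE_DIRS)


def find_suspicious_autostarts(reg_text: str) -> list:
    """Flag autostart entries that point into user-writable directories, a
    Winlogon Shell other than explorer.exe, or extra Userinit programs."""
    findings = []
    for key, values in parse_reg(reg_text).items():
        if key.lower() not in _AUTOSTART_LOWER:
            continue
        for name, value in values.items():
            reason = None
            if key.lower().endswith("\\winlogon"):
                if name.lower() == "shell" and value.strip().lower() != "explorer.exe":
                    reason = "Winlogon Shell is not explorer.exe"
                elif name.lower() == "userinit":
                    extra = [p for p in value.split(",")[1:] if p.strip()]
                    if extra:
                        reason = "extra Userinit program(s): " + ", ".join(extra)
            elif is_user_writable(command_path(value)):
                reason = "starts from a user-writable directory"
            if reason:
                findings.append({"key": key, "name": name, "value": value, "reason": reason})
    return findings


# Constructed sample export (not a real capture): one benign Run entry, one
# entry launched from the user's profile, and a Userinit with a program
# appended after the real userinit.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msconfig"="\"C:\\Documents and Settings\\Tom\\Application Data\\msconfig.dat\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\DOCUME~1\\Tom\\LOCALS~1\\Temp\\svc.exe"
'''

if __name__ == "__main__":
    for f in find_suspicious_autostarts(SAMPLE_REG):
        print(f"[{f['name']}] {f['reason']}: {f['value']}")
```

Run against a real export the script only narrows the list; a match means "look at this entry", not "this is the infection", and a clean result does not prove the machine is clean, since services, scheduled tasks and browser helper objects are not covered here.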

MikeN.
08-15-2012, 01:29 PM
Thanks for the reply Funtimes.

I have Malware Bytes. It says it is running. The problem with this malware is that it takes over the computer and you can do nothing. Upon a reboot, it is still there. A very wicked piece of malware.

Tom
Now you really have things confused here. In your first post you said you used an Acronis image to restore your machine. Why would you now be running Malwarebytes to remove an infection that is no longer there? Just rebooting a machine is not going to stop most infections.




Fortunately, I have my computer backed up. The only thing on the C:/ partition is the operating system. So I used Acronis to restore it. I lost only a few files that were on the desktop. All my other important data on the other partitions is still OK.

Tom

Look at what he asked. Wants to know if somebody can recommend an av that would have caught this infection because he feels Avast should have caught it since they "allegedly" knew about this particular type of malware and did not provide definitions to catch it. To me the sentence is pretty self explanatory.

Well, why did he post this sentence in the first place?

"Anyone know of an anti-malware program that would trap this? Because this is known and Avast did not trap this, I am not pleased with Avast. I am looking to get a better program and I am willing to pay for it".

Paul_D
08-15-2012, 02:45 PM
I have the latest version of Avast Free installed and updated. Today I got hit with malware that totally took over my computer. Avast did not catch it.

The malware looks like an FBI page. It states you have committed a computer crime and must pay a $200 fine through a website (forgot the name). The crimes are things like pirating software, downloading child pornography, etc. For help it gives the email address as fines@email removed.

I called Avast. Avast said this has been around for about four months. They also said it was not a virus, but something I got with a download. Well, I have not downloaded anything in the last several weeks.

Anyone know of an anti-malware program that would trap this? Because this is known and Avast did not trap this, I am not pleased with Avast. I am looking to get a better program and I am willing to pay for it.

Avast did say they could access my computer and fix it, but the cost would be $99.

Fortunately, I have my computer backed up. The only thing on the C:/ partition is the operating system. So I used Acronis to restore it. I lost only a few files that were on the desktop. All my other important data on the other partitions is still OK.

Tom

What Avast told you is 100% correct. Avast is purely an ANTI-VIRUS application, and this is not a virus. Likewise anti-malware applications do NOT catch viruses. You need at least one of each. Malwarebytes is excellent.

The two apps complement each other. They do NOT replace each other.

Also, you should not have posted that email address, as it is clearly a scam address.

billm65
08-15-2012, 03:11 PM
Also, you should not have posted that email address, as it is clearly a scam address.
Definitely agree with Paul on this. You should go to your post and delete that URL.

MikeN.
08-15-2012, 03:15 PM
Also, you should not have posted that email address, as it is clearly a scam address.
Definitely agree with Paul on this. You should go to your post and delete that URL.

Was already accomplished before you posted. Crash removed it from all posts. See time stamp of his edits

Paul_D
08-15-2012, 03:16 PM
Also, you should not have posted that email address, as it is clearly a scam address.
Definitely agree with Paul on this. You should go to your post and delete that URL.

Unfortunately he can't now. The edit time limit has well and truly expired.

Edit: Thanks Crash. Good to see you're on the ball.

Dr. Tom
08-15-2012, 06:17 PM
Thank you all for responding.

My intention was to make this malware known to other computer users. I think WorldStart has the largest audience and this would help the most people if their computer picked up this malware.

When I got the malware, I was having a bad day. That was the apex of things gone wrong and it was only 8 AM. It has been a long, long time since I had picked up any malware that I have forgotten many ways to get back into Windows. I have not used SAFE mode for over four years now. So I panicked, installed a fresh copy of my C:/ partition and came to WorldStart because here is where you get the best advice and to warn others of this malware.

I do have a very safe backup to get me running in short order. I only use my C:/ partition for Windows XP. I use the D:/ partition for all programs. I store all my files, including emails, on the G:/ partition. Takes a bit to set up. I store a back up of all partitions on an external hard drive. So when things go bad, all I need to do is copy the C:/ partition back to my computer. I use Acronis for this. All I lose are files stored on the desktop, which are not really important.

I think it would have been a good exercise to follow the fix that Mike and Judy provided. I only have three other computers I could have used to access WorldStart. But being that I had other problems at the time, I used my sure cure of copying my clean copy of my C:/ partition.

After I restored my computer I ran Malware Bytes and Avast to confirm the other four partitions were clean. And they were free of malware.

Sorry my original post was confusing. I was confused as I had too much on my plate at the time. I should have gone to another computer to search out a solution, but I was overloaded and not thinking wisely.

My problem with Avast was they knew what the solution was but would not tell me. They could have said what the malware was and told me to search it out. Instead Avast would have fixed my computer over the Internet, but only for a fee of $99. I thought that was excessive. I would have paid a small fee for the verbal answer.

Tom

jholland1964
08-15-2012, 06:35 PM
After I restored my computer I ran Malware Bytes and Avast to confirm the other four partitions were clean. And they were free of malware.


Sorry my original post was confusing. I was confused as I had too much on my plate at the time. I should have gone to another computer to search out a solution, but I was overloaded and not thinking wisely.

My problem with Avast was they knew what the solution was but would not tell me. They could have said what the malware was and told me to search it out. Instead Avast would have fixed my computer over the Internet, but only for a fee of $99. I thought that was excessive. I would have paid a small fee for the verbal answer.

Tom

Thanks for the explanation Tom. Understand your frustration, not so much that Avast didn't protect, because most anti-virus programs truly would not offer protection for this or other trojans, but the fact they wanted to charge you for the clean up. But that also really isn't out of line I guess, based on what I know are local charges here for infection clean up at various computer shops.
But yes, still annoying for sure. I am glad you posted it, gave me a chance to find out what it was and the fact that it needs a totally different tool than is commonly used.

Glad too all of your other files proved to be clean. One thing to note about this infection,
this infection is known to exploit vulnerabilities in out-dated and insecure programs
So you do need to check this out and be sure everything on the computer is truly fully up to date, not just the Operating System which of course is a "given" but your other programs also, browsers, java, flash players, and other software.
You might run Secunia Personal Software Inspector to check things out.

http://www.bleepingcomputer.com/download/secunia-psi/

HARLEY
08-15-2012, 07:01 PM
Glad you had the sense to keep an image around.

But blaming any security software doesn't help, when it was most likely a user screwup. :)

Did you have all the shields configured right,especially Webshield?

Were you using I.E. with WOT..........SpywareBlaster?

It's a ransom-ware trojan that only infects through malicious sites/links and I.E. is the main transportation device as it's the most vulnerable browser for these attacks.

Crash Override
08-15-2012, 07:07 PM
Unfortunately he can't now. The edit time limit has well and truly expired.

Edit: Thanks Crash. Good to see you're on the ball.
It was a team effort....thanks goes to Judy.

billm65
08-15-2012, 09:10 PM
It was a team effort....thanks goes to Judy.

It is nice to see such quick response when something is posted that may harm other members. Very much appreciated.

Crash Override
08-15-2012, 09:19 PM
It is nice to see such quick response when something is posted that may harm other members. Very much appreciated.

If EVERYONE works together, things just mesh nicely, and we can get this forum back to what it once was.