Virus Possibly from a Flight Sim Site

PutPut

Charter Member 2014
I spent the morning trying to get rid of a virus called AV Security. It tells you that you are infected and the only way out is to buy the AV Security software ($50 for a 3 month license!). This is bogus, they are really after a credit card number. It came right through my AVG free antivirus. I googled it and found it is really running amuck and very hard to delete in that it disables ALL the executables in your Windows files and all your apps like Photoshop, FSDS, FSX, etc. I solved the problem by restoring to yesterday noon (July 3, 2010). I lost a little design data in the process. The reason I mention this in this forum is that since I picked it up after yesterday noon I can verify that the only web sites I visited since then were SOH, Avsim, Simviation, and Flightsim. I did receive a few spam letters that I did not open.

Hope you don't see this little Nasty! Paul
 
I visit Avsim, Flightsim and SOH on a daily basis, but never noticed anything like this.

The benefit of a Spybot S&D immunization, popup blocker in Firefox and Antivir?
 
PutPut, that type of "Scareware" has been around for several years. It comes and goes in cycles; as soon as the security vendors get a handle on the payload delivery they are using and add protection for it, they find a new way around it. The best protection is, as with most things, keep your security software up to date and be vigilant with your backups (and make sure your backup plan includes the registry and System State even if you have System Restore turned on).

The bad news is you may have picked it up days or even weeks ago. One of the newest tricks they are using is a dormant period and/or a wait time before the malware payload is released. I had a system infected in March that had been offline for almost 3 weeks, and the user triggered the payload part way through the first day back to work after their vacation. In that case the system was offline but powered up while the user was away. When they returned, the system received a security patch the first thing after they logged in, and a complete system scan found nothing (normal procedure for Trend Micro - after any update it runs a full system scan).

The user had still not connected to our Intranet, let alone the Internet. However, they ran a report and saved it in HTML format. When they double clicked on the HTML file to open it, IE was the program that opened the report, and poof, the scareware infection message. Luckily they were smart enough to pull the plug and call me before they did anything. After some serious investigating I found the file that had carried the payload; it had been dormant for almost a month. I was able to clean it with some serious effort, and as far as I can tell it was using a cookie counter to trigger the payload. Simply stated, when the number of stored cookies reached a specific amount the payload was released, and the next time IE was started the message appeared.

I am not trying to scare you or anyone. I just want to point out that even if it appears you were infected by a specific site, or had only visited a few in a specific period of time, it is not absolute proof of the cause. You might have picked up the bug weeks ago and something you did or some external signal set it loose.

The only good thing about these D2M malware attacks is it keeps a lot of people in secure steady employment. Mind you, I would gladly accept some insecurity to get rid of the crap completely, but that is not happening any time soon...
 
I realize I could have gotten this bug some time ago and probably did. I mentioned it here because it was one of the few times I could identify the sites I had recently visited.

Paul:salute:
 
I visit Avsim, Flightsim and SOH on a daily basis, but never noticed anything like this.

The benefit of a Spybot S&D immunization, popup blocker in Firefox and Antivir?

Same here - visit all of those daily.
 
I visit Avsim, Flightsim and SOH on a daily basis, but never noticed anything like this.

The benefit of a Spybot S&D immunization, popup blocker in Firefox and Antivir?

Something else that I would advocate using is a modified Hosts file. I've been using variants of this over the last couple of years and would highly recommend it. :)
 
AV Virus

I had that S.O.B. and it borked my Windows to the point that I deleted it and am now running Ubuntu on this system. If it were a newer system I would have gone to the trouble of fixing it, but it is an older single core which runs Linux just fine. No FSX for a while though. :-( That AMD 6-core looks very nice.

As to where I got the virus, I use Ad Block Plus on most sites, but I disabled it on one site because it had a nag-script that was very irritating. Many users on that site (non-flightsim) reported getting the virus through a malicious advertisement on the site.
 
I got hit with it last year. My computer was so badly infected that I finally wiped the OS disc and reinstalled Windows to get rid of it. So far, McAfee has been doing a pretty good job of keeping my computer clean...
 