POV-Ray : Newsgroups : povray.off-topic : Fake AV (Message 1 to 3 of 3)
From: Invisible
Subject: Fake AV
Date: 11 May 2010 07:35:46
Message: <4be94112$1@news.povray.org>
http://googleonlinesecurity.blogspot.com/2010/04/rise-of-fake-anti-virus.html

This looks suspiciously like what happened to one of the computers here 
at work the other day. The AV software insists that there's nothing 
wrong even after multiple scans, but when a certain user logs in, 
windows pop up all over the place warning of a dire malware infection.

Now I can understand visiting a website and getting a browser window pop 
up rendered to look like the Windows Security Center (although isn't the 
titlebar supposed to indicate it's a browser window?), but I am 
mystified as to how this software can open windows just because somebody 
logged into the PC. This surely indicates that something has been 
installed locally. And yet repeated AV scans detect nothing...

In the end, erasing the user profile silenced the popups forever. But 
I'm still wondering how the hell it got this way in the first place.



From: scott
Subject: Re: Fake AV
Date: 11 May 2010 07:41:57
Message: <4be94285@news.povray.org>
> logged into the PC. This surely indicates that something has been 
> installed locally. And yet repeated AV scans detect nothing...

You could just use one of those "spy" tools (forget which one now, but 
former SysInternals probably have something) to check which process owns the 
fake AV alert window.  Then just see where it's running from, or google the 
name or whatever.


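The approach scott describes (find which process owns the alert window, then look at where that process runs from) is the "Find Window's Process" crosshair in Process Explorer, but it can also be scripted. The following PowerShell is an added example written for this thread, not something posted by scott or shipped with any Sysinternals tool: it enumerates every visible top-level window through the Win32 EnumWindows API, maps each one to its owning process ID and executable path, and sorts by path so that anything launched from inside a user profile stands out. The class name WindowOwner and the variable names are my own choices.

```powershell
# Added example, not from the thread: for every visible top-level window,
# report its title, the owning PID and that process's executable path.
# Run it in the affected user's session while the fake alert is on screen.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class WindowOwner {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc callback, IntPtr lParam);
    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder text, int maxCount);
    [DllImport("user32.dll")]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
}
"@

# Script-scoped so the native callback can append to it safely.
$script:found = New-Object System.Collections.Generic.List[object]

$callback = [WindowOwner+EnumWindowsProc]{
    param([IntPtr]$hWnd, [IntPtr]$lParam)
    if ([WindowOwner]::IsWindowVisible($hWnd)) {
        $buf = New-Object System.Text.StringBuilder 512
        [void][WindowOwner]::GetWindowText($hWnd, $buf, $buf.Capacity)
        $title = $buf.ToString()
        if ($title.Length -gt 0) {
            [uint32]$ownerPid = 0
            [void][WindowOwner]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = '?'
            $path = '(not available)'
            if ($proc) {
                $name = $proc.ProcessName
                # Path can throw for protected or elevated processes; keep going.
                try { if ($proc.Path) { $path = $proc.Path } } catch { }
            }
            $script:found.Add([pscustomobject]@{
                Title   = $title
                PID     = $ownerPid
                Process = $name
                Path    = $path
            })
        }
    }
    return $true   # keep enumerating
}

[void][WindowOwner]::EnumWindows($callback, [IntPtr]::Zero)

# Sorting by path groups windows owned by the same binary; a "security
# warning" whose owner lives under AppData or Temp deserves a closer look.
$script:found | Sort-Object Path | Format-Table -AutoSize
```

If the owner turns out to be a browser process, as Invisible suspects below, the window is a web page styled to look like a system dialog, and the next question is what launched the browser at logon rather than what the browser is showing.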

From: Invisible
Subject: Re: Fake AV
Date: 11 May 2010 07:45:35
Message: <4be9435f@news.povray.org>
scott wrote:
>> logged into the PC. This surely indicates that something has been 
>> installed locally. And yet repeated AV scans detect nothing...
> 
> You could just use one of those "spy" tools (forget which one now, but 
> former SysInternals probably have something) to check which process owns 
> the fake AV alert window.  Then just see where it's running from, or 
> google the name or whatever.

Obviously the first thing I did was run Process Explorer to see what 
processes are running. I found nothing unusual. I hadn't thought of 
using it to check which process owns the window though; it's not a 
feature I usually have call to use. (I have a sneaking feeling the 
answer would just be IEXPLORE.EXE, which seemed to be running directly 
after login...)

Then again, I also crawled around in the registry and found nothing 
unusual. But deleting the registry hive fixed the problem, so clearly 
there *was* something interesting in there that I didn't see.

The problem is fixed now, so I can't investigate further. I did find it 
rather alarming however that our AV system that we pay a lot of money 
for could apparently find nothing wrong...


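Invisible's observation that deleting the user's registry hive cured the problem, together with IEXPLORE.EXE appearing right after logon, points at a per-user autostart entry rather than anything machine-wide. The PowerShell below is an added example, not posted in the thread and not part of any product discussed: it reads the per-user autostart locations that Windows consults at logon (the HKCU Run and RunOnce keys, the per-user Policies Run key, the per-user Winlogon Shell override, the Load value under Windows NT\CurrentVersion\Windows, and the profile's Startup folder) and prints each entry so it can be compared against a known-good profile. It must be run as, or with the hive of, the affected user; the variable names are my own.

```powershell
# Added example, not from the thread: enumerate per-user autostart entries
# in the logged-on user's hive and Startup folder. Nothing here is modified.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

$entries = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PS* metadata properties; skip those.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $entries.Add([pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value })
    }
}

# Per-user overrides that should normally be absent: a Shell value under
# HKCU Winlogon replaces explorer.exe for this user only, and the Load
# value is another legacy per-user startup hook.
$overrides = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Value = 'Load' }
)
foreach ($o in $overrides) {
    if (-not (Test-Path $o.Key)) { continue }
    $item = Get-ItemProperty -Path $o.Key -ErrorAction SilentlyContinue
    $val = $item.($o.Value)
    if ($null -ne $val -and "$val".Length -gt 0) {
        $entries.Add([pscustomobject]@{ Location = $o.Key; Name = $o.Value; Command = $val })
    }
}

# Per-user Startup folder: anything here runs at logon, no registry needed.
$startup = [Environment]::GetFolderPath('Startup')
if (Test-Path $startup) {
    Get-ChildItem -Path $startup -Force -File | ForEach-Object {
        $entries.Add([pscustomobject]@{ Location = $startup; Name = $_.Name; Command = $_.FullName })
    }
}

if ($entries.Count -eq 0) {
    'No per-user autostart entries found.'
} else {
    # Commands that point into the profile (AppData, Temp) or that launch a
    # browser with a URL are the ones to compare against a clean profile.
    $entries | Sort-Object Location, Name | Format-Table -AutoSize -Wrap
}
```

Because all of these locations live inside the user's own hive or profile directory, a per-machine antivirus scan that concentrates on system locations and known file signatures can miss an entry that does nothing more than start the browser with a chosen page, which matches the symptoms described in this thread.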
