VirusDoctor from another site--may or may not be detected/infected

Hey,

I was just reading online when a window popped up for Virus Doctor. The schema was Windows 2000/XP and I clicked 'X' on each of the pop-ups, including the one asking for a download. This then shut down my browser, Firefox (latest version). I have NIS 2008 and it was updated today before the intrusion.

I thought I had all the blocks correctly configured for NIS, so any idea how this happened? I ran a full-system scan and it detected nothing--am I free from this Malware or could it still be lurking on my computer?

I also checked out the virus definition for Virus Doctor here on Symantec; however, the picture didn't line up with what I saw, maybe because I stopped it right away. I also opened up the History in Firefox and apparently I got this window from the following addresses:

Addresses are as follows, without the spaces: 

Name: VirusDoctor-Online Protection

http:// scanner.av-best.info/scan.php?campaign=mmb_11761620791&landed=4

Name: paramss=sbbOnK6ruq2elZejsZja0tCYo9fdzLjD4dLAmJilqJyU --

http:// run.av-best.info/ paramss=sbbOnK6ruq2elZejsZja0tCYo9fdzLjD4dLAmJilqJyU

Name: install.php (in twice)
http:// download.av-best.info/install.php?campaign=mmb_11761620791&country=en&coun…
That was all I could read in the history menu.

Am I infected?

Replies


Re: VirusDoctor from another site--may or may not be detected/infected

Hi.

Yipes! Hate that stuff...

Here is what I would do:

1 - You are running NIS 2008 and you should be entitled to a *free* upgrade here to the new NIS 2009:

http://www.symantec.com/home_homeoffice/support/special/upgrade2007/vista/migration_start.jsp?site=nuc

2 - Run a Full System Scan. If there is nothing found proceed as below.

3 - Download Malwarebytes' Anti-Malware - http://malwarebytes.org/mbam.php (on-demand malware scanner)

4 - Deselect "Start with Windows" and Update the Database in Malwarebytes. Then run the scan.

Please report back here with your findings.

Thanks.

Message Edited by Compumind on 03-28-2009 10:07 PM
Compumind (NIS 2009, XP-SP3, Vista-SP2, IE 8)

Re: VirusDoctor from another site--may or may not be detected/infected

The same thing happened to me today from this "virusdoctor". Mostly the same http address, except after the "=mmb_" I had the following: "4052020751&landid=4". Probably part of the tracking cookie mechanism? Same semi-trustworthy appearance except for all the flashing warnings. This one said I had 5-7 viruses and my hard drive was compromised.

I NEVER clicked on anything; it just popped up like this. I believe it even had the Internet Explorer icon in the upper left and may have had some sort of Windows reference. I closed everything and immediately ran a full system scan. I have Norton 2009 and all it could find was a tracking cookie.

Since this computer is new and I'm learning Vista by trial and error, this frustrates me!

I hope I didn't get anything. I will check back to see what works for this, if anything at all.

Re: VirusDoctor from another site--may or may not be detected/infected



Here is what I would do:

1 - You are running NIS 2008 and you should be entitled to a *free* upgrade here to the new NIS 2009:

http://www.symantec.com/home_homeoffice/support/special/upgrade2007/vista/migration_start.jsp?site=nuc

2 - Run a Full System Scan. If there is nothing found proceed as below.

3 - Download Malwarebytes' Anti-Malware - http://malwarebytes.org/mbam.php (on-demand malware scanner)

4 - Deselect "Start with Windows" and Update the Database in Malwarebytes. Then run the scan.



Thank you so much for this! It helped solve my problem!

1. I couldn't upgrade my Norton product *freely*. It kept saying Communications Error/Failure. Oh well.

2. I installed the free trial version of Anti-Malware; however, when I tried to update the database, it kind of froze up. The version was updated two days ago, and I ran a full system scan. I got the following:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\******\AppData\Local\Mozilla\Firefox\Profiles\3hfy81j0.default\Cache\88C89EA9d01 (Rogue.Installer) -> Quarantined and deleted successfully.

Anywho, I feel a lot better knowing that I'm not some hapless victim of keystroke logging or other maladies. ^^

Any ideas on why Norton didn't pick up on either of these files? I don't know if they were caused by the intrusion today or at some earlier point.


Re: VirusDoctor from another site--may or may not be detected/infected

Yeah, these people try to exploit your memory of the previous OS and, by quickly downloading and flashing images, they try to coerce you to get their trackers into your system.

Do you have 64-bit? I do, too, and I was a little afraid that the Malware link above wouldn't work for me, but it still found those two files I mentioned in my reply above. I highly recommend downloading the free trial and giving it a go. 

Security tips for Vista:

You're already doing well by having a "trusted" Anti-Virus program installed. Make sure you go through every option in your Norton Center and fine-tune all the precautions you need, going to even an extreme length. Coupling this with Vista's security of asking for permission for opening certain files, running programs, etc. can also help alert you to any malicious software trying to worm its way into your system.

If you're having repeated trouble with a certain computer compromising your security, be sure to set up a specific Network Protocol under your Norton Options menu. I do not know the specifics for accurately doing this; however, I'm sure you can find a solution somewhere in the forums.

Be sure to use all the precautionary measures, like being aware when your personal info is being asked for, by whom, etc. Always check for the authentication in the address and the security icon in the lower corner of your browser when completing forms or transactions. Make ridiculous passwords like cheesyFarquath786, using characters and numbers alike; just don't forget where you write them down!

And if you're still having problems, do your browsing on a separate account that doesn't have Administrator privileges. I currently run on my Admin account, but I may have to bottle up my pride and go on another account. A lot of malicious content can only be successful through the Administration level.

Finally, keep close tabs here on Norton and the online Virus manual! I don't know how long the free trial lasts for the Malware address listed above but I suggest to use it as often as you are able!

Hope this helps!


Re: VirusDoctor from another site--may or may not be detected/infected

I do have 64-bit and am a bit hesitant to download much of anything, since this new computer seems so clean.

My old Dell Win XP died (motherboard, I think) on 2/24. So far I have 3 other personal friends in three states whose Dell desktops all died in one way or another on that date. We suspect some sort of common update or pulse on or around 2/24. Still investigating.

Anyway, because of this brief history I really, really don't want to download much at all. Your info about the Admin account is very useful. I will change my account to a non-administrator one. UGH!

By the way, do you know anything about malicious activity while the computer is in sleep mode? I read somewhere you should require a password on wake-up from sleep, so if anyone can get in while the PC is sleeping, they will still have to figure out the password. I did notice the other day while it was sleeping that something woke it up. It may have just been the auto update for virus definitions? No one was around to bump the mouse or keyboard. Since I'm still healing from the Dell death, I changed the preset settings to not sleep at all for now and wait for me to shut down. At least this way it's either on or off. That I understand.

I'll try the malware download tomorrow. Thanks.

Re: VirusDoctor from another site--may or may not be detected/infected

Malwarebytes Anti-Malware found four infected items:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) - Bad: (0) Good:(1)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) - Bad:(1) Good:(0)

C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BCM24Q90\AntivirusInstaller[1].exe (Rogue.Installer)

C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RMAMBV9E\AntiVirusInstaller[1].exe (Rogue.Installer)

I managed to fix and quarantine. I'd like to empty the quarantine just to be sure, but don't know how yet on this machine.

It is very disturbing they can get into the registry and make changes without Norton blocking or even noticing. 

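The two Malwarebytes reports above and the browser-history addresses in the first post are the only evidence anyone in this thread has, so it is worth showing how to read them mechanically. The script below is an added example for this thread, not code from any poster, from Symantec or from Malwarebytes: it parses Malwarebytes-style "Registry Data Items" and "Files Infected" lines into structured findings, reads the "Bad: (1) Good: (0)" pair as the current value versus the clean value, parses the defanged history URLs to pull out the campaign and landing identifiers, and flags file hits that sit only in a browser cache (downloaded, not necessarily executed). The regexes, field names and the ROGUE_DOMAINS list are this example's own assumptions about that output; the sample lines are constructed from what was pasted in the thread.

```python
"""Turn the artifacts posted in this thread into structured findings.

Added example for this thread, not code from any poster, from Symantec or
from Malwarebytes. Sample inputs are constructed from what was pasted above:
browser-history URLs (defanged with a space after "http://") and
Malwarebytes-style detection lines. The regexes, field names and the
ROGUE_DOMAINS list are this example's own assumptions about that output.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Registry data item as Malwarebytes printed it, e.g.
#   HKEY_LOCAL_MACHINE\...\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0)
REG_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<key>\S+)\\(?P<value>\S+) "
    r"\((?P<family>[\w.]+)\)\s*-+>?\s*Bad:\s*\((?P<bad>\d+)\)\s*Good:\s*\((?P<good>\d+)\)"
)
# File item, e.g.  C:\Users\Owner\...\AntivirusInstaller[1].exe (Rogue.Installer)
FILE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[\w.]+)\)")

# Domain seen in the posted history; assumption: everything under it belongs to the campaign.
ROGUE_DOMAINS = ("av-best.info",)


def is_rogue_host(host):
    """True if host is one of ROGUE_DOMAINS or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ROGUE_DOMAINS)


def parse_detection(line):
    """Describe one detection line as a dict, or return None if it is not recognised."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        current, expected = int(m["bad"]), int(m["good"])
        return {
            "kind": "registry",
            "hive": m["hive"],
            "key": m["key"],
            "value": m["value"],
            "family": m["family"],
            "current": current,
            "expected": expected,
            # Read "Bad: (1) Good: (0)" as: the value is 1 now and the clean setting is 0.
            "fix": "set %s to %d" % (m["value"], expected),
        }
    m = FILE_RE.match(line)
    if m:
        path = m["path"]
        return {
            "kind": "file",
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
            "family": m["family"],
            # A hit in a browser cache means the file was downloaded, not that it was run.
            "in_browser_cache": "\\Cache\\" in path or "Temporary Internet Files" in path,
        }
    return None


def classify_history_url(raw):
    """Parse a possibly defanged history URL and pull out the campaign tracking fields."""
    url = re.sub(r"\s+", "", raw)  # posters inserted spaces so the links would not be live
    parts = urlsplit(url)
    host = parts.hostname or ""
    qs = parse_qs(parts.query)
    return {
        "host": host,
        "rogue": is_rogue_host(host),
        "stage": parts.path.rsplit("/", 1)[-1],
        "campaign": qs.get("campaign", [None])[0],
        "landing": (qs.get("landed") or qs.get("landid") or [None])[0],
    }


def triage(history, detections):
    """Summarise campaign ids, registry fixes and dropped files as one dict."""
    urls = [classify_history_url(u) for u in history]
    found = [d for d in (parse_detection(l) for l in detections) if d]
    files = [d for d in found if d["kind"] == "file"]
    return {
        "campaigns": sorted({u["campaign"] for u in urls if u["rogue"] and u["campaign"]}),
        "stages": [u["stage"] for u in urls if u["rogue"]],
        "registry_fixes": [d["fix"] for d in found if d["kind"] == "registry"],
        "dropped_files": [d["name"] for d in files],
        "only_in_cache": all(d["in_browser_cache"] for d in files),
    }


# Constructed sample, copied from the posts above.
SAMPLE_HISTORY = [
    "http:// scanner.av-best.info/scan.php?campaign=mmb_11761620791&landed=4",
    "http:// run.av-best.info/ paramss=sbbOnK6ruq2elZejsZja0tCYo9fdzLjD4dLAmJilqJyU",
]
SAMPLE_DETECTIONS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) - Bad: (0) Good:(1)",
    r"C:\Users\Owner\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BCM24Q90\AntivirusInstaller[1].exe (Rogue.Installer)",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_HISTORY, SAMPLE_DETECTIONS).items():
        print(f"{k}: {v}")
```

On the sample input this reports one campaign id (mmb_11761620791), the two policy values to restore (NoActiveDesktopChanges back to 0, Start_ShowSearch back to 1) and a single dropped file that lives only in the IE cache, which is consistent with the poster closing the pop-up rather than running the installer; a hit outside the cache, or a registry policy that keeps coming back after a fix, would be the signal to treat the machine as actually compromised rather than merely exposed.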

Re: VirusDoctor from another site--may or may not be detected/infected

Hi -

Glad to assist you!

Let me point out something...

Security should really be done in a layered approach, i.e. NIS 2009 or 360 and Malwarebytes with the latest defs.

Enable the pop-up blocker in your web browser if possible.

When you get a pop-up, look at it. The sometimes phony "X" may be the "lure" to get you to click on it.

What I do is go into Windows Task Manager and end that process. Of course, you have to know what it is, so get familiar with the usual "default" processes upon startup.

Here is a great site to check on the validity and use of a process:

http://www.liutilities.com/products/wintaskspro/processlibrary/

Post with any questions!

Compumind (NIS 2009, XP-SP3, Vista-SP2, IE 8)