Alpha Anti-Virus hijack attempt

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA


#1 Post by nubc »

Lately I have been frequenting two sites, one of which is this forum. The other site is more commercial than Puppy Forums, but the fact is, the unsolicited, unclicked download attempt occurred while I was on Puppy Forums. I was using Windows XP SP3 at the time, with AVG running and updated. I have since run MalwareBytes Anti-malware scan, which found no malware. Alpha Anti-Virus is a rogue antivirus. I guess I am trying to identify the source by elimination, and this forum is my starting place.

EDIT: I removed the expression "less respectable" and replaced it with "more commercial".
Last edited by nubc on Wed 04 Nov 2009, 23:57, edited 5 times in total.

Lobster
Official Crustacean
Posts: 15522
Joined: Wed 04 May 2005, 06:06
Location: Paradox Realm

#2 Post by Lobster »

The unsolicited, unclicked download attempt occurred while I was on Puppy Forums. I was using Windows XP SP3 at the time, with AVG running and updated.
This may be a page hijack - normally activated by rogue porn or other dubious sites.
http://en.wikipedia.org/wiki/Page_hijacking

You can use the noscript plug-in for Firefox
Puppy Raspup 8.2Final 8)
Puppy Links Page http://www.smokey01.com/bruceb/puppy.html :D

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#3 Post by nubc »

By "less 'respectable' than Puppy Forums", I meant the other site is commercial, runs commercial ads, and doesn't have the noble purpose of a support forum, that is, one is more likely to encounter malware on the other site. The download was preceded by a popup telling me I have malware, that I need this anti-virus. I killed it with the X in the upper right corner, but soon after, exactly when I left Puppy Forums there was another much larger popup showing the Alpha Anti-Virus download progress bar, which I killed immediately. Fortunately, I was on dialup, so the download was slow. That may be the end of it, especially if I delete temporary files, but the fact remains, this happened on Puppy Forums, with only one instance of IE7 running. Consider this thread to be a "heads up" in case there are other reports of Alpha Anti-virus.

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#4 Post by cthisbear »

Use Hitman Pro 3

The first behavioral scan and multi-vendor cloud confirmation
anti-malware and scan your comp over the net.

Small, fast... if you have a reasonable connection.
You get a onetime license to remove any problems that are found.

http://www.surfright.nl/en/hitmanpro

""""""""""""

After you use it...uninstall it straight away, or buy the license.

I use these as well as for nasties.
All Windows comps I fix get scanned with these after using
Puppy to clean XP.

DR Web Cureit

Malware Antimalwarebytes

SuperAntispyware.

RemoveIT Pro v4- SE

AntiVir Free Version

All download links are on my post here.

http://117.53.171.171/forum-replies.cfm?t=1261484&p=3

Chris.

Caneri
Posts: 1513
Joined: Tue 04 Sep 2007, 13:23
Location: Canada

#5 Post by Caneri »

Well Chris,
The solution seems to be to stop looking at pRon..and that's not acceptable.
We need another solution for us normal guys that like a bit of titties and beer... cripes, what's a guy to do nowadays.

@Ed,
yup no scripts works well but still not enough..maybe just use Puppy on a live cd and import the pRon links via usb stick.

That's just my idea and nobody has EVER thought of it...Eric
Be not afraid to grow slowly, only be afraid of standing still.
Chinese Proverb

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#6 Post by nubc »

1. I don't have Alpha Antivirus on my computer. It was an attempt to install Alpha AV from a popup. You don't have to download something to get a popup, am I right? I closed the popup by using the X in the upper right corner; maybe this was the click that initiated the download attempt.

2. I am not looking at porn, and I'm pretty sure you can encounter Alpha AV anywhere on the net. Can anyone claim that it's impossible to contract Alpha AV on Puppy Forums? (not being rhetorical, a real question)

3. I used Malwarebytes Anti-Malware, which found no infection. When recommending security software, one should make a point of correctly spelling the vendor and product, because the crooks use misspellings of legit software to name their junk.

Aitch
Posts: 6518
Joined: Wed 04 Apr 2007, 15:57
Location: Chatham, Kent, UK

#7 Post by Aitch »

nubc

It was a flash popup fake AV scam
Alpha Antivirus is installed through the use of fake online anti-spyware scanners and Trojan viruses. Trojans, usually FakeAV, display fake security alerts and notifications stating that your PC is infected or under attack by an Internet virus. FakeAV variants may also download additional malware. In this case it also installs a password stealer on the compromised computer. Once active, AlphaAntivirus will be automatically configured to imitate a system scan and display bogus results each time you log on to Windows. As we have already mentioned, the scan results are fake, you may safely ignore them. The main goal of this infection is to trick you into purchasing totally useless software.
source: http://www.2-spyware.com/remove-alpha-antivirus.html

Definitely doesn't originate on Puppy forum - we are too quick for that!

As long as you closed the popup, then your browser & then shut down/rebooted & ran normal AV program you should be OK

I recommend using SandboxIE if using Windoze

http://www.sandboxie.com/

Just delete the sandbox after browsing ... [Very useful for that other purpose, Eric :wink: ]

If in doubt - try Chris's earlier remedies

Aitch :)

Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Re: Alpha Anti-Virus hijack attempt

#8 Post by Flash »

nubc wrote:... the unsolicited, unclicked download attempt occurred while I was on Puppy Forums. ...
Apparently the same thing happened to me about 3 weeks ago. I was moderating this forum from my brother's Windows computer, probably using Firefox, and an "antivirus scan" window popped up without me clicking anything to start it. Later my brother told me his AV software found a relatively benign growth in his computer which might have been caused by it. Unfortunately I deleted his email telling me what it was. I told John Murga about it and he changed a few things. It may not be this forum's server that's responsible.

rjbrewer
Posts: 4405
Joined: Tue 22 Jan 2008, 21:41
Location: merriam, kansas

#9 Post by rjbrewer »

Doing some work for a friend that just got his pc (xp) back
from the shop all cleaned up and updated.

Hooked it up and quickly found that many google searches
were being redirected.

When hitting "back" in I.E., fake antivirus crap showed up. The
only way to stop it was with reboot or shutdown.

Works fine with puppy cd.

Inspiron 700m, Pent.M 1.6Ghz, 1Gb ram.
Msi Wind U100, N270 1.6>2.0Ghz, 1.5Gb ram.
Eeepc 8g 701, 900Mhz, 1Gb ram.
Full installs

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#10 Post by nubc »

Happened again today at 11am. I had just closed the only IE7 window where I was reading this forum, and the popup Warning!!!! appeared, with nothing else on desktop. This time I closed the popup with Task Manager by killing "iexplore.exe" and there was no subsequent download attempt. So I would say if you click anything on that first popup, you will thereby initiate the undesired download. Right now I am running security scans, and will report anything significant.

I must say, the circumstantial evidence is strong that this problem originates with Puppy Forum, or its servers. It may be a trojan, a downloader, or some kind of infection on my Windoze puter, but barring those possibilities it must be originating here. It probably only affects Windows computers using IE, but what about a curious Windows user who explores our friendly forums and comes away with a little memento for his interest.
Warning!!!!! Your computer needs antivirus to protect it from further corruption. Alpha Antivirus....
Last edited by nubc on Mon 11 Jan 2010, 12:17, edited 4 times in total.

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#11 Post by James C »

I occasionally access this forum from a Windows computer, using XP SP3 and Firefox 3.5.4 at the moment, and luckily have had no hijack attempts from here yet. (Haven't booted my Puppy box this am.) However, I have seen these hijack attempts a number of times elsewhere.

I personally use AVG Free 9.0, Malwarebytes' Anti-Malware, SUPERAnti-Spyware and SpywareBlaster........in an attempt to keep the bad stuff at bay.

Think I'll go boot Puppy now.......... :)

plankenstein
Posts: 120
Joined: Sun 16 Nov 2008, 00:49
Location: Arkansas, USA

#12 Post by plankenstein »

I had the same thing happen to me @ work a couple of times recently. Running XP SP3 and IE7. It's only been here that I have run into this, but then again I haven't been surfing much of anywhere else lately.
I carefully plan ALL my random acts! :lol:

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

hijack attempts

#13 Post by prehistoric »

These are not necessarily due to the forum. There are infected systems all over the net. If you are running something that isn't right up to date with fixes for cross-site scripting or code injection attacks you can get hit by a compromised system in between, or at a linked site. The more systems in a path, the more opportunities. Getting to your ISP may not expose you, getting to Switzerland may, if you live elsewhere. (There is nothing special about Switzerland, I could have said Eniwetok.)

I've seen two infected Windoze systems in the last few weeks that were running AVG 8.5 free. (I haven't had experience with AVG 9.0.) I consider Norton hopeless and am not impressed with McAfee's recent performance. The number of signatures in virus/malware databases is now in the millions, and new strains are appearing daily, if not hourly, stressing all systems which depend on fast signature updates. Simply going away for the weekend and leaving your computer off can put you at risk when you check the news on return, if you don't update your protection first.

I've recommended Comodo Internet Security, though I admit it takes some work to get it adjusted so you can use it conveniently. A new problem: last week people using this got hit by Windows Defender, a real M$ protection program which quickly decided Comodo was malware. (The irony here is that Comodo has been ahead of the pack in using behavioral analysis to identify malware without waiting for a signature. It appears M$ is now using this approach, but has neglected to identify Comodo as an ally. Comodo must not pay Bill.)

Recent attacks definitely go after protection software. Some identify themselves as security software, even Windows components. Don't depend on appearance, there are many versions of the same malware with different "skins". If you can't restore to a point before infection, check the prefetch cache for strange things.

Best advice of all: don't use Windoze for browsing. Run Puppy from RAM.

cthisbear
Posts: 4422
Joined: Sun 29 Jan 2006, 22:07
Location: Sydney Australia

#14 Post by cthisbear »

" I must say, the circumstantial evidence is strong that this
problem originates with Puppy Forum, or its servers. "

::::::::::::::::::::::::::::::::::::::::::::

I am sorry to tell you in quite this fashion.

But >>>>Absolute Bullshit Moment.

I am running XP most times on this Puppy Forum.

Two different computers.
Not a sniff or a whiff of these Nasties.

IE... the shittiest browser you could use. WHY?????????
Once again I will state...don't use it.

I run Seamonkey in Windows.
Don't go past Service Pack 2 in XP.
No updates.
All I do is fix comps.
All MS updates do is slow and F....P comps.
Put a firewall on...not MS crap.

////////

Luther's answer may be best.

By Luther on Oct 29, 2009

Okay…I think I have the real fix for this phukkin Alpha crap.

I tried all of the suggested fixes to no avail. I searched my registry and it wasn’t there. So I let the alpha thing run for a second and noticed where the Alpha.exe file location was.

It showed it was in
C:\program files\x86\Alpha
(something to that effect)

Since the Alpha program starts automatically based upon the executable file, I just deleted that S.o.b.

Before you start deletion attempts, make sure you open the task manager and end the Alpha process first (or it won’t let you delete it).

And to all the “free

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

security tool

#15 Post by prehistoric »

Security tool is one of the names I have seen with this general behavior. Unfortunately, we now appear to be dealing with custom malware generators. Changing appearance is easy, for those with the tools.

I have also seen malware which pretends to be a relatively old infection. This complicates removal, and may help them identify your protection software, which takes predictable actions.

Dealing with this level of sophistication on my own was a challenge. You no longer have to do this. Run searches, but be cautious about what advice you accept. There are people poisoning search engine caches to direct you to malware. People providing reputable tools will have a track record, legitimate sites, and a discussion forum.

As for browsers under Windows, switching from IE to Opera will eliminate most threats. I run Firefox 3.5.4 with Noscript, which requires some thinking to decide what scripts to allow. I haven't tried Seamonkey on Windows. Running Seamonkey on Puppy works very well.

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#16 Post by nubc »

I ran updated AVG 8.5 and the latest Malwarebytes Anti-Malware; both report my computer is clean. I searched the C-drive for "alpha", nada. I visit maybe 15 sites on a typical day, Linux news, email, YouTube, etc, but Puppy Forums is the only place I get this popup for Alpha AV. Of course I can use FF 3.5.4 instead, or just use Puppy liveCD, or upgrade IE7 to IE8. I can do a workaround from my end, no problem. Sooner or later, the antivirus industry is gonna clean out Alpha AV, spick and span.
Question: Why does this occur only on Puppy Forums? I close the IE7 browser, up comes the popup. Okay, it's an IE7 exploit. So then something is exploiting IE7 and I only experience the exploit here.

muggins
Posts: 6724
Joined: Fri 20 Jan 2006, 10:44
Location: hobart

#17 Post by muggins »

Why on earth would anyone still be using IE?

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#18 Post by nubc »

IE users: 60% of all computers, newbies (potential converts to Linux), office workers, techs who service Windows
http://en.wikipedia.org/wiki/Usage_shar ... b_browsers
Last edited by nubc on Tue 10 Nov 2009, 05:30, edited 2 times in total.

SirDuncan
Posts: 829
Joined: Sat 09 Dec 2006, 20:35
Location: Ohio, USA

#19 Post by SirDuncan »

@nubc:
Well, I haven't had any problems when visiting with my Win7RC install. Not that this really means anything since I surf in FF. My first piece of advice is to upgrade IE7 to IE8. They fixed a ton of security flaws between the two. Even if you don't use IE for surfing, merely having it on the computer can still allow some exploits, so get the most secure version of it. The second piece of advice is to get your Win install fully upgraded. Third piece of advice is to use a different browser. If you go with FF/SeaMonkey, install Adblock Plus and consider installing NoScript (I think NoScript works with SeaMonkey).

@all:
Multiple people have seen this happen while on the forums. This leads me to believe that it is a cross scripting attack coming from an ad on the site. Has anyone noticed what ad was being shown when the attack happened? Also, if this is being initiated by Adobe Flash (as Aitch says above), why has the popup not presented itself to people running Puppy? Or has it and no one has said anything? Flash is cross-platform, so even if it couldn't get the download initiated on its own, it shouldn't have any problem creating a popup.

This is certainly not the way we want to greet potential new users (or old users visiting from their game/legacy/etc. system). We need to confirm where it is coming from and take steps to get rid of it.
Be brave that God may help thee, speak the truth even if it leads to death, and safeguard the helpless. - A knight's oath

nubc
Posts: 2062
Joined: Tue 23 Jan 2007, 18:41
Location: USA

#20 Post by nubc »

Housecall found and fixed 3 rootkits and 3 trojans. When I upgraded AVG to version 9, it complained that the following program should be removed before proceeding:
{B5AB638F-D76C-A8F2-F3CEAC50212}
A search did not find this key in registry. Possible malware: AproposMedia, URLSearchHook. Seeq
Furthermore, 27 Windows XP / IE7 updates became immediately available after the above changes.
Before I hear a chorus of "I told you so's", none of the above points conclusively to a source, nor does it explain why popups occur only on Puppy Forums. But I am inclined to think this laptop had some preconditions for the current problems.
Last edited by nubc on Wed 11 Nov 2009, 22:10, edited 1 time in total.
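A defender-side check for the kind of IE hooks nubc's last post names (a CLSID that AVG flagged, and the URLSearchHook/BHO extension points that rogue AV droppers register themselves under). This is an added example, not code from the thread or from any of the tools mentioned; it assumes PowerShell 2.0 or later on the affected Windows XP machine, and it reuses the GUID from post #20 exactly as quoted there as the suspect value.

```powershell
# Added example (not from the thread): list Browser Helper Objects and
# URLSearchHooks registered for Internet Explorer, resolve each CLSID to the
# DLL it loads, and flag the GUID AVG reported or any entry whose DLL is gone.
# Assumption: PowerShell 2.0+ on the Windows machine being examined.

$suspect = '{B5AB638F-D76C-A8F2-F3CEAC50212}'   # GUID quoted in post #20, as written there

$hookKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'HKCU:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks'
)

function Resolve-Clsid([string]$clsid) {
    # The InprocServer32 default value is the DLL that IE loads for this CLSID.
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $k = Join-Path $root "$clsid\InprocServer32"
        if (Test-Path $k) { return (Get-ItemProperty $k).'(default)' }
    }
    return $null   # no COM registration: nothing loads, but the hook entry is still odd
}

$report = @()
foreach ($key in $hookKeys) {
    if (-not (Test-Path $key)) { continue }
    # BHOs are registered as subkeys; URLSearchHooks as value names. Collect both.
    $ids = @(Get-ChildItem $key | ForEach-Object { $_.PSChildName })
    $ids += (Get-Item $key).GetValueNames()
    foreach ($id in ($ids | Where-Object { $_ -match '^\{[0-9A-F-]+\}$' })) {
        $dll  = Resolve-Clsid $id
        $flag = ''
        if ($id -eq $suspect) {
            $flag = '  <== matches GUID reported by AVG'
        } elseif ($dll -eq $null) {
            $flag = '  <== hook entry with no CLSID registration'
        } elseif (-not (Test-Path ([Environment]::ExpandEnvironmentVariables($dll.Trim('"'))))) {
            $flag = '  <== registered DLL missing on disk'
        }
        $report += "$key`n    $id  $dll$flag"
    }
}
$report | Sort-Object -Unique
```

Entries that resolve to a DLL under Program Files with a vendor you recognise are the normal case; anything flagged, or a DLL sitting in a temp or profile folder, is worth checking before deciding the machine is clean.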
