# AVG scam running amok



## EricT

Hi all-

I recently ran into a scam attached to a trojan that I thought I should share.

AVG has been targeted by a company in Panama offering to sell "Antivirus Gold" which looks to be a very well done phishing scheme. One of my customers has AVG that I installed for them, so they were a bit confused when they got an active desktop that was telling them to pay for... antivirus gold.

Turns out, it was a simple trojan in the winnt/system32 directory. An entry in the hosts file, a localhost redirect to dcsresarch.com, which we've all seen at some point here, and the active desktop was set to a web page that was the antivirus gold scam.

Spybot 1.3 was run before I got there, so there may have been more errors that were fixed prior. As near as I could tell, removal of the trojan and a reset of the display properties, and correction in the hosts file were all that was needed.

I am surprised Grisoft hasn't a public announcement on their front page about this; I suspect this one will become pretty popular in the coming weeks.

I used TDS-3 to double-check for other trojans, but none were to be found. The real AVG took care of this one. The trojan was parading as some "intel debug" process (according to HijackThis) and was hookdump.exe - although, over at CastleCops I saw this same infection attached to 2 different trojans, so take that as you will.

Eric


----------

