• Scam Antivirus

    #466902

    In recent months I have seen many fake antivirus scams infecting Windows XP machines! These PCs had current versions of either Symantec corp AV or the new Microsoft AV, with up to date definitions. Autorun is also disabled in most cases. The best defense has been education, but that only goes so far. Most of these don’t take hold if you shut down the browser (or Windows) without clicking anywhere on the scam browser window. Is anyone successfully keeping this junk off their PCs? Any help would be greatly appreciated!

    Viewing 13 reply threads
    • #1210718

      Hi Gordon,

      You have covered the basics. Keeping AV and antispyware definitions up to date and practicing safe surfing and email handling are very important. Educating people about what to look for and how to respond when confronted with threatening situations is very important. All the protection in the world will be of little value if we do not become more savvy in our practices.

      I have received an XP and a Vista machine in for cleaning in the last two weeks due to variants of phony AV software. In one case, the client clicked on a link out of panic due to the message that his computer was infected. The other one received a false antivirus pop up on Facebook and clicked on it thinking it was a message from her antivirus software, and it promptly locked up everything on the computer except the link demanding a credit card number for the “Pro” version.

      I try to teach all my clients to slow down, look and think before clicking, and if in doubt pull up Task Manager to safely close the browser. I also install Web Of Trust for IE and Firefox to help keep my clients away from known infected sites, and I show them how it works. Still, just as with antivirus definition updates, there is an unprotected time period between discovery of a new infection and the update necessary for protection.

    • #1210721

      I have not encountered any problems with this sort of scamware, not even on the XP laptop that I have, and IE at that.

      I’m very fastidious in keeping the browser cache cleaned out and limiting the add-ons I use in the browser as well. This of course presents its own issues, as I have to keep logging onto sites etc., but that’s alright by me.
      Keeping your software and OS patched and up to date goes a long way too.
      Too many people out there running IE 6 with XP SP1: “Malware, come and get me, I’m bored and in need of a challenge.”

    • #1210722

      Using OpenDNS can also add to the passive protection from known malware and phishing sites, etc.; there’s a free, basic version.

    • #1210731

      Hi Gordon :

      For preventing “rogue antivirus” programs I would recommend PAYING for the “Professional” (real-time protection) version of Malwarebytes Anti-Malware, available for download from http://www.malwarebytes.org/mbam.php.

      • #1211119

        Hi Gordon :

        For preventing “rogue antivirus” programs I would recommend PAYING for the “Professional” (real-time protection) version of Malwarebytes Anti-Malware, available for download from http://www.malwarebytes.org/mbam.php.

        Avast Free does just as well. AVG Free, lacking rootkit protection, is not as good. Also, both Zone Alarm Free and Comodo Firewalls can help, due to their popup warnings — but only if those warnings are heeded by the end user!

        -- rc primak

    • #1210805

      Thanks for all your suggestions!

    • #1213006

      I’m trying to clean up my daughter’s PC. AntiVirus2009 was one of the over 3,000 trojans, worms, viruses, and trackers I’ve found using the paid AVG Suite (and all its free removal tools), free MalwareBytes, and Spybot Search & Destroy.

      I’ve got it all cleaned up, EXCEPT AVG is reporting the Generic12.BOPU trojan infecting services.exe. I’ve done the reboot remove option and now none of the other apps are seeing it. AVG is still reporting it, and its resident shield and identity protection are reporting attempts to write to other system files and execute them. AVG IS NO HELP. Although their software identifies the trojan, their tools and resources don’t seem to recognize it. Now AVG is wanting me to pay more for removal services and help that I’ve already paid for! It’s looking a lot like the Antivirus2009 scam at this point.

      Any help or feed-back is appreciated.

    • #1213022

      I have found only one way to truly be sure a Windows PC is clean after a serious malware attack. Back up the data and settings, then do a clean install of Windows. This sounds extreme, but by the time you go through all the cleanup tools and manual processes, it isn’t that much more. You are guaranteed to have a clean machine and your PC will run faster. Once you get it all put back together and your data restored, I HIGHLY recommend you make an image of the disk. That way any future problems can be taken care of with a quick data backup (should be doing that anyway) and a re-image. I use Ghost, but there are several other options (some of them are free). Good luck!

    • #1213055

      Here’s another one that can remove stubborn infections: SUPERAntiSpyware (has free and paid versions; haven’t tried either of them myself)

    • #1213070

      Hi Robert :

      Not knowing the degree to which you still may be “infected”, I recommend you seek the help of an experienced, CERTIFIED, volunteer “Malware Removal Specialist” that can be found on many “Advanced Malware Removal” forums, such as the one at GeeksToGo at http://www.geekstogo.com/forum/forums.html OR even the Spybot one at http://forums.spybot.info. The GeeksToGo experts request posting a “Log” from the “OTL” program, available for download in their “Malware and Spyware Cleaning Guide”.

    • #1213509

      I just have to chime in with a Whoops! here. Just found myself infected with a Vista Antispyware rogue.
      Yes, I did click when I shouldn’t have – in my own defense, they’ve mimicked the design of the MS dialogues so closely – I thought it was from MS.
      I’ve got some screen shots to post later.
      Don’t mock me too much.

    • #1213525

      The bad guys are getting really good at mimicking the look and feel of the real stuff. This is the bad side of “social engineering”. I’ve been trying to educate my users to beware.

    • #1214775

      I have also been bitten. I used the free SUPERAntiSpyware and it seemed to work well in getting rid of the infections; however, now I am having difficulties in communicating w/ devices, downloading, opening applications. I came to the conclusion to re-install Windows XP Home edition, HOWEVER Windows XP Home edition came pre-installed on my computer and I never requested the actual CD before the warranty period expired. Is there such a thing as a free version available for download?

      • #1214838

        Windows XP Home edition came pre-installed on my computer and I never requested the actual CD before the warranty period expired. Is there such a thing as a free version available for download?

        I would not trust any unofficial downloads.

        Many computers sold without Windows on CDs or DVDs have a hidden partition that can be used to recover the system. For example, Dell does that, but I’ve never needed to use it, so I don’t know what is included. Did you get any documentation from your system’s manufacturer?

      • #1214912

        I have also been bitten. I used the free SUPERAntiSpyware and it seemed to work well in getting rid of the infections; however, now I am having difficulties in communicating w/ devices, downloading, opening applications. I came to the conclusion to re-install Windows XP Home edition, HOWEVER Windows XP Home edition came pre-installed on my computer and I never requested the actual CD before the warranty period expired. Is there such a thing as a free version available for download?

        What happened to you most likely was damage to certain Windows System Files caused by the Super Antispyware cleanup. Short of a full reinstall, you might have been able to restore those files using the Super Antispyware tab which has the “Repair” label. Often, this is all you need to do. If you had Avast Antivirus (also free), there is an extensive Repair database, called the Avast Virus Recovery Database (VRDB). This database must generate itself during idle CPU cycles, and you have to enable it. It is disabled by default, because of the system performance hit you take for a few days while the VRDB is generated. Once generated, this is like the Super Antispyware Repair module on steroids. Better even than Windows System Restore, and much more secure against infections entering into the recovery files. Both Super Antispyware and Avast have Help items on how to start and use these recovery modules. I hope you never have to use them, but just know that these are nondestructive options built into these free programs just for cases like yours.

        If you haven’t reformatted or reinstalled Windows yet, try the Super Antispyware Repair module.

        Sorry, but there is no free lunch at Microsoft. If you were not using Microsoft’s own antivirus, they will not reinstall Windows XP for you at any cost. So if you need XP Install disks, you will have to find a legitimate full version, and even on Amazon.com, there are plenty of fakes being offered at steep discounts. But there are copies out there, and folks with Netbooks still use XP Home. (BTW, you cannot use anyone else’s copy to reinstall Windows XP on your computer. Doing so could cause not only your copy to be flagged, but also the installed copy on the other person’s computer.)

        You could request the OEM reinstall media for your computer, but you would be charged for that, in all likelihood.

        -- rc primak

    • #1214778

      Reloading Windows is a sure-fire way to clean up your PC. What kind of PC do you have? As long as you have the original license sticker for XP Home (usually somewhere on the outside of the case; has a hologram and the XP license key on it), ask the vendor if you can purchase replacement media (CD). I don’t think the PC still has to be under warranty for that. It may be sold as the recovery disc set for your PC, which includes XP. I’ve gotten these from HP for non-warranty PCs for around $30 shipped. A recovery disc is a good way to go, as they include all the drivers for all the hardware (audio, video, NIC, etc.). You probably can find a copy of XP out there somewhere in cyberland (legit?). Good luck!

    • #1215108

      To follow up: I found this post to be very useful, with the exception that in my case the Vista 2010 spyware executable was ave.exe.
      I was almost able to remove the whole thing – but Windows Defender and the Security Center weren’t quite behaving normally.
      I decided that rebuilding the system was going to take less time than further registry spelunking.
