• Scareware or not

    • This topic has 7 replies, 5 voices, and was last updated 14 years ago.
    #476752

    I recently had to use Microsoft recovery to eliminate a virus I picked up.
    Since then a program called “Vista Total Security” keeps popping up telling me I have several virus problems. They want me to register to remove the problems.

    I do have CCleaner and Spybot Search and Destroy, which should have cleared any spyware.

    Is this program a part of Microsoft or just a look-alike scareware?

    Any recommendations?

    Thanks,

    Viewing 2 reply threads
    • #1280249

      No, it’s not part of Microsoft, it’s scareware.
      Removal instructions from BleepingComputer.com

      • #1280261

        If the fake alert appeared after a virus infection you may also have a rootkit that Malwarebytes is often unable to remove. It is worth the extra 5 minutes scanning with Kaspersky TDSS Killer.

        One of the best ways I’ve found to overcome these fake alerts is to use the following process:

          1. Download Malwarebytes Anti-Malware and Autoruns from Sysinternals, plus the Kaspersky tool above, on a clean machine and transfer them to a USB stick or CD.
          2. Boot the affected machine into Safe Mode Without Networking.
          3. Run Kaspersky TDSS Killer.
          4. Run a System Restore to a time before the infection. This will require a reboot, and it’s important to re-enter Safe Mode Without Networking to complete the Restore.
          5. Run Autoruns and remove any rogue or fake antivirus remaining.
          6. Run Malwarebytes Anti-Malware, removing anything it finds.
          7. Finally, boot into normal mode and re-run Malwarebytes, this time updating the program.

        I’ve seen dozens of these fake alerts on client machines and the above technique has worked every time.

        Whichever way you clean up: afterwards you should ensure your AV program is fully up to date, but also make sure your Adobe Flash Player, Adobe Reader and Java are fully patched. Particularly important is Flash Player, as many of these fake alerts arrive via poisoned animated adverts on websites that require no user interaction to launch the attack. Also consider the use of ad-blocking add-ons in your browser such as Adblock Plus.

        Some of these fake alerts run a script that changes the hidden file attribute on the contents of your documents and pictures folders, making it appear they have been removed. It’s tedious in the extreme to reset that attribute on every file, so if it has occurred, you could select the show hidden files and folders option.
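        The hidden-attribute trick described above can be undone in bulk rather than file by file. The following PowerShell script is an added example, not code from the thread or from any of the tools it mentions; it assumes the affected folders are the current user’s Documents and Pictures (override with -Folders) and that the malware has already been removed, since nothing here stops it re-hiding the files.

```powershell
# Added example: clear the Hidden attribute that some fake-AV variants set on the
# contents of Documents and Pictures. Read-only when run with -WhatIf.
param(
    # Assumption: the folders the fake alert touched; adjust if your profile differs.
    [string[]]$Folders = @(
        [Environment]::GetFolderPath('MyDocuments'),
        [Environment]::GetFolderPath('MyPictures')
    ),
    [switch]$WhatIf
)

foreach ($root in $Folders) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Skipping missing folder: $root"
        continue
    }

    # -Force is required, otherwise Get-ChildItem silently omits hidden items.
    Get-ChildItem -LiteralPath $root -Recurse -Force |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            # Leave items that are hidden *and* System alone (desktop.ini and the like);
            # the fake alerts only set Hidden, so these are Windows' own housekeeping files.
            if ($_.Attributes -band [IO.FileAttributes]::System) { return }

            if ($WhatIf) {
                Write-Output "Would unhide: $($_.FullName)"
            } else {
                # Hidden is known to be set here, so XOR clears exactly that one bit.
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
                Write-Output "Unhid: $($_.FullName)"
            }
        }
}
```

Run it once with -WhatIf to see the list, then without. The older command-line equivalent is attrib.exe, e.g. `attrib -h "%USERPROFILE%\Documents\*" /s /d`, but attrib has no dry run and will also strip the attribute from folders such as desktop.ini that are meant to stay hidden; the System-attribute check above is the reason for preferring the script.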

    • #1280262

      Tinto, very good explanation, easy to follow. Thanks. This will hopefully help many others with this problem. I, with your permission of course, will be copying these steps to a notepad file and placing them on a flash for future use. Thanks again.

      Ted

      p.s. I would assume this same procedure will work on Win 7 as well.

      • #1280268

        > Tinto, very good explanation, easy to follow. Thanks. This will hopefully help many others with this problem. I, with your permission of course, will be copying these steps to a notepad file and placing them on a flash for future use. Thanks again.
        >
        > Ted
        >
        > p.s. I would assume this same procedure will work on Win 7 as well.

        You’re very welcome Ted. By all means keep a copy to hand. Hopefully you’ll never need it!

        The key is to stop the trojan before it can launch the attack, and that’s where Safe Mode Without Networking comes in. When in Safe Mode Without Networking, all instances of the problem that I have come across have not been active, allowing you to use the cleanup and removal tools.

        There are programs, such as rkill, that can be used to disrupt the trojan without using Safe Mode Without Networking, but I have had mixed results with this: when active, some variants are clever enough to stop the rkill, mbam and other processes.

        Oh, and yes, the process applies across XP through Vista to Win7.
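        Step 5 of the procedure above (run Autoruns and remove the rogue antivirus) comes down to reading the Windows autostart locations and deciding which entries do not belong. The script below is an added example, not part of the thread and not Autoruns itself: it is a read-only survey of the Run/RunOnce keys and the Startup folders that flags entries whose executable is unsigned, missing, or sitting in a temp or per-user profile folder, which is where the fake-AV installers described in this thread typically land. The folder list and the "REVIEW" label are the example's own assumptions; legitimate per-user applications also install under AppData, so a flag is a prompt to look, not a verdict.

```powershell
# Added example: list autostart entries and flag the ones worth a second look.
# Changes nothing; run from an elevated prompt so HKLM is readable.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: autostart binaries in these roots deserve a closer look.
$suspectRoots = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA) | Where-Object { $_ }

function Get-ExePath([string]$command) {
    # Extract the executable from a Run value such as  "C:\x\y.exe" /arg  or  C:\x\y.exe /arg
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    if ($command -match '^(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

function Get-Verdict([string]$exe) {
    # Returns the signature status plus a REVIEW flag for unsigned, missing or oddly placed binaries.
    $full = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not (Test-Path -LiteralPath $full)) {
        return @{ Signature = 'FileMissing'; Flag = 'REVIEW' }
    }
    $status = (Get-AuthenticodeSignature -FilePath $full).Status
    $oddPlace = $suspectRoots | Where-Object { $full.StartsWith($_, 'OrdinalIgnoreCase') } | Select-Object -First 1
    $flag = if ($status -ne 'Valid' -or $oddPlace) { 'REVIEW' } else { '' }
    return @{ Signature = $status; Flag = $flag }
}

$noise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$results = @()

# Registry Run/RunOnce values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -in $noise) { continue }
        $v = Get-Verdict (Get-ExePath $p.Value)
        $results += [pscustomobject]@{
            Location = $key; Name = $p.Name; Command = $p.Value
            Signature = $v.Signature; Flag = $v.Flag
        }
    }
}

# Per-user and all-users Startup folders.
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -File -Force | ForEach-Object {
        $v = Get-Verdict $_.FullName
        $results += [pscustomobject]@{
            Location = $dir; Name = $_.Name; Command = $_.FullName
            Signature = $v.Signature; Flag = $v.Flag
        }
    }
}

$results | Sort-Object Flag -Descending | Format-Table -AutoSize
```

Shortcut (.lnk) files in the Startup folders are reported on the shortcut itself rather than its target, so those always show as unsigned and need to be opened by hand; Autoruns resolves them for you, which is one reason the original advice to use it stands.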

    • #1280350

      Ran across one case where the trojan was active in Safe Mode and it killed explorer.exe as well, so there was no access to Start, preventing you from running any programs! Had to invoke Task Manager, go to the Services tab and kill the trojan process. Then I was able to start explorer and clean the PC.

      Jerry

      • #1280352

        > Ran across one case where the trojan was active in Safe Mode and it killed explorer.exe as well, so there was no access to Start, preventing you from running any programs! Had to invoke Task Manager, go to the Services tab and kill the trojan process. Then I was able to start explorer and clean the PC.
        >
        > Jerry

        Good tip Jerry!

        I’ve seen it in Safe Mode too, but never in Safe Mode Without Networking. However, these things are moving targets and could easily have variants that are active in Without Networking mode by now.

        Thanks!

        • #1280374

          Thank you one and all.
          Great information on what appears to be a common problem.

          Once again, thank you.
