Scareware or not

Topic

New Reply

I recently had to use Microsoft recovery to eliminate a virus a picked up.
Since then a program called “Vista Total Security” keeps popping up telling me I have several virus problems. They want me to register to remove the problems.

I do have CC Cleaner and Spybot Search and Destroy, which should have cleared any spyware.

Is this program a part of Microsoft or just a look alike Scareware?

Any recommendations?

Thanks,

Reply | Quote

Replies

No it’s not part of Microsoft, it’s scareware.
Removal instructions from Bleeping Computers.com

Reply | Quote

If the fake alert appeared after a virus infection you may also have a rootkit that Malwarebytes is often unable to remove. It is worth the extra 5 minutes scanning with Kaspersky TDSS Killer.

One of the best ways I’ve found to overcome these fake alerts is to use the following process:

Download Malwarebytes Anti-Malware, and Autoruns from Sysinternals plus the Kaspersky tool above on a clean machine and transfer them to USB stick or CD.

Boot the affected machine into Safe Mode Without Networking.

Run Kaspersky TDSS Killer

Run a System Restore to a time before the infection. This will require a reboot and it’s important to re-enter Safe Mode Without Networking to complete the Restore.

Run Autoruns and remove any rogue or fake antivirus remaining

Run Malwarebytes Anti-Malware removing anything they find.

Finally, boot into normal mode and re-run Malwarebytes, this time updating the program.

I’ve seen dozens of these fake alerts on client machines and the above technique has worked every time.

Whichever way you clean up: afterwards you should ensure your AV program is fully up to date, but also make sure your Adobe Flash Player, Adobe Reader and Java are fully patched. Particularly important is Flash Player as many of these fake alerts arrive via poisoned animated adverts on websites that require no user interaction to launch the attack. Also consider the use of ad-blocking ad-ons in your browser such as ADBlock Plus.

Some of these fake alerts run a script that changes the hidden file attribute on the contents of your documents and pictures folders, making it appear they have been removed. It’s tedious in the extreme to reset that attribute on every file, so if it has occurred, you could select the show hidden files and folders option.

Reply | Quote

Tinto, very good explanation, easy to follow. Thanks. This will hopefully help many others with this problem. I, with your permission of course, will be copying these steps to a notepad file and placing them on a flash for future use. Thanks again.

Ted

p.s. I would assume this same procedure will work on Win 7 as well.

Reply | Quote

Tinto, very good explanation, easy to follow. Thanks. This will hopefully help many others with this problem. I, with your permission of course, will be copying these steps to a notepad file and placing them on a flash for future use. Thanks again.

Ted

p.s. I would assume this same procedure will work on Win 7 as well.

You’re very welcome Ted. By all means keep a copy to hand. Hopefully you’ll never need it!

The key is to stop the trojan before it can launch the attack and that’s where Safe mode without networking comes in. When in Safe mode without networking, all instances of the problem that I have come across have not been active, allowing you to use the cleanup and removal tools.

There are programs, such as rkill, that can be used to disrupt the trojan without using Safe Mode Without Networking, but I have had mixed results with this: when active, some variants are clever enough to stop the rkill, mbam and other processes.

Oh, and yes, the process applies across XP through Vista to Win7.

Reply | Quote

Ran across one case where the trojan was active in safe mode and it killed explorer.exe as well so there was no access to Start preventing you from running any programs! Had to evoke task manager, go to the services tab and kill the trojan process. Then, I was able to start explorer and clean the PC.

Jerry

Reply | Quote

Ran across one case where the trojan was active in safe mode and it killed explorer.exe as well so there was no access to Start preventing you from running any programs! Had to evoke task manager, go to the services tab and kill the trojan process. Then, I was able to start explorer and clean the PC.

Jerry

Good tip Jerry!

I’ve seen it in Safe Mode too, but never Safe Mode Without Networking. However, these things are moving targets and could easily have variants that are active in without networking mode by now.

Thanks!

Reply | Quote

Thank you one and all.
Great information to what appears to be a common problem.

Once again, thank you….

Reply | Quote