William Saffer

    @mrlogiclogicservices-net

    • in reply to: LizaMoon infection: a blow-by-blow account #1274834

      The missing piece in this “blow by blow” article is exactly the process used to disinfect the PC. Did it require running the scanners in Safe Mode? How did the latest versions of the scanners get on the PC if it was disconnected – USB stick, CD burned on another PC, etc.?

      Yes, the ComboFix/Malwarebytes scans were usually run in Safe Mode (with networking), since we wanted to download the latest copies with updates. Safe Mode also gives us a better chance to run these scans without being interfered with by the virus. RKill if necessary to stop virus processes long enough to get our scans started. Tough cases required a boot scan using something like Kaspersky’s rescue disk.

    • in reply to: LizaMoon infection: a blow-by-blow account #1274832

      My PC business averages one infected customer PC a day. The fake AV viruses are usually what they have. Most come in the same way (a popup window or ad). Many times the customer claims they clicked on the X to close the window and things went downhill from there. I have received a popup and tested the X myself and verified their claims.

      The infected PCs have had a variety of protections including Norton, McAfee, MSE, etc. If anyone has found a protection that detects the contents of these bogus popups please share. We want to try it!!

      Echoing earlier posts: We usually have to kill the processes with RKill and run ComboFix/Malwarebytes to get the PC cleaned up enough to put it back on its own internal protections. Regularly use Kaspersky rescue disk to boot to a non-Windows OS and scan. Also safety.live.com, TDSSKiller, and F-Secure’s Blacklight. Occasionally have to run an EXE reg fix to restore file associations. Also have to reset IE Proxy to get back online.
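The two leftovers named at the end of that post (a hijacked .exe file association and an IE proxy set by the malware) can be verified before the PC goes back online. The following is an added PowerShell check, not code from the forum author; it only reads the registry and reports, leaving the actual reset to the technician. The baseline values it compares against (`exefile` for `HKCR\.exe` and `"%1" %*` for the exefile open command) are the assumed defaults of a stock Windows install, and the localhost-proxy heuristic is an assumption about what a rogue local interceptor typically looks like.

```powershell
# Added example (not from the forum post): audit the IE/WinINET proxy and the
# .exe file association that fake-AV infections commonly tamper with.
# Read-only: it reports findings so the technician can confirm the cleanup.

function Get-ProxyFindings {
    param(
        [int]$ProxyEnable,    # HKCU\...\Internet Settings\ProxyEnable (DWORD)
        [string]$ProxyServer  # HKCU\...\Internet Settings\ProxyServer (string)
    )
    $findings = @()
    if ($ProxyEnable -eq 1) {
        $findings += "WinINET proxy is enabled, pointing at '$ProxyServer'"
        # Assumption: a proxy on the local machine is suspicious on a home/SMB PC
        # that had no proxy before; it usually means a rogue interceptor remained.
        if ($ProxyServer -match '^(127\.0\.0\.1|localhost)(:\d+)?$') {
            $findings += "proxy points at localhost, typical of a leftover local interceptor"
        }
    }
    return ,$findings
}

function Get-ExeAssociationFindings {
    param(
        [string]$DotExeDefault,      # HKCR\.exe (Default); expected 'exefile'
        [string]$OpenCommandDefault  # HKCR\exefile\shell\open\command (Default); expected "%1" %*
    )
    $findings = @()
    if ($DotExeDefault -ne 'exefile') {
        $findings += "HKCR\.exe maps to '$DotExeDefault' instead of 'exefile'"
    }
    if ($OpenCommandDefault -ne '"%1" %*') {
        # Anything else here means every .exe launch is routed through another program.
        $findings += "exefile open command is '$OpenCommandDefault' instead of '""%1"" %*'"
    }
    return ,$findings
}

# Live read of the current machine. Missing ProxyEnable casts to 0 (disabled).
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$proxyFindings = Get-ProxyFindings -ProxyEnable ([int]$inet.ProxyEnable) -ProxyServer ([string]$inet.ProxyServer)

$dotExe  = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.exe').'(default)'
$openCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
$assocFindings = Get-ExeAssociationFindings -DotExeDefault $dotExe -OpenCommandDefault $openCmd

$all = @($proxyFindings) + @($assocFindings)
if ($all.Count -eq 0) {
    'No proxy or .exe association tampering found'
} else {
    $all | ForEach-Object { "FINDING: $_" }
}
```

Run it from an elevated PowerShell prompt on the cleaned PC (and again under the affected user's profile, since the proxy setting is per user). A clean result on both checks is the point at which the post's "reset IE Proxy" and "EXE reg fix" steps are confirmed done; a finding means the association or proxy still needs to be put back by hand before the machine is trusted online.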
