Fake anti-virus virus

Status
Not open for further replies.
Originally Posted By: OVERK1LL
Originally Posted By: javacontour
Why do folks browse with admin rights?

These things can't install if you don't have admin rights, do they?


They install to the Default User profile or the active user profile. So while they may not affect other accounts, they can sure wreak havoc on the one you are using. And if it is an admin account then yeah, it can get a lot worse.


+1.

You really have to be careful. As mentioned some instancs are really a PITA. Sometimes easier to reformat, but in some cases people don't have their office disc or other software titles for reinstall. Not to mention where I work, a reformat is probably a min of 2-3 hours or more depending on what department the unit belongs to.

Some of the Malware will install rootkits that will continue to manifest new malware after removal. Some install to more than one user profile. Some change the host file, or add proxy to browser. Some of the newer stuff is even hiding all of your files. The worst ones are the ones that BSOD in safe mode (typically rootkits). A lot of them will even hide in system restore files.

MSE is good, it's just not good sometimes at stopping malware threats. Malwarebytes is good, and from what I've read the pro version that has an active scanner is supposed to help stop some of the fake a/v malware.
 
The rootkits do indeed suck. Wife's computer got one about a year ago. HitmanPro that I previously mentioned was able to identify the threat and remove it.
 
Originally Posted By: buickman50401
Originally Posted By: javacontour
Why do folks browse with admin rights?

These things can't install if you don't have admin rights, do they?

Some can IIRC depending on how they are "delivered" to the system (javascipts and broswer helper objects).

Sandboxie is a good program (though you have to pay for it) which can be set to run programs such as your browser in a "sandbox" where they can't make changes to the machine. Its basically like running a mini virtual machine for those specific programs.

Originally Posted By: Dan55
After removing the Trojans make sure you check the Security Center settings located in Control panel. Make sure Firewall, Windows Update and Virus Protection are all turned on!

Definitely. If they aren't and you can't turn them back on, there are a couple of easy fixes using the command line IIRC.

OP might want to run HitmanPro3.5. Its free to use indefinitely as a scanner. If you activate the removal feature, its a 30day trial. A quick scan with it will tell you if there is anything that has been overlooked. Top notch program that can remove many nasties missed by other programs.

Combofix is another good last resort tool as well.

Also I suggest Firefox with Adblock and Noscript if security from these types of infections is a concern. Noscript is a bit of a pain at first since it may disable some functionality of some web pages until you whitelist them but will prevent most of these infections.


Don't you have to give an admin password in order for it to ultimately install?

I can see where something might torque your personal settings, changing the browser proxy, etc so you pass through where they want you to go.

I guess I don't see how something can break out of userland and get admin rights unless the user supplies an admin password.

Doesn't Vista, Win7 and Server2008 have UAC or something of that sort so you are prompted before actions that change the system are permitted?
 
She got the virus from clicking on a gardening site. She didn't know what was going on and didn't stop it. My mother 80 yrs old got the same one. Looks like they target older folks that are not computer savory that use gardening sites??
 
Originally Posted By: javacontour


Don't you have to give an admin password in order for it to ultimately install?

I can see where something might torque your personal settings, changing the browser proxy, etc so you pass through where they want you to go.

I guess I don't see how something can break out of userland and get admin rights unless the user supplies an admin password.

Doesn't Vista, Win7 and Server2008 have UAC or something of that sort so you are prompted before actions that change the system are permitted?

A limited user account can help prevent some infections, and limit damage in some cases, but with the way the malware is being delivered these days it can still cause problems and sometime find a way out of user land particularly if it isn't actually "installing" anything. These fake AV malware programs of course do require you to actually click something to install it so in those cases a user account could prevent infection (could but not always).

The UAC in Vista and particularly in Win7 is an excellent feature. With 7 they finally got it right and even running as admin you'll still get the UAC popup and so long as you're paying attention and not clicking on it willy-nilly you'll be fine. Heck even as admin, I can't run Ccleaner, Malwarebytes, Superantispyware and sever other programs without allowing it through a UAC prompt.

I run as admin simply because a lot of what I do on the box requires it. I do a lot of offline development for sites I put together for other people and I need full admin rights to run xampp (an apache, mysql, and php stack) so I can do offline development of sites using forum software, Wordpress, or Joomla before putting them on a live server.

That being said here's a word of warning to for anyone running Chrome for their browser. Chrome does not install in the program files directory. Instead it installs in the users profile (%/user/appdata/). This is a "very bad thing". Programs are supposed to be installed in the program files folder because when installed there extra protections attached to modification of files in the program files folder do not exist. It potentially allows behavior that would otherwise not be permitted to occurr if it were installed in the OS's default install directory.

For this reason, I stopped using Chrome except for testing the rendering of the sites I develop.

Originally Posted By: Blaze
Thanks for all the great info!!.. I'm D/L Hitman Pro.

Also at a bare minimum use Firefox (or Opera) with Adblock and Flashblock installed. A lot of the malware these days comes through these two vectors. With flashblock in FF you can still watch all your youtubes and other flash content, but you have to click on a little "play" button to allow that particular piece of flash content to load.

If you are really paranoid you can install Noscript in Firefox, though it is a bit of a pain to use until you have it "trained" for the sites you regularly visit.
 
Originally Posted By: lebrimal
Get Linux, Ubuntu and wont happen again...

Very true... since you can't actually do anything useful on linux unless you're a CLI junkie and enjoy hunting through a package manager for some obscurely named piece of software that's a poor attempt to mimic functionality of software found in Windows (and Mac) OSes.

Oh but its FREE! Yes and so are 75% or more of the programs I routinely use in Windows (some are even ports of Linux software - the difference being they oddly enough work better in Windows).

Just kidding about the linux part. However, seeing tired old suggestions of "install Linux, problem solved" are well... tiring. For those that want to use Linux, more power to you I guess.

For the rest of the planet (avg. Joe user) they just want something that works without having to dig through forums and man-pages to out why their sound isn't working properly or why their video card isn't functioning correctly only to discover that the drivers don't provide full 3D acceleration or are lacking some other important (and basic) functionality. But wait! We can solve this if we edit a handful of config files and cross our fingers that the next time a library is updated some dependencies aren't broken.
 
We had a fake anti-virus program load itself on our Windows 7 machine while one of the kids was using it, and this was on a limited account (no administrative rights), spooky, nasty. Also, the Verizon anti-virus (re-badged McAfee) didn't detect it. The removal process was a 20+ step process, which I didn't want to dive into. I keep a relatively current image of our drives as a back-up and ended up re-imaging the drive.

My wife encountered the same thing starting just a short time later and she quick shut the computer off. It wasn't there when we re-started the computer. I suspect she aborted the nasty download before it completed. It was almost as if the fake anti-virus displayed warning screens to "knock the user back on their heels" giving them enough time to download the payload. I don't know...

Anyway, I told everyone if this type of situation occurs again to quick turn the DSL modem off then shut down the computer and I'll investigate. I figure nothing will stop a bad download faster or colder than shutting off the modem.

Since then my son encountered something similar and he quick shut the modem off and we were OK.

That was several months ago and it's been quiet since. I'm not sure if this is the best strategy but it's something...
 
Status
Not open for further replies.
Back
Top Bottom