Sunday, March 14, 2010

Off to fix spyware

One of our friend's kids saw one of those "Oh Noes!! U has teh Spywarez! Download me 2 fix!" thingies, and clicked on it. (Note: this is only a picture, from a known safe site):


Of course, the danged "fix" tool is the spyware.

So I'll be back later, with some security posts (I've been terribly lax on those lately). In the meantime, you might want to read this about spyware, and this about scareware, and this about what your options are.

UPDATE 14 March 2010 11:24: Oh, this should be your first stop if you think you're infected.

UPDATE: I should have said it was the kid of one of our friends. Coherent writing FAIL. I blame Global Warming, or something ...

9 comments:

ASM826 said...

Borepatch,

Had this one on a work system last week. There was a file named av.exe, it was set in the prefetch and would automatically reinstall on reboot. The registry and explorer.exe were both set so that the default command interpreter was av.exe, meaning that if you deleted av.exe, you could not run most exe files. It overrode the university Symantec product and kept Malwarebytes from starting.

I succeeded, but I think it might have been easier to reload the OS. If you get caught, email or call me and I'll tell you in some detail what I did to get out of it.
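A defender's check for the kind of hijack ASM826 describes, added here as an example and not taken from the post or any commenter: it parses a Registry Editor export and flags any .exe open-command whose default value is no longer the stock `"%1" %*`, which is how a fake AV makes itself the "default command interpreter" for every program launch. The key list, the expected value and the sample export (with av.exe under a made-up profile path) are assumptions for the example.

```python
import re

# Stock data for the (Default) value of the exefile open command. A fake-AV
# "command interpreter" hijack replaces it with a path to its own binary so
# that launching any .exe runs the malware first (assumption for this example).
EXPECTED_COMMAND = '"%1" %*'

# Registry keys that decide how .exe files are launched (HKCU overrides HKLM).
EXE_COMMAND_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
)

# Constructed sample export: HKLM is clean, HKCU has been pointed at av.exe.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"C:\\Users\\kid\\AppData\\Local\\av.exe\" \"%1\" %*"
'''


def parse_reg_export(text):
    """Parse a .reg export into {key (lower-cased): {value name: data}}.
    String data is unquoted and unescaped; other types are kept verbatim."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # \" -> ", \\ -> \
            keys[current][name] = data
    return keys


def find_exe_hijacks(reg_text):
    """Return [(key, command)] for every exefile open command that is not stock."""
    keys = parse_reg_export(reg_text)
    findings = []
    for key in EXE_COMMAND_KEYS:
        values = keys.get(key.lower())
        if values is not None and values.get("@", "") != EXPECTED_COMMAND:
            findings.append((key, values.get("@", "")))
    return findings


if __name__ == "__main__":
    for key, cmd in find_exe_hijacks(SAMPLE_REG):
        print(f"HIJACKED {key}\n    (Default) = {cmd}")
```

On a live machine, `reg export HKLM\SOFTWARE\Classes\exefile\shell\open\command out.reg` (and the HKCU/HKCR equivalents) produces input in this format, ideally run from a clean boot medium as the other commenters suggest.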

Alan said...

And people wonder why I refuse to run Windows.

wolfwalker said...

ASM826: This is a good reason to keep a second PC around. A couple of months ago I had to clean a machine (not my own) that was infected with a different vicious "fake antivirus" malware. It kept MalwareBytes from running and also hijacked the machine's browser, blocking me from reaching any antivirus sites.

I simply plugged my laptop into the person's Internet connection, then searched for "how to remove" and program name. Got step-by-step instructions for how to disable it so I could run MalwareBytes, and MalwareBytes then cleaned the infection.

For this one, I typed "remove av.exe" into Firefox's search box and immediately found this page, again with simple step-by-step removal instructions.

(Note that bleepingcomputer.com is a trustworthy antivirus site, which among other things produces the brutally effective malware-cleaner called ComboFix.)

Mike Golch said...

I got nailed by this as well.

WoFat said...

Children who download virus programs should be subjected to global warming. Of course, I know - as do we all - adults who are as bad, and as dangerous. Said adults should be impaled.

Danimal said...

You're a better man than me, Gunga Din. I, too, am the dedicated "computer guy" for just about everyone who has ever met me. I no longer bother trying to repair infections -- they're just too hard to rip out completely. Just reformat and let them reinstall. They'll learn not to do it in the future.

NotClauswitz said...

My neighbor got hit by that scareware thing.

elmo iscariot said...

Allow me to be That Guy for just a moment:

"When I got spyware, _my_ first stop was an Ubuntu boot disk!"

Man, that felt good. Sorry, it's just, I never get to be the smug computer guy, but the little orange disk makes me feel all undeservedly leet.

JP said...

None of this for me at home anymore. All Linux all the time!