Thursday, March 21, 2013

Some Internet Street Smarts


What I find among my friends and the people I talk with is a need for some basic Internet smarts; that gap is what the thieves and crooks of the Internet prey on. These people should be treated exactly the same as the armed robber. Stealing is stealing, and breaking into another person's computer should be treated the same as breaking into someone's living quarters (whether you are armed or not, the penalty should be the same).



Enough of that. The first part of this lesson is recognizing one of the tricks spyware/malware scammers use to get their goods onto your computer, and with your permission (albeit a forced one). For the most part, this deals with Antivirus 2009, which goes under a variety of names:

XP Antivirus;
Vitae Antivirus;
Windows Antivirus;
Win Antivirus;
Antivirus Pro;
Antivirus Pro 2009;
Antivirus 2007, 2008, 2009, 2010, and 360;
System Antivirus;
Vista Antivirus;
AntiSpywareMaster;
XP AntiSpyware 2009.



You are happily cruising the net, maybe doing research on a subject, or looking up something, maybe just what is ailing your children. Google, Yahoo, Cuil and the other search engines aren't immune, and unless they catch it, you may be one of the first victims. It even gets past WOT (Web of Trust, which I recommend having). What they do is construct innocent-looking websites which the search engines index, but when you arrive you are redirected to their site.



So, step by step, here is what happens.

1. Hit the first search term (on Google they came up 2nd or 3rd, on Cuil 1st). That is where most people go first.

2. They reduced my Flock browser and covered it up with their notice (here I uncovered it slightly).

3. Close their window with the X (circled). Always do this.

4. At the next popup, close that with the X too.

5. Then quickly close your browser (or the tab, if you prefer to save your session) on the X as well, and start a new session. If the following types of screens showing the scan results appear, closing your Explorer/browser is going to be difficult. It can still be done through the Task Manager on Windows, and through the Monitor on Linux.



So let's walk through the steps.

6. Copy of the phony results. Enough to make one panic if they didn't know better; they are clubbing you with fear. Another popup box appears with a Windows Security look-alike logo (another part of the ploy). Whatever you do, don't click anywhere except the X. Even clicking inside the popup, away from the buttons, will automatically make your browser prompt for the download.

7. The download that popped up. DON'T DOWNLOAD!!! Hit your browser's Cancel. Don't run it; hit Cancel or the X.

8. Now the nag popup occurs. It is now a futile operation to cancel the nag window via the X (except in one case), for it quickly reopens. Don't hit any of the other buttons, or you can expect the download prompt again (see 7 above).

Your Final Solutions



Once we reach the screen at 8), the fight is on. Closing via the X only results in it quickly reopening, too quickly for you to close the tab or browser.

But not all is lost; some tricks can be done here.

9. Pull up the Task Manager via Ctrl-Alt-Del(ete).
Click on the Applications tab.
Click on the affected Explorer/browser.
Click End Task.
If prompted, select OK.

10. Another alternative, but it requires fast clicking of the mouse: drag their popup box so that its X is aligned over the tab's X or the browser's X. Double-click and you'll beat the popup. One more popup may appear, but it can now be X'ed out too.

For extra peace of mind, run your antivirus. It will probably just clean up your browser's cache.

Defense Solutions



1. Have a good antivirus installed. It may not stop you from getting to the site, but it will warn you. Or have it integrated in your browser; AVG has a toolbar. Figure 11) shows what my AVG did in Windows (yes, I redid the hit in Windows). Another thing to note is that you must know what the warnings from your antivirus program look like and how they behave, because the imitators will try to duplicate these too. If uncertain, you can always use the Task Manager to see what is running, close things down, and run your antivirus program.

2. If you don't have an antivirus, I recommend getting one of these three: AVG Free, Comodo, or Avast (I have used each of these three and prefer the first two). Plus have Spybot S&D and Lavasoft Ad-Aware installed.

3. If using Firefox or Mozilla-like browsers (Flock), have "NoScript" installed. Here is what I got in 12) from a "NoScript" Firefox: it put a quick stop to the whole affair.

Alright - you've been infected. Now what?



Symptoms of infection are constant popups declaring that you are infected and stating that to remove the infections you need antivirus protection, directing you to the phony site. Unfortunately thousands, if not millions, have fallen for this ploy and purchased the phony antivirus protection (it merely becomes even more entrenched). Also, the longer the phony warnings stay on, the slower your machine becomes and the more entrenched it gets.

Deleting it will not remove it, and depending on the variety, uninstalling won't either; instead it reinstalls itself. It may even disable your real antivirus programs. The crooks constantly update this antivirus rogueware so it can avoid detection.

So how do you remove it? Well, do you want to do this yourself or use antivirus software? As for DIY, I have no recommendations of which software to use. There are several dealers out there, but a good starting point for choosing software would be PC Mag's forum. PC Mag will direct you to Bleepingcomputer.com, a very good starting point.

Now, if you are up to the challenge, here is the manual way of removing it (it's not for the novice). Please reboot your computer into Safe Mode. This disables a lot of drivers and functions, but will allow you access to remove this virus.



Find and stop these Antivirus 2009 processes:

av2009.exe
Antivirus2009.exe
AV2009Install.exe
av2009[1].exe
AV2009Install_880405[1].exe
AV2009Install_880405[2].exe
c:\Program Files\Antivirus 2009\av2009.exe
c:\WINDOWS\system32\ieupdates.exe
Power-Antivirus-2009.exe
AV2009Install[1].exe
ieexplorer32.exe
%PROGRAMFILES%\Antivirus 2009\av2009.exe
AntivirusPro2009.exe
%PROGRAMFILES%\AV9\av2009.exe



Find and remove these Antivirus 2009 DLL files:

shlwapi.dll, usually located in c:\WINDOWS\system32
wininet.dll, usually located in %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V



Remove these Antivirus 2009 registry entries:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\15358943642955870504508370025739
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Antivirus" = "%ProgramFiles%\Antivirus 2009\Antvrs.exe"
HKEY_CURRENT_USER\Software\Antivirus
Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Antivirus 2009
HKEY_CURRENT_USER\Software\75319611769193918898704537500611
HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ieupdate"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "75319611769193918898704537500611"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}



Remove these Antivirus 2009 files:

av2009.exe
Antivirus2009.exe
AV2009Install.exe
av2009[1].exe
Antivirus 2009.lnk
Uninstall Antivirus 2009.lnk
AV2009Install_880405[1].exe
AV2009Install_880405[2].exe
c:\Program Files\Antivirus 2009
c:\Program Files\Antivirus 2009\av2009.exe
c:\WINDOWS\system32\ieupdates.exe
c:\WINDOWS\system32\winsrc.dll
c:\WINDOWS\system32\scui.cpl
%UserProfile%\Desktop\Antivirus 2009.lnk
%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009
%UserProfile%\Start Menu\Antivirus 2009\Uninstall Antivirus 2009.lnk
%UserProfile%\Start Menu\Antivirus 2009\Antivirus2009.lnk
Power-Antivirus-2009.exe
AV2009Install[1].exe
ieexplorer32.exe
ieexplorer32.exe-removed_skip
AntivirusPro2009.exe
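As an added example that is not part of the original post, the following PowerShell script turns the process, registry, DLL and file lists above into a read-only triage report for the affected machine. It reports what it finds and stops nothing unless told to. The function names are mine; the indicator names, paths, CLSID and Run-key value names are the post's; and since the S96PZM7V cache folder is one machine's example, the IE cache is searched by file name instead. One check the lists above do not make: shlwapi.dll and wininet.dll are also the names of genuine Windows components, so the script verifies the Authenticode signature of the system32 copies rather than treating them as rogue (on older Windows versions, where system files are catalog-signed, the reported status alone is not conclusive).

```powershell
# Added triage script (not from the original post): reports the Antivirus 2009
# indicators listed above and deletes nothing. Assumes an elevated PowerShell
# prompt on the affected machine; indicator names are the post's, helper names
# are mine.

# Process names from the post, matched as a prefix so variants such as
# av2009[1] and AV2009Install_880405[2] are caught as well.
$RogueProcessPattern = '^(av2009|antivirus2009|power-antivirus-2009|' +
                       'ieupdates|ieexplorer32|antiviruspro2009)'

# Run-key value names listed in the post.
$RogueRunNames = @('Antivirus', 'ieupdate',
                   '15358943642955870504508370025739',
                   '75319611769193918898704537500611')

$RogueClsid = '{037C7B8A-151A-49E6-BAED-CC05FCB50328}'

# On-disk locations from the post, environment variables expanded.
$RoguePaths = @(
    "$env:ProgramFiles\Antivirus 2009",
    "$env:ProgramFiles\AV9\av2009.exe",
    "$env:SystemRoot\system32\ieupdates.exe",
    "$env:SystemRoot\system32\winsrc.dll",
    "$env:SystemRoot\system32\scui.cpl",
    "$env:USERPROFILE\Desktop\Antivirus 2009.lnk",
    "$env:USERPROFILE\Start Menu\Antivirus 2009"
)

function Find-RogueProcesses {
    Get-Process | Where-Object { $_.ProcessName -match $RogueProcessPattern } |
        Select-Object Id, ProcessName, Path
}

function Stop-RogueProcesses {
    # Scripted version of Task Manager "End Task". Dry run (-WhatIf) unless -Force.
    param([switch]$Force)
    Find-RogueProcesses | ForEach-Object { Stop-Process -Id $_.Id -WhatIf:(-not $Force) }
}

function Find-RogueRunEntries {
    $runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            if ($RogueRunNames -contains $p.Name -or
                "$($p.Value)" -match 'Antivirus 2009|av2009|Antvrs\.exe|ieupdates') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

function Find-RogueRegistryKeys {
    # Whole keys named in the post: vendor keys, the numeric key, the CLSID, the BHO.
    @('HKLM:\SOFTWARE\Antivirus',
      'HKCU:\Software\Antivirus',
      'HKCU:\Software\75319611769193918898704537500611',
      "Registry::HKEY_CLASSES_ROOT\CLSID\$RogueClsid",
      "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$RogueClsid"
    ) | Where-Object { Test-Path -LiteralPath $_ }
}

function Find-RogueFiles {
    $RoguePaths | Where-Object { Test-Path -LiteralPath $_ } |
        ForEach-Object { Get-Item -LiteralPath $_ -Force }
}

function Find-CachedRogueFiles {
    # The post's wininet.dll / winsrc[1].dll copies sit under the IE cache; the
    # Content.IE5 subfolder name differs per machine, so search by file name.
    $cache = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files'
    if (Test-Path -LiteralPath $cache) {
        Get-ChildItem -LiteralPath $cache -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(wininet|winsrc|av2009)' }
    }
}

function Test-SystemDllSignatures {
    # shlwapi.dll and wininet.dll are also genuine Windows components, so the
    # system32 copies are checked, never deleted: Microsoft-signed means the real
    # file; anything else deserves a closer look.
    foreach ($name in 'shlwapi.dll', 'wininet.dll') {
        $path = Join-Path $env:SystemRoot "system32\$name"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        [pscustomobject]@{ File = $path; Status = $sig.Status; Signer = $signer }
    }
}

# Report (read-only). Run this file directly, or dot-source it and call the functions.
'== Rogue processes running =='; Find-RogueProcesses | Format-Table -AutoSize
'== Run-key entries =='; Find-RogueRunEntries | Format-Table -AutoSize
'== Registry keys present =='; Find-RogueRegistryKeys
'== Files present =='; Find-RogueFiles | Select-Object -ExpandProperty FullName
'== IE cache hits =='; Find-CachedRogueFiles | Select-Object -ExpandProperty FullName
'== system32 DLL signatures =='; Test-SystemDllSignatures | Format-Table -AutoSize
```

Run it from Safe Mode as the post suggests, so the rogue process is less likely to be running and re-creating its entries while you look. Stop-RogueProcesses only shows what it would do until called with -Force, which is the scripted equivalent of step 9's End Task; the report is meant to be compared against the lists above before anything is removed by hand.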



Conclusion.

I have never been infected with this program, though I have encountered it through various search engines and other rogue-like applications. My course of action has always been my friend the Task Manager. Get to know it. Plus I am a heavy Firefox user, and with that "NoScript" is usually installed.

As can be seen from the steps, it's better to nip these culprits before they even enter the gate: "NoScript", or a good antivirus with a toolbar (which warns of bad sites in search engine results). WOT is good and should be installed.

Next is some smarts in how to act with these crooks: stopping them at the door with the Task Manager, or, if you are uncertain, having your system just plain outright shut down (a good process for the novice). As always, instruct your family and loved ones about all these people. Awareness is a good defense.

Stopping them is far better than trying to remove them. But remember, the protection is only as good as the person using it. The best locks don't work if they aren't used right. Firewalls and antivirus protections are good, but we must still exercise some defense and be educated about what the crooks out there do and their techniques, because you, the operator, can let the crooks through your defenses.

It should be noted, according to the FTC (and it's a good read):

"At the request of the Federal Trade Commission, a U.S. district court has issued a temporary halt to a massive "scareware" scheme, which falsely claimed that scans had detected viruses, spyware, and illegal pornography on consumers' computers. According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus. The court also froze the assets of those responsible for the scheme, to preserve the possibility of providing consumers with monetary redress."

But this isn't going to stop similar events from happening, or from other countries. As an internet traveller, be on your toes.

