Security tool fake-AV
Hi all,
Well, today a staff member handed me their laptop to have a look at (a Toshiba something with Vista HP on it); it was infected with the Security Tool fake antivirus product. I am always really impressed with these types of infections: they are very well written and can be a complete headache for anyone to try and remove. Usually access to the command prompt and Task Manager is disabled, and the code is buried in all sorts of places so malware products find it tricky to remove; a reboot later and there it is, still well and truly stuck on your computer.
Now the extra problem with this laptop is that it had never had any antivirus product installed on it and, of course, also had various P2P clients installed, which is obviously just asking for trouble.
The fix for this one was simple, as I was fairly sure that the infection must have been recent: Security Tool is fairly prominent on an infected machine and generally causes a nuisance.
All I did was roll back to the last system restore point (type “system restore” into Vista’s search function; this will work for any OS from XP upwards) and voilà, it was gone. Next I installed the Comodo Internet Security suite (free firewall and AV product, www.comodo.com). I then disabled the System Restore feature and rebooted the laptop so it removed the system restore backups (as viruses and trojans can reside in these locations and antivirus products cannot remove them, although they are generally only a risk if you use System Restore to revert to a point where the viruses reside).
A quick reboot later I began a full AV scan with Comodo, and also installed Malwarebytes (http://www.malwarebytes.org/) and ran that; both came up clear. Several reboots after that, Security Tool has not reappeared, so all now seems to be well. Then I re-enabled the System Restore feature.
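The System Restore part of that cleanup, scripted as an added example (this is not from the original post). It assumes Windows PowerShell 2.0 or later, which ships the built-in System Restore cmdlets used here; the function names, the drive letter and the checkpoint description are my own choices.

```powershell
# Added example (not from the original post): the System Restore steps of the
# cleanup above, scripted. Assumes Windows PowerShell 2.0 or later (for the
# *-ComputerRestore cmdlets), system drive C:, and an elevated prompt.

$SystemDrive = "C:\"

function Show-RestorePoints {
    # Step 1: list what is available so you can confirm a point predates the infection.
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description,
            @{ Name = "Created"; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Format-Table -AutoSize
}

function Invoke-RollbackToLatest {
    # Step 2: roll back to the most recent point (the post does this through the GUI).
    # Restore-Computer reboots the machine, so nothing after it runs in this session.
    $latest = Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
    Restore-Computer -RestorePoint $latest.SequenceNumber -Confirm
}

function Clear-RestorePoints {
    # Step 3 (after the reboot and after installing the AV): switching System Restore
    # off discards the stored restore points, which is the post's reason for doing it:
    # anything the malware left in those backups goes with them.
    Disable-ComputerRestore -Drive $SystemDrive
    Restart-Computer -Confirm
}

function Resume-SystemRestore {
    # Step 4 (after the scans come back clean): turn the feature back on and take a
    # known-clean checkpoint so there is something safe to revert to next time.
    Enable-ComputerRestore -Drive $SystemDrive
    Checkpoint-Computer -Description "Post-cleanup, AV installed, scans clean" -RestorePointType "MODIFY_SETTINGS"
}

# Usage, one phase per session because two of the steps reboot the machine:
#   Show-RestorePoints; Invoke-RollbackToLatest   # session 1
#   Clear-RestorePoints                           # session 2, AV installed
#   Resume-SystemRestore                          # session 3, after clean scans
```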
The laptop can now be handed back to the staff member with a scathing reminder to: not use P2P services, have and use AV products, never do general browsing as administrator, and treat UAC prompts whilst browsing with a very high amount of suspicion.
These types of events always take me back to my first IT job, working for a repair workshop. I mostly repaired home users’ PCs, and they would phone up saying “my machine’s all messed up and doing weird things”. “OK,” I’d say, “you’ve got AV, haven’t you?” “Yes, of course I have.” “OK, you’d better bring it in then.”
80% of the time you could bet that they had Norton or McAfee installed and it was a year or two out of date at least. Then you go down the “well, I take it you’ve got a backup of all your work” (blink) blank-stare fiasco.
Ahh, lovely!