Jump to content

Top Security fake AV


EPPack

Recommended Posts

Before I continue, I got out of this nasty pickle by doing a full system restore, so I'm back in business, but I want to verify that this was what I had, and if there's any better way to deal with it.

When I got home last night I found out that my hubby, who is not very technical, had been googling for work purposes (yes, I believe him :P and probably ran into one of those poisoned links that open you to the badboys. Turns out the machine (XP Pro SP3) had a blue screen, and when I rebooted, it came up more or less OK, up to a point. It then started running the Top Security scan (scam!). I've seen this before, if not this particular variety, but what was bad this time is that it had completely disabled my Task Manager, and would not run ANYTHING at all, nada. Couldn't even do a Ctr-Alt-Del, said "task manager has been disabled by Administrator". I couldn't bring it up in safe mode, nor do anything at all in my formidable arsenal to try to get rid of this nasty. It either hijacked or was showing a desktop background (or a screen that looked like that) filled with ads and scares telling me to basically pay for a fix. You all know that drill.

From what I've seen here, I believe this is a variety of the fake Antivirus Pro etc ilk, but as noted, I hadn't seen it to completely shut down everything. Thank god I do a full system backup (to a different drive) via Acronis, and I was able to restore everything back to normal, but does this sound "typical" for this rogue AV? Other than restoring, is there any way to fix this? If you can't RUN anything, what can you do?

<sigh> the badboys are winning :)

Thanks

elaine

charlottesville, va

Link to post
Share on other sites

There are always ways to deal with this, even though nothing appears to work. The forums are full with similar issues here. In most cases, renaming the file helps though.

Understood, and normally that's what I would have immediately done if I could have stopped the bogus scan, but unfortunately I couldn't find the file in question that was causing this. It was probably running out of tmp files, not sure, and there were a number of them out there, but many of them are locked as they are in use, and my unlocker tool wouldn't run either. About the only things I could do was run windows explorer in a sortof abbreviated mode, and I could shut down/restart the system. Everything else was disabled. In the past, I had discovered on a friend's machine that had been hit, I could fake it out by opening the Malwarebytes executable in IE and it would run so I could kill the beastie, but this time couldn't even do that, no browser either.

When it wouldn't boot in safe mode (which may or may not have been another effect of this thing, dunno) that's when I threw in the towel and restored the system. I had pretty much run out of other ideas ;) I'm all for learning other options tho, if I get hit again.

Thanks!

elaine

Link to post
Share on other sites

  • Staff

Hi,

Another tactic being used by malware is, they use an own "whitelist" of allowed programs and block the rest. Windows System files are on their own whitelist as well (otherwise there would be problems), so in such cases, you can have luck when you rename the file that won't run to iexplore.exe, winlogon.exe etc... ;)

Link to post
Share on other sites

Another tactic being used by malware is, they use an own "whitelist" of allowed programs and block the rest. Windows System files are on their own whitelist as well (otherwise there would be problems), so in such cases, you can have luck when you rename the file that won't run to iexplore.exe, winlogon.exe etc... ;)

Hmm, interesting idea! explorer.exe would be a good one to use since that was about all that would run. Thanks!

*Hopefully* this particular nasty won't hit again, but I will definitely remember this tip.

elaine

Link to post
Share on other sites

  • Staff
*Hopefully* this particular nasty won't hit again, but I will definitely remember this tip.
Prevention is the best teacher, so Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! ;)

Link to post
Share on other sites

Prevention is the best teacher, so Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! ;)

Fervently agreed! I've got a TON of utilities I run to protect myself (and no, I'm not saying they are stepping on each other :o I've been a computer professional since 1970, and with PCs pretty much since they started, but this is believe it or not (and knock wood!) the first time EVER I've been hit this hard, and been forced to restore. The BEST utility I run is the simplest, the little startup monitor from Mike Lin http://www.mlin.net/StartupMonitor.shtml It can be annoying because it flags on everything, including what you WANT to install, but if it flags and I'm NOT installing something, i.e., something has hit, it has saved my skin big time many times over the years by letting me know about it in time to prevent damage. In this case, unfortunately it was my technology-challenged hubby who was at the keyboard, and in his defense, it may not have tried to install itself in any conventional way, who knows? He knows about the StartupMonitor flagging and what to do, but it may not have triggered that, who knows?

But I will certainly check out your site (and I run Secunia regularly too)! Again, many thanks!

elaine

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.