- ...as soon as you notice the annoying pop-ups and the fake, suspicious-looking Security Centre warnings, restart your system and boot it into "Safe Mode with Networking". On most laptops you need to press/hold F8 during start-up to get the screen from which to choose Safe Mode...
- ...the problem usually is that the spyware de-associates .exe files, so you won't be able to start any programs, such as the command line, regedit or even a browser (the browser's start-up page and proxy settings are also changed, so be careful to fix your browser settings afterwards). If you are lucky, Safe Mode will prevent the spyware from running, but in my case Safe Mode didn't help. There is, however, a surprisingly simple trick: if you have several accounts on your XP system and usually use only one of them, log in to the one you use rarely or never (quite often this is the Administrator account); if you are lucky, it turns out that the fake anti-virus has not infected that user account!
- ...I was lucky that my Admin user account wasn't infected, and from there I was able to look for the process manually in Windows Task Manager, search my system for the corresponding files and delete them by hand [be careful not to delete system files; most likely you will also have to enable the viewing of hidden and system files under Windows XP].
- ...in Safe Mode I was also able to run the following tools: Malwarebytes, Spybot Search & Destroy and SUPERAntiSpyware. The reason for using "Safe Mode with Networking" is that you can connect to the internet to update to the latest anti-spyware/anti-virus definition files. If a connection to the internet cannot be established, make sure to install the latest versions of the tools; for Spybot Search & Destroy you can install the latest definition files separately, which is very handy. Run all the tools in sequence, rebooting back into Safe Mode between each run [this is important!!]. Each tool found different components of the spyware, and together they removed most of it. This will take a lot of time, as each scan can take well over an hour (I tend to set the process priority of the scan to "Real Time", as the OS scheduler then allocates more CPU time to the process and the scan runs quicker).
- ...once I was relatively sure the system was clean, I ran the most thorough scan SUPERAntiSpyware offers once more; this detected a few more issues, and only when I was pretty sure the system was clean did I boot Windows XP normally.
You might be done now, but in my case my .exe file associations were still broken (the devastation the fake anti-virus left behind). To fix this you can manually edit the registry, download registry entries to merge into your registry, or simply run a tool for XP, which is what I did this time, and it worked like a treat.
I recommend you also do your own research, I found many useful articles online, such as this one, and depending on the version of spyware/anti-virus you might need to take a slightly different approach. Good luck!
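Added example, not part of the original post: a PowerShell script that checks the two registry keys behind the broken .exe association described above (and the proxy setting the post says these infections change), reporting anything that deviates and restoring the association only when asked. It assumes it is run from an uninfected administrator account, and that the stock XP defaults listed in it are correct for your machine (verify against a known-clean system).

```powershell
param([switch]$Repair)

# Known-good defaults on a stock Windows XP install (assumption: confirm on a
# clean machine). A hijack usually replaces "%1" with the path of the rogue exe.
$expected = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                      Value = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Value = '"%1" %*' }
)

function Get-DefaultValue([string]$Path) {
    # Return the key's (default) value, or $null if the key or value is missing.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item) { $item.'(default)' } else { $null }
}

$broken = 0
foreach ($e in $expected) {
    $actual = Get-DefaultValue $e.Path
    if ($actual -eq $e.Value) {
        Write-Host "OK       $($e.Path) = $actual"
        continue
    }
    $broken++
    Write-Host "TAMPERED $($e.Path)"
    Write-Host "         expected: $($e.Value)"
    Write-Host "         actual:   $actual"   # a bogus path here tells you what to look for in Task Manager
    if ($Repair) {
        if (-not (Test-Path $e.Path)) { New-Item -Path $e.Path -Force | Out-Null }
        Set-ItemProperty -Path $e.Path -Name '(default)' -Value $e.Value
        Write-Host "         restored default value"
    }
}

# The post notes that the browser proxy settings get changed too. Report only:
# a proxy may be legitimate, so the decision to remove it stays with the operator.
$inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
if ($inet -and $inet.ProxyEnable -eq 1) {
    Write-Host "NOTE     proxy enabled: $($inet.ProxyServer)  (disable it in Internet Options if you did not set it)"
}

if ($broken -eq 0)       { Write-Host 'File associations look intact.' }
elseif (-not $Repair)    { Write-Host 'Re-run with -Repair to restore the defaults.' }
```

Because a hijacked association may stop powershell.exe itself from launching, run it from the uninfected account the post describes, or from Safe Mode.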
I just received a little bit of extra advice... "ComboFix, CCleaner. ComboFix usually fixes registry issues and CCleaner just does a little tidy-up of your history, cookies etc. to remove anything lingering." I've done this now too on my machine.
The system was already cleaned, so I'm not quite sure if it did much, but I'm still pretty sure it didn't damage it either :-)
Unbelievably, my netbook caught a similar fake anti-virus virus just a week later... This one was somewhat harder to get rid of, but a combination of several-hour scans run from an uninfected back-up account found and deleted the virus.
I also came across this article; it shows that at least law enforcement in some countries is doing something against these criminal virus distributors: http://www.bbc.co.uk/news/technology-13078297
So how do viruses / rogue-ware get onto a laptop / PC simply by going to a page, without actually clicking on or interacting with it...?
Well, I searched around for 10 minutes on Wikipedia and found out that this is called a "drive-by download" or "drive-by installation", and it is not too hard to implement from a coding point of view :-(
Two ways to do this:
- all major web browsers request a favicon from a web page. If this file does not exist, a custom HTTP 404 (not found) page can download a trojan horse
- Windows Metafile vulnerability: located in gdi32.dll, it arises from the way in which Windows operating systems handle Windows Metafile (WMF) vector images, and permits arbitrary code to be executed on affected computers without the knowledge or permission of their users
[1] http://en.wikipedia.org/wiki/Drive-by_download
[2] http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability