Fake Antivirus Software Uses Ransom Threats


  1. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #1



    The most prevalent malware variant during August was TotalSecurity W32/FakeAlert.LU!tr, a malicious program that masquerades as antivirus software in order to sell worthless licenses for non-existent malware. On its own it accounted for 37.3 percent of all malware threats detected by the company during the month.

    Unlike standard fake antivirus programs, however, the new version of TotalSecurity takes the ruse a stage further by preventing any applications other than a web browser to run, claiming they are "infected." The user is invited to have the infection cleaned by buying the bogus TotalSecurity product.
    Read More:

    Fake Antivirus Software Uses Ransom Threats - PCWorld


  2. Posts : 1,519
    El Capitan / Windows 10
       #2

    Used to be I could fix these without even having my keyring usb drive with me (rare occasion that is!) by tapping F8 while starting up, selecting Safe Mode with Networking, resetting IE, proxy and hosts file and downloading Malwarebytes. Anymore, Malwarebytes is not catching many of these as they are polymorphing, encrypting or obfuscating (or all three!) and the only sure way to clean up is to boot the computer from USB into my custom WinPE or Ubuntu environment provided that's possible on the hardware. If that doesn't work I take it back to the shop to plug the drive into a bench system for cleaning. If that's not an option I do it manually by running http://live.sysinternals.com/autoruns.exe. What a lifesaver -- that little cache of utilities runs right from the webpage and since the apps run from the browser cache, none of the malware has figured out how to block it. I can get signatures on all the startup code for all user and service accounts and even launch a websearch for unfamiliar items right from autoruns. Usually that and malwarebytes gets the computer clean enough for a standard boot and thorough scan with Security Essentials, which just keeps getting better and better. The current beta is smaller, faster and lower overhead while catching more malware earlier.

    It's a love/hate relationship with this malware stuff -- you kind of have to respect it, I enjoy fighting it and I could not make a living without cleaning it up but it's still evil and the average Joe absolutely hates it and hates me if I clean the computer, install MSSE and he gets infected again because his rugrats click ignore...


  3. Posts : 465
    Windows 7 Ultimate x64 and Home Premium x64
       #3

    Actually, this sounds exactly like the variant I mentioned in another thread. I lumped it in with Conficker, 'cause it was the same ruse.

    There is a way to do it without using a USB key; however, it requires you to have a local account that has not been logged into, as this version hits the Hkey Root branch to set up .exe to run through the malware. Once you remove the programs from the system (usually hiding through the Attrib +SH method in some random system folder location) you can then go back into the 'infected' account on the machine and run a scanner (after it forces you to find the application) to clean up the registry entries.

    It's more work than a USB cleanup, but an option when you don't have the ability to do so or know how to do it.
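    A defender-side check for the .exe-association hijack described in the post above, written as an added PowerShell example (not code from this thread or any poster): it reads the .exe ProgID and the exefile open command from the machine-wide and per-user Classes keys and flags anything that differs from the stock values. The stock values and the exact keys are my assumptions about this variant; the post only says the "Hkey Root branch".

```powershell
# Added example: detect a redirected .exe file association.
# Assumed clean defaults: ".exe" ProgID = "exefile",
# exefile\shell\open\command = "%1" %*, and no per-user override at all.
# HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes,
# so the per-user hive is checked on its own: a hijack living there is why
# a local account that has never logged on still runs programs normally.

function Get-DefaultValue {
    param([string]$Path)
    $item = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }      # key does not exist
    return $item.'(default)'                   # $null if no default value
}

$checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                                         Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command';                   Expected = '"%1" %*' },
    @{ Path = 'Registry::HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command'; Expected = '"%1" %*' },
    # Per-user overrides: on a clean profile these keys normally do not exist.
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\.exe';                        Expected = $null },
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command';  Expected = $null }
)

$findings = foreach ($c in $checks) {
    $actual = Get-DefaultValue -Path $c.Path
    [pscustomobject]@{
        Path     = $c.Path
        Expected = if ($null -eq $c.Expected) { '<absent>' } else { $c.Expected }
        Actual   = if ($null -eq $actual)     { '<absent>' } else { $actual }
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'SUSPECT' }
    }
}

$findings | Format-Table -AutoSize

# A SUSPECT command line normally names the loader executable; that path is
# the file to locate (it may carry the +S +H attributes the post mentions)
# before the default values are restored.
```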


  4. Posts : 8,608
    Windows 7 Ultimate 32bit SP1
       #4

    http://live.sysinternals.com/autoruns.exe. What a lifesaver -- that little cache of utilities runs right from the webpage and since the apps run from the browser cache, none of the malware has figured out how to block it.
    Excellent little app!


  5. Posts : 2,303
    Windows 7 & Windows Vista Ultimate
       #5

    Bleeping Computer has had instructions for removing Total Security for some time: How to remove Total Security (Uninstall Guide).


  6. Posts : 1,519
    El Capitan / Windows 10
       #6

    Corrine said:
    Bleeping Computer has had instructions for removing Total Security for some time: How to remove Total Security (Uninstall Guide).
    That's great when it's exactly that malware, that variant and the only malware instance. Anymore, with all the polymorphism, infection helpers, droppers and whatnot, just removing one startup item is not enough.


  7. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
    Thread Starter
       #7

    Actually, sysinternals has a LOT of useful tools.

    Windows Sysinternals: Documentation, downloads and additional resources

    Explore the site sometime. Good software and it's free to boot.

    File and Disk Utilities
    Networking Utilities
    Process Utilities
    Security Utilities
    System Information Utilities
    Miscellaneous Utilities

    FIVE FAVORITE SYSINTERNALS TOOLS AND WHAT THEY DO
    Derek Schauland lists his favorite Sysinternals tools -- the ones he uses the most often -- and shows what each of them does.
    Five favorite Sysinternals tools and what they do | Network Administrator | TechRepublic.com


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.