Solved Infection by fake AV virus

[gregrocker]

Visiting a friend who is massively infected by fake AV scan. All of his files are hidden and nothing will run. I just ran bootable Windows Defender Offline which appears to have found nothing. System Restore is infected back a few days although there are more points to go back further. Any advice on where to go from here?

I have ComboFix and Unhide programs but don't know how to install them when it's locked up like this.

It's Vista so I'm inclined not to spend much time before copying out data to wipe and install Win7.

Toshiba Satellite AMD 2gh 2 gb RAM

 

[pparks1]

Microsoft stand-alone security scanner and malware bytes...is what I would use if it were a friends machine and they wanted it saved.

If it were my machine, without question, a format and reinstall would be in order.

 

[kegobeer]

Greg, I'm with you and Parks on this one - copy what you can and nuke it.

 

[gregrocker]

Isn't MS Standalone is now Windows Defender? Found nothing, lame as ever.

Can't get into Safe Mode or run mbam.exe from New Task in Task Mgr (Not Found).

Yeah inclined to copy out files using 7 DVD, wipe and install 7. With help from here a few weeks ago I cleaned up one of these but it took twice the time to reinstall and he wants 7 anyway and has ready cash.

Thats two friends in a month infected with Fake AV running MSE. Time to upgrade? What AV do you recommend to catch these, or can they be caught?

Thanks.

 

[kegobeer]

These kinds of attacks are hard to defend against, because the user allows the rogue app access. Once that happens, there's not much to do except try to recover the important data and start all over again. As always, education is the key to preventing this kind of attack.

Personally I'd keep recommending MSE, and recommending the user enables automatic updates so MSE definition and engine updates are installed every day.

 

[profdlp]

The last time my dingaling housemate got her computer infected it was SUPERAntispyware that did a better job than either MSE or MWB. I like both of those, but SUPER seems to be the one with a leg up on this type of problem.

 

[gregrocker]

Update: System Restore will not work at all. I cannot run any .exe from Task Manager. The files are still hidden in boot mode when trying to copy out using the DVD, Repair CD or Paragon Rescue.

I've now gotten explorer.exe to open my flash stick from Task Manager in Safe Mode. Am running RKill, ComboFix and MBAM quick scan. If it cleans up enough I'll run Unhide. I just need to get his files off of desktop which I can do from Win7 DVD if they'll Unhide.

 

[kegobeer]

I'd remove the drive and slave it into another computer, and see if you can access the files that way.

 

[gregrocker]

OK. Malwarebytes and Combofix in Safe Mode have cleaned it up enough to get in Control Panel>Folder Options and Unhide files. They are all there. I'm running Unhide now to make double sure then will copy out his files, wipe and Reinstall.

Thanks all. Just a bit of a scare when I couldn't see them in Win7 DVD explorer or Paragon Rescue CD. Didn't think they'd be hidden there for some reason.

 

[gregrocker]

Now hanging on BIOS screen, won't F2 to enter Setup or F12 to boot DVD or flash stick, but has booted into Windows once. Feels hot so I am cooling it down now.

 

[F5ing]

How in the heck did it get so hot? Sounds like you might have to clear out CMOS. May have to use a bootable CD/DVD/UFD to recover the data.

 

[Golden]

Greg,

If you're still having trouble booting into Windows and need to recover data off the disk/s prior to clean install, I recommend this to a bootable CD/USB:

https://www.f-secure.com/en/web/labs_global/removal/rescue-cd

Regards,
Golden

 

[gregrocker]

The BIOS splash screen just sat there for minutes ignoring all hotkeys then would to boot into Vista.

I finally got GWScan (WD Diagnostics) to autostart to wipe the HD, thinking this would force autostart the 7 installer. But 7 DVD or stick wouldn't start so I popped in 8 DVD which did start, installed, then I installed 7 over it.

What was apparently needed was a BIOS update because as soon as I installed that from Windows the BIOS screen just zipped by. Seven runs great on it with every driver in installer and updated via Updates.. Just finishing it now.

 

[boohbah]

another notch in your bedpost greg ,well done

 

[gregrocker]

Thanks everyone.

I'm leaving him with MSE and strong warnings about looking for MS insignia on any pop-ups warning of infection.

 

[Jacee]

Isn't MS Standalone is now Windows Defender? Found nothing, lame as ever.

Can't get into Safe Mode or run mbam.exe from New Task in Task Mgr (Not Found).

Yeah inclined to copy out files using 7 DVD, wipe and install 7. With help from here a few weeks ago I cleaned up one of these but it took twice the time to reinstall and he wants 7 anyway and has ready cash.

Thats two friends in a month infected with Fake AV running MSE. Time to upgrade? What AV do you recommend to catch these, or can they be caught?

Thanks.

Greg, if you have the time to read this, you might find it interesting
https://community.qualys.com/blogs/securitylabs/tags/malware

In typical malware fashion it looks for common security software and disables their function, once it has successfully infiltrated the machine. Then it connects to its command & control server to wait for instructions and receive software updates.

Malicious code embedded on an unprotected website, is just waiting for the next computer with outdated software (java/ Adobe, etc) to land in it's trap.

 

[gregrocker]

So as Kegger said earlier, the first line defense is education to always look for MSE or Windows insignia on these Virus Scan popups? If none or even suspect, then shut down machine to close the internet connection?

Run the Secunia Software updater to make sure there are no holes? http://secunia.com/vulnerability_scanning/online/

This is what has worked for chronics like my Dad, my roommate and now hopefully this latest victim.