  1. #1
    3 Star Lounger

    Scareware or not

    I recently had to use Microsoft recovery to eliminate a virus I picked up.
    Since then a program called "Vista Total Security" keeps popping up telling me I have several virus problems. They want me to register to remove the problems.

    I do have CCleaner and Spybot Search and Destroy, which should have cleared any spyware.

    Is this program a part of Microsoft or just look-alike scareware?

    Any recommendations?

    Thanks,
    Richard Spring

  2. #2
    Super Moderator CLiNT
    No, it's not part of Microsoft; it's scareware.
    Removal instructions from BleepingComputer.com

  3. #3
    Lounge VIP
    If the fake alert appeared after a virus infection, you may also have a rootkit that Malwarebytes is often unable to remove. It is worth the extra 5 minutes scanning with Kaspersky TDSSKiller.

    One of the best ways I've found to overcome these fake alerts is to use the following process:


    • Boot the affected machine into Safe Mode Without Networking.

    • Run Kaspersky TDSSKiller.

    • Run a System Restore to a time before the infection. This will require a reboot, and it's important to re-enter Safe Mode Without Networking to complete the Restore.

    • Run Autoruns and remove any rogue or fake antivirus remaining.

    • Run Malwarebytes Anti-Malware, removing anything it finds.

    • Finally, boot into normal mode and re-run Malwarebytes, this time updating the program.

    I've seen dozens of these fake alerts on client machines and the above technique has worked every time.

    Whichever way you clean up: afterwards you should ensure your AV program is fully up to date, but also make sure your Adobe Flash Player, Adobe Reader and Java are fully patched. Particularly important is Flash Player, as many of these fake alerts arrive via poisoned animated adverts on websites that require no user interaction to launch the attack. Also consider the use of ad-blocking add-ons in your browser such as Adblock Plus.

    Some of these fake alerts run a script that changes the hidden file attribute on the contents of your documents and pictures folders, making it appear they have been removed. It's tedious in the extreme to reset that attribute on every file, so if it has occurred, you could select the show hidden files and folders option.
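    One way to undo the hidden-attribute trick described in the last paragraph, as an added example that is not part of the original post: a PowerShell script (assumed to be run from the affected user's account after the clean-up above) that clears the Hidden attribute on everything under Documents and Pictures, leaving items Windows itself marks System (such as desktop.ini) alone.

```powershell
# Added example, not from the thread: clear the Hidden attribute that some
# fake-AV trojans set on every file and folder under the user's Documents and
# Pictures folders. Assumes those items were hidden by the malware, not by the
# user. Run with -Preview first to list what would change without touching it.
param(
    [string[]]$Folders = @(
        [Environment]::GetFolderPath('MyDocuments'),
        [Environment]::GetFolderPath('MyPictures')
    ),
    [switch]$Preview
)

$hiddenFlag = [IO.FileAttributes]::Hidden
$systemFlag = [IO.FileAttributes]::System
$fixed = 0

foreach ($folder in $Folders) {
    if (-not (Test-Path -LiteralPath $folder)) { continue }

    # -Force is required, otherwise Get-ChildItem skips hidden items entirely.
    # Directories are included so hidden folders get unhidden as well.
    $hiddenItems = Get-ChildItem -LiteralPath $folder -Recurse -Force |
        Where-Object {
            (($_.Attributes -band $hiddenFlag) -ne 0) -and
            (($_.Attributes -band $systemFlag) -eq 0)   # skip system-hidden entries
        }

    foreach ($item in $hiddenItems) {
        if ($Preview) {
            Write-Host "Would unhide: $($item.FullName)"
        } else {
            # Hidden bit is known to be set here, so XOR clears exactly that bit.
            $item.Attributes = $item.Attributes -bxor $hiddenFlag
            $fixed++
        }
    }
}

if ($Preview) {
    Write-Host "Preview only; no attributes changed."
} else {
    Write-Host "Cleared the Hidden attribute on $fixed item(s)."
}
```

    Because it uses only built-in cmdlets, it runs fine in Safe Mode Without Networking.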

  4. The Following User Says Thank You to Tinto Tech For This Useful Post:

    Medico (2011-05-20)

  5. #4
    Plutonium Lounger Medico
    Tinto, very good explanation, easy to follow. Thanks. This will hopefully help many others with this problem. I, with your permission of course, will be copying these steps to a notepad file and placing them on a flash for future use. Thanks again.

    Ted

    p.s. I would assume this same procedure will work on Win 7 as well.

  6. #5
    Lounge VIP
    Quote Originally Posted by Ted Myers:
    Tinto, very good explanation, easy to follow. Thanks. This will hopefully help many others with this problem. I, with your permission of course, will be copying these steps to a notepad file and placing them on a flash for future use. Thanks again.

    Ted

    p.s. I would assume this same procedure will work on Win 7 as well.
    You're very welcome Ted. By all means keep a copy to hand. Hopefully you'll never need it!

    The key is to stop the trojan before it can launch the attack and that's where Safe mode without networking comes in. When in Safe mode without networking, all instances of the problem that I have come across have not been active, allowing you to use the cleanup and removal tools.

    There are programs, such as rkill, that can be used to disrupt the trojan without using Safe Mode Without Networking, but I have had mixed results with this: when active, some variants are clever enough to stop the rkill, mbam and other processes.


    Oh, and yes, the process applies across XP through Vista to Win7.

  7. #6
    Super Moderator jwitalka
    Ran across one case where the trojan was active in Safe Mode and it killed explorer.exe as well, so there was no access to Start, preventing you from running any programs! Had to invoke Task Manager, go to the Services tab and kill the trojan process. Then I was able to start Explorer and clean the PC.

    Jerry

  8. The Following User Says Thank You to jwitalka For This Useful Post:

    Tinto Tech (2011-05-21)

  9. #7
    Lounge VIP
    Quote Originally Posted by jwitalka:
    Ran across one case where the trojan was active in Safe Mode and it killed explorer.exe as well, so there was no access to Start, preventing you from running any programs! Had to invoke Task Manager, go to the Services tab and kill the trojan process. Then I was able to start Explorer and clean the PC.

    Jerry
    Good tip Jerry!

    I've seen it in Safe Mode too, but never in Safe Mode Without Networking. However, these things are moving targets and could easily have variants that are active in without-networking mode by now.

    Thanks!

  10. #8
    3 Star Lounger
    Thank you one and all.
    Great information on what appears to be a common problem.

    Once again, thank you....
    Richard Spring
