400,000 PCs Infected With Fake "Antivirus 2009"
nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."
Yep, got called round to my brother's house to fix his computer cos it had this stuff on it.
I don't know exactly what it was supposed to be doing; the computer would boot up into WinXP and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now, I should have just unplugged the network cable to see if that stopped the computer freezing).
Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).
I should have brought round an Ubuntu live CD with me.
nobody I know actually uses MSRT
You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.
On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...
Breakfast served all day!
Try this instead.
1. Run Hijackthis and look for any suspicious startup entries. Even the average computer user will be able to rule out most entries as things they recognize, meaning you won't have to google more than a handful, which will probably take 5-10 minutes at the most.
2. Install Unlocker. http://ccollomb.free.fr/unlocker/
3. Browse to locations of files linked to by suspicious startup entries. Check date created.
4. Go to Windows directory, sort files by date, google suspicious files found since above date. Remove files confirmed to be malware or files for which you cannot find any information. (If you can't find any info on them, they're either randomly generated malware names, or malware too new to show up yet in a search.)
5. Do the same in Windows\System32.
6. Run a system cleanup to delete all Temp files and Temporary Internet Files.
7. Now delete the original malware folder.
8. Delete the startup entries with Hijackthis.
9. Restart computer. Should be clean.
The best part is, this will work with virtually *any* malware infection, and will generally catch things that even Malwarebytes misses.
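As an added example (not from the original comment, and nothing to do with Hijackthis or Unlocker), here is a PowerShell script that automates the look-up half of steps 1-4 above: it resolves each Run/RunOnce autostart entry to the file it launches, then lists files created recently under %SystemRoot% and System32, adding the Authenticode status and SHA-256 of each so they can be checked without executing them. It only reports; it deletes nothing. Assumed: Windows PowerShell 5.1 from an elevated prompt, and the 14-day cutoff in `$Since` is a constructed placeholder to adjust to the infection date.

```powershell
# Added example, not from the original post: read-only triage for steps 1-4.
# Assumes Windows PowerShell 5.1, elevated; $Since is a constructed placeholder cutoff.
$Since   = (Get-Date).AddDays(-14)
$RunKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

# Steps 1-2: autostart entries resolved to the file they launch, with creation
# date and Authenticode status (unsigned + recently created = look closer).
function Get-AutostartEntry {
  foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
             Where-Object { $_.Name -notlike 'PS*' }   # drop provider metadata
    foreach ($p in $props) {
      $cmd = [string]$p.Value
      if (-not $cmd) { continue }
      # Executable is the quoted token, or else the first whitespace-separated token.
      $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
      $exe = [Environment]::ExpandEnvironmentVariables($exe)
      $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
      [pscustomobject]@{
        Key     = $key
        Name    = $p.Name
        Path    = $exe
        Exists  = [bool]$file
        Created = if ($file) { $file.CreationTime } else { $null }
        Signed  = if ($file) { (Get-AuthenticodeSignature $file.FullName).Status } else { 'n/a' }
      }
    }
  }
}

# Steps 3-4: files in %SystemRoot% and System32 created after the cutoff,
# hashed so they can be looked up without running or uploading the file itself.
function Get-RecentSystemFile {
  foreach ($dir in "$env:SystemRoot", "$env:SystemRoot\System32") {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
      Where-Object { $_.CreationTime -gt $Since } |
      ForEach-Object {
        [pscustomobject]@{
          Path    = $_.FullName
          Created = $_.CreationTime
          Signed  = (Get-AuthenticodeSignature $_.FullName).Status
          SHA256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
      }
  }
}

Get-AutostartEntry   | Format-Table -AutoSize
Get-RecentSystemFile | Sort-Object Created -Descending | Format-Table -AutoSize
```

Entries whose file does not exist, or that are unsigned and created after the cutoff, are the ones worth researching first; the script covers only the Run/RunOnce keys, so services, scheduled tasks and browser helper objects still need the Hijackthis pass described above.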
There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.