Slashdot Mirror


400,000 PCs Infected With Fake "Antivirus 2009"

nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."

8 of 353 comments

  1. Wildly annoying one. by fuzzyfuzzyfungus · · Score: 5, Insightful

    In having to do support for assorted Windows users, I've seen assorted popup/redirect stuff pushing that particular fine piece of software a lot. Most disconcertingly, it even happens to users visiting what one would think of as reputable sites, on machines with fully updated AV that reports no issues.

    I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in Windows land (poor bastards).

  2. how many users will complain about removal? by hguorbray · · Score: 5, Interesting

    I wonder how many of the clueless will complain to Microsoft that the removal tool removed software THEY HAD PAID FOR.

    IIRC, some of the malware and adware 'vendors' had EULAs that forbade users to remove their programs.

    It'll never happen, but I'd like to see one of those guys try to sue Microsoft for violating their EULA. Would Microsoft try to claim that the EULA was invalid?....

    One can always dream.

    -I'm just sayin'

  3. family tech support by EpsCylonB · · Score: 5, Informative

    Yep, got called round to my brother's house to fix his computer cos it had this stuff on it.

    I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).

    Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).

    I should have brought round an Ubuntu live CD with me.

  4. At least Zunes are safe by MrNonchalant · · Score: 5, Funny

    Thanks Microsoft for thoughtfully protecting all the Zunes from this outbreak.

  5. Re:Is this troublesome to anyone else? by Volante3192 · · Score: 5, Insightful

    Well, the reason you install these programs like Defender is so it deletes the malware for you.

    Replace Microsoft with Kaspersky, AVG or one of those other "reputable" AV vendors and ask the same question. They have just as much ability to delete a program.

  6. Re:Understating the menace. by PCM2 · · Score: 5, Informative

    nobody I know actually uses MSRT

    You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.

    On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...

    --
    Breakfast served all day!

  7. Re:Malwarebytes by Endo13 · · Score: 5, Informative

    Try this instead.

    1. Run Hijackthis and look for any suspicious startup entries. Even the average computer user will be able to rule out most entries as things they recognize, meaning you won't have to google more than a handful, which will probably take 5-10 minutes at the most.
    2. Install Unlocker. http://ccollomb.free.fr/unlocker/
    3. Browse to locations of files linked to by suspicious startup entries. Check date created.
    4. Go to Windows directory, sort files by date, google suspicious files found since above date. Remove files confirmed to be malware or files for which you cannot find any information. (If you can't find any info on them, they're either randomly generated malware names, or malware too new to show up yet in a search.)
    5. Do the same in Windows\System32.
    6. Run a system cleanup to delete all Temp files and Temporary Internet Files.
    7. Now delete the original malware folder.
    8. Delete the startup entries with Hijackthis.
    9. Restart computer. Should be clean.

    The best part is, this will work with virtually *any* malware infection, and will generally catch things that even Malwarebytes misses.

    --
    There is no -1 Disagree mod. Slashdot.org/faq defines mod options. USE IT.

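The "check date created, then sort the Windows and System32 directories by date" part of the procedure above, as an added example that is not the poster's code: a small Python script that takes the file behind a suspicious startup entry, uses its own timestamp as the pivot, and lists every file in the search directories that appeared at or after that moment, newest first. The search roots, the `triage` and `files_created_since` names and the `ts_of` hook are choices made here; the script only lists candidates for a human to look up, it deletes nothing.

```python
import sys
from datetime import datetime
from pathlib import Path

# Default search roots, assumed for a stock install; adjust to %WINDIR% on the box.
DEFAULT_ROOTS = (r"C:\Windows", r"C:\Windows\System32")


def file_timestamp(path: Path) -> float:
    """Creation time where the OS reports one (Windows st_ctime, macOS
    st_birthtime); elsewhere fall back to the modification time."""
    st = path.stat()
    if sys.platform == "win32":
        return st.st_ctime
    return getattr(st, "st_birthtime", st.st_mtime)


def files_created_since(roots, since, ts_of=file_timestamp):
    """Return [(timestamp, path)] for regular files directly under each root
    whose timestamp is at or after `since`, newest first."""
    hits = []
    for root in roots:
        try:
            entries = list(Path(root).iterdir())
        except OSError:
            continue  # missing or unreadable directory: skip it, do not abort
        for p in entries:
            try:
                if p.is_file():
                    ts = ts_of(p)
                    if ts >= since:
                        hits.append((ts, p))
            except OSError:
                continue  # locked or protected file: skip it
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


def triage(suspect_file, roots=DEFAULT_ROOTS, ts_of=file_timestamp):
    """Use the suspect file's own timestamp as the pivot date and list
    everything in the search roots that appeared at or after it."""
    pivot = ts_of(Path(suspect_file))
    return pivot, files_created_since(roots, pivot, ts_of)


if __name__ == "__main__":
    # Usage: python triage.py <file referenced by a suspicious startup entry>
    pivot, hits = triage(sys.argv[1])
    print(f"pivot: {datetime.fromtimestamp(pivot):%Y-%m-%d %H:%M:%S}")
    for ts, p in hits:
        print(f"{datetime.fromtimestamp(ts):%Y-%m-%d %H:%M:%S}  {p}")
```

Run it from an administrator prompt so protected system files are readable; anything it lists that you cannot identify is a candidate for the lookup step, not an automatic delete.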
  8. Re:The relationship between Windows 95/98 and DOS by adminstring · · Score: 5, Interesting

    Here's some fun trivia: Contrary to popular belief, Windows only rode on top of DOS through version 3.11. 95 and 98 only looked like they did, by optionally loading 16-bit legacy DOS drivers as part of the Windows startup process, and by providing both DOS VMs and an option to boot into DOS Mode (which actually was MS-DOS) for backwards compatibility with legacy DOS apps.

    This page has a pretty good overview of Windows 95 architecture, with some diagrams that show the various OS components, none of which is a full copy of DOS that has a GUI riding on top of it as found in Windows 3.11 and earlier. Instead, there is a 32-bit kernel which uses 32-bit device drivers exclusively, unless the user installs a legacy DOS driver.

    If any DOS apps are run within Windows 95, they run in their own DOS virtual machine, and if no DOS apps are running, no DOS VM is created. These VMs are similar to those in Windows NT; what is not similar to Windows NT is the ability to load DOS device drivers to support legacy hardware that had no 32-bit protected-mode driver.

    Those DOS drivers almost always ran slower than 32-bit drivers and frequently caused problems, to the extent that one of the first steps in troubleshooting a Windows 95 system was to check the autoexec.bat and config.sys for unneeded DOS drivers, or simply renaming those files to get rid of the gunk.

    If there really were a copy of DOS running underneath Windows 95, renaming autoexec.bat and config.sys would have removed all the device drivers, leaving you with no access to your CD-ROM drive due to a lack of MSCDEX.EXE, which is needed by all versions of DOS, including the "DOS Mode" of Windows 95.

    --
    My truck is like a series of tubes.