Fake Antivirus Overwhelming Scanners
ChiefMonkeyGrinder writes "Rogue or bogus programs passing themselves off as real antivirus software have been one of the malware themes of 2009, but the APWG's numbers for the first half of the year show that the organisation's members detected 485,000 samples, more than five times the total for the whole of 2008."
Adverts for these things get into legitimate sites all the time through things like AdWords; even though they're normally taken off quite sharpish, they're still there. They still cause problems and numpties do click on them. The old IBK error keeps appearing. As long as people aren't educated as to how this all works the problem will remain huge.
The problem with anti-virus is that every few years a new guy appears on the block. First it was Norton, then McAfee, then AVG, Kaspersky, and now whatever AV is the in-thing to use. There are new viruses out there all the time too, and if there's one thing that normal people are aware of it's that there are a lot of viruses out there, and that your AV doesn't give 100% protection, so when something pops up saying "You're infected! Our AV will cure it!" they're likely to believe that their current AV is defective, because clearly this one spotted it, they download it and BAM! world of trouble.
It's depressing sometimes, but gladly, I've not had to remove it from any PCs in a while. Whenever I do, I recommend they replace their browser with Firefox and Adblock Plus (not NoScript, I did that once and I got bollocked for that a bit because 'using the web was too hard as he had to press buttons every site he went on', the guy was a real pleb but never mind) - and ABP stopped all the ads, and thus, stopped them downloading and installing that shite.
It pays to be obvious, especially if you have a reputation for being subtle.
Note to clueless mods, Antivirus 2009 is one of these fake antiviruses, mod them funny, not interesting....
Taxation is legalized theft, no more, no less.
I'm posting to say: COMBOFIX. This thing magically removes Antivirus 2009 and 2010, even the rootkit versions that MBAM falters on (or that prevent MBAM from running, even in safe mode).
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Use it. Love it. Marvel at its simplicity, its beauty.
A classic, they are more interested in stopping you using different no-cd cracks than they are in your security.
Uninstall this crap.
Love many, trust a few, do harm to none.
See my other post on this subject. Antivirus XP (and variants) can be removed by hand but it's a tedious process. Malwarebytes removes it VERY easily though. With some Antivirus ($FOO) variants you do need to rename the Malwarebytes installer filename and then the executable filename but once you get the process launched it will fully automate the removal process. IMHO Malwarebytes is the very best ad/malware removal utility at the moment, with Spybot S&D and Superantispyware being tied for a very distant second.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Start with removing them from the local Admin group for a start.
Love many, trust a few, do harm to none.
I work for an IT department here in California, and we get about three fake-antivirus-infected computers every week. Lately, the malware's been getting more difficult to remove - it's been hooking into system processes so that it can continually replace itself if part of the program gets deleted.
Thankfully, we've found a fairly nice remedy that doesn't force us to wipe the hard drive. Don't bother with Ad-Aware or Spybot S&D anymore- they've become very ineffective as of late.
First we hit it with a scan from Malwarebytes Anti-Malware, a free scanner you can download here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?tag=mncol
Then, on the infected computer, we download and run (in safe mode) a somewhat obscure free program called Combofix, which is available here: http://www.combofix.org/
After that, we run one more follow-up scan with Malwarebytes to ensure that the computer is clean.
So far, this combination of steps has eliminated the infections that we've come across.
To remove Norton, don't bother with the uninstaller. Get the Norton Removal Tool from their site:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039
This is for ANY install of ANY Norton products. It also gets rid of shared files and their registry settings.
In Soviet Russia, Trojan exploits YOU!