Three Indicted In Scareware Scam That Netted $100M

alphadogg writes "Three men are facing federal fraud charges for allegedly raking in more than $100 million while running an illegal 'scareware' business called Innovative Marketing that tricked victims into installing bogus software. The company's products generated so many consumer complaints that in 2008 the FTC brought a civil action against Innovative Marketing and call center partner Byte Hosting, effectively putting them out of business. On Wednesday, a grand jury in Chicago handed down criminal charges, meaning the three men now face jail time if convicted." One of the men indicted is in Ohio and the others are believed to be in Ukraine and Sweden. Microsoft's Digital Crimes Unit helped out with the case.

Fake AVs

[DigiShaman]

Is this the same group that created all of those XP Antivirus 200X programs? Christ all mighty! That's some serious malware that's almost impossible to remove! I can only imagine how much the developers got paid.

Re:Fake AVs

Do you do online banking on these machines afterwards?

Re:Fake AVs

[armanox]

Have you tried recently? More recent versions disable safe mode, have no uninstaller, and can keep me busy for an entire day.

Re:Fake AVs

[Pax681]

was just chatting to a friend about this and he then sent me this as a very effective removal tool

http://download.cnet.com/Remove-Fake-Antivirus/3000-2239_4-10915342.html

Re:Fake AVs

[sv_libertarian]

I took one off a friend's computer, and the AVG boot disc (linux based) scanned everything, but it still didn't kill it all. No safe mode, but I got lucky, it was a slow loading virus, and I was able to kill it in the task manager before it could block the antivirus software, and redirect web traffic. Then the AVG was able to work. I once again made my pitch for installing linux to no avail...

Re:Fake AVs

[lambent]

why would they bother installing linux, since they have a friend who is skilled and willing enough to clean it up for them?

i've been down this road too many times. i have now been forced to never offer "clean up" support for friends and family. it makes me sad, but it's the only way they learn : (

Re:Fake AVs

[flappinbooger]

they are getting tougher, that's for sure. But there are still tricks to get rid of them. The problem is the friends they bring with....

Re:Fake AVs

[gcatullus]

Not all of them are so easy, yes google is your friend, but many times the googled answer has been reinstall windows, which is easy I suppose except for having the person dig up all their software cds and licenses.

Re:Fake AVs

[Pax681]

yup cleaned a machine 2 weeks ago with it on.

i imagine i'll be back at that customer again very soon..lol his urge to spank the monkey of dodgy free porn sites is greater than his need for a clean running machine

Re:Fake AVs

[Peach+Rings]

I had a run-in recently from a drive-by malware install (curse you Chrome!). It immediately disabled task manager and locked me out of regedit and msconfig, and icons began to fill my desktop as I gazed on in horror... I couldn't install MalwareBytes because the malware killed the installer process immediately. I couldn't even download anything with an ad-aware-like filename since the request was hijacked and I got a scareware page instead.

A reboot into safe mode failed. Luckily, I had Process Explorer on a thumbdrive and was able to wrangle it dead with judicious use of Kill Process Tree and very fast clicking, since the processes restart each other when you kill them. Then I could use autoruns to nuke anything remotely non-Microsoft from my startup, and then I could install malware removal tools and antivirus scanners.

While it's easy to bash Windows after this privilege-escalation browser-hijacking nightmare, the tools available for defeating malicious software even when it has root are impressive. The problem of regaining control from a hostile takeover is fascinating and despite the panic it's always fun to engage in combat using your own little tricks.. it's like sitting in the computer lab on locked-down machines and trying to break free :) In middle school, there were very few icons on the desktop, nothing in the start menu, task manager was locked out, Run didn't work, none of the usual key combinations were effective... but I discovered that you could embed a hyperlink to file://c:/windows/cmd.exe in a word document and control+click it to bring up the DOS prompt!

And frankly the only reason that I was able to recover control from the malware is because XP's internal security is a wreck and there are a million different things to lock down individually. Let's face it, if somehow malicious code found a way to be executed as root on my linux system, there are no tools on earth short of going over the entire filesystem in a different OS with a text editor that can save you. Even rudimentary tools like Autoruns have no analogue in Linux.. there are rc.d scripts and .bashrc scripts and .xsession scripts and rc.conf and etc etc etc scattered all over the place, it's a mess. Well, I don't want to turn this into a unix haters rant...

Re:Fake AVs

[s122604]

Yep, I spent last weekend getting one of these fake av's off my wife's spare laptop ( an old p4 that refuses to die)..

I got the main scareware off easily, but Malwarebytes, MSE, and a few other programs could not get rid of the underlying Aleuron.h root kit

end result, gave up , blew up the xp home and didn't reinstall, its now an ubuntu machine exclusively..

Re:Fake AVs

[gcatullus]

Same issue I've seen with redirecting of web traffic it was crazy - I figured that it would only effect firefox and IE on the machine, but it even effected a new install of chrome. Browser looked fine until you googled microsoft, avg, trend micro, etc. Just plain nasty

Re:Fake AVs

[the_bard17]

Just a heads up, if they've got a router. I've seen a few bits of malware that log into a router using default credentials, then point it to a custom DNS server. It was fun finding that out after a fresh reinstall...

Re:Fake AVs

[oddaddresstrap]

Indeed, the new ones are bad. However, this has worked for me:
Take the drive out and put it into a fully-updated Windows box as a second drive, then run updated MS Security Essentials and updated MalwareBytes against it. It takes a while to run full scans, but it seems to work ("seems" being the operative word).

Re:Fake AVs

[Lumpy]

And is a good lesson to teach that user.

you chose to use Microsoft, you get to pay the piper......

My wifes Ubuntu box crashed when its hard drive failed... I recovered her user directory to another drive and reinstallation of all software was easy...

Same for my mac.. I can install a fresh OS and not haveto reinstall any of my apps.

Re:Fake AVs

[Whyte+Panther]

Because I would absolutely trust an unstaller app provided with a malware "virus scanner". I think I'll cut out it's heart by my self, thank you very much.

Re:Fake AVs

One word.... "Combofix"

Seems to remove it everytime I use it.

Re:Fake AVs

[Mister+Whirly]

Exactly. If you are trying to clean an infected Windows machine while running infected Windows, you are doing it wrong. BartPE or any of the bootable Live CDs are your friend. In particular, UBCD4Win works wonders and has saved me hours of frustration in the past. And I deal with at least 2 infected comupters a month of all different types of malware/virus/trojan/rootkit problems. So far have not needed to start over from scratch once. Once you learn the newest tricks the malware authors are using, it is pretty easy to clean the machines.

Re:Fake AVs

[pnewhook]

I had the same thing and luckily I had Process Explorer installed..

I'd be quite happy if the verdict came down to just shoot them. Seriously. I'm tired of this crap constantly trying to infect my computer and the crap emails I get every day. I'm careful and have only been infected twice ever, and the spam filters take care of most of the email, but seriously - how much effort is spent creating and then creating prevention for this crap??

Once convicted, summarily shoot them.

Re:Fake AVs

[spidercoz]

I've done that. Cleaned up a friend's mom's pc once, explained to her that it was because she kept going to those stupid crap game sites that popped up all over a few years ago, I forget which, the big one. Anyway, got it cleaned up, put noscript on and blacklisted the site. Couple months later found out she had disabled noscript and completely ignored everything I told her. Surprise surprise, the machine was trashed. Told her she's on her own. The work I did would've easily been $100 at a shop and she thought I would do it again for free. Bullshit, lady. You did exactly what I told you not to and got screwed because of it. Look at this as an object lesson.

I swear, Pavlov's dog was smarter than some of these people.

Re:Fake AVs

[spidercoz]

lol, dead on, man

Re:Fake AVs

[Peach+Rings]

Uh any convictions of particular criminals won't stop the flow, and shouldn't be depended on to stop the flow. In other words, there's no point in prosecuting them. The problem is a technical one not a legal one.

Re:Fake AVs

[oh-dark-thirty]

I've had good luck using combofix on variants of this malware. It works about 90% of the time to at least beat it into submission, I can then manually remove any remnants.

Re:Fake AVs

[oh-dark-thirty]

X2

Re:Fake AVs

[Xoltri]

Instead of using kill process tree you can use suspend process. That way it won't relaunch itself or other related processes. Then you can kill them all without having to click really really fast.

Re:Fake AVs

[s122604]

Fail on that: Malwarebytes and MSE both can find Aleuron.h file, indicative of a particular flavor of root kit. They both find it, but they cannot remove it.

I googled around and the consensus was, "eh, just rebuild"

not saying its not possible, just not easy....

Re:Fake AVs

[oddaddresstrap]

Not to say you're not right, but what would prevent MSE and/or MWB from removing it? We're scanning a non-boot drive from a clean machine with no malicious code running.

Re:Fake AVs

[kryliss]

On machines that I deal with regularly, I do a full install, update and patch, install all needed drivers, Turn off swap space, defrag, clear out all cache and temp files, then do a full ghost of the drive. Data such as music an pictures are kept on a separate partition/drive. The ghost usually takes about 10 minutes to restore.

Re:Fake AVs

[hairyfeet]

No shit! The only worse one I've come across is the "security tool" scareware...now that is a royal PITA to kill! Runs in safe mode, respawns processes, really nasty piece of work that one is. As for TFA while I'd love to say good riddance to bad rubbish, knowing somebody else will just pick up where they left off. No shortage of scumbags anywhere that I can see.

Re:Fake AVs

[Ihmhi]

The mistake you make is doing it for free.

Family owes me a favor. Friends and co-workers pay.

Would you honestly ask your buddy who's a landscaper to "do you a favor" and mow your lawn for free? How many landscapers would say yes?

Re:Fake AVs

[Ihmhi]

I have no idea what Process Explorer is, but considering the parent and grandparent post I'm sure as hell going to be looking into it.

Re:Fake AVs

[DDLKermit007]

Man there's a new one that I'm seeing on the bench recently that does all that, and disables anything including explorer, and task manager from running. Offline drive scans don't catch it, and I've yet to figure out where the hell it's stored (not in the usual random user's folder). I can find a whole ton of it's copies, but never the original file. I've had to wipe so many damn machines because of that one. At least with explorer running you can force a few things to happen that'll help with it's location if it's in odd spots.

Re:Fake AVs

[DigiShaman]

Process Explorer is like the Task Manager, but far more advanced. It's just a single executable, so it's very portable.

Autoruns is sorta like MSConfig or Hijackthis on steroids.

Basically, you run Process Explorer to kill the thread in question, then use Autoruns to prune the malware from bootup and other places it has it's hooks into. If successful, you've neutered the malware enough to allow a 3rd party anti-malware program to be executed.

Re:Fake AVs

[DigiShaman]

That's because the EXE file association was hijacked. Once you run an EXE, Windows makes a callback to the Malware. If you right-click on the EXE file however, I've found that you can opened it up with another option in the context menu.

The registry value that Windows should be set to

HKEY_CLASSES_ROOT\exefile\shell\open\command
The (Default) key should be set to:
"%1" %*

Re:Fake AVs

[DigiShaman]

Not sure if it's possible, but I've always wondered if a virus could be written into binary registry keys. Basically, the Windows kernel executes, loads the registry hive, then the virus is spawned from code inside it.

Re:Fake AVs

[pnewhook]

That's like saying there will always be murderers, so there's no point in trying to convict them. You should try and stop getting killed instead.

Re:Fake AVs

[sv_libertarian]

Actually I didn't do it for free. He gave me a killer deal on two .22 handguns, and a .22 rifle for my trouble.

Re:Fake AVs

[sv_libertarian]

in retrospect that sounds so bad...

Re:Fake AVs

[game+kid]

PE is a beauty. The only thing it really misses is Task Manager's Up Time clock (Performance tab), which appears to be the only way in Windows to get the total system up time exclusive of standbys and hibernates. (Other methods, and I've tried many, just count time from boot. Let me know if I missed one.)

If that makes it to PE, I'd happily let even malware delete taskmgr.

Re:Fake AVs

[Peach+Rings]

Oh, right that happened too. I had to right-click Process Explorer and hit Run As... and run it as myself.

Re:Fake AVs

[sjames]

Let's face it, if somehow malicious code found a way to be executed as root on my linux system, there are no tools on earth short of going over the entire filesystem in a different OS with a text editor that can save you.

Just boot the rescue disk, that's what it's there for.

Of course, I wouldn't praise XP too strongly, since the same holes that let you kill the malware (you think) are what let the malware in in the first place.

Re:Fake AVs

[RockDoctor]

and very fast clicking, since the processes restart each other when you kill them.

Ah, the old "Robin Hood"/ "Friar Tuck" trick. That's so 1970s.

Re:Fake AVs

[psiclops]

umm yeah, except when i had one i had redirected my web traffic making it near-impossible to google search from the infected machine.

Great news

[Zedrick]

...but hopefully only the beginning. Let's hope "Microsoft's Digital Crimes Unit" can help take down Symantec next.

Re:Great news

[dwiget001]

It would be real news of "Microsoft's Digital Crimes Unit" took down -- Microsoft!!!

Re:Great news

[maxume]

Whichever Microsoft group it is that puts together Security Essentials is working on that too.

Re:Great news

[Kjella]

Well, we already heard they have a guy to take out IE6. I think WinME is already fairly dead, but if they could put a bounty on Vista's head too... WinXP and Win7 are actually nice products, Microsoft remind me a bit of Intel. They may hit their Itanics, but they keep coming back with a vengance.

Re:Great news

[virtualonliner]

Symantec (and McAfee) is much worse. For starters, it's not inobtrusive like other scareware.

Re:Great news

[Xoltri]

Symantec and McAfee are partially responsible for this problem. They were the ones that got users used to whipping out their credit cards when their computer told them their antivirus subscription was over and needed to be renewed. No longer was it good enough to go to the store and buy a boxed antivirus solution with free lifetime updates. Now they wanted money from you every year.

Now grandma gets a popup about how her xp antivirus needs her credit card information. She doesn't know the difference. It's really a smart social engineering solution that was set in motion by the greedy major antivirus companies.

Re:Great news

[corerunner]

mod parent up

Equivalent to 38 murders

[mrnobo1024]

According to the Department of Transportation, one human life is worth $2,600,000, meaning that the damage of this scam was approximately equal to that of 38 deaths. To put this in perspective, the Manson family almost earned death penalties for only 27. I hope the judge takes this into account when deciding sentencing.

Re:Equivalent to 38 murders

[jank1887]

wow. loved reading that.

"This study presents a figure of $2.2 million (in 1988 dollars) as the recommended value to use in benefit-cost analyses as the willingness-to-pay to avert a fatality...The GDP implicit price deflator increased about 18 percent from its average value in 1988 through 1993. Therefore, the 1988 figure of $2.2 million dollars wasincreased 18 percent to yield a 1994 figure of $2.6 million dollars."

awesome.

Re:Equivalent to 38 murders

[Seth+Kriticos]

The article you point to writes about 1994 Dollars. Based on the CPI (consumer price index), that would be equivalent of 3,179,729.73 today's dollars.

Dividing the 100M by this amount yields around 31.45 fatalities. Still better than the Manson family, I guess..

Re:Equivalent to 38 murders

[fustakrakich]

Wonderful! Except nobody died... murder and fraud are two different things. I hope the judge takes this into account when deciding sentencing.

Re:Equivalent to 38 murders

[spidercoz]

lolwut? you're saying these douchebag scammers are on the same level as mass murderers? dude, get a fucking grip

Re:Equivalent to 38 murders

[hellop2]

Well, based on my own price index, which I call the 20-Ounce Coke Index, the value of a human is worth about $6.3 million.

Why?

Because the price of a 20-ounce Coca Cola in 1994 was $0.59. Today it is $1.69. Which is a factor of about 2.865, because 0.59 * 2.865 = 1.69.

So $2,200,000 * 2.865 = $6,303,000.

This is why...

[smooth+wombat]

I tell everyone, both at work and the few who know I work in the IT field, that whenever you are asked if you to install something, the answer is always no. I don't care if it tells you your computer will explode and burn your house down, the answer is no. I don't care if it tells you that 1 million babies will be killed if you don't install the software. The answer is still no.

No, no, no, no, no!

Of course not making them admin helps in this regard, but malware can still find a way to install itself so the answer is always no when asked if you want to install "Ultimate Web Cleaner Deluxe Plus!".

Re:This is why...

[spidercoz]

real problem is all the buttons do the same fucking thing, that's why it's a SCAM

Re:This is why...

[Xoltri]

Not using an admin account is not a defense to these xp antivirus programs. It installs itself to the users profile so even if they are using a limited user account it still puts an icon in the system tray, changes the wallpaper and popups up messages about how they are infected and need to provide credit card details. So don't count on that any longer as a defense, at least not in Windows XP at least.

Re:This is why...

[cyberjock1980]

Yes, but I predict the future "no" will also install it. There's nothing that says if you click "no" it won't install anyway. For most programs, if you click "no" you'd expect some kind of EXIT command. Us sane programmers have a GUI that works as we intend. There's no reason why malware/spyware won't have a "yes" and "no" button that does the same thing, right? If I wanted to force you to install a software program, I'd make sure that if you click no it still performs the yes function.

Re:There are still more out there!!

[maxume]

Hopefully AntiMalWareBytes is a typo and not an additional source of your problems, the name of the popular malware removal tool is Malwarebytes' Anti-Malware.

Re:There are still more out there!!

[KahabutDieDrake]

HAHA, I just reformatted yesterday because of that garbage. It didn't seem worth the effort of digging it out, especially as good as it is at defeating any attempt to do so. So I just ghosted to a good install and moved on. I'm going through some log files right now to see if I can figure out where it came from, so I can block the domain/IP. It's not looking good so far.

Symantec and Norton

[mangu]

You beat me to it. Symantec may have done some good stuff, but that was over twenty years ago. Same with Norton but, after they merged together, "scareware" seems the most appropriate name for what they have been doing.

I liked the "pink shirt" book, though, was of great use to me in the 1980s.

 

Re:Damn govm't interference

[Fuzzums]

Free Market already took care of the nice cinema in my town.
I'm sure Free Market also has a nice solution for scareware.

Re:Finally.

Having spent time on a lot of sites, slashdot trolls are still some of my favorites just because they are restricted to text so you get these wonderful monologues of fail in the middle of semi rational discussions. I'll drink a beer to you tonight AC.

Re:Obligatory reference

[morgan_greywolf]

I agree. There's no such thing as 'digital crime': fraud is fraud, whether it's committed online or not.

Re:Damn govm't interference

[BillX]

One of the guys is in Ukraine; civilian nukes can't travel that far :-(

Re:There are still more out there!!

[RPGonAS400]

Yes - I was just typing off the top of my head and got it wrong.

Scareware claiming viruses on my Linux computer

[Rick17JJ]

On several occasions over the years, I have encountered scareware which said that viruses and spyware had been detected on my Linux computer. Each time that was while I was browsing the Internet while using Linux at home. I had never heard of any Linux viruses actually circulating in the wild, so I was skeptical that they had actually detected both viruses and spyware on my computer.

On each of those occasions, it offered to scan my hard drive for viruses and spyware. Despite trying to say no and/or close their web page the advertisement reappeared and pretended to start scanning my hard drive. It said that it was scanning my drive C, with a progress bar showing that a scan was supposedly in progress. That seemed bogus, because drive letters are not used in Linux for designating hard drives or partitons.

I had a firewall enabled in both my DSL router and on my computer, with all the incoming ports and most of outgoing ports closed. So, I doubted that it was actually quite that easy to effortlessly scan my hard drive, like that.

After about 60 seconds of scanning my hard drive, they announced that several several viruses and several types of spyware had been found on drive C and also in my registry. Linux does not have a drive C and also does not have a registry, so again that seemed bogus. They then recommended that I purchase their anti-virus product to solve the problem. Not having actually noticed that I was using a Linux instead of Windows, they did not offer me a Linux version.

On at least one of those encounters with scareware over the years, it even tried to download their antivirus program to my computer just after I again tried to close the tab (or possibly a pop-up). Firefox then asked me what program it should use to open a Windows executable file. It also gave me the alternative of choosing where to save the file, or canceling the download. Of course, I did not even consider trying to download the program and see if I could get it to run under WINE.

After the most recent scareware encounter, I immediately installed the NoScript and AdBlock plug-ins for Firefox. I did that on both my Linux computer and my Windows computer. I had finally had enough of scripts and advertisements. Now, when I encounter an occasional trusted web page which requires scripting enabled, I right-click on the icon in the lower right to either temporarily or permanently allow scripts for just that web page. I am not a computer expert, but my guess is that without scripting enabled, I would probably have less trouble closing the advertisement without it instantly reappearing again.

Re:Scareware claiming viruses on my Linux computer

[S77IM]

If you browse using Firefox with NoScript and AdBlock on Linux behind a two user-configured firewalls and are somewhat up-to-date on the state of Linux viruses, then yes, you are a computer expert.

  -- 77IM

Re:Scareware claiming viruses on my Linux computer

[spidercoz]

it took all that for you to decide it was bullshit?

Re:Scareware claiming viruses on my Linux computer

[Mashiki]

That's the reason why most malware succeeds. It fools people into believing that it's something else. Human stupidity is a great thing, it leads to technological expansions, and it also leads to self-destructive behavior.

Re:Scareware claiming viruses on my Linux computer

[Jaysyn]

Yeah, I was thinking the same thing. I'm lucky if my friends even know what a firewall is & I've given up trying to get them to use NoScript. I just charge them to clean their PCs now.

Re:Scareware claiming viruses on my Linux computer

[SheeEttin]

Right. What you were seeing was just a simulation/mockup of a virus scanner program within your browser (i.e. probably rendered with GIFs and/or Javascript), usually themed to look like the default Windows XP theme. After announcing it "found viruses", it tries to download the installer. It does this the same way every other file is downloaded, by changing the location (i.e. the page you're viewing) to the binary. This is the same behavior you get when clicking a link to a file the browser doesn't know how to handle.

I've seen these a few times myself, and because I'm running Linux, I just giggle and close the tab. ;)

Re:Scareware claiming viruses on my Linux computer

[Rick17JJ]

Well, it really did not take that long to decide it was total bullshit, but despite trying repeatedly to close the tab, it kept reappearing in my browser and continuing on. So, I was busy trying to figure out how to get my browser to stop showing the scareware advertisement. At the same time, I was noticing with some amusement the incorrect information and impossible claims that it was making. The first time it happened, I had never even heard of scareware, so I was kind of curious, yet nervous about the aggressiveness of the program.

Of course I did not even consider giving the scareware permission to scan my computer and did not even consider purchasing their product. But, after finally trying to close the tab or pop-up again, it started trying to download their program to my computer anyway.

I finally exited from Firefox and just to be safe, I unplugged my Ethernet cable. Ahead of that, I had noticed the URL where the advertisement was coming from. So, as an experiment, I added that URL to my hosts file and diverting it to my 127.0.0.1 loopback address. I then reconnected my Ethernet cable and restarted Firefox and went back to the same companies web page without the linked scareware advertisement appearing.

Despite already knowing that is was bullshit, I later looked up the names of the two viruses names it had mentioned, elsewhere on the Internet. It said they only infected certain versions of Windows.

Re:Scareware claiming viruses on my Linux computer

[Rick17JJ]

What I meant, is that for me computers are just a hobby, not an occupation. However, I have had several computer courses and computer networking courses in the past, but have never turned it into an occupation and have not stayed up to date with some of the technology changes.

Even so, I realize that my skills are way beyond what the average computer user has, so I hesitated in saying that I was not an expert.

I also noticed the URL where the scareware advertisement was coming from. Just as an experiment, I added its URL to my hosts file in a way that diverted it harmlessly to the 127.0.0.1 loopback address on my computer. When I then went back to the same companies web paged, the link to the scareware advertisement was blocked. That trick would work for either a Windows, Mac or Linux computer. Of course, the average computer user would not know how to do something like that.

There are also many important parts of computers and networking where my knowledge is lacking, so I do not really think of myself as an expert.

Re:Scareware claiming viruses on my Linux computer

[sjames]

Some of those are actually fairly amusing to watch when you're running Linux. They do a fairly good job of making the browser window look like an XP desktop running a virus scanner (which of course, finds tons of viruses).

Almost worth it

[ArchieBunker]

$100 Million split 3 ways? Now you're talking values that make a few years of jail time worth it. That or take the money and run to another country.

Re:Almost worth it

[JSBiff]

Maybe if they blew it all on coke and hookers. If they bought real estate, boats, or other valuable assets, the government will probably seize them (at least in the case of the guy in the U.S. - the guys in the other country might get away with their share of the money).

Re:Almost worth it

[tepples]

Maybe if they blew it all on coke and hookers.

How much Coca-Cola and how many Hercules Hooks could 100 million USD buy?

Re:There are still more out there!!

[Lumpy]

install a blocking hosts file and privoxy. It stops 99% of all that crap. dont leave it up to the browser adblocking... stop it before it can even get to the browser.

Re:There are still more out there!!

[s122604]

Ok, I'll take one for the "knows a lot less about this stuff than my friends/relatives think I do" team

How do you do this?

Is it something you install locally, or on your router/firewall?

Re:There are still more out there!!

[h4rr4r]

Format the machines and start again. I cannot understand why windows folks bother with this. If the install has been infected you can never trust it again, wipe and start over.

Re:There are still more out there!!

[spidercoz]

No, it doesn't. No one anti-crapware app is sufficient. And my personal experience w/ Malwarebytes hasn't impressed me much. You usually need at least a couple scanners to run in succession, along with using process explorer and autoruns to get a good cleaning.

Re:There are still more out there!!

[Mashiki]

Generally you need two. Malwarebytes is good for a newbie however and will catch almost anything, it's actually what I install on customer machines and then schedual an automated run for it. The other I'd suggest is Spybot S&D, besides having a nice host file it checks against known malware. I know some people like prevx, but I find it mediocre at the best.

Re:There are still more out there!!

[Jaysyn]

Download & setup Privoxy.

http://sourceforge.net/projects/ijbswa/files/
http://www.privoxy.org/user-manual/quickstart.html

Grab a decent HOSTS file & stick it in your %SystemRoot%\system32\drivers\etc\

Alternatively, you can install Spybot & let it's Immunize function generate a HOSTS file for you.