2nd computer hit with FAKE AV...Process to clean it up?

Started by Jan Regnier, May 04, 2011, 01:54:38 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jan Regnier

Does anyone have the process for cleaning this up? 

I just got the 1st computer cleaned up today and now a 2nd computer got hit!  They aren't going anywhere (on the internet) they are not supposed to be so I can't get mad about it (I guess) - but I don't want to have to run the computer hospital with every machine that gets hit if there is a process to clean it up that I can do.  I don't mind the time it takes - I just want to have the process that works.


Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Robin Deatherage

Do you ever use ComboFix and Malwarebytes.  I've found that between the two I can usually get things cleaned up.  Sometimes have to start off running them in safe mode and then run them again normal.
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jan Regnier

I use Malwarebytes and I have used combofix - but haven't this time..I will go get it though.  I used Sophos to clean it up but after it does that it doesn't let you access programs!  I am in safe mode  - I'll keep trying for awhile...
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Orlando Alonzo

Robin is correct both are very good tools.

Download Malwarebytes. Install and update it.  Disable System Restore. Reboot in safe mode. Scan with Malwarebytes.
Orlando F. Alonzo III
RPM Insurance Agency • Staten Island, NY • oalonzo@rpminsurance.com

Bob

I'm curious since you say they don't visit bad sites..  Are they getting notification of fake AV update and clicking.  Run  services.msc

Sort by name, go to messenger, disable service.   Also check startup and remove msmsgs.  Native network messenging tool but sometimes exploited to trick users.  No need for it so adds an extra level of caution disabling service.  On by default I believe.

Then it's teaching even management to know your products.  Everyone should know their AV product.  Educating will prevent clicking on spoof say update AntiVirus 2011 etc..


Jeff Golas

Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff
Jeff Golas
Johnson, Kendall & Johnson, Inc. :: Newtown, PA
Epic Online w/CSR24
http://www.jkj.com

Jeff Zylstra

#6
My best luck comes when I remove the hard drive and attach it to another computer via a USB cable.  When you are not booting the computer from an infected hard drive, the malware doesn't get a chance to load first, so you have a much better chance of disinfecting it.  Just go right click on the START button in Windows, choose EXPLORE, and then right click on the infected hard drive and choose the "Run MalwareBytes" option.   HTH.


P.S.  I would be somewhat careful of Combofix, however.  I've bricked a computer with that utility before, so I'm a little bit leery of it now. 

I also had an issue with Clonezilla last week when I tried to re-image a Dell XP computer, so I'm leery of re-imaging now too!  It keeps saying that the target partition is smaller than the source partition.  It's not.  It's 4 times larger than the drive it was originally imaged from.  And it also borked the hard drive's MBR, so I couldn't fix the errant hard drive if I wanted to, so it got a fresh Windows install with updates, service packs and assorted software again.  That's way more work than I have time for. 
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Jan Regnier

Bob--

The person today was on MSN and clicked on something on that website...  The fake Microsoft product came up and she didn't OPEN it but she did click on the "X" to cancel out of it.. 

I will continue for a while longer trying to beat this piece of "stuff" into submission...I don't like giving in to this stuff!! 

Jeff - everything does get updated - but I will confirm she on the most current..

Thanks, guys...
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Jeff Zylstra

Quote from: Jeff Golas on May 04, 2011, 02:51:36 PM
Update Acrobat Reader, Java, and Flash. Update your browsers if they're dated. That'll stop the infections. As for what to do with a fake virus infected computer - wipe it and start over. Easier and more guaranteed.

Jeff

Is it possible to keep Flash updated for more than 2 days?   They update more often than our AV product!
"We hang the petty thieves, and appoint the great ones to public office"  -  Aesop

Bob

Quote from: Jan Regnier on May 04, 2011, 03:01:07 PM
Bob--

The person today was on MSN and clicked on something on that website...  The fake Microsoft product came up and she didn't OPEN it but she did click on the "X" to cancel out of it.. 

I will continue for a while longer trying to beat this piece of "stuff" into submission...I don't like giving in to this stuff!! 

Jeff - everything does get updated - but I will confirm she on the most current..

Thanks, guys...


The X was an image map.  In other words a link.  Best way to close is ALT+F4, in future.  :)

Robin Deatherage

Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Jan Regnier

Quote from: Robin Deatherage on May 04, 2011, 03:51:46 PM
Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011

No, Robin, it wasn't that one!  It said "XP HOME Security"....

I can access programs as ADMIN but not as the STATXXX.
Jan Regnier
jan.regnier@meyersglaros.com
Meyers Glaros Group, Merrillville, IN 26 Users
EPIC 2020, Office 365, Indio

Alice

Quote from: Robin Deatherage on May 04, 2011, 03:51:46 PM
Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
Robin - I must say you have links to the most colorfully named web sites I've ever seen. I know that's bad grammar but does describe it best.  ;)

Robin Deatherage

Quote from: Alice on May 04, 2011, 04:03:19 PM
Quote from: Robin Deatherage on May 04, 2011, 03:51:46 PM
Jan is it the AntiVirus System 2011 one?  If so this should help.  http://www.bleepingcomputer.com/virus-removal/remove-antivirus-system-2011
Robin - I must say you have links to the most colorfully named web sites I've ever seen. I know that's bad grammar but does describe it best.  ;)
LOL! Alice I wish I was that creative myself.  Wasn't, www.experts-exchange.com, at one time www.expertsexchange.com?   ;D
Robin Deatherage, CIC
Chas. Lunsford Sons & Associates | Roanoke, VA
Applied Private Cloud Server; TAM 2014; Fax@vantage v9; Office 2010;
Applied Hosted Exchange; 3 Office Locations

Alice