

THESE SCAREWARE VARIANTS ARE GETTING TOO STRONG
April 21, 2011 4:46 PM

"XP Security 2011" --- did I really just get absolutely beaten by a Windows scareware virus?

I booted in Safe mode (F8). Cannot run Windows Update in Safe Mode, cannot run Microsoft Security Essentials in Safe Mode. In ordinary boot mode, cannot run Microsoft Security Essentials at all, Microsoft Update gives very strange error messages, the "Windows Firewall" control panel has been COMPLETELY TAKEN OVER by the virus, and the relentless fcckkrr keep sending out popups -- that look SO CONVINCING!! It is scaring the shit out of my grandma, and also angering me. Are those people being prosecuted, they should end up in prison!! So, it's reinstall-operating-system time? snark BUY A MAC snark BUY WINDOWS 7 --- ---- --- --- so, does XP Security 2011 officially pwn Windows XP completely?
posted by shipbreaker to Technology (18 answers total) 3 users marked this as a favorite
 
download malwarebytes antimalware and the most recent manual definitions file onto another computer and put them on a flash drive.
boot into safe mode...try to install malwarebytes from the flash drive..run the update file afterward (no network access)...
try to launch the program...and do a full scan.
you may need to rename the exe....I like to try mbam.bat, mbam.com, and mbam.scr. if those don't work, rename it to explorer.exe
sometimes this tricks the malware into allowing it to run.
It should clear out the infection.

Hope this helps.
posted by AltReality at 4:52 PM on April 21, 2011 [1 favorite]


(Previously)

I recommend combofix, but there are many good suggestions in that thread.
posted by sharkfu at 4:52 PM on April 21, 2011


Start here: http://www.metafilter.com/user/77879 - read down.
posted by episodic at 4:53 PM on April 21, 2011


The trusty combo of RKill and MalwareBytes should do the trick. Hopefully you can download those OK... full instructions at http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2011 (URL refers to the Win7 version of the same malware). Good luck.
posted by dirm at 4:56 PM on April 21, 2011 [1 favorite]


I like RogueKiller for this. You need to rename the .exe as a .com (The virus hooks itself to .exe's through the registry so renaming to .com avoids triggering this.) Choose option 2. When you're all done, run MalwareBytes. I've successfully gotten rid of it this way on numerous occasions.

When you're all done, you need to turn on Windows Firewall and Automatic updates (if you had them on before, that is. A lot of help they were!)
posted by Obscure Reference at 5:02 PM on April 21, 2011


If you run a successful scan of Malwarebytes I would also recommend running CCleaner on your system, and then looking at the active processes that remain afterwards for anything fishy (especially something operating out of My Documents).

One way that these things propagate are through unpatched plug-ins, like Flash, Adobe Reader, and Java. It really does pay to keep those files up to date. You can do that with File Hippo.
posted by codacorolla at 5:04 PM on April 21, 2011 [1 favorite]


Yep, check my profile as episodic mentions. And feel free to me-mail if you have questions.
posted by deezil at 5:07 PM on April 21, 2011


Nthing MalwareBytes. Best thing ever. And CCleaner!

Also, I'm honestly not being a snarky asshole about this -- any time you get a weird error message, Google the error from a different computer! Doing this can give you worlds of information on processes, errors, and potential threats, and information on how to remove them.

Ex-Heretical used this as a diagnosis/removal-aid tool and they were a computer professional, so I feel it might be decent advice.
posted by Heretical at 5:15 PM on April 21, 2011


What Dirm said. It'll fix ya right up.
posted by brownrd at 6:23 PM on April 21, 2011


I've had this same thing happen twice... on this computer, and I haven't had to reinstall windows yet (running 7). nthing running/installing malwarebytes in safemode (start bashing F8 right after you power up the computer to get into safemode).
posted by itheearl at 6:44 PM on April 21, 2011


I was just recently helping a roommate get rid of one of these fuckers. You could kill the popups through Task Manager, but it lodged itself in the OS so that every time you try to run another program, the scareware would start instead. We figured out that it only started up when you tried to run a program directly, but not if a program was started as a result of opening a file. Thus, we were able to run the real antivirus by right clicking on a random file and choosing "Open With...", then browsing to the AV program.
posted by domnit at 7:19 PM on April 21, 2011
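The two answers just above describe the same mechanism from different angles: the rogue AV rewires what Windows does when a program is launched directly, through the registry's .exe association, which is why a renamed .com or the "Open With..." route gets past it. Here is an added example, not code from the thread or from any of the tools named in it, that audits that association chain (HKCR\.exe, its ProgID, and the ProgID's shell\open\command) against the stock XP values and can reset it. It assumes PowerShell 2.0 on XP SP3, run from an administrator account; the expected values `exefile` and `"%1" %*` are the standard XP defaults.

```powershell
# Added example, not from the thread: audit the .exe file-association chain that the
# answers above describe rogue AV hijacking (HKCR\.exe -> ProgID -> shell\open\command)
# and optionally reset it to the stock XP values. Assumes PowerShell 2.0 on XP SP3,
# run from an administrator account.
param([switch]$Repair)

$ExpectedProgId  = 'exefile'   # stock ProgID for .exe on XP
$ExpectedCommand = '"%1" %*'   # stock launch command: run the file, pass its arguments

function Get-DefaultValue([string]$Key) {
    # (Default) value of a registry key, or $null when the key does not exist.
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    return (Get-ItemProperty -LiteralPath $Key).'(default)'
}

function Test-ExeAssociation {
    # Returns one string per suspicious value; nothing returned means the chain is stock.
    $findings = @()
    # HKCR is the merge of these two hives; a per-user hijack in HKCU needs no admin rights.
    foreach ($root in 'HKLM:\Software\Classes', 'HKCU:\Software\Classes') {
        $extKey = "$root\.exe"
        if (-not (Test-Path -LiteralPath $extKey)) { continue }   # HKCU normally has no .exe key
        $progId = Get-DefaultValue $extKey
        if ($progId -ne $ExpectedProgId) {
            $findings += "$extKey (Default) is '$progId', expected '$ExpectedProgId'"
        }
        # Follow whatever ProgID is actually set, not only the expected one.
        foreach ($id in @($progId, $ExpectedProgId) | Select-Object -Unique) {
            if (-not $id) { continue }
            $cmdKey = "$root\$id\shell\open\command"
            if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
            $cmd = Get-DefaultValue $cmdKey
            if ($cmd -ne $ExpectedCommand) {
                $findings += "$cmdKey (Default) is '$cmd', expected '$ExpectedCommand'"
            }
        }
    }
    return $findings
}

function Repair-ExeAssociation {
    # Drop any per-user override and rewrite the machine-wide chain with stock values.
    $userExt = 'HKCU:\Software\Classes\.exe'
    if (Test-Path -LiteralPath $userExt) { Remove-Item -LiteralPath $userExt -Recurse }
    $machineExt = 'HKLM:\Software\Classes\.exe'
    $machineCmd = "HKLM:\Software\Classes\$ExpectedProgId\shell\open\command"
    foreach ($k in $machineExt, $machineCmd) {
        if (-not (Test-Path -LiteralPath $k)) { New-Item -Path $k -Force | Out-Null }
    }
    Set-ItemProperty -LiteralPath $machineExt -Name '(default)' -Value $ExpectedProgId
    Set-ItemProperty -LiteralPath $machineCmd -Name '(default)' -Value $ExpectedCommand
}

$found = Test-ExeAssociation
if (-not $found) {
    Write-Output '.exe association chain matches stock XP values.'
} else {
    $found | ForEach-Object { Write-Output "SUSPICIOUS: $_" }
    if ($Repair) { Repair-ExeAssociation; Write-Output 'Reset to stock values; reboot and rescan.' }
}
```

Run it read-only first and look at what it reports; only pass `-Repair` once a scanner has removed whatever the hijacked command pointed at, otherwise the next reboot can put the override straight back. If powershell.exe itself is intercepted, the same three values can be read with regedit or from a rescue disc's offline registry editor. This checks only the launch-association chain, which is what the answers above describe; it says nothing about other persistence the infection may have.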


I guess the sad thing is, I thought I was already doing everything right. Running Automatic Updates, every night. Running Microsoft Security Essentials. Strong Firewalls, set to On. Maybe the one thing I failed to do was make sure that Popup Blockers were in place on Internet Explorer --- and then when grandma saw the first popup she said "Oh, oh dear!" and then clicked on "OK" instead of closing it with the "x". And from that moment on, it was pure viral infection. This virus even shows up while in Safe Mode! WWW TTT FFF !?! Now my fear is that even if I nuke it from orbit and set up what I think is a "bulletproof" Windows XP, it'll just be a matter of time before I get another phone call.

Also, I don't particularly like being the "computer/IT guy" who gets called in, to find something that stumps me, and now I got grandma thinking, "Oh, I guess he's not really that good. Perhaps I should have called someone else." What IS it with this virus?!?????

FFFFFFFUUUUUUUUUUUU
posted by shipbreaker at 8:54 PM on April 21, 2011


Not to be "That Guy", but it sounds like this is a machine set up for someone else who isn't tech savvy but just needs to use the tinternets? If so, have you considered Ubuntu, particularly the big pointy clicky Netbook Remix? It also has the added advantage that you can set Grandma up with a regular user account and yourself with the root account. That way, it'd be kind of hard to break it even if she tried.
posted by dougrayrankin at 3:45 AM on April 22, 2011 [1 favorite]


Kaspersky Virus Removal Tool (free) fixes that one every time.
posted by cp7 at 7:18 AM on April 22, 2011


I've dealt with this virus before. There is absolutely no guarantee that any combination of combofix, rkill, Malwarebytes, and/or CCleaner will absolutely clear you out. Nor will rootkitty or Stinger or even the Kaspersky or BitDefender live discs.

Also, it's bad advice to recommend combofix to the unsavvy. You can seriously bork yourself.

Advice to check bleepingcomputer (no offense to Deezil, his profile is great) is always your best bet, however with this particular brand of infections if you do not absolutely NEED to save the system, nuking from orbit is your best bet.

That said, anything you do MUST involve disconnecting yourself from the internet, or it will always dial home. Always. I recommend RKill then CCleaner then MalwareBytes then SuperAntiSpyware Portable then Malwarebytes again after reboot, and like I said, you will likely still have the infection.

Ideally after the first malwarebytes reboot (while still disconnected from the internet) and the system is back on, you reboot AGAIN and boot to either your rescue disc OR (better) use the MSDaRT to verify your system file integrity. (It's torrentable.) You can absolutely use the recovery console from your boot discs for this---but I like the MSDaRT kit and use it a lot.

I also bet you dollars to donuts that the infection came through flash, probably on facebook. If not, it's from an email or an infected PDF from a non-updated Adobe Reader. (And/or if using Reader turn off javascript in settings)

If you want to go as secure as you can on this system, use a modified hosts file, run flashblock and adblock (and kick IE to the curb, only because they're not extensible), consider Spybot's resident protection, and make goddamn sure that your Flash and Reader (or PDF X-Change, Sumatra, Foxit, whatever) are as up to date as they can be, and either uninstall Java or allow it to autoupdate itself.
posted by TomMelee at 7:21 AM on April 22, 2011 [1 favorite]


Also, don't trust the X. The X is usually a lie, as the window borders are drawn and not actually part of the window. What you want is Alt+f4 when the window is highlighted. Clicking the X is usually tantamount to clicking "ok."

But seriously, give her a hosts file, and/or put PeerBlock on the system with the ads and malware lists activated.
posted by TomMelee at 7:24 AM on April 22, 2011


I would also recommend formatting any flash drives you've connected to the machine since it's been known to be infected. I had a particularly nasty one that I caught from an infected public computer that, thankfully, Microsoft Security essentials was able to block when I mistakenly plugged it in to a clean machine.
posted by codacorolla at 10:12 AM on April 22, 2011


Also would suggest that if you go with XP again, make sure that the main user is set up as a "Limited Account", and not an administrator. Still keep a password-protected administrator account for doing admin tasks, but your day-to-day login should be as a limited account.
posted by xedrik at 1:39 PM on April 22, 2011
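The limited-account advice above is the one change that blunts this whole class of infection, because a "Limited Account" on XP is simply a member of Users that is not a member of Administrators, and malware run from it cannot write to HKLM or Program Files. Here is an added example, not code from the thread, that checks exactly that for the daily-use login and prints the stock net.exe commands needed to fix it. It assumes PowerShell 2.0 on XP run from an administrator account; `Grandma` and `HouseAdmin` are placeholder account names.

```powershell
# Added example, not from the thread: verify that the day-to-day account is a
# "Limited Account" (in Users, not in Administrators) and that a separate,
# password-protected admin account exists. Assumes PowerShell 2.0 on XP, run as an
# administrator; 'Grandma' and 'HouseAdmin' are placeholder account names.
$DailyUser = 'Grandma'
$AdminUser = 'HouseAdmin'

function Get-LocalGroupMembers([string]$Group) {
    # Member names of a local group via the WinNT ADSI provider (present on XP).
    $adsiGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in $adsiGroup.Invoke('Members')) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

function Test-LimitedAccount([string]$User) {
    # $true only when the account is in Users and not in Administrators.
    $admins = @(Get-LocalGroupMembers 'Administrators')
    $users  = @(Get-LocalGroupMembers 'Users')
    return ($users -contains $User) -and -not ($admins -contains $User)
}

if (Test-LimitedAccount $DailyUser) {
    Write-Output "$DailyUser is a limited account."
} else {
    Write-Output "$DailyUser is NOT a limited account. From an admin prompt:"
    Write-Output "  net user $DailyUser * /add                      (create it; prompts for a password)"
    Write-Output "  net localgroup Administrators $DailyUser /delete (drop it from Administrators)"
}

if (@(Get-LocalGroupMembers 'Administrators') -contains $AdminUser) {
    Write-Output "$AdminUser is in Administrators; keep it password-protected and use it only for admin tasks."
} else {
    Write-Output "No separate admin account '$AdminUser'. Create one with:"
    Write-Output "  net user $AdminUser * /add"
    Write-Output "  net localgroup Administrators $AdminUser /add"
}
```

The `net user ... * /add` form prompts for the password rather than leaving it in the command history, and a freshly created XP account lands in Users by default, so the `/delete` line only matters for an account that was originally made an administrator. Re-run the script after making the changes to confirm both conditions hold.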

