Fake anti-spyware menace - best way to prevent infection?

This has happened to me twice now and this time I wasted the whole day trying to get things back to how they were. I managed to get rid of the virus using malwarebytes but was left with missing registry entries that prevented my normal security programs and parts of windows itself from running. Ended up reinstalling windows and I wasn't even looking at anything dodgy on the internet, I was just clicking through some google search results and BAM, everything goes **** up! :mad::mad::mad:

What's the best way of avoiding these fake anti-spyware programs? How do they actually run? I didn't even click anything, it just installed on my computer as soon as I loaded up the website.

Also, if I had UAC turned on, would it have prevented the infection? :o
 
Leave UAC on! :p

1. When performing a fresh install, try and avoid connecting to the internet until the install is complete. That means unplugging the ethernet cable, disabling wireless etc. before you begin.

2. When the Windows install completes, set up your firewall and install your preferred anti-malware software ( which you downloaded previously, hopefully from a clean computer! ).

3. Once those two defence layers are set up, enable internet connectivity. Initially, go only to Windows Update and start your anti-malware programs so that they can be updated. Do NOT launch a browser and visit any site from an admin account.

4. Set up a Standard User account and do all your day-to-day stuff from there. e.g. surfing the web.

5. Optionally, set up AppLocker ( or Software Restriction Policy on Vista ) to only allow execution of programs from C:\Program Files and C:\Windows. If, while surfing from a Standard User account, some malware somehow manages to bypass your other defence layers and lands on your hard drive, it won't be able to launch.
 
Adding 'Web of Trust' to your browser can help. It rates google results for safety, and blocks known malware sites from loading. Apart from that keep Windows updated, turn UAC on, and use a decent AV and firewall.
 
Along with general common sense, if you don’t know what it is then don’t open it.
 
As long as you never say yes to the UAC confirmation they can only infect the current user, so as long as you have a different user to log in with, removing them is not too hard...

Some very smart people write and deploy these programs; I don't think it's possible to avoid them.
 
I was browsing with Firefox 4 and using Microsoft Security Essentials. I believe common sense goes a long way in preventing infections, and my computer has only been infected with malware like three times; the first time it wasn't my fault and the second time it was my fault (don't ask!).

This time round though, it came totally out of the blue. The Google search result was actually an old thread from a well respected forum (head.fi), hence why I was not at all suspicious.

I've since reinstalled Windows, scanned all my disks and everything seems clean and back to normal. I now have UAC on, even though I'd love to turn it off.

The thing is, apart from my internet browser, there is nothing else I use on my computer that is a major security risk. Is there any way I can make Firefox more secure? Some way of preventing anything from being installed when browsing websites?
 
I wouldn't say #1 on your list is really needed these days in Win 7. It was in the past because Windows Firewall wasn't enabled on install of Windows.
 
I've seen a few of these fake AVs use PDF exploits. So if you have Adobe Reader installed it might be worth getting rid of. I use Chrome these days to open PDFs.
 
I just had to completely reformat my father-in-law's laptop because he fell for one of these things - it completely wrecked windows. He said a warning came up that he had a virus and he had to download this program to get rid of it :o
 
I've decided to make regular system images instead of going all paranoid when using my computer, which kind of spoils the experience for me.

I rarely do any mission critical work on this machine and any important or sensitive data is saved on external storage. I figure that if I do a complete system image of my boot drive and program partitions every week (maximum size is about 500gb) I should be sorted.
 
This is pretty drastic but it does work...

http://www.windowsnetworking.com/articles_tutorials/Software-Restriction-Policies.html

It might take some trial and error, as some badly designed programs might need exceptions created but at work we used to get 2+ of these infections a week, since implementing this on all client computers I've had 0 for the last 18 months.

Essentially you want to block executables from running under C:\Users\Yourname; almost everything should run from the Program Files or Windows folders anyway. The only time it becomes an issue is if you download a program off the net and try and run it from a folder in the user profile. You could add an exception for, for example, C:\Users\Yourname\Downloads to get around it.
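As an added example (not code from either post), this PowerShell script writes the policy the two SRP posts describe into the local Safer registry keys, which is what gpedit.msc edits and is the only route on editions without the policy editor: default level Disallowed, Unrestricted path rules for the Windows and Program Files folders, and the optional Downloads exception. The key and value names are the documented Safer layout; the Downloads path assumes the standard profile location.

```powershell
# Added example, not from the thread: configure Software Restriction Policy
# locally by writing the Safer registry keys gpedit.msc would write.
# Run elevated; applies to processes started after the change.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0        # SAFER_LEVELID_DISALLOWED
$Unrestricted = 262144   # SAFER_LEVELID_FULLYTRUSTED (0x40000)

function Add-SaferPathRule([int]$Level, [string]$Path, [string]$Description) {
    # One rule per GUID subkey under <level>\Paths; ItemData holds the path
    # and may contain %ENV% or %HKLM\...\Value% references.
    $key = Join-Path $base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData     -Value $Path -PropertyType ExpandString | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags   -Value 0 -PropertyType DWord | Out-Null
    New-ItemProperty -Path $key -Name Description  -Value $Description -PropertyType String | Out-Null
    New-ItemProperty -Path $key -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord | Out-Null
}

New-Item -Path $base -Force | Out-Null
# Default security level. Shipped value is 262144 (everything runs);
# the post's setup wants 0: nothing runs unless a path rule allows it.
Set-ItemProperty -Path $base -Name DefaultLevel       -Value $Disallowed -Type DWord
Set-ItemProperty -Path $base -Name TransparentEnabled -Value 1 -Type DWord   # 1 = executables, not DLLs
Set-ItemProperty -Path $base -Name PolicyScope        -Value 0 -Type DWord   # 0 = all users, admins included

# Locations a Standard User cannot write to. These are the same registry
# references the stock policy uses, so they resolve on any drive layout.
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows folder'
Add-SaferPathRule $Unrestricted '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'

# The thread's optional Downloads exception (assumed profile layout). A more
# specific path rule beats the default level, so only this folder opens up;
# delete the rule again once the installer has run.
Add-SaferPathRule $Unrestricted '%USERPROFILE%\Downloads' 'Downloads exception (temporary)'
```

Programs that drop executables into the user's temp folder, as the AutoCAD and Adobe cases later in the thread describe, will need their own rules added the same way, and each such rule is a hole worth keeping as narrow as the vendor allows.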
 
Best way to prevent it would be to not install it.... When you get the fake virus websites that trick you into installing software, end the browser process with Task Manager. Then do not reload the session when you reopen the browser.

If you have it installed it can be cleaned in 15 mins easily, using three or four tools.

Firstly you need a registry file that fixes the corruption of the running of applications

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]
[-HKEY_CURRENT_USER\Software\Classes\pezfile]
[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\.exe]
@="exefile"
"Content Type"="application/x-msdownload"

Copy that into a file fix.reg and copy that onto a USB stick along with:

rkill.exe (also have a couple of its variants, basically renamed version of rkill as some malware blocks rkill process)

Then have malware bytes on the usb as well.

Process:

run the reg file.
run rkill to kill malware processes (do not restart) (be patient when running this app, as it can take a few mins to load, with no indication)
then install and update and run malware bytes, clean virus.

restart and you are done.

Another app that is useful is tfc.exe (Temp File Cleaner by OldTimer). This speeds up the Malwarebytes quick scan because it cleans out temp locations, but it can take a long time. Sometimes I will manually clean out the Local Settings temp folders to speed up the scan.
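As an added example (not from the post above), this read-only PowerShell audit checks the same .exe association keys that fix.reg rewrites and reports any value that differs from the stock Windows ones, so you can tell before and after cleaning whether the hijack is present. Run it as the affected user so that the per-user overrides under HKCU are visible; the expected values are the ones fix.reg itself sets.

```powershell
# Added example, not from the thread: audit the .exe file-association keys
# that fix.reg restores. Read-only; run as the affected user.
$expectedCommand = '"%1" %*'   # stock exefile open command, as in fix.reg

function Get-RegDefault([string]$Path) {
    # Returns the (Default) value of a key, or $null if the key is absent.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

$findings = @()

# Per-user overrides: a clean profile registers no .exe class here at all,
# which is why fix.reg deletes these two keys outright.
foreach ($name in '.exe', 'pezfile') {
    $p = "HKCU:\Software\Classes\$name"
    if (Test-Path -LiteralPath $p) {
        $findings += "Per-user override present: $p"
    }
}

# Merged HKCR view: .exe -> exefile -> "%1" %*
$assoc = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\.exe'
if ($assoc -ne 'exefile') {
    $findings += "HKCR\.exe maps to '$assoc' instead of 'exefile'"
}
$cmd = Get-RegDefault 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
if ($cmd -ne $expectedCommand) {
    $findings += "exefile open command is '$cmd' instead of '$expectedCommand'"
}

# A command placed directly on .exe overrides the exefile one for every
# program launch; a clean machine does not have this key.
if (Test-Path -LiteralPath 'Registry::HKEY_CLASSES_ROOT\.exe\shell\open\command') {
    $findings += 'HKCR\.exe\shell\open\command exists (should not)'
}

if ($findings.Count -eq 0) {
    'OK: .exe association matches the stock values'
} else {
    'Deviations found:'
    $findings | ForEach-Object { " - $_" }
}
```

Any deviation reported is exactly what fix.reg corrects; if a value still differs after the reg file has been merged, the malware process is still running and rewriting it, which is where the rkill step comes in.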
 
For a standalone executable, I switch to the admin account and create a subfolder for it under Program Files.

For installers, I switch to the admin account and install from there. If switching is inconvenient, one could also right click on the executable and "Run as administrator".

Avoids inadvertently creating holes in this very effective defensive layer by adding exceptions and neglecting to delete them once they have served their purpose.
 
Yer, I had to create a few exceptions for ours as AutoCAD and Adobe both create .tmp files in the Users Temp folder that are actually executables.
 