PC World Forums: Scam Antivirus App Spreads Malware - PC World Forums

Scam Antivirus App Spreads Malware

#1 PCWorld

  • Advanced Member
  • Group: PCWorld BOT
  • Posts: 44,143
  • Joined: 01-August 07

Posted 21 February 2009 - 02:15 PM

Post your comments for Scam Antivirus App Spreads Malware here

#2 DoDoMan1

  • Member
  • Group: Members
  • Posts: 14
  • Joined: 10-May 07
  • Location:sept iles

Posted 22 February 2009 - 12:22 PM

I believe there are a lot of viruses that were made to sell more of the anti-virus products. If you stop and look at the times that we are hit the hardest, it is the first and second quarters and the last quarter of the year; it looks like a boost to start and finish the year.

#3 oldschoolh4ck3r

  • Advanced Member
  • Group: Members
  • Posts: 205
  • Joined: 11-January 09

Posted 22 February 2009 - 01:16 PM

Good observation. This is why I believe that the best antivirus application is one that's FREE. I've found that the free ones are generally better and faster. A really good app would also protect the HOSTS file and monitor the system for suspicious activity.

#4 kcredwolf

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 24-February 09

Posted 24 February 2009 - 09:30 AM

FYI- I have run into another one, calling itself Antivirus360. Zone Alarm & AVG both show clean scans, but this ugly program keeps appearing. Nasty!

#5 kywriter

  • Newbie
  • Group: Members
  • Posts: 1
  • Joined: 18-September 06

Posted 26 February 2009 - 06:58 AM

This article begs the question: What must the normal user do when such an attack is underway? Clicking the 'X' in the right corner is not a sure thing and killing the process using the Task Manager is iffy.

#6 OldOnliner

  • Full Member
  • Group: Members
  • Posts: 67
  • Joined: 27-February 08
  • Location:Beloit, Wisconsin

Posted 26 February 2009 - 07:46 AM

kcredwolf said:

FYI- I have run into another one, calling itself Antivirus360. Zone Alarm & AVG both show clean scans, but this ugly program keeps appearing. Nasty!


The Microsoft Malicious Software Removal Tool should remove AV360. (This was covered in a PCWorld article in January or early February.) The MRT.EXE program is updated as part of Microsoft's monthly "Patch Tuesday" (2nd Tuesday of each month) along with the monthly batch of Windows Updates. (You can find MRT.EXE in your System32 folder. The current version should have a file date of 2/9/2009.)

To use it:

Windows XP - Click the Start button, click Run, type "MRT.EXE" (without quotes) and hit Enter. Say "yes" if prompted to run as administrator.

Vista - Press the Windows button (usually lower left side with the Windows logo on it) and the "R" key on the keyboard at the same time. This opens the Run dialog box. Type in "MRT.EXE" (without quotes) and hit Enter. Say "yes" if prompted to run as administrator.

Run the Full Scan option.

Go to lunch.

Come back from lunch and get MalwareBytes Anti-malware at - http://www.malwarebytes.org/ - and run it, too.

I couldn't believe it this weekend. We sold two new PCs - a laptop and desktop - with working AV programs installed - and still these PCs came back on Monday with fake AV programs running on them! One was the "Antivirus 360" craplet, the other was something called "Anti-Virus-1". I just blew them away and went back to factory.

People think having an AV means having some kind of invulnerability to this stuff. It doesn't work that way! These are scams, they present to users a false promise/premise, and con the user into clicking and executing a bogus program, bypassing all protections. It does this because the computer user tells the non-thinking PC to do so and, like an obedient and dumb servant, the PC does exactly what it is told to do. That's how PCs work!

The pests aren't really doing anything yet, they're just trying to gain access, so they can hide from or disable your AV, and start a party on your PC. Protected PCs don't "detect" anything because at this stage they're just annoying web based pop-ups. (With no network connection, these pests often won't show any symptoms beyond slow startup.)

#7 Sunfell

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 12-February 08

Posted 26 February 2009 - 10:22 AM

Some of the craplets in the fake 2009 family do pop up alarms when the system is not connected to the Internet. I noticed that an infected machine insisted that several ports were being scanned at that very moment, even though I had the network cable coiled up on the floor and the wi-fi disabled. This iteration also disabled my favorite cleaning tools- including Malwarebytes Anti-Malware and Spybot S&D. They refused to run.

#8 OldOnliner

  • Full Member
  • Group: Members
  • Posts: 67
  • Joined: 27-February 08
  • Location:Beloit, Wisconsin

Posted 26 February 2009 - 12:17 PM

Sunfell said:

Some of the craplets in the fake 2009 family do pop up alarms when the system is not connected to the Internet. I noticed that an infected machine insisted that several ports were being scanned at that very moment, even though I had the network cable coiled up on the floor and the wi-fi disabled. This iteration also disabled my favorite cleaning tools- including Malwarebytes Anti-Malware and Spybot S&D. They refused to run.



Curious... Was this a machine that was running without a current AV/IS? Was it short on Windows updates? Was it used for P2P file theft and sharing?

The reason I ask is the few machines I saw this past week were new, out of the box Dells, Emachines and HPs - laptops and desktops both - and all had their default install of McAfee, Norton 360, and Norton IS respectively. It's not clear to me whether the owners had ever actually gone through with setting up the programs. In one case, I know the owner was looking in a search engine for a free antivirus program to use instead of the Norton 360 that came with their new Emachine.

The results for all these machines were pretty minor annoyances, easily dealt with. In one case, the HP, there was no sign of an issue until it was plugged into the network. The symptoms resulted from a BHO that was somehow installed in IE which makes me suspect he'd never enabled NIS or it stopped the other nasty stuff except the BHO which remained active.

Anyway... nowadays we just clean the mess and don't waste a whole lot of time analyzing the 5 W's and the H of such things.

#9 Sunfell

  • Newbie
  • Group: Members
  • Posts: 3
  • Joined: 12-February 08

Posted 27 February 2009 - 10:22 AM

Hi, Old Onliner-

This computer was a WinXP pro laptop running a current AV. Being mobile, it would automatically be updated when connected to our network, so it is possible that this malware slipped in before MS and McAfee had a fix. This machine was used by kids, so it is very possible that a site was visited which downloaded this malware. I figured that the malware loaded other rude surprises in the machine which disabled the use of my usual tools to clean these things with. (I do need to learn how to get to the BHOs without using Hijack This!- then I could have fixed the HOSTS problem that kept the recursive element running.) This damn thing totally hosed the HOSTS file, as well as other things.

I ended up re-imaging the machine, and warned the user not to permit his kids to use it, but those warnings tend to be ignored. We keep our images updated just for that sort of thing- I have to manage about 150 laptops. I've had to clean AV 2009 off at least five of them so far. This is the first time I was not successful.
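Added example, not part of any post in this thread: posts #3 and #9 mention HOSTS-file tampering by these fake AV programs, so here is a small Python audit that flags hosts entries overriding security or update domains. The watched-domain list, the reason strings and the sample file are assumptions constructed for illustration.

```python
import ipaddress
import sys

# Assumption: domains worth watching (Microsoft update hosts, security vendors).
WATCHED = ("malwarebytes.org", "microsoft.com", "windowsupdate.com",
           "avg.com", "avast.com", "mcafee.com", "symantec.com")

# Constructed sample; addresses come from documentation ranges.
SAMPLE_HOSTS = """\
# constructed sample, not from a real machine
127.0.0.1    localhost
::1          localhost
127.0.0.1    www.malwarebytes.org
203.0.113.7  update.microsoft.com download.windowsupdate.com
0.0.0.0      ads.example.net
192.0.2.10   intranet.example.com   # local override, needs a human look
"""

def parse_hosts(text):
    """Yield (line_number, ip, names) for every active hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment-only or incomplete
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first field is not an address
        yield lineno, ip, [n.lower().rstrip(".") for n in fields[1:]]

def audit_hosts(text):
    """Return (line, name, ip, reason) for entries that deserve review."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if any(name == d or name.endswith("." + d) for d in WATCHED):
                reason = "security/update domain overridden"
            elif ip.is_loopback or ip.is_unspecified:
                continue                  # localhost or sinkhole-style block
            else:
                reason = "name pinned to a non-loopback address"
            findings.append((lineno, name, str(ip), reason))
    return findings

if __name__ == "__main__":
    # No argument: audit the sample. Otherwise audit the given file, e.g. a copy
    # of C:\Windows\System32\drivers\etc\hosts from the machine being cleaned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print("line %d: %s -> %s (%s)" % finding)
```

Any override of a watched domain is reported even when it points at 127.0.0.1, since that is enough to stop a cleaning tool or updater from reaching its server.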

#10 Deadhacker

  • Full Member
  • Group: Members
  • Posts: 88
  • Joined: 17-November 08

Posted 02 March 2009 - 10:07 AM

Old Onliner wrote:
the few machines I saw this past week were new, out of the box Dells, Emachines and HPs - laptops and desktops both - and all had their default install of McAfee, Norton 360, and Norton IS respectively.
---
In my experience, those are the three least-effective AV packages available in the world today. Last time I checked, they were rated at only 15% effective under the AV100 tests.
I always recommend Avast and AVG (depending on what the user's comfort zone is) for my users at home. Or using Linux instead, since there are so few viruses targeting Linux.