Wednesday, December 09, 2009

Rogueware: Personal Security

"Well I won't back down, no I won't back down, you can stand me up against the gates of Hell, but I won't back down."
~ Tom Petty & The Heartbreakers

This is a nasty variant of the so-called "Security" rogueware. It's called "Personal Security" and looks to be from the same scammers that create "Antivirus 2009, 2008, 2007, etc."

First off, let's explain "rogueware": this is software offered to you via web sites or advertising banners that claim you have a problem with your computer and that they can fix it.

Once the software is downloaded and installed, it uses "smoke & mirrors" to trick you into thinking it has found all sorts of problems, and it will remove them ONLY if you register the product.

In reality, registering the product does not help at all. After you pay your $40 (sometimes up to $80) to register it, the scammers just leave you $40 poorer, with a program that continues to infect your computer and even blocks certain programs from running.

Let's take a look at the signs of this variant...

The first window displayed on your desktop is the bogus security center. Its job is to trick you into thinking it is the Windows Security Center, and that you have no virus protection.

DON'T CLICK ANY BUTTONS... Not even the [X] to close the Window!


After the above is displayed, you're then presented with yet another window that pretends to scan your computer, and it miraculously finds lots of viruses, trojans, etc.

DON'T CLICK ANY BUTTONS... Not even the [X] to close the Window!


During your use of the infected system you will see this window several times, attempting to trick you into believing you have 42 threats on your system, and it offers to remove them for you.

DON'T CLICK ANY BUTTONS... Not even the [X] to close the Window!


Yet another window attempting to trick you into clicking its buttons, to make you think you need to update your virus database...

DON'T CLICK ANY BUTTONS... Not even the [X] to close the Window!


Okay, it's busting time....

First, disconnect your system from your network and the internet, and turn off your Wi-Fi. You do not want this system accessing any network while you're cleaning up this infection. This variant will detect that you are cleaning it and will try to pull down more stuff to install on your system. Also, if you click any of the buttons in its various windows, it will pull down more crap for you to remove.

01. On another clean computer, download the following:

Malware Bytes 1.42 (file hippo is safe to download from)
http://www.filehippo.com/download_malwarebytes_anti_malware/tech/

02. Copy the downloaded file to a USB drive.

03. Plug the USB drive containing the file into the infected system.

04. Install MalwareBytes (but uncheck "run now" and "update now").

05. Go to the folder containing the installed "Malware Bytes", and copy and rename the main .exe file, "mbam.exe"... name the copy something other than "Copy of mbam.exe". This infection looks for BOTH of these names and kills the application as soon as it's launched.

06. Double-click on the copied/renamed .exe you just created.

07. Click on the [Scan] button to begin the scanning process, and wait.


08. Once the scan process is completed, you will see that Malwarebytes has found some issues; click [OK] to continue.

09. You will then see a list of all the infections (spyware, viruses, trojans) that Malwarebytes has found. Click on [Remove Selected] and wait. Malwarebytes will then state that it needs to restart your computer... do not allow it.

10. Now shut down your PC completely. This variant will stay in RAM, which is why you do not want to perform a "warm" boot (aka just restarting your system).

11. Once you have rebooted from a cold boot, repeat steps 06 through 10 until you are clean.

12. After you have rebooted to a clean system, update Malwarebytes and perform yet another scan of your system to make sure it's clean.

13. I also recommend updating and running Spybot Search & Destroy against the system. It's always good to run them one after the other, sort of like a "second pair of eyes", to make sure things are properly cleaned up.

14. Procedure completed.
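The one step above that people get wrong is 05: the infection kills the scanner by matching its image name, so the copy must not be called "mbam.exe" or "Copy of mbam.exe". The PowerShell script below is an added example and not part of the original post; it automates steps 04-06 on the infected machine after you have copied the installer over on the USB stick and installed it by hand. It assumes a modern PowerShell (Get-FileHash needs version 4 or later), assumes the default install folder (C:\Program Files\Malwarebytes' Anti-Malware) and a USB drive letter of E:, and the expected hash is a placeholder you fill in from the clean computer you downloaded on.

```powershell
# Added example (not from the original post). Verifies the installer you carried
# over on the USB stick, then stages a randomly named copy of mbam.exe so that a
# process-killer matching on "mbam.exe" / "Copy of mbam.exe" does not see it.
# All paths and the expected hash are assumptions / placeholders; adjust them.

param(
    [string]$InstallerPath  = 'E:\mbam-setup.exe',   # assumed USB location of the download
    [string]$ExpectedSha256 = 'REPLACE_WITH_HASH_FROM_A_CLEAN_MACHINE',  # placeholder
    [string]$InstallDir     = "C:\Program Files\Malwarebytes' Anti-Malware"  # assumed default
)

# 1. Check the installer on the stick is the file you downloaded on the clean PC.
#    (Get-FileHash exists in PowerShell 4+; comparison is case-insensitive.)
if (-not (Test-Path $InstallerPath)) { throw "Installer not found: $InstallerPath" }
if ($ExpectedSha256 -ne 'REPLACE_WITH_HASH_FROM_A_CLEAN_MACHINE') {
    $actual = (Get-FileHash -Algorithm SHA256 -Path $InstallerPath).Hash
    if ($actual -ne $ExpectedSha256) {
        throw "Installer hash mismatch: got $actual, expected $ExpectedSha256"
    }
} else {
    Write-Warning 'No expected hash supplied; skipping installer verification.'
}

# 2. Locate the installed scanner (install it first with "run now"/"update now" unchecked).
$original = Join-Path $InstallDir 'mbam.exe'
if (-not (Test-Path $original)) { throw "mbam.exe not found under $InstallDir" }

# 3. Pick a random name that is neither of the names the infection watches for.
$blocked = @('mbam.exe', 'Copy of mbam.exe')
$chars   = @(48..57) + @(97..122)      # ASCII digits and lowercase letters
do {
    $random = -join ($chars | Get-Random -Count 10 | ForEach-Object { [char]$_ })
    $name   = $random + '.exe'
} while ($blocked -contains $name)

# 4. Copy under the new name (step 05) and launch it (step 06).
#    Writing into Program Files needs an elevated prompt, same as the install did.
$copy = Join-Path $InstallDir $name
Copy-Item -Path $original -Destination $copy
Write-Host "Renamed copy staged at: $copy"
Start-Process -FilePath $copy
```

Run it from an elevated PowerShell prompt with the network still disconnected; the scan itself is then started from the [Scan] button (step 07), and the cold boot in step 10 is still done by hand. The random name is the whole point: a killer that matches on a fixed image name has nothing to match.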

Here are the results if you just perform a "warm" boot instead of a "cold" boot of your system. These screens were captured for "Nortel Antivirus", which is rogueware as well.

The "Blue Screen Of Spyware!?"

Before you think major issues are upon your system, stop and read what this is saying: it's stating that your rogueware is not yet registered. Scammers will pull out all the stops when trying to get your attention and make you hand over your money for their scare tactics:


Boot Screen of Infection:

Since the variant "lives" in memory until you perform a "cold" boot, it can pop up all over the place to get your attention and scare and annoy you to no end. This is why it's important to always do cold boots during the cleaning phase of your system:


1 comment:

Viola said...

Such a nice blog for those who are concerned about security both residentially and commercially. As I have got from Security Window Gates