
Wednesday November 17, 2010

Win 7 Antispyware

Tonight Mom called and said she thought she had gotten some kind of virus disguising itself as anti-virus software. She kept getting a window popping up telling her to download some software. She knew that she wasn't supposed to do this and that McAfee was supposed to protect her from viruses. But McAfee had let this one through. [In fairness to McAfee, it turns out her subscription had expired several months earlier.]

This isn't a virus so much as it is a trojan and like so many of them, once it gets on your computer it is very hard to get rid of. By manipulating the Windows registry it prevents executables from running so that you can't install anything or run programs, and it stops you from getting to websites where you might find help or download fixes. Even if you can find the virus' executable files, they will reinstall themselves the next time you open your web browser or any other executable. Awful.

So Mom wanted me to help her get rid of it over the phone. The first help I found involved changing registry files and hopefully finding all the different names the trojan would hide under. I really didn't want to try that. But I found some advice on a McAfee support forum that seemed to be effective eventually (the post was from March of this year; it's now November and McAfee still isn't stopping its users from being infected by this thing or detecting or fixing it). It involved going to a page and downloading some other software. It seems like McAfee should catch the trojan by itself, but Mom was running a scan and it wasn't catching anything and at the end announced no problems were detected and her computer was clean, even while the big Win 7 Antispyware window was open on top of McAfee.

The person on the McAfee forum that had been infected had gone to the web page that had been suggested and unwittingly clicked on a Google ad at the top of the page for PC Tools. The PC Tools ad had a button saying Download Now. But really that just took you to PC Tools where they said you should buy PC Tools to fix your problems. Thinking that was the only way to fix his problem, the guy actually paid $50 for PC Tools and it didn't catch the trojan either. But below the PC Tools ad were the actual instructions on how to fix the problem. Part of the solution is installing MalwareBytes Anti-Malware, which is $25 shareware, but the free version will fix the problem.

Once you get into the real instructions, it is pretty straightforward. You download two files using an uninfected computer and put them on a USB drive (the laptop was infected, but fortunately the HP desktop was not, so she was able to get the files). Then you double click the first file, which is not an executable, but a .reg file. This file goes in and cripples the bad parts of the registry, I guess, allowing you to run the second file which is the MalwareBytes installer (an .exe file, which the trojan wouldn't let run until the reg file crippled it). The trojan still has its screen up the whole time, in fact the instructions say that if it isn't running that you need to get it running by starting your browser.

But the trojan doesn't do anything to stop the MalwareBytes installation and soon Mom had the software installed, updated, and was doing a full scan where it immediately started finding hundreds of bad records in her Windows registry (we would have never found all of those manually).

For some reason, after the first scan, the program started scanning again, so we closed the program, opened it again, did a quick scan, told it to fix whatever it had found, restarted as instructed, and now she is running a full scan again just to make sure it is cleaned out.
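Added here as an illustration, not part of the post or of the bleepingcomputer fix it links to: a PowerShell check of the registry entries Windows consults when launching an .exe, which is the mechanism the post describes the trojan tampering with and the .reg file undoing. It assumes the stock values `exefile` for `HKCR\.exe` and `"%1" %*` for `HKCR\exefile\shell\open\command`; run it check-only first and compare the values against a clean machine of the same Windows version before using the -Repair switch.

```powershell
# Added example (not from the original post): report whether the registry
# entries used to launch .exe files still hold their stock values, the kind
# of damage the post describes, and optionally put the defaults back.
# Assumed defaults (verify on a clean machine of the same Windows version):
#   HKCR\.exe                         (default) = exefile
#   HKCR\exefile\shell\open\command   (default) = "%1" %*
# HKCR is the merged view, so a per-user override under HKCU\Software\Classes
# shows up here as well.
$Expected = @{
    'Registry::HKEY_CLASSES_ROOT\.exe'                       = 'exefile'
    'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command' = '"%1" %*'
}

function Test-ExeAssociation {
    [CmdletBinding()]
    param([switch]$Repair)   # -Repair needs an elevated prompt

    $clean = $true
    foreach ($key in $Expected.Keys) {
        $want = $Expected[$key]
        # Read the key's (default) value; $null if the key or value is missing.
        $have = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($have -eq $want) {
            Write-Host "OK       $key = $have"
            continue
        }
        $clean = $false
        Write-Warning "CHANGED  $key`n   expected: $want`n   found:    $have"
        if ($Repair) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            Set-ItemProperty -Path $key -Name '(default)' -Value $want
            Write-Host "RESTORED $key"
        }
    }
    return $clean
}

# Check only; rerun with -Repair from an elevated prompt to restore defaults.
if (Test-ExeAssociation) {
    'exe launch entries look stock'
} else {
    'exe launch entries were modified; run a full scan with an up-to-date anti-malware tool'
}
```

Restoring these two values only lets executables run again; it does not remove the trojan, which is why the post still installs and runs a scanner afterwards.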

Anyway, it looks like a good solution if you avoid clicking the ads at the top of the page.

Here's the page:

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

I don't think Mom should buy the full version of the shareware, but I did click on the two ads afterwards so the owner of the site would at least get something for his trouble.

Comments (4)

What a pain. Have you considered installing Linux for her? Or does she need some proprietary Windows-only app? I have found that Linux is the best option for people who are beginning with computers, because they aren't accustomed to ANY operating system, and because Linux is much harder to mess up.

She's pretty good on computers and uses Office and Publisher a lot, so Windows is best for her, despite the occasional glitch.

Plus I'm not a fan of Linux, though I agree it has its uses. I have a friend who isn't great at computers and his son set up a Linux installation for him on a laptop so he can surf the internet. He didn't even realize he was using Linux; all he knows is it never breaks, unlike his laptop at work.

Oh that she could afford a Mac....

Jami called me this morning after her laptop got a similar virus. This one wouldn't let her run the .reg file though. So instead we booted into safe mode with networking. The virus didn't seem to be working in safe mode and she ran the reg file and then installed MalwareBytes and updated it (that's why safe mode needed to be "with networking"). The scan caught a bunch of stuff and she is now running a second scan in normal mode (unsafe mode?) before putting Norton on there and hopefully preventing future infections.
