Software Scam

[nebgranny]

Morning :
My friend has a problem with a screen which came up on her computer last evening. It has taken over as her home page which she can still get to via her favorites. It keeps intruding and comes up with a message telling her that her computer has been compromised and she has a virus. It tells her to download a software within the screen. I am sure this is a scam to get her to purchase a software program by scaring her into thinking she has a virus and 2 that she needs the software to remove it. She did a search all files and hidden files and her computer does not have a virus.

I remember having something like this a year or so ago, but do not remember how I got rid of it. Does anyone here know how to get rid of this screen ? Any help would be greatly appreciated . Thanks Nebgranny

[denschneider]

this may be a scam or worse it probably is a virus that will be downloaded when she clicks on the download button on the screen.How to get rid of it? a good antivirus like macafee or kaspersky should clean it.

[Xaran]

You don't say which browser she is using but assuming IE then can she reset her home page. under tools/internet options on the menu. If she has her original home page open she can then just click on the use current button.

Christine

[bazza64]

Hi nebgranny,
It sounds like your friend has the "Winantispyware 2008" trojan, it's also known as the "Winantivirus 2008" trojan. It pops up on peoples screens as they surf the net looking at seemingly normal web pages, it tells them it has detected a virus on their computer and immediately starts downloading a free scanner., thats when it installs itself on the computer. It supposedly finds a number of "bugs" on the computer and if you pay them a fee they will download the unlock key for the software, IT"S A SCAM,
it's been around since 2005 it changes its name every year. It's also known as the Vundo trojan.

It hijacks IE and and redirects you to web pages it wants to, it's no use changing your browser bach to what you had before it will simply change it back again.

If you want to try and fix it yourself then as a start I would suggest you download spyware tools like PCtools, Hijackthis (be carefull using this), Superantispyware, Avg v8 free. these are all free!! in some cases you might have to edit the registry files (this can be harmfull) one software package is not enough to clean out this baby, it's got a bad habit of rewriting it's own .dll files and you have to start all over again.

If your not sure on what to do I suggest you call a technician, this is one of the worst "bugs" on the net.

I get at least 6-8 comps' a month with this bug on it, it will gradually disappear over the next few months as the security software company's get a handle on it, untill next year.

For anybody reading this, as soon as you see it on your screen immediately get out of IE (this stops it installing)and then reactivate IE and go to Tools-> Internet Options and delete all cookies and temp internet files. This is where it resides untill you reboot your computer.

Hope this helps you,
Regards,
Barry

[TommyO]

I would agree with Barry. These often fall into the Malware category, thus many low end virus software don't catch them. I have had it before, as many friends have. It can be removed easily, but often takes several iterations from the removal tool. I had success with AdAware and SpyBot (both free); again, having to use both. It can also be removed manually, but is a pain.

[Jerryb]

hi,
your friend sounds like has a adware infection.... that not a virus.... come underthe broad category of spyware...

now to remove if we knew the name of the software that there trying to scare the person into buying....... we could probably come up the procedures to remove it...!!

but your friend can do a search on removal instructions on the net and find it should be easy...

alternatives.... many times they set themselves up running at startup so check your msconfig....

now another way...... this will make it inactive,,, but files still be there on the hd just that there doing nothing and that is use your restore point and pick date a couple of days before the infection occurred...!

Quote:

Originally Posted by nebgranny

Morning :
My friend has a problem with a screen which came up on her computer last evening. It has taken over as her home page which she can still get to via her favorites. It keeps intruding and comes up with a message telling her that her computer has been compromised and she has a virus. It tells her to download a software within the screen. I am sure this is a scam to get her to purchase a software program by scaring her into thinking she has a virus and 2 that she needs the software to remove it. She did a search all files and hidden files and her computer does not have a virus.

I remember having something like this a year or so ago, but do not remember how I got rid of it. Does anyone here know how to get rid of this screen ? Any help would be greatly appreciated . Thanks Nebgranny

[bazza64]

Hi again Nebgranny,
With the symptoms you described I assumed it was the 'Winantivirus 2008' malware, only because over the last couple of months I've had a rash of infections with this 'bug' on customers computers.
The only software that you have to be carefull with that I recomended to you is 'Hijackthis', this software tells you if IE has been changed in any way over and above the "normal" level of modification thats done by genuine software. If your not sure about it, don't use it.

TommyO is right, it is "malware" meaning it's more of a nuisance bug more than anything else as your finding out.
JerryB is right to, you can go back in time by using system restore, but it's files are still on your drive!! and as a technician thats not acceptable, I like to get rid of all this "bugs" files.

Another tip I forgot to tell you is run your scans in safe mode, this stops it files from activating during bootup.
If you want to you can do a "google" search on "how to remove the Winantivrus 2008 trojan" you will get web pages that list all the files that this bug installs on your HD, print these out and then you can use Explorer to do a search for these files to make sure that their gone, and if any remain you can delete them.
I hope this works for you, if you need anymore help please let me know. Were all here to help.
Regards Barry.

[nebgranny]

Hi Barry:
We found a software that is suppose to remove this , however when my friend ran it and said a lot of things were in the registry and she did not want to fool with them and reemove them at my suggestion . We do not know a thing about dealing with this and have been told this is dangerous. OH, here is the site that offers the removal software. http://www.malwarebytes.org:80/forum...showtopic=5175

Tell us what you think. She tried it and came up with a lot of registry threats or infections. Thanks nebgranny

[plugsnpixels]

And Windows is so popular why-? I'm serious.

[bazza64]

Hi Nebgranny,
If the security software that you ran picks up registry entires from the 'bug' it is usually safe to let it remove those entries, as a precaution I suggest you create a restore point first and back up your reg files to a seperate folder.
I don't suggest you try to remove these manually, any other tech reading this would agree with me the registry is a mine field for the inexperienced user.

Run as much free software as you can, I will list some good ones again for you.
Adaware 2008
Superantispyware free edition
PC Tools antivirus
Spybot search and destroy

I have not used that software in your link as yet, but I will download it and test it out and let you know what I think.

Keep in touch,
Barry.

[bazza64]

Hi Plugsnpixels,
I suppose a lot of people that use Mac's are wondering the same thing. I don't know what it's like overseas but in Australia i can build you a very powerfull PC for a fraction of the cost of a Mac. My average customer dosn't do what you and I and other members of this forum do, their just happy to surf the net, send and receive emails, burn their photo's to a cd to store them safely and take them to Kmart to get them printed, they don't even know what cs3 is and they want to do all this as cheap as possible.

Maybe one day we PC users will evolve
Regards,
Barry.
P.S I like a lot of the helpfull suggestions you give to other members.

[plugsnpixels]

G'day Barry,

Yeah, I understand, no worries. And you're welcome for the suggestions/advice.

I agree, I like the concept of being able to build your own box. But once you load Windows, then the cost begins! ;-) Certain Mac hardware lets you customize the internals to a degree (G4, G5 and Mac Pro towers), and I've taken advantage of this to hot rod my Macs.

I've played with Ubuntu Linux and think it's a great thing to have available, but personally have no use for it at this time.

Anyway, good luck with your customers! I just read this today:

Trojan Steals 300,000 Bank Log-ins, Financial Data

The Sinowal Trojan has stolen roughly 300,000 bank log-ins and a similar number of credi and debit card numbers according to RSA FraudAction Research Lab. RSA reported finding a treasure trove of financial data stolen by the Trojan, which uses rootkit functionality to infect a PC's master boot record, allowing it to slip by malware defenses.

[Dave.Cox]

Hi Nebgranny

If you are still having the problem, I would suggest that you go to Kaspersky.
http://www.kaspersky.com/
They have some free scans that you can run, and they also have a help forum to help users resolve these problems. They also have several tools that can fix many of the problems for you, including system mechanic, and Kaspersky internet security. I know that they aren't free, But I use them and feel that it is worth the cost. (And it's costs less than running out and buying a Mac.)

By the way, I wouldn't run the PCTools stuff. I have seen it cause some real problems for people, including myself, and it can be hard to remove.

[bazza64]

Hi plugsnpixels,
I'm glad you posted that link for members to look at, it backs up what I tell my customers that in general Internet banking is not safe. The trojan thats mentioned is like many other trojans that are written to do the same thing, their called 'keylogger' trojans, in other words they record every keystroke, mouse click, web page that you visit. all this info is saved to a small file (40-50k's) and when full sends the info to the person that wrote it when you connect to the net.( bypassing your security) These crimainals attitude is 'why rob a bank when you can rob accounts', This is the fastest growing criminal activity in the world. Here is a tip, if you find one of these on your computer after a scan, go down to or ring your bank (do not use the net) and change your password, this stops them accessing your account with the old password. There are trojans written to collect all sorts of information these are just one type.

I have special software to scan the mbr for "bugs', this area is a bigger minefield than the rest of the registry.

Ubuntu is a good OS, not enough backup, Bill Gates has got us all by short and curly's

Regards,
Barry.
P.S with a greeting like G'day, you wouldn't be an Aussie by any chance?

[l2jc]

It's not a virus. It's spyware/adware. Although a trojan can be intertwined within the spyware. Definitely Run Spybot and AVG. Just to be on the safe side and to save time. Reboot your computer and as it's starting up press and hold the F8 button and boot up in "safe mode". This will load only the necessary windows drivers and kernels. And then run Spybot and AVG, it will help prevent an automated reinstall of the malicious program.

OH and don't forget to clean out your temporary files and System Restore/Shadow copy files FIRST.


Oh and don't forget to update Spybot and AVG before scanning. Sorry for the order of advice, it's a bit late here in my town. Hope everything works out of ya.



|2Jc
Residential Network Services Tech
University of California Riverside

[bazza64]

Hello l2jc,
Nice to know there is another 'tech' in the forum.

Regards,
Barry.

[studio66]

Hey NebGranny.
Major geeks used to have a program the was pretty nifty at helping with this.
*VundooFix*.
Got rid of most of the thing, but as others have said do it all from safe mode and backup everything else first.
Turn off system restore and delete all system restore points or it will come back to haunt you with random files left in Win system 32.
I finally killed it`s remnants with Tend Micro online scan.
HTH.

Studio66.

[studio66]

Quote:

Originally Posted by nebgranny

Morning :
My friend has a problem with a screen which came up on her computer last evening. It has taken over as her home page which she can still get to via her favorites. It keeps intruding and comes up with a message telling her that her computer has been compromised and she has a virus. It tells her to download a software within the screen. I am sure this is a scam to get her to purchase a software program by scaring her into thinking she has a virus and 2 that she needs the software to remove it. She did a search all files and hidden files and her computer does not have a virus.

I remember having something like this a year or so ago, but do not remember how I got rid of it. Does anyone here know how to get rid of this screen ? Any help would be greatly appreciated . Thanks Nebgranny

.

Sorry I forgot to mention Get Firefox *forget_IE_in any version*.

Studio66.

[plugsnpixels]

Is there a way to do the Windows software update without IE? I'm a Mac user running Windows via Parallels and use IE>Tools>Windows Update to get the latest stuff.

I'm not running Windows at the moment or I'd check and see if it's just a simple matter of bookmarking a URL in Firefox...

[l2jc]

Quote:

Originally Posted by plugsnpixels

Is there a way to do the Windows software update without IE? I'm a Mac user running Windows via Parallels and use IE>Tools>Windows Update to get the latest stuff.

I'm not running Windows at the moment or I'd check and see if it's just a simple matter of bookmarking a URL in Firefox...

If you turn on automatic updates. It'll download the necessary patches automatically. There should also be a link for updates in the programs menu...however I'm not 100% sure. I haven't updated an XP system in a while as I use vista. But the auto updates in the computer settings will work. Or you can always go to update.microsoft.com, but that also requires IE to run.. =\

As a side note:
You use should bootcamp (included in mac osx) and install XP as a dual boot. It's much better than using a virtual machine like parallels.

[studio66]

Try *AutoPatcher* (google it ).
It used to be a download of all the updates and XP service packs in a single download.
Save it and keep it for whenever you do a reinstall of win XP.
No need to go near IE to install it from the cd/dvd.
Also allows to leave out a lot of cruft /as selectable options.

Studio66

[studio66]

Dont forget to Physically unhook your machine from the net connection, or vundoo will just reinstall itself ever time you reboot.
It`s a tough little mother.

Studio.66

[studio66]

Don`t forget to Physically unhook your machine from the net connection, or vundoo will just reinstall itself ever time you reboot.
It`s a tough little mother.

Studio.66