by Flightful
Mon Aug 09, 2010 12:50 am
I removed a particularly nasty piece of work called Security Master from a client's PC. Security Master is a fake antivirus program that attempts to dupe the user into spending $100 via credit card. Fortunately the client didn't take the bait; he just shut it down and asked me to take a look. Here's how it works:
1. During a visit to a website, you'll get some kind of "virus alert" popup that invites you to download their free AV program. The "free anti-virus software" IS the virus.
2. Later on, popups will appear warning that viruses have been detected. Like legit AV programs, you will be given the option to remove or quarantine the file. Selecting either opens their website where they offer the "Professional Upgrade" for $100. No doubt that in addition to taking your $100, they're probably going to sell your credit card info.
Removal was a challenge because the client did not have any AV installed and I had forgotten my USB key with the AVG package. Security Master is installed as a regular program; however, it does not include an uninstaller. Also fun to find, because the folder and its contents are given the system attribute, which is not displayed by default. Also, the virus prevents Internet Exploder from downloading popular AV programs, and it creates fake registry entries that prevent legit AV programs from installing and running. Here's how I got the machine back to health:
1. Installed Firefox and downloaded AVG Anti-Virus Free.
2. Booted in Safe Mode and deleted the folder where the software was located.
3. Edited the registry to remove all references to Security Master and also all AVG references (they prevent AVG from installing).
4. Installed AVG and performed a full scan, which nuked several hundred bogus registry entries and trojans.
The moral of the story:
1. If your machine is compromised, do not use it for any financial or confidential purposes until it has been cleaned.
2. Install a reputable AV and familiarize yourself with the messages it generates. Set it up for continuous protection and a full scan at least once a day. My preference is AVG Free, designed for the home user, with automatic updates and no annual subscription required.
3. Create a bootable emergency CD with the AV software. This should be done on a regular basis so that you have the most recent virus patterns. Had I had one in my possession I could have cleaned it up in less than an hour.
4. If you suspect a virus on a machine that is either unprotected, has fake AV software installed, or has something that your AV can't handle, try booting with the emergency disk created in step 2 and following the instructions.
5. Legit AV programs NEVER prompt for an upgrade to remove a virus.
If you're not comfortable with editing the registry, the going rate for virus removal by a tech here in Toronto is $40.
How to spot a fake anti-virus:
1. The most common ones are Security Master and iVirus.
2. Popups that indicate a virus has been found which direct you to a website.
3. This is the biggie: all legit anti-virus and security software has an uninstall feature. If it doesn't show up in Control Panel - Add or Remove Programs, it's a fake and your machine is probably full of trojans.
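As an added example that is not part of the original post (and not a tool from the poster or from AVG): a PowerShell triage script that checks for the two signs described above, program folders carrying the System attribute that Explorer hides by default, and program folders that have no entry under Add or Remove Programs. It assumes PowerShell 3 or later on the affected machine, the standard Uninstall registry paths, and only the Program Files roots; the matching rule between folders and uninstall entries is a heuristic of my own.

```powershell
# Added example, not from the original post: list program folders that either
# carry the System attribute (hidden by default in Explorer) or have no matching
# entry under Add or Remove Programs (the Uninstall registry keys). The output is
# a triage list for a human to review, not a verdict.

# Standard locations where installers register an uninstaller.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Everything that does register an uninstaller, with display name and install folder.
$registered = foreach ($key in $uninstallKeys) {
    if (Test-Path $key) {
        Get-ChildItem -Path $key | ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.DisplayName) {
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    InstallLocation = [string]$p.InstallLocation
                    UninstallString = [string]$p.UninstallString
                }
            }
        }
    }
}

# Program roots to inspect; ProgramFiles(x86) only exists on 64-bit Windows.
$programRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path $_) }

$findings = foreach ($root in $programRoots) {
    # -Force returns hidden and system items that a plain listing would skip.
    Get-ChildItem -Path $root -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            $dir      = $_
            $isSystem = ($dir.Attributes -band [IO.FileAttributes]::System) -ne 0
            $isHidden = ($dir.Attributes -band [IO.FileAttributes]::Hidden) -ne 0

            # Heuristic (my assumption): a folder counts as registered if an uninstall
            # entry names it as the install location or carries the folder name in
            # its display name.
            $match = $registered | Where-Object {
                ($_.InstallLocation -and
                 $_.InstallLocation.TrimEnd('\') -ieq $dir.FullName) -or
                ($_.DisplayName -like "*$($dir.Name)*")
            }

            if ($isSystem -or -not $match) {
                [pscustomobject]@{
                    Folder         = $dir.FullName
                    SystemAttr     = $isSystem
                    HiddenAttr     = $isHidden
                    HasUninstaller = [bool]$match
                }
            }
        }
}

# System-attribute folders first: under Program Files that attribute is the
# stronger signal, since legitimate installers rarely set it.
$findings | Sort-Object -Property SystemAttr -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt. Expect some noise in the "no uninstaller" column (built-in Windows folders such as Common Files have no Add or Remove Programs entry), so treat the SystemAttr column as the item to act on and confirm by hand before deleting anything; as in the post, the actual removal is still done from Safe Mode, followed by a full scan with a reputable AV.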