About the author

Christine

I'm a geek with a love for all things tech. I'm also an online business consultant with expertise in SEO, SMM, and digital marketing strategies.

31 Comments

  1.

    Chad Stephen Albert

    There are a few Linux-based live CDs that will boot into a stripped-down Linux and let you run ClamAV on an infected machine. Check out
    http://www.volatileminds.net/opendiagnostics/index.php/OpenDiagnostics_Live_CD

    Linux live CDs that contain ClamAV are a great way to try to get rid of nasty malware that makes it tough to work with the machine when in Windows.

  2.

    Jeremy Townsend

    I have run into that one a few times at work. It is a nasty one. It is the only one I have run into that I have had to have the computer shipped to me to fix. I was completely unable to repair this remotely.

  3.

    Lance Rulau

    You, Gina, are a saint. You are doing God’s Work (as Jeff would say). Many people are REAL people, and you just rescued another one. It may be frustrating, but it is the right thing to do.

    You’re Awesome,
    Lance

  4.

    mrhaydel

    Gina?

    Sounds like you’ve 100% qualified for this Nerd Merit Badge!

    Of course, that is, unless you already have it.

    Thanks for posting this recap – it’s always interesting to see how others go about this kind of stuff!

  5.

    Troy Peterson

    I second Chad’s comment. I used ClamAV a few days ago to get rid of this from a neighbor’s computer. It worked great the first time. I also took this a step further to prepare for next time and installed Trinity Rescue Kit (TRK) on a pen drive. TRK has several free AV tools including ClamAV and AVG.

  6.

    geekman

    I had a similar experience a few weeks ago while trying to remove some malware called Personal Security [see this Bleepingcomputer article] from a friend’s PC. I ended up booting the machine from the UBCD4WIN live CD and deleting the program files that made up the malware.

    Once that was done, I was able to restart the machine normally and install and run Malwarebytes to complete the cleanup. I’m sure that if I’d had more time, I would have been able to figure out how to edit the Windows registry from a Linux live CD — but, any port in a storm.

  7.

    rujero

    Hi Gina, I had the same exact problem a few weeks ago with a friend’s laptop.
    I didn’t bother trying to remove the malware though: I just backed up what I could and reinstalled Windows, reformatting the HD.
    Is there a moral here? Switch to a Mac…

  8.

    cmason

    Gina, I had exactly this same issue with my in-laws. The issue was essentially behavioral: my FIL was a fanatic about clicking pop-ups that claimed he was at risk of spyware, so he was constantly getting these nasty fake antimalware programs, like the XP Antispyware. While I did manage to install a wireless router (for me during visits) with hardware firewall, it had little impact.

    After the last time doing this, I backed up their photos, made a record of their sites etc. And then I went to the Apple store and bought them an iMac. Loaded all their photos and other bits, showed them how to do things in Mac OS X, and left them to it. As far as I know, my FIL still clicks and downloads all the fake antimalware, but of course none of it works in Mac OS X. I have not had to do any work on their PC since the Mac, a change from several times a year with their Dell.

    I am safe until this stuff starts getting created for Mac, I suppose.

  9.

    boris

    Gina, sorry to tell you, but this is actually a very old infection; there is actually Antispyware 2010, yes, they actually increment the versions to appear more legitimate. But this one was one of the first of what became a whole generation of such infections (most security programs detect them as fake_alert). Unfortunately they all use the familiar Windows interface to trick users into installing their product, then they deliver the infection payload that varies. They use built-in Windows policies to prevent access to Task Manager, Windows Update, registry editors, sometimes even the Control Panel altogether, all this with a goal to prevent removal. Frequently the infection will also modify permissions for the registry and infected files so that they can’t be found and removed.

    I noticed that you turned off Java Updates in msconfig. Security exploits in Java are commonly the path by which these infections get in. Another one is Acrobat Reader. While constant update reminders are annoying, having updated Java, much like Windows, is a very important step in making sure that this doesn’t happen again. Next time you talk to Leo ask him about this; he and Steve Gibson frequently discuss Java and Acrobat “remote code execution exploits” on Security Now…

    Also, switching to Mac is not a solution, it’s only a way to ignore the problem… it’s only a matter of time before we start seeing the same type of infections for Macs, and the more popular they get the larger target they become…. Just be careful where you go and if in doubt use Google:

    http://www.google.com/safebrowsing/diagnostic?site=smarterware.org

  10.

    dweebsonduty

    Ahh, I have had the privilege of fixing this spyware many times over. I use a program called Combofix to stop it and remove most of it then I use Malwarebytes and Superantispyware to remove the rest of it.

    We probably clean this one out once a week as our business is computer repair.

  11.

    Ted Avery

    Strange that Microsoft Security Essentials didn’t detect it for you. I treated my uncle’s computer with this problem via Crossloop a couple of weeks ago and simply transferred the Microsoft Security Essentials installer through Windows Live Messenger file transfer. Ran it, installed it, and the spyware was gone.

  12.

    AJ West

    “when I restarted Windows in Safe Mode (F8 during boot) and tried to launch AdAware, this software started instead.”

    Wow… That’s insane. At that point I probably would have just reinstalled Windows and tried to salvage any files that my friend needed.
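
Two things in this thread explain the "everything I launch starts the rogue instead" behaviour and the locked-out Task Manager: the Windows policy values boris mentions, and a hijacked handler for .exe files. The script below is an added example written for this page (it is not the post author's or any commenter's tooling): it audits both locations, reports what it finds, and only resets them when run with -Fix. It assumes PowerShell is available on the machine (not a given on an XP-era box; it can be run from a second administrator account as Gene Miller and shri describe), and which of these values a particular sample actually sets is an assumption, so nothing is changed until you have looked at the report.

```powershell
# Added example (editor's, not from the post or any commenter).
# Audits two places rogue AV families commonly tamper with to block removal:
#  1. Windows policy values that disable Task Manager / regedit / Control Panel
#  2. the default handler for .exe files; when hijacked, every program you
#     launch (AdAware in the quoted line above) starts the rogue instead
# Run from an elevated prompt. Nothing is modified unless -Fix is passed.
param([switch]$Fix)

# Documented policy locations; which ones a given sample sets is an assumption.
$policies = @(
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager blocked' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'regedit blocked' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Effect = 'Control Panel hidden' },
  @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Effect = 'Task Manager blocked (machine-wide)' },
  @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Effect = 'regedit blocked (machine-wide)' }
)

$findings = @()
foreach ($p in $policies) {
  $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
  if ($item -and $item.($p.Name) -eq 1) {
    $findings += [pscustomobject]@{ Kind = 'policy'; Path = $p.Path; Name = $p.Name; Detail = $p.Effect }
  }
}

# The stock .exe handler is "%1" %* . Anything else (typically a path under
# %APPDATA% or %TEMP% followed by "%1") means every launch is proxied through
# that file. The per-user key under HKCU overrides the machine-wide one.
$exeKeys = @('HKLM:\Software\Classes\exefile\shell\open\command',
             'HKCU:\Software\Classes\exefile\shell\open\command')
foreach ($k in $exeKeys) {
  $cmd = (Get-ItemProperty -Path $k -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
  if ($cmd -and $cmd -ne '"%1" %*') {
    $findings += [pscustomobject]@{ Kind = 'exefile'; Path = $k; Name = '(default)'; Detail = $cmd }
  }
}

if (-not $findings) { Write-Host 'No lockout policies or .exe handler hijack found.'; return }
$findings | Format-Table -AutoSize -Wrap

if ($Fix) {
  foreach ($f in $findings) {
    if ($f.Kind -eq 'policy') {
      # Deleting the value restores the default; on a domain member, Group
      # Policy re-applies any legitimate setting at the next refresh.
      Remove-ItemProperty -Path $f.Path -Name $f.Name
    } elseif ($f.Path -like 'HKCU:*') {
      # Drop the per-user override so the machine-wide handler applies again.
      Remove-Item -Path $f.Path -Recurse
    } else {
      Set-ItemProperty -Path $f.Path -Name '(default)' -Value '"%1" %*'
    }
    Write-Host "Reset $($f.Name) under $($f.Path)"
  }
}
```

If the exefile check reports a hijack, the file it points at is the rogue's executable and is worth noting before you delete it, since the same path usually shows up again in the Run keys and as the running process. Samples that instead register a new file class and repoint the .exe extension at it are not covered by this check; Autoruns' "Image Hijacks" tab shows those.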

  13.

    @soyelmango

    Good on you for saving the day, though like you, I find that explaining the difference between legitimate and false popups is surprisingly difficult.

    And personally, if it’s looking like a case of multiple malware infection, I’d grab DrWeb LiveCD or Avira’s Antivir Rescue System – both live CDs so that you don’t even boot the infected Windows.

  14.

    Nathaniel Kabal

    I just removed this from a PC last week. Yeah, a nasty piece of work indeed. Wanted to flatten it and do a re-installation, but they wanted their data retained. Not the most agile user, but I demoted her account to standard, and will have to hope she doesn’t re-acquire.

  15.

    Alain Donais

    Is it only me or am I a bit paranoid, but I wouldn’t trust a computer with no updates since SP2 with firewall off for that long.

    I would copy data, destroy partition and start over re-installing Windows and everything else.

    From my experience anti-viruses are great to prevent incoming viruses, but once the virus/trojan/malware is in, I would not trust just one AV to find everything and be able to remove.

    Once a computer has been open season for a while, I can’t help but feel like I can’t trust it anymore.

  16.

    joec

    Did you have any issues with the user being renamed to “SAM”? I did when I had to clear this off a friend’s computer, and I still don’t think I can remove that user….

  17.

    rtfmplease

    @boris … while in theory I agree with you, I have been hearing that same logic for the last ten years. I haven’t had to do that kind of scanning after I switched. Sure, the mac isn’t for everyone, but after I switched my family over, my holidays with them have been way more peaceful and headache free.

  18.

    trivialm

    I ran into this a few weeks ago on my sister-in-law’s computer. Definitely a pain in the butt. The whole official looking pop-up window fooled me. I got tired after an hour of dealing with all the programs being hijacked so ended up reinstalling Windows. Though I did first use a Live Ubuntu CD, which was really nice, to get access to the drive and backup the data before reinstalling. I wish I did more googling at the time now.

  19.

    Gene Miller

    I deal with this b@stard of a program on a weekly basis (for work). Depending on how many times I’ve done it that week I’ll do a variety of these two methods. FYI, these methods are for workstations on a domain.

    1. Run legit antivirus w/ antispyware from the server on the infected machine. (Doesn’t always work)

    2. Log in as a new user, one that has never logged on to that machine before. Let the profile build, but before it is finished loading, right click the taskbar and load up Task Manager. Once you have that running, you have control of the Antispyware application and can run whatever apps/services you need to in order to regain control of the workstation. No registry editing is needed.

  20.

    Bryan Villarin

    Hey Gina, nice work.

    I’ve been using the Malware Removal Guide from the forums at Majorgeeks.com for over five years. It’s updated regularly.

    Of course, I hope you never have to use it. But, who are we kidding? 🙂

  21.

    MxxC

    Interestingly enough, today I had to clean up another computer infected with one of those fake anti-virus programs and I had very good luck with McAfee’s Stinger tool http://fileforum.betanews.com/detail/McAfee-FakeAlert-Stinger/1269012477/1
    They just released a new version specifically targeting those fake anti-virus apps.

  22.

    Jonathan Shan

    I work at UC San Diego’s Residential Networking, we do free viral removal for all UCSD affiliates, here’s our process:

    1. Run Hitachi’s Drive Fitness Test (DFT). About 30% of the time, people have failing hard drives, so it’s always best to check before spending a good deal of time manually cleaning a computer only to find out the work was in vain and the computer has hardware issues. If it fails, we call up the customer, have them purchase a new hard drive, reinstall the OS for them using the COA on the bottom of their laptops, and pull the data from the old hard drive (this is all done with a fresh copy of Microsoft Security Essentials and the latest service packs on their machine so their computer isn’t reinfected). If the test passes, we go on.

    2. F8 into Safe Mode with Networking
    3. Our network runs through a firewalled server with tools we download and run.
    4. Run rkill.com to remove any active processes.
    5. Run combofix, it sometimes takes more than once to run
    6. Check the logs for missed things and manually remove files
    7. Run CCleaner to remove any malware hidden in temp folders.
    8. Run Autoruns to remove malicious startup entries
    9. Run Process Explorer to see if any malicious processes are still running, and if there are any dll hooks from malicious programs.
    10. Install and run Malwarebytes Anti-Malware full
    11. Install and run Microsoft Security Essentials.
    12. Verify with Autoruns/Process Explorer (to make sure it’s all gone).
    13. Update programs with filehippo or ninite.
    14. Install the latest service packs.
    15. Give the customer a detailed description of how to stay safe and avoid reinfection.

    Obviously this is the bare bones of what we do, we add on any necessary registry hacks and networking fixes on a case-by-case basis.

    Hope that helps.
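
Steps 8, 9 and 12 of the procedure above are where most of the judgement goes: deciding which autostart entries are the malware. The script below is an added example for this page (it is not the UCSD team's tooling or anything from the post): it enumerates the common Run/RunOnce keys and the Winlogon Shell and Userinit values, resolves each command to a file, and flags entries whose file is missing, lives in a user-writable folder, or has no valid Authenticode signature. The list of "suspicious" folders is an assumption, as is the availability of PowerShell on the machine; treat the flags as leads to confirm in Autoruns and Process Explorer, not as verdicts.

```powershell
# Added example (editor's, not from the post or any commenter).
# Quick autostart triage: list Run/RunOnce and Winlogon entries, resolve each
# to a file, and flag the ones worth a closer look in Autoruns.

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Assumption: folders a rogue AV typically drops into. Adjust per machine.
$suspiciousDirs = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, "$env:SystemDrive\Users\Public") | Where-Object { $_ }

function Resolve-CommandPath([string]$cmd) {
  # Handles  "C:\path with spaces\x.exe" /arg  as well as  C:\path\x.exe /arg
  if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
  $m = [regex]::Match($cmd, '^\s*(\S+?\.exe)', 'IgnoreCase')
  if ($m.Success) { return $m.Groups[1].Value }
  return ($cmd -split '\s+')[0]
}

# Collect entries: every value under the Run keys, plus the two Winlogon values.
$entries = @()
foreach ($k in $runKeys) {
  $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
  if (-not $props) { continue }
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }      # skip the provider's own metadata
    $entries += [pscustomobject]@{ Source = $k; Name = $p.Name; Command = [string]$p.Value }
  }
}
$wl = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
foreach ($n in 'Shell', 'Userinit') {
  if ($wl -and $wl.$n) {
    $entries += [pscustomobject]@{ Source = $winlogon; Name = $n; Command = [string]$wl.$n }
  }
}

# Resolve and flag.
$report = foreach ($e in $entries) {
  $path = [Environment]::ExpandEnvironmentVariables((Resolve-CommandPath $e.Command))
  if (-not [IO.Path]::IsPathRooted($path)) {
    # Bare names like explorer.exe resolve through PATH, as the loader would.
    $found = Get-Command $path -ErrorAction SilentlyContinue
    if ($found) { $path = $found.Definition }
  }
  $flags = @()
  if (-not (Test-Path -LiteralPath $path)) {
    $flags += 'file missing'
  } else {
    foreach ($d in $suspiciousDirs) {
      if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $flags += "in $d"; break }
    }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
  }
  [pscustomobject]@{ Source = $e.Source; Name = $e.Name; File = $path; Flags = ($flags -join '; ') }
}

$report | Sort-Object Flags -Descending | Format-Table -AutoSize -Wrap
```

Read the output with the usual caveats: plenty of legitimate software is unsigned, so an unsigned file in Program Files is a weaker signal than a signed-looking name in %TEMP%; a Userinit value with anything after the standard userinit.exe, entry is a classic place for these families to hide; and an entry that starts rundll32.exe will resolve to the signed rundll32 binary, so look at the DLL argument in the Command column yourself. Whatever you delete here, run Autoruns afterwards, since it covers far more launch points (services, scheduled tasks, BHOs, image hijacks) than these five keys.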

  23.

    ZLoether

    Most computer users, including IT professionals, will do whatever they can to not have to reinstall an operating system. Run anti-virus software, remove the virus. That might fix that problem, but how can you really be sure?

    Once a computer has been compromised, it can NEVER be trusted again, at least not until all connected hard disks have been wiped and the operating system reinstalled.

    It is the clever intruder who installs two pieces of malware, one is obvious to draw your attention, and one is silently logging your keystrokes.

  24.

    shri

    Funny, I encountered this one yesterday on a fully patched XP system with F-Secure for Workstations on it. Beats me how it got in.

    I solved it by running Task Manager as another user with administrative rights, killed the .exe process that the spyware consists of and upgraded the anti-virus to include process control, browsing protection etc. Works fine for the moment but I guess I should check those registry entries!

  25.

    adventurejason

    Yet again, Gina, you’ve proven yourself one of the true superstars of the Internet, social media and the information age. Rock on.

  26.

    Miguel Wickert- Pineiro

    Great timing Gina, this article helped save my father-in-law-to-be’s computer. Seriously, this is huge, it helped me completely turn everything around. Some similar issues in both our situations. All is well for now. 🙂

  27.

    Andreas Schneidereit

    Gina, great story and reminder to all of us. I do light office work and some computer nerd duties at a small screen printing company when they need a little extra help. I went in one day and there was a new anti-virus on the computer asking to be updated. Since I had installed the anti-virus and anti-malware software on the computer, it totally confused me and stopped me from clicking the “OK” button. I asked the business owner if he had installed a new anti-virus and he told me “no”. Like the rogue program on your friend’s computer, it too would pop up a screen with a false list of problems after a “scan”. The more I tried to clean it out using my old tried and true methods, the worse the computer ran until it was completely unusable. I booted into safe mode, found and removed the executable, then I was able to reboot and download Malwarebytes. It cleaned the computer of any remaining traces of the rogue anti-virus. It was a truly frustrating, yet satisfying experience.

    I was unable to find out how the rogue program made it on the computer, it was running Windows firewall, AVG, and Spybot S&D. My only guess is somebody was visiting porn sites.

  28.

    gmf

    I contacted their customer service to remove this from my computer and they emailed me to set my calendar ahead 8 days, then in 8 days to reset my calendar correctly. Supposedly the program expires and deletes itself after 8 days. The other options were to not use your computer for 8 days or download one of their programs for removal ???? Yeah…right!! I have not tried this because of already going through the process of stripping my computer with the original software and restoring this way. Next time I will try the above method first; I have run across this program before and been able to get rid of it more easily than in this instance.

  29.

    Gabriella Arroyo

    HELP!
    Do you know anyone who actually fell for this scam and bought the Antispyware protection?? That’s what my mother did and she paid 80 dollars with her credit card!
    Will she get her identity stolen? We just called the bank what else can we do to prevent this??

  30.

    philmiller

    I too am wondering if anyone knows what happens after someone falls for this and pays the $70. I will be using the hints here to help a friend tomorrow to remove this. They paid the money and even spoke with someone from “customer support”. I will update here after I go through the process and am not on my phone.

  31.

    lgforbes

    Do *not* pay for this, especially with a credit card. For those folks who have already done so, it probably wouldn’t be a bad idea to cancel those cards. (See link below.)

    To safely get rid of such crap, there is lots of very good, effective advice, this site included. Cry for help — use a friend’s computer or go to the public library if you have to — and you’ll get it.

    Things can get worse:
    http://news.bbc.co.uk/1/hi/technology/8622665.stm

    Keep up the good fight, Gina et al!
