PC World has an article on this – http://www.pcworld.com/article/228893/not_even_security_managers_immune_to_fakeav_infection.html#tk.nl_spx_h_crawl
* And I got hit yesterday with one while casually browsing the web … the one that I got either caused the actual Microsoft Security Essentials to pop up or created a fake pop-up. I shut the computer down, although I read that it would shut down and reboot the computer itself. When it boots back up the only thing that runs is the Fake AV software. There is no option out of it. As described in the PC World article, rebooting into Safe Mode is of little help, as they have replaced the “shell” (explorer.exe), the GUI or Graphical Interface that is run in both Regular and Safe Mode boot-up modes.
There was a system type of file to be run to restore the normal desktop “shell” – if you could get to a point where you could actually run that.
* The actual fix was to download Malware Bytes and the Rules File on another computer and burn it onto a CD (or use a USB memory stick or other external drive), then boot into Safe Mode with Command Prompt. Start “explorer.exe”, then navigate to that external drive and run the “shell” fix; you might as well also run the Malware Bytes install and the Rules File install, and do updates anyway when first running Malware Bytes. If Malware Bytes wants to do an update (mine did), do that update for sure as well. Run the Quick Scan (which wasn’t very quick) and remove everything that it finds. Meanwhile MS Security Essentials found some infections during that scan … which I also told it to Clean/Remove.
* My desktop wallpaper had been changed to a black background with a single pixel white dot in the center. So after doing all of the above and rebooting I changed my desktop background back to what I had it at before the exploit hit me.
* I was pissed about the time wasted undoing this malware … and would love to beat the h!%&@ out of those responsible if given a chance or at least charge them an hour at $100 an hour for the work to remove their crap-ware. Anyway the PC World article in part reads:
Not Even Security Managers Immune to FakeAV Infection
By J.F. Rice, Computerworld May 28, 2011 1:00 pm
Can you believe it? As I sat down this morning to write this column, I got hit by a drive-by download of FakeAV.
My computer is infected with pop-up warnings and file scans telling me I have security problems, and Internet Explorer has been hijacked to keep sending me to a website where I can “purchase the software.” Pop-ups are coming from my taskbar, showing up in the middle of the screen, and rifling through my files with a fake scan. My computer is being held for ransom.
How did this happen? And what am I going to do about it? I mean really, as a security manager you’d think I would be immune to this kind of problem. My antivirus software is up to date and actively scanning, and my system is fully patched. That’s more than most people are doing. Fortunately, I also have current backups (more on that in a minute).
I wrote that a week ago. As it turned out, I had to do a lot more work to get rid of this infection than I anticipated.
I started with some research on what FakeAV is all about. I’ve been hearing a lot about it through word-of-mouth, and now I’m getting firsthand experience. According to Sophos, FakeAV is a rapidly growing threat on the Internet, mainly because it’s profitable to the people who wrote and distributed it. Evidently, a lot of people are being tricked into sending money to these criminals to get back control of their computers. I hate to think how many people are being fooled by this malware into thinking it’s a legitimate security scan. It would be a lot easier to just send them the money to get back control of my system. But I’m not going to let these guys win.
—
Alan Spicer
Alan Spicer Marine Telecom
http://www.marinetelecom.net – http://www.wifiyacht.net
communications @ marinetelecom.net
+1 954-683-3426
* Disclaimer: I could be totally full of it … about anything that I say on here. So take responsibility for your own actions with your own computer gear. I provide my email and telephone number because I am in business in Marine Communications and I.T. Consulting (Sales and Service) – this does not give blanket permission to email spam me … or ask for free consulting. I don’t mind a casual email or two on occasion … but phone calls for free opinions and advice are generally out of the question … unless they are leading to some I.T. Consulting Work or Sales (particularly in the leisure marine market).
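The post above describes the fake AV replacing the desktop “shell” (explorer.exe) so that only the malware’s window comes up in Regular and Safe Mode, and a “shell fix” file that puts it back. The following is an added example, not code from the post or from any of the tools it names: it audits the Winlogon Shell registry value, which is the usual place such a replacement is registered, and optionally resets it. It assumes that the hijack in the post went through this value; the post does not say which mechanism its fix file restored.

```powershell
# Added example (not from the original post): audit the Winlogon "Shell"
# value that decides which program is started as the desktop after logon,
# in normal boot and in Safe Mode alike. Assumption: the fake AV described
# in the post pointed this value at itself; the post does not confirm that.

function Test-WinlogonShell {
    [CmdletBinding()]
    param(
        # Reset a tampered value back to explorer.exe. Changing the HKLM
        # value requires an elevated (Administrator) prompt.
        [switch]$Repair
    )

    $expected = 'explorer.exe'
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',  # machine-wide default
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # per-user override, normally absent
    )

    foreach ($path in $paths) {
        $shell = (Get-ItemProperty -Path $path -Name Shell -ErrorAction SilentlyContinue).Shell

        if ($null -eq $shell) {
            if ($path -like 'HKCU:*') {
                Write-Output "$path : no per-user Shell value (normal)"
            } else {
                Write-Warning "$path : Shell value is missing"
            }
            continue
        }

        if ($shell -ieq $expected) {
            Write-Output "$path : Shell = $shell (OK)"
            continue
        }

        # Anything other than explorer.exe here means some other program
        # will be started as the desktop; report it and, if asked, undo it.
        Write-Warning "$path : Shell = '$shell' (expected '$expected')"
        if ($Repair) {
            if ($path -like 'HKCU:*') {
                # A per-user override should not exist at all; remove it so the
                # machine-wide value applies again.
                Remove-ItemProperty -Path $path -Name Shell
            } else {
                Set-ItemProperty -Path $path -Name Shell -Value $expected
            }
            Write-Output "$path : restored to $expected"
        }
    }
}

# Report only; add -Repair to put explorer.exe back.
Test-WinlogonShell
```

Run it from the same “Safe Mode with Command Prompt” session the post uses (powershell.exe is available from that prompt on Windows 7). Resetting the Shell value only gets the normal desktop back; the program that was registered there is still on disk and usually has other start-up entries, which is why the post still runs a full Malware Bytes scan afterwards.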