Warning; Malware - Looks like genuine AV

I've just spent several hours removing a very nasty bit of malware from a neighbour's computer.
This particular nasty pops up looking very like a genuine anti-virus program window and tells the user that it has found 30 or more viruses. The bottom line is that it wants the user to pay for "the full version" of the program that will then remove the viruses and prevent further infection.
Running your own AV program does not work on it as it manages to either disable or or dodge removal.
This infection managed to get past the virus protection (Avira Anti-Virus) on my neighbour's PC and from what I've gleaned from browing the www it has even got through Norton AV, and Firefox and IE are equally prone to hijack.
This particular nasty is called - Total Security - and originates in Russia. It's a very convincing looking fraud!

I managed to get rid of it by downloading Malwarebytes Anti-Malware onto my laptop (Main PC is still U/S here due to HDD crash) and also the Manual Updater (of virus definitions) and then copying them across to my neighbour's PC on a USB stick. When I ran the program it found 40 rogue files which I deleted and the neighbour's PC is now running fine again.
This is a fairly recent bit of malware so I'd though I'd post a warning as it really does look very convincing.
There's quite a bit of info on the web if you Google for it, but if anyone does get smitten by this horrible thing I'll be pleased to help with more detailed info.

 

This managed to sneak into our work's network the other day, despite us having very good network security, limiting what we can access on t'internet, and regularly updated antivirus software on ever PC and on all the servers.

The advice I would always give is if a window pops up asking you to buy something, no matter how genuine it looks, ignore it, reboot your PC in safe mode (hit F8 at the beginning of startup) and run a full virus sweep. It is also worth downloading a program called HijackThis. It looks for dodgey settings in your Windows registry that may have been put there by malware, and gives you the chance to either delete the settings or restore them to the Windows defaults. It's useful because a common trick of modern virus is to use a two pronged attacked. First they modifying your settings so that as soon as you go on the internet it goes and downloads the virus again, then of course the other aspect of the attack is to do whatever its main dirty work is. Anti virus tools have a real hard time with this type of attack, because the dodgey setting is not a program or file, its just an entry in your registry, and they can't really check your whole registry because it is normal for all sorts of legitimate programs to put all sorts of different entries in it.

 

Is this the one that pops up looking like a Windows update? I had that recently - and yes it does look very genuine, until I spotted the typos in it - it still took alot of effort to get rid of it though, not to mention the frustration!
Thanks for the warning!

 

Not the same Natalie - I've seen the one you mention - well done for spotting the rogue!

Clueless - Yes there are several registry enties created by Total Security as well as redirects for IE or Firefox though the latter can be stopped if you can get into Task Manager fast enough. Best option is to disconnect from the internet before you zap the little b* or/and do as I did and install from an uninfected PC.

Here's a screen shot of one of the screens in the "Total Security" scam.
[align=center][/align]

 

Being a computer know nowt I am particularly vulnerable.

Coincidentally I have an issue at present with my laptop. Recently my avira has been warning me of a virus and I have been denying it access, but it must have gotten past it somehow as everytime I try to google something it automatically redirects me through three or four different adware search engines. I redownloaded the malwarebytes but now when I try to open it it says windows cannot access the specified device, path or file. You may not have appropiate permissions etc etc. Also I cannot access restore points further back than August 28th which is when it started playing up.



Anyone know what I can do?

 

hi dave, thanks for the warning im pretty certain ive seen that on my pc it looks like windows, why do these people want to ruin everyones pcs they must be just real nasty people that do this. anyway thanks for this, im with mcafee i always check to see that its updated.

 

Thankyou Dave and Natalie. I agree Rosa, some people have nothing useful to do with their time. Unfortunately there are idiots around everywhere.

There is also a nasty virus on Facebook. It tricks you by sending a message from a friend on there to watch a video they have sent you. It all looks genuine but it you click to watch you get a message telling you need to update something. If you do then you are infected.
There is a large group of us on there and this was sent to all of us :(

One or two opened it but luckily my protection told me not to. You have to check, check and double check - when you see a frinds name you automatically assume it is OK to open.

 

I hid those links on my page Jazmine - so hopefully none of my friends have opened them as they could not be seen - glad I saw the warning from yourself and the 'sender' before even seeing the links

 

Try renaming malwarebytes to something random and it might start up properly.The virus does not know to look for '1malwarebytes' but it does know to stop 'malwarebytes'. Download hijackthis from here: http://www.filehippo.com/download_hijackthis/
Then install it and click 'run and save a log file'. Send me the logfile and i can check it out for you. DONT start deleting entries without being told which too as it can easily mess up your computer.

 

Thanks, I was starting to feel like I was stuck with this PITA -I will try that tonight

 

There are some other programs you can run that most virus's cannot stop from running. I had one once that even with renaming malwarebytes it still could not run, run the other program and it allowed everything else to work as it should. Do you have the free or full version of avira?

 

Yes, I have avira-it keeps warning me of something trying to have a bash at the pc and I deny access. I tried renaming malwarebytes-but still no go.

If I could find the blinking xp disc I would just download all the pics on here to my ipod and strip the whole thing back to factory settings, but I live in a madhouse and nothing is ever where I left it last ( damn kids lol).

 

No need to format the whole computer. Just a few programs to run and you should be all clear. Did the Hijackthis run ok?

 

I am on laptop in the evenings-I will try it and run it later and let you know.

 

Okay-I managed to download it ( after I was pushed through three different search engines) and the same thing happened, it dowloaded fine, asked me if I wanted to run a scan and create a log file-I click yes then it disappears, nothing pops up aftera few moments so I do into the programs try to open and run the software and again up pops the you do not have appropiate permissions etc etc.


If I take it into the shop they'll charge my £70 just to strip it back to factory settings............at my wits end with it now.


The problem is that whatever virus is in here won't let me run any of the anti virus or anti spyware programs.