Author Topic:  I Have Vista Internet Security 2012 Virus
Jeff Strouse


From:
Jacksonville, Florida, USA
Posted 15 Jun 2011 5:52 am

I've run Webroot with Spysweeper, and it didn't catch it. I keep getting the Vista Internet Security Alert windows popping up.

I checked add/remove programs, and it's not there.

I found some instructions online about manually removing the virus, but I have to enter codes in the registry and delete hotkeys, and I don't know how to do that. I'm afraid I'd really mess something up. I'm also afraid to reboot...don't these things take over that process, too??

Other sites say I can download & register their software to remove it, but I don't know if I can really trust those programs....

Can this be removed simply? Please help!
Don Poland


From:
Hanover, PA.
Posted 15 Jun 2011 7:05 am

I used the trial version of Kaspersky and it removed that same virus from my laptop.

http://usa.kaspersky.com/downloads
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 15 Jun 2011 7:27 am

Malwarebytes Anti-malware might clean it up. Download it from here, install, update and scan.

Some fake anti-this or that will prevent MBAM from installing. So, the makers recommend renaming the prefix of the installer, to something only you recognize. For instance, if mbam-setup.exe is blocked by the virus, rename the downloaded file to fingerpicks.exe and try again.

Often, a malware infection will stop all other exe files from running, aside from Explorer, Internet Explorer and itself. In that case, reboot into Safe Mode With Networking, by tapping F8, then use the up arrow key to highlight that option and press Enter to load Safe Mode. Log into the same account you use normally and locate the downloaded MBAM setup file and try installing and updating in safe mode. If happy, happy, run a full system scan and see if it removes the malware.

If MBAM cleans the malware out of your system, consider registering it, for $24.95 for a lifetime license, which turns on automatic updates, automatic Quick or Flash Scans and realtime malware blocking. This would prevent a similar Trojan from sneaking in.
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
Jeff Strouse


From:
Jacksonville, Florida, USA
Posted 15 Jun 2011 11:14 am

Do I need to uninstall Webroot before trying another program, or can I just turn it off?..

Thanks!
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 15 Jun 2011 1:31 pm

Jeff Strouse wrote:
Do I need to uninstall Webroot before trying another program, or can I just turn it off?..

Thanks!

Neither. Leave it on and update it. But, if WR refuses to allow MBAM to install, turn it off for a long enough time to get MBAM updated and scanning.
John Floyd

 

From:
R.I.P.
Posted 15 Jun 2011 2:49 pm

You also might try starting your operating system in Safe Mode and running a MBAM scan. That should get it
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 15 Jun 2011 3:02 pm

John Floyd wrote:
You also might try starting your operating system in Safe Mode and running a MBAM scan. That should get it

I already told him to do that and how to get there.

If all else fails, a system restore to a time before the malware took hold may reverse the problem.

Any system restore that goes back before any critical Windows, Adobe, Java, or QuickTime updates were applied will require you to go get all those updates again, since they will also be undone by a rollback to a previous date.
Cass Broadview


Posted 18 Jun 2011 12:41 pm

Forum member George Redmon had the same thing on his computer, only for XP. I helped him get rid of it. It's a tough little bugger. A lot of steps to get rid of it.

http://bb.steelguitarforum.com/viewtopic.php?t=205551
Mike Bloomer


From:
Connecticut, USA
Posted 19 Jun 2011 5:47 pm

A lot of times this virus comes along with rootkits, which are very difficult to remove and will cause the computer to become reinfected. There is a tool called Combofix which does a good job. The instructions and download are here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix. Be sure to follow the instructions to the letter. You will have to uninstall your existing antivirus programs prior to running Combofix. If you have problems removing Spysweeper (and you probably will), use Revo Uninstaller http://download.cnet.com/Revo-Uninstaller/3000-2096_4-10687648.html?part=dl-RevoUnins&subj=uo&tag=button&cdlPid=10998807.
When you get the virus removed I would advise against reinstalling Webroot products as they use a lot of resources and are not effective. AVG 2011 free is a very good program as is Kaspersky or NOD 32.
Feel free to contact me if you have problems. I am an A+ certified computer technician with over 10 years experience.
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 19 Jun 2011 7:24 pm

Rootkits are tough to remove and will fight back. The tools used to destroy them are very potent also. ComboFix should NOT be used by untrained persons, except under the supervision and direction of a trained malware removal expert. These folks are found on the malware removal forums at BleepingComputer.com and at forums.malwarebytes.org.

ComboFix can do damage if improperly run. I advise anybody who acquires a rogue security program to first try to remove it with Malwarebytes' Anti-Malware. If that fails, sign up at BleepingComputer, or Malwarebytes and post a request for assistance. Do not interject into anybody else's topic, even if it is the same trouble you have. The assistance is one on one. Read their TOS first, before posting.
Clyde Mattocks

 

From:
Kinston, North Carolina, USA
Posted 20 Jun 2011 3:54 pm

I have AVG 2011 and it has a rootkit search feature.
How effective is it?
_________________
LeGrande II, Nash. 112, Fender Twin Tone Master, Session 400, Harlow Dobro, R.Q.Jones Dobro
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 20 Jun 2011 6:43 pm

Clyde Mattocks wrote:
I have AVG 2011 and it has a rootkit search feature.
How effective is it?

Probably as good as the money you paid for the registered version of the program. AVG is Windows Certified, so it is allowed to create hooks into the Windows Kernel, which is where rootkits hide.

I don't know if the free version is as robust in rootkit detection, removal and prevention.

There is huge money to be made writing, rewriting, or re-packing and distributing rootkits. TDSS and Alureon rootkits are really big at this time. Also, the Mebroot hard drive bootsector rootkit is very much still in the wild.

One trick I learned when fighting off a rootkit, is that if you can halt its process in memory, putting it to sleep, you can kill it with the proper industrial strength detection tools. The trick to doing this is to run a file that is a disguised executable, but which is not a known dangerous filename to that rootkit. If the rootkit allows executables to run, and you run a rootkit sleeping pill, you can induce a temporary coma in its process in memory. Then, any decent anti-virus, or anti-malware program should be able to detect and delete it, with certain caveats.

Once a rootkit has been put into sleep mode and you begin to scan with your updated anti-malware program, three things are certain to be required.

1: you are going to have to disable system restore, because rootkits are always backed up in those hidden folders and will be restored upon rebooting, if found to be missing or damaged.

2: you are going to have to reboot after the first battle and run another scan to remove leftover files and startup references.

3: you may have to repair your Windows installation, if the rootkit altered system files. This could involve a complete reinstallation of Windows, including re-activation of Windows and all soon to be reinstalled - licensed programs.

Because of the strong likelihood that Windows will need to be reinstalled, it's a good idea to remove the hard drive and attach it as a slave in another PC. There, you can copy over all of your personal data files, pictures, audio and video, while using the anti-virus in the other PC to scan as you transfer the files. Save them to another drive or memory device (don't neglect the scanning for viruses).

When the detached drive has had all important files copied to another location, it should be virus scanned while connected as a slave. If you are lucky the rootkit will be detected and deleted, while it lies dormant.

Today's rootkits are much more insidious than those of October 2006 and earlier. Much development has gone on and IS going on, in the malware writing and distribution circles. Right now, Russian cyber criminals are running banner ads on various Russian software developer forums, recruiting new malware writers. The pay is very high in Rubles and a lot of college students and out of work graduates are taking up the offers from these criminals. The primary job requirement involves writing new, or altering existing rootkits and fake AV programs, to avoid detection and removal.
Mike Bloomer


From:
Connecticut, USA
Posted 21 Jun 2011 2:14 pm

One thing I would add about the MO of the fake Antivirus infection is that it often comes via a hijacked link on a web page.
The scenario goes something like this: You're surfing the web, you click on a link, and a warning pops up telling you that you're infected. It usually looks pretty authentic, sometimes like a Windows warning, sometimes like a real Antivirus program. At this point you're infected because the virus has taken up residence in your computer's memory and will install itself the next time you boot up, bypassing your antivirus program.
There is a way out of becoming infected and that is to do a hard shutdown which causes a memory dump.
To do a hard shutdown simply hold the power button in until the computer shuts off. Do this right after you get the pop up window saying that you are infected. I have tried this and it works 99% of the time.
This is not particularly good for the computer (there is the possibility of damage to the hard drive, especially older model hard drives) and you will lose any files that you have open. So weigh the alternatives.
One thing that I will stress here is that it is a very good idea to have backups of your data. What I have been doing for several years is keeping my Documents Folder (or Libraries for Vista/7 users) on a separate drive. (If you right click on the icon and go to Properties you can change the destination...) This way when I do a backup of my operating system it goes much faster because I'm only backing up the operating system and programs. I back up the Documents drive separately and on a different schedule. Because in the digital domain if something exists in less than two places it doesn't exist...
_________________
Every moment you spend watching television is a moment you have surrendered your free will
Wiz Feinberg


From:
Mid-Michigan, USA
Posted 21 Jun 2011 2:44 pm

Mike Bloomer wrote:
I back up the Documents drive separately and on a different schedule. Because in the digital domain if something exists in less than two places it doesn't exist...

All your document are belong to us!

All times are GMT - 8 Hours