
400,000 PCs Infected With Fake "Antivirus 2009" 353

nandemoari writes "The second month of Microsoft's campaign against fake security software has resulted in the removal of the rogue "Antivirus 2009" application from almost 400,000 infected PCs. Microsoft claims that December's version of the Malicious Software Removal Tool (MSRT) — the free utility included in Windows Update every month — specifically targeted 'Antivirus 2009.' According to Microsoft, MSRT removed the rogue application from over 394,000 PCs in the first nine days after it was released on December 9."

  • by meadowsoft ( 831583 ) on Wednesday December 31, 2008 @05:23PM (#26285111) Homepage

    "over 394,000 PCs report massive amounts of virus infections due to the accidental removal of Antivirus 2009"

  • by Anonymous Coward on Wednesday December 31, 2008 @05:23PM (#26285115)

    Remove my win32 directory?

    • Re: (Score:2, Funny)

      by Anonymous Coward
      Run a search, I'd bet it already did.
    • ... and load a Ubuntu installer?

  • Malwarebytes (Score:5, Informative)

    by oahazmatt ( 868057 ) on Wednesday December 31, 2008 @05:23PM (#26285119) Journal
    At my job, we've used Malwarebytes to fix about 200 PCs with this so far. It's a good alternative.
    • Agree! (Score:3, Informative)

      by MxTxL ( 307166 )

      Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.

      • Re:Agree! (Score:5, Informative)

        by enharmonix ( 988983 ) <enharmonix+slashdot@gmail.com> on Wednesday December 31, 2008 @05:45PM (#26285361)

        Malwarebytes is awesome! The AV2009 malware is a tough one to remove, but Malwarebytes takes it right off.

        I swear by them. In fact, I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus). I use Windows Defender to monitor system changes and do periodic sweeps w/ Malwarebytes. System is much faster now and still clean.

        • by adisakp ( 705706 )

          I removed Symantec AV from my computer (since it only protects against exploits nobody uses anymore and slows your PC down more than any virus)

          I don't personally use Symantec anything but the word is for the 2009 version, they completely rewrote everything from scratch with an emphasis on speed that seems to have worked according to PCmag [pcmag.com].

      • Re: (Score:3, Informative)

        by cjb658 ( 1235986 )

        Yup, and AV 2009 is about the worst spyware there is. It installs a God damn driver just so that DNS queries to antivirus sites don't resolve, even though your hosts file stays clean.

    • by Nimey ( 114278 )

      We use Super Antispyware and Spybot Search & Destroy ourselves, running from the Ultimate Boot CD for Windows: http://www.ubcd4win.com/ [ubcd4win.com]

      • by peragrin ( 659227 ) on Wednesday December 31, 2008 @05:39PM (#26285291)

        The whooshing noise you heard was the sound of thousands of Linux boot disks flying over your head.

        • by Nimey ( 114278 )

          You don't get good malware-removal tools running on Linux, tard. ClamAV doesn't count, because it's not very good about detection.

          You get good malware-removal tools on Windows because you get almost all of your malware on said OS, and because that OS is very popular hence has many developers.

    • Re:Malwarebytes (Score:4, Insightful)

      by Finallyjoined!!! ( 1158431 ) on Wednesday December 31, 2008 @05:34PM (#26285237)
      Yup, I've removed it from 14 Windows PCs belonging to neighbours & friends. Malwarebytes was a handy tool.

      The annoying thing though, most of them installed it themselves, deliberately, thinking they were doing "good".

      Bah. Hang the authors of "Antivirus 2009" up by their nadgers.
    • by transporter_ii ( 986545 ) on Wednesday December 31, 2008 @05:37PM (#26285261) Homepage
      Particularly bad virus. It blocked all antivirus web sites and even blocked programs on the computer. I could put Spybot Search and Destroy on the computer, but it wouldn't even start. What I finally had to do was rename combofix.exe to something else like fix.exe, and then it ran and removed MS Antivirus 2009. I did try Malwarebytes but it wouldn't even install, even if I renamed it.
    • I've used Malwarebytes to fix this nasty little bugger too, several times. It seems to work pretty well.

      I've had times where it's been necessary to rename the mbam-setup.exe to something like mbs.exe, and the main .exe to a different name, too. Some of these malwares do block access to known removal tools.

    • by Endo13 ( 1000782 )

      We use it at my job too (phone support) and most of the time it gets rid of it. Occasionally though, even that can't get rid of it. Even when it does seem to clean it, sometimes it misses a few files. My personal method is to first check the malware hiding places manually and eradicate anything I find, and then let Malwarebytes scan to see if I missed anything.

      But yes, I can attest to the widespread plague of Antivirus 2009 and its associates.

      • by Endo13 ( 1000782 )

        Oh yes, and one thing I forgot to mention that I found particularly interesting is how they manage to get so many people infected. They do it via google-bombing. I had been puzzling over how even careful users were getting infected, until I saw it happen on my own laptop: I was running a search on a black friday laptop model for more info, and the first search result on google gave me a panic popup (which I axed from task manager) and sent me to an Antivirus 2009 page. Naturally, knowing how to avoid their

        • One of the potential dangers I've read about with this type of malware is that the google-bombed links don't just display popups - they also include things like hidden embedded PDF files that exploit vulnerabilities in older versions of Adobe [Acrobat] Reader to install the rest of the malware components. So even if you don't do anything wrong - even if you're running Firefox instead of IE, as long as you have an old version of Reader installed you're vulnerable.
          I suspect this can be mitigated by turning of
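The comment above describes search-result pages that carry a hidden PDF whose only job is to fire an exploit on open. Below is an added example (written for this edit, not code from the page or from any of the tools mentioned in the thread) of the triage check a practitioner runs on such a file before opening it: look for the names that let a PDF execute something automatically (/OpenAction, /AA, /JavaScript, /JS, /Launch), undo the `#xx` name escaping attackers use to hide those names, and also inflate Flate-compressed streams, since the action is usually parked inside a compressed object stream. The three sample PDFs are constructed inline for the example and are not real malware.

```python
import re
import zlib

# Names whose presence marks a PDF that can run or launch something on open.
SUSPICIOUS_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/ObjStm")


def _decode_names(data: bytes) -> bytes:
    """Undo the #xx escape PDF allows inside names (/J#61vaScript is /JavaScript)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    """Concatenate the contents of every Flate-compressed stream in the file.
    Names hidden inside compressed object streams are invisible to a plain
    byte search, so they are inflated and scanned as well."""
    chunks = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-encoded, or truncated: nothing to inflate
    return b"\n".join(chunks)


def scan_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw bytes plus all inflated streams."""
    if not data.startswith(b"%PDF-"):
        raise ValueError("not a PDF: bad header")
    text = _decode_names(data) + b"\n" + _decode_names(_inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not also match /JSX.
        pattern = re.escape(name.encode()) + rb"(?=[\s/<>\[\](){}%])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name] = hits
    auto_open = "/OpenAction" in counts or "/AA" in counts
    script = "/JavaScript" in counts or "/JS" in counts or "/Launch" in counts
    return {"indicators": counts, "auto_run_script": auto_open and script}


# Constructed samples (not files from the page): a PDF that runs a #-escaped
# JavaScript action on open, one that hides the action in a Flate-compressed
# object stream, and a benign one.
OPENACTION_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('x')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

_compressed = zlib.compress(b"<< /S /JavaScript /JS (app.alert('x')) >>")
OBJSTM_PDF = (b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /AA 4 0 R >> endobj\n"
    b"4 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + _compressed + b"\nendstream\nendobj\n%%EOF\n")

BENIGN_PDF = (b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, pdf in (("openaction", OPENACTION_PDF), ("objstm", OBJSTM_PDF),
                       ("benign", BENIGN_PDF)):
        print(label, scan_pdf(pdf))
```

This is a triage filter, not a verdict: a clean result only means no auto-run action was visible, and a flagged file still has to be opened in a patched reader or a sandbox. The stream inflation is what makes the check worth running at all; most real droppers keep the action object compressed.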

    • My girlfriend's laptop got infected before i knew this was a common virus (i just found that out) so i was searching all over. Most virus scanners and malware programs missed it (trendmicro online scanner, norton online scanner, Ad-Aware) but MalwareBytes found it all and killed it! I was so happy when it worked!

  • Wait a pain... (Score:4, Informative)

    by Chabo ( 880571 ) on Wednesday December 31, 2008 @05:24PM (#26285127) Homepage Journal
    I was tasked with getting this thing off my mom's laptop. That was tougher than any other piece of malware I've ever dealt with.

    I also had to convince my dad that there was no easy way to sue the "manufacturer" of this program.
    • Re: (Score:3, Interesting)

      by plover ( 150551 ) *
      I hope one of those fakers takes Microsoft to court over this and publicly identifies themselves. There are many pissed-off users that would be happy to take a baseball bat to them. One of them would likely be on the jury.
  • by fuzzyfuzzyfungus ( 1223518 ) on Wednesday December 31, 2008 @05:26PM (#26285157) Journal
    In having to do support for assorted windows users, I've seen assorted popup/redirect stuff pushing that particular fine piece of software a lot. Most disconcertingly, it even happens to users visiting what one would think of as reputable sites, on machines with fully updated AV that reports no issues.

    I really don't have the time or interest to figure out if the AV is just sucking, and not reporting infections that actually do exist, or if whoever is pushing the software has compromised a bunch of ad providers; but it seems to be a big issue in Windows land (poor bastards).
    • It's probably the ad providers, but the really disturbing thing is it may be legit. Well-known (I can't quite call something like doubleclick "reputable" but you get the idea) advertising companies have pushed ads for malware sites before. In fact, they've even pushed ads that actually contain malware (Flash-based exploits, mostly - it's a sad day when AdBlock actually improves security as well).

      For that matter, while Google doesn't generally do the pop-up-flashing-in-your-face ads, I've seen many examples

    • Re: (Score:3, Interesting)

      by Bert64 ( 520050 )

      I uploaded a few parts of this malware to virustotal.com a few weeks ago, it was picked up by 11% of the AV engines tested, i.e. a very small percentage...
      I got it from a machine that had mcafee installed, it didn't detect anything...

      They seem to update this malware regularly to avoid detection, and there are typically several versions circulating at any one time. This particular machine had several versions installed which all pointed back to the same bunch of sites...

  • by Chryana ( 708485 ) on Wednesday December 31, 2008 @05:36PM (#26285255)

    Now let's hope Symantec is not going to sue them... :)

  • by hguorbray ( 967940 ) on Wednesday December 31, 2008 @05:36PM (#26285257)

    I wonder how many of the clueless will complain to microsoft that the removal tool removed software THEY HAD PAID FOR

    iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs

    It'll never happen, but I'd like to see one of those guys try to sue microsoft for violating their EULA -would microsoft try to claim that the EULA was invalid?....

    One can always dream.

    -I'm just sayin'

    • It'll never happen, but I'd like to see one of those guys try to sue microsoft for violating their EULA -would microsoft try to claim that the EULA was invalid?....

      To take into 2009 :-)

    • Re: (Score:2, Interesting)

      by halln ( 1180165 )
      Technically, the user didn't remove it. Microsoft did. I'm sure MS didn't agree to their EULA.
      • Technically the owner of the computer is responsible for all operations on and communication to/from their computer. IANAL, but wouldn't that (in this highly theoretical scenario) make Microsoft guilty of fraud for acting as the computer user and forcing the user to violate the TOS? ;)
    • Re: (Score:3, Insightful)

      by cbhacking ( 979169 )

      An amusing notion, but it'll never happen for two reasons:
      1) EULAs may or may not be enforceable in their usual sense, but a requirement that you can't remove the software doesn't even make sense. The concept of a EULA is that you must agree to the terms in order to use the software. If you're not using the software (i.e. you remove it) you're not bound by the terms anymore.
      2) Since this is intentionally malicious software and almost certainly constitutes at least one form of fraud, the owner publicly ident

    • by Amazing Quantum Man ( 458715 ) on Wednesday December 31, 2008 @06:13PM (#26285663) Homepage

      iirc some of the malware and adware 'vendors' had eulas that forbade users to remove their programs

      But if you remove it, you're in violation of the EULA, and therefore are not allowed to use the program, so you must remove it!

      Absolutely no problem there.

    • Re: (Score:3, Interesting)

      I wonder how many of the clueless will complain to microsoft that the removal tool removed software THEY HAD PAID FOR

      Well, it's malware, not scareware. That is, it only acts scary to get it downloaded/installed, not to get money. Otherwise, they would have tracked down the payments by now. And if they had paid for it, the customers probably used a credit card. So a large number of them could get it refunded because of the fraud involved.

      It'll never happen, but I'd like to see one of those guys try to su

  • by baomike ( 143457 ) on Wednesday December 31, 2008 @05:37PM (#26285259)

    The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
    When will their idea of malware differ from mine?
    Will they always do it correctly (no collateral damage)?

    • by Volante3192 ( 953645 ) on Wednesday December 31, 2008 @05:46PM (#26285379)

      Well, the reason you install these programs like Defender is so it deletes the malware for you.

      Replace Microsoft with Kaspersky, AVG or one of those other "reputable" AV vendors and ask the same question. They have just as much ability to delete a program.

      • Re: (Score:2, Informative)

        by madhurms ( 736552 )
        I think they quarantine it (by default) instead of completely deleting it. Unless they have changed this recently.
    • Well, then, I guess you better not install MSRT then, right? For it is not installed unless you explicitly ask for it, and it IS fairly clear that it is a "SOFTWARE REMOVAL TOOL", and that it will "remove software or files that Microsoft has determined to be malicious", and that you agree to that.

      Do you worry about Symantec AV removing malware from your machine too, in case their definition differs?

    • First, you don't have to run the MSRT; I suspect you can even blacklist it but leave Windows Update running normally and automatically otherwise. I don't recommend doing so, but it's your system.

      Second, if it did damage your system, you could probably make a civil case about it. This makes it somewhat unlikely MS is ever going to risk actively causing a problem for any significant number of users. I suppose an accident could happen - after all, real antivirus programs have been known to have false positives

    • When will their idea of malware differ from mine?

      Sometime, perhaps.

      Will they always do it correctly (no collateral damage)?

      Probably not always.

      The question is what alternative do you have? If you know enough to turn this off and install a 3rd-party solution you're probably fine. If you're in the lower 99.8% of Windows users, Microsoft knows way more about what it's doing with Windows than you do.

      So, the question isn't whether Microsoft will be perfect but whether you're, on average, better with this than

    • by Lumpy ( 12016 )

      Just wait, soon the following will be on their malware list.

      dvd decryptor
      dvd shrink

      Those programs have no legitimate purpose and only C R I M I N A L S would have them. you'll be lucky that they only delete it and all *.mp3 and *.mkv files it finds.

      • Take off your tin foil hat, man. Put down the gun. Seriously.

        MS has been using MSRT for years and no one has targeted your little CD apps.

        If you're this paranoid, then don't run it. Uncheck it from automatic updates.

    • Re: (Score:3, Interesting)

      by enharmonix ( 988983 )

      The idea of MSFT deleting a program (albeit a piece of malware) from my machine bothers me.
      When will their idea of malware differ from mine?

      I had to use Real VNC at my last job and Windows Live OneCare (or whatever it's called) detected and removed it. I would think MRT would ignore questionable software, but for apps/services targeting Joe Sixpack, don't be surprised to see some things like VNC or IRC software flagged as malware.

      • by 3vi1 ( 544505 )

        Microsoft Forefront does this with VNC too. Drives me nuts.

        • Dunno about ForeFront, but there's a whitelist for OneCare. Given that ForeFront is a business app, I'd expect it to have some centrally configurable whitelist.

    • There's no way to know unless you're running free software (software you're free to inspect, share, run, and modify) to do that job.

      By the same token, any proprietary software (regardless of its purported task) should be troublesome. Technically there's nothing that prevents a proprietary statistical analysis program from doing things you wouldn't want done without your full consent such as removing programs, altering files, opening a remote access point for someone, or sending information about your compu

    • Don't run it then. Uncheck it from automatic updates. No one is putting a gun to your head.

  • by Rahga ( 13479 ) on Wednesday December 31, 2008 @05:37PM (#26285271) Journal

    This family of infectors is probably, by far, the worst spyware/hijacking piece of junk I've ever seen. I can't help but feel that 400,000 isn't nearly the number that has actually been infected, simply because nobody I know actually uses MSRT, and I seriously doubt that any machine that gets infected with it could actually get back into the condition where it can download and/or install MSRT, or virtually any other software. It's just that bad.

    • by PCM2 ( 4486 ) on Wednesday December 31, 2008 @05:50PM (#26285425) Homepage

      nobody I know actually uses MSRT

      You might be surprised. The version of MSRT that comes from Windows Update runs in the background once a month and only alerts you when it notices a problem. I've never knowingly run it, but sure enough, if I check my Windows Update history I've installed the December edition.

      On a side note, maybe this explains the persistent disk thrashing episodes I still get with Vista, maybe once a month or so...

      • Out of curiosity, when do you have Windows Update scheduled (controllable from the Change Settings dialog on the side of the Windows Update window in Vista)? It only takes a few minutes to run the MSRT most of the time, and a couple minutes of disk thrashing at 5AM isn't likely to be a problem.

    • Re: (Score:3, Interesting)

      by enjo13 ( 444114 )

      Literally every single Windows user I know has been infected with this. I removed it several times over the holidays. My wife (and many of her coworkers) were infected...

      I know it's not necessarily a representative sample, but I'd be shocked if it was only 400k machines in total.

    • Actually, probably most people you know run the MSRT without even noticing. It's a default part of Windows Update and has been for years. Unless you specifically de-select it every month (or blacklist it) it will run automatically.

      400,000 is probably the number of computers that got infected but were still sufficiently operable to run Windows Update on automatic, with perhaps a handful of people who manually ran it off a flash drive or similar (it doesn't need to be installed, and it might be possible to re

    • by gad_zuki! ( 70830 ) on Wednesday December 31, 2008 @07:13PM (#26286259)

      >simply because nobody I know actually uses MSRT

      MSRT is packaged with Windows Update. If they have automatic updates set as they're supposed to then they run it every month. It's just not obvious to the end user. MS uses MSRT for a lot of things. Last time they took down one of the bigger botnets.

      I've seen PCs with "Antivirus 2009" and its predecessors still able to use automatic updates. I'm sure malware writers will now just disable the service. I believe some versions of Antivirus 2009 did shut down the service.

      That said, the real problem here is why legitimate sites are serving up the pop-under ads for Antivirus 2009. Ad networks need to start vetting their clients. People should just start blocking all ads as a security threat.

  • family tech support (Score:5, Informative)

    by EpsCylonB ( 307640 ) <.eps. .at. .epscylonb.com.> on Wednesday December 31, 2008 @05:40PM (#26285297) Homepage

    Yep, got called round to my brother's house to fix his computer cos it had this stuff on it.

    I don't know exactly what it was supposed to be doing, the computer would boot up into winxp and then just freeze. Safe mode worked but safe mode with networking did not, so I guess it was calling home somewhere (thinking about it now I should have just unplugged the network cable to see if that stopped the computer freezing).

    Anyways I didn't have any stuff with me and without net access I decided the path of least resistance was to reinstall windows (my brother did not have anything he wanted to keep).

    I should have brought round a ubuntu live cd with me.

    • by gd2shoe ( 747932 )
      Possible, but more likely it had infected the networking stack somewhere. (I haven't dealt with a bad one yet, so I don't have any way to know.)
  • *golf clap*

    Anyone besides me concerned though that this piece of shit malware was eliminated on that many PCs? Doesn't that just scream that there is something fundamentally wrong with the browser and/or the OS?
    • People actually pay to install it and then manually do so. There's not a lot the OS can do when the user is specifically enthusiastic about installing the malware. That is, there's not a lot the OS can do until the malware is specifically identified for removal.

    • Nope. Try a little research, please. This program spreads through two methods, Trojans and scareware (tricking the user into thinking that his computer is infected, so he buys and installs AV2k9 as a "fix"). Such software can do anything the user can (which, provided you run the program with root/Administrator credentials - like you would if installing something - is anything at all).

      In either case, it's a simple matter of Problem Exists Between Keyboard And Chair. The prevalence of malware for Windows does make scareware more likely to work, but in the end it's still a matter of the user telling the OS to do something stupid (run a malicious program) and the OS obeying just like it's supposed to.

    • by cdrguru ( 88047 )

      If software can be installed, then your average user is going to do something bad.

      Best answer is a web appliance that does email and web browsing and NOTHING ELSE and CANNOT have anything installed on it, no matter how attractive it sounds.

      This is all 99% of the "home computer using population" needs. The other 1% can have computers they can screw up to their hearts content. The problem is today this move would put all of the PC manufacturers out of business. It would also put anyone who gets paid for cl

  • by TheGeniusIsOut ( 1282110 ) on Wednesday December 31, 2008 @05:43PM (#26285355)
    I do not have anti-virus/spyware/malware software installed, the only firewall I have is in my router, my computer is on and connected nearly 24/7, and I have not gotten any viruses/malware/spyware in at least 3 years. Windows XP fully updated, careful browsing/downloading habits, and liberal use of free online scanners for suspicious software before execution has served me well. The problem is too many people are click happy and ignore common sense, basic safe computing habits, and in general are looking for a quick fix they don't have to think about. This leads to people falling prey to the pop-up ads claiming their computer is infected so they can download the latest botnet zombification software. Up until a year ago, I was having to clean my sister's PC on a weekly to monthly basis due to all the crap she downloaded off the internet. After convincing her to try the safe habits I practice for a month, in which time her computer worked perfectly, she realized she was the source of her computer problems and corrected her attitude towards computer security, with no problems to this day.
    • by Anonymous Coward on Wednesday December 31, 2008 @06:12PM (#26285645)

      I'm not saying this as flamebait but I'm really tired of users who consistently post in forum after forum that they don't run antivirus, firewall, or antimalware applications. Then, just like you, they claim they don't have any infections. How would you know even if you had an infection without running a scanner? Online scanners are great but they only cover files that you're going to run of your own volition. They do not cover infections that occur through holes in the browser and/or OS. This is where the fundamental problem lies in your strategy.

      Case in point, let's say you browse to a website that uses a hole in your browser to get code onto your system that opens a port via UPnP in your router. Then through the open port your machine starts infecting/spamming others. How would your methods guard against that?

      Safe computer habits are great when you can trust your Operating System and browser to be secure all while you're not logged in with an account with "Administrator" (root) level privileges. Too bad Windows can't be trusted to be secure and, therefore, necessitates the need for antivirus, antimalware, and firewall.

    • (l)Users don't want to have to think about what they're doing, they just want to be able to do it. Sad but true.
    • by Lumpy ( 12016 )

      Because a computer is too complex for these people. Cripes, they have to put a warning label on a curling iron to NOT stick it into any bodily orifices.

      If our consumers are stupid enough to stick a hot curling iron in their ass, ear, mouth, nose, etc... then they certainly are not smart enough to be near a computer.

      People expect computers to be toasters. They are not, they are highly complex devices.

      It does not stop me from collecting all the malware infected dells that are 1yr to 6 months old. I sell th

    • Substitute Vista for XP and add the Windows Firewall (which is much better on Vista than XP) since I'm on a laptop that's not always behind a router, and this is true for me as well. There's always the risk of a 0-day exploit, but those are less and less common and there are mitigations for them (like NoScript or other forms of Flash blocking, plus don't run everything as Administrator). Unfortunately, as the software security gets better, it seems the user security gets worse.

      It really is a problem of educ

    • I recently felt that same way, that it was mostly due to people downloading weird stuff. Then I browsed a cached version of a Google page, which launched some JavaScript and completely destroyed my install of Windows Server 2003 (it wouldn't boot up at all). Afterwards I switched my home browsing to Firefox with NoScript and AdBlock Plus.

      Fast forward to work a couple weeks ago, running IE7, Norton Anti-Virus, and the typical corporate firewalls. All I did was have a pop-up ad from a boring site and my
  • by MrNonchalant ( 767683 ) on Wednesday December 31, 2008 @05:45PM (#26285373)

    Thanks Microsoft for thoughtfully protecting all the Zunes from this outbreak.

  • by flyingfsck ( 986395 ) on Wednesday December 31, 2008 @06:07PM (#26285585)
    If only 400,000 machines were infected, then it would seem that Apple And Linux have taken over the desktop.
    • Re: (Score:3, Informative)

      by cbhacking ( 979169 )

      The malware may try and stop Windows Update from running (many of them do). For that matter, the kind of people likely to install something like this (it spreads either through Trojans or as scareware, not through system exploits) are probably statistically more likely to have Windows Update turned off entirely. For that matter, this isn't a worm that spreads automatically - it takes substantial user error to get infected in the first place.

      All this means that the only infections the MSRT can get to were ei

  • by pembo13 ( 770295 ) on Wednesday December 31, 2008 @06:23PM (#26285779) Homepage
    Why does the malware removal tool report back about what it finds? Do all such tools do that?
    • Depends (Score:4, Informative)

      by Sycraft-fu ( 314770 ) on Wednesday December 31, 2008 @09:56PM (#26287685)

      Some do, some don't, some are configurable. A lot of companies want their tools to check in so that they can measure how widespread something is and react accordingly. For example NOD32 can be configured anywhere from submitting no information to submitting anonymous statistics as well as files it flags as potentially unsafe but can't identify. They want the information because it helps them better update their virus database and respond to new threats faster.

      Also many corporate AV/AM products can do very full reporting back to the central server. They'll check in and say when they ran, what they found, where it was, etc.

  • it got me (Score:2, Insightful)

    I consider myself a pretty knowledgeable computer user as I've been in IT for 6 years now working in technical support, network administration, and development. Spybot and AVG would not even run and I couldn't reinstall them. Trend Micro's online scanner would stop working half way through. I installed adaware and that removed some of the junk. Then I installed Avast and that removed a bit more. At this point I was able to run SpyBot and that removed a bit more. Finally after running malware bytes or
  • by rrohbeck ( 944847 ) on Wednesday December 31, 2008 @06:34PM (#26285899)

    So how long will it take to clean up the entire population of Windows PCs?
    This kind of propaganda is counterproductive. First of all, this is a negligible effect, secondly it pretends that MS takes care of Windows users, and thirdly it doesn't emphasize that safe computing is far more important than all security software in the world.

    • While I would in no way consider myself a computer expert of any sort, I do think I'm more informed than a good number of PC users, yet I managed to get infected. I was running antivirus and a firewall, run adaware and spybot regularly, run opera with popups blocked instead of internet explorer, never download anything from e-mail, and thought I was being careful about what I downloaded. Yet I got infected with an annoying one. Still not sure how that happened. Not looking for advice here, so I'm not going

  • I mean, 2009 isn't even there yet and people think this program can exist? Pfft. I bet 80% of the infectees are car manufacturers!
  • by pjp6259 ( 142654 ) on Wednesday December 31, 2008 @07:49PM (#26286569) Homepage

    I'm not sure how this happened. Our personal little website (prestopnik.com), got hit by these guys. They put some redirect rules into our .htaccess file, such that if you were visiting our site from one of about 6 different domains, it redirected you to their site. We didn't see it for a long time, because we usually just visit our site directly, but if you were coming from a link in yahoo mail, or found it via google or something you got redirected.

    Our hosting tech support said one of our computers was infected, but from looking online, I didn't see signs of an infection on our side, but I'm still not 100% sure what happened, and if we are clean now. I think we run on our shared machine for hosting (linux though), maybe they got in like that?
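The .htaccess trick the poster describes is worth being able to spot without reading the file by eye, because it is invisible to the owner by design: the RewriteCond chain only fires when %{HTTP_REFERER} names a search engine or webmail host, so direct visits look fine. Below is an added example (written for this edit, not the poster's file or any tool mentioned on the page) that parses an .htaccess and reports every RewriteRule that both sends the visitor off-site and is gated by referrer conditions. The sample .htaccess is constructed for the example; example.com and 203.0.113.10 are placeholder hosts, not anything from the page.

```python
import re
from urllib.parse import urlsplit

# Constructed sample (modelled on the behaviour the poster describes, not the
# poster's real file): one legitimate canonical-host rule, then a chain of
# RewriteCond lines that bounce only visitors arriving from search engines
# or webmail to a third-party host. A visit with no referrer never matches,
# which is why the site owner does not notice.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_HOST} ^www\\.example\\.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.*$ [NC]
RewriteRule .* http://203.0.113.10/in.cgi?3 [R,L]
"""

# Substrings that mark a referrer test as keyed on search engines or webmail.
SEARCH_TERMS = ("google", "yahoo", "msn", "live", "bing", "ask", "aol")


def find_referrer_redirects(htaccess_text, own_hosts):
    """Report every RewriteRule that redirects off-site and is gated by one or
    more RewriteCond tests on %{HTTP_REFERER}.

    own_hosts: set of lower-case hostnames the site legitimately redirects to.
    Returns a list of dicts: the referrer patterns, the target URL, and
    whether any pattern keys on a search-engine or webmail name.
    """
    findings = []
    pending = []  # RewriteCond lines waiting for their RewriteRule
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))
        elif directive == "rewriterule" and len(parts) >= 3:
            conds = [pat for var, pat in pending if "HTTP_REFERER" in var.upper()]
            pending = []  # a RewriteRule consumes the conditions before it
            if not conds:
                continue
            host = (urlsplit(parts[2]).hostname or "").lower()
            if not host or host in own_hosts:
                continue  # relative or same-site target: not the pattern we want
            findings.append({
                "conditions": conds,
                "target": parts[2],
                "search_engine_keyed": any(
                    t in c.lower() for c in conds for t in SEARCH_TERMS),
            })
    return findings


if __name__ == "__main__":
    for hit in find_referrer_redirects(SAMPLE_HTACCESS,
                                       {"example.com", "www.example.com"}):
        print(hit)
```

Run it against every .htaccess on the account, not just the document root; the same check also applies to redirects expressed as PHP header() calls or base64 blobs in index files, which this parser does not cover. Because the redirect only fires on a search-engine referrer, a `curl` with a spoofed `Referer: http://www.google.com/` header against your own site is the quickest live confirmation.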

  • Time for Linux (Score:4, Interesting)

    by MrJimbo ( 1442441 ) on Wednesday December 31, 2008 @08:09PM (#26286781)
    My wife's Windows XP laptop was infected with this virus. This was her last straw. She came to me and asked if there is anything that can be done. I told her she can reduce her exposure to these pieces of malware if we were to install Linux on her laptop. It's been 5 days since we installed Ubuntu 8.10, and while there are some slight differences, she is enjoying it. I had been running Ubuntu for some time now.
    • Re:Time for Linux (Score:5, Interesting)

      by TheNetAvenger ( 624455 ) on Wednesday December 31, 2008 @09:00PM (#26287237)

      Sorry about your wife's laptop, but this doesn't happen without the user specifically installing the software.

      Even on Linux, she won't be any safer if she isn't instructed not to click on crap and install it.

      You would be safer running Vista, as this malware (not virus) was not able to get installed on Vista even when users told it yes. If by chance it even did get installed on Vista, it would have had limited damage compared to XP; things like redirect the web sites, turn off anti-virus etc. (Vista users basically didn't have this problem)

      So you convince her to move to Vista yet?

      You could also set her up as a 'user' and not let her run crap in administrator mode, and if she needs something installed, have her do the run as and actually type in the password so she knows that she is modifying the computer. (Yes on XP)

      On Vista, have her run as User as well; the password prompt is just automatic and doesn't require her to do 'run as'...


      I love the stories of 'the last straw' and how horrible Windows is, especially when it is something users have done to themselves. If Windows or MS is guilty of anything here, it is that they made Windows too easy for users and haven't educated people enough. (Like you should have done for your spouse.)

      PS She should smack the crap out of you for not explaining what to click on and what not to click on to install, especially from the internet.

  • Beyond Annoying (Score:3, Informative)

    by Coopjust ( 872796 ) on Thursday January 01, 2009 @04:00AM (#26289433)
    Back when it was Antivirus 2008 (and earlier) it was pretty easy to remove (relatively). Kill two processes at once via process explorer (so the tree dies and the other process doesn't revive the killed process), remove some registry and startup entries.

    I just had to deal with a new version (friend's PC)- Spyware Guard 2008. What a pain in the ass. This version installed a rootkit, a device driver, locked the HOSTS file, added hidden registry entries, hidden services, parent and child services, downloading stubs to update it to stop detection...antiviruses stopped updating.

    I was determined to kill it though. I got SuperAntiSpyware Free edition- free for personal use. Picked up all of the entries (rootkit, files, registry, etc.) and removed them after a reboot, no safe mode necessary. A standalone A/V scan (McAfee boot disc with latest definitions, and a rootkit scan from an OS outside of Windows) turned out clean, which impressed me.

    I've also used Malwarebytes on a few PCs- very efficient and effective. I have to PayPal some money to these developers, as these two tools are great and allow even users who were deceived into running this crap to disinfect their own PCs. It also makes a techie's job much easier- a few minutes of running tools versus hours of trying to hack at the thing manually.

    I hope whoever is contributing to this P.I.T.A. malware has karma bite them in the ass.
