SpotTheCat
Gerbilus Supremus
Topic Author
Posts: 12292
Joined: Wed Jan 29, 2003 12:47 am
Location: Minnesota

First virus in about a decade

Wed Dec 14, 2011 10:20 pm

What the hell. My wife caught a virus, it makes "windows 7 antivirus" pop up like crazy. I haven't seen a virus for real in a long time. I'm sure I've had them, but I haven't actually seen such an annoying one in a while.

It's probably her computer illiterate family sending all sorts of warnings (with links) about computer viruses.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: First virus in about a decade

Wed Dec 14, 2011 11:01 pm

It's quite possible they visited a legit site with an infected ad server. Happens to my users a lot.

Make sure Java, Flash, Acrobat, and QuickTime are all up to date if they're installed; IIRC the biggest infection vectors are those four, more or less in that order.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
SpotTheCat
Gerbilus Supremus
Topic Author
Posts: 12292
Joined: Wed Jan 29, 2003 12:47 am
Location: Minnesota

Re: First virus in about a decade

Wed Dec 14, 2011 11:06 pm

Huh, good point. Those are the most annoying things to update, too.
 
JustAnEngineer
Gerbil God
Posts: 19673
Joined: Sat Jan 26, 2002 7:00 pm
Location: The Heart of Dixie

Re: First virus in about a decade

Wed Dec 14, 2011 11:38 pm

Try MBAM on it.
 
JJCDAD
Gerbil Jedi
Posts: 1867
Joined: Fri Sep 17, 2004 3:11 pm
Location: Is this heaven? No, it's Iowa.

Re: First virus in about a decade

Thu Dec 15, 2011 12:43 am

I just tackled this bastard today at work. The instructions and tools on this page worked really well.


Side note: I actually sat and watched my own personal pc succumb to a very similar virus/malware. It caused a system tray popup message that warned of a failing hard drive. When I clicked the "X" to close the popup, all hell broke loose. Turns out the virus came from an infected ad server on the page of a Facebook flash game I was playing. So it is not necessarily computer illiterates doing stupid things to welcome viruses onto their systems (yes, I know that playing flash games on Facebook may qualify as a stupid thing lol).
 
MadManOriginal
Gerbil Jedi
Posts: 1533
Joined: Wed Jan 30, 2002 7:00 pm
Location: In my head...

Re: First virus in about a decade

Thu Dec 15, 2011 12:59 am

SpotTheCat wrote:
What the hell. My wife caught a virus, it makes "windows 7 antivirus" pop up like crazy. I haven't seen a virus for real in a long time. I'm sure I've had them, but I haven't actually seen such an annoying one in a while.

It's probably her computer illiterate family sending all sorts of warnings (with links) about computer viruses.


Just curious if there's any anti-virus on her computer?

Also, what settings do you have for UAC?
 
evilpaul
Gerbil
Posts: 61
Joined: Mon Jan 11, 2010 6:59 pm

Re: First virus in about a decade

Thu Dec 15, 2011 1:37 am

Two things. First, UAC should be at the maximum level. It's not at all annoying unless you're setting up a new Windows installation. Second, your day-to-day user account shouldn't have Administrator access. Limited User + maxed UAC means your Windows 7 box doesn't get malware-smacked in any significant way.

To be specific, there's some malware that pops up a fake "anti-virus scanner" and auto-kills Task Manager; you can mostly keep it from starting via msconfig and then remove it when it's not running. I forget the name of it, so search for it and you'll find it.
 
Krogoth
Emperor Gerbilius I
Posts: 6049
Joined: Tue Apr 15, 2003 3:20 pm
Location: somewhere on Core Prime

Re: First virus in about a decade

Thu Dec 15, 2011 5:27 am

This form of malware is known as smutware. It is basically a phishing scam that depends on users who pay the writers for fake anti-virus software (which is really a backdoor trojan) and use the financial information to commit identity theft. The fake anti-virus generates nothing but false positives to make it look like your entire system has been compromised. In reality, it is the program itself that is the infection. It likes to duplicate itself within your Users and temp directories using random strings like "$G35787" and "DGMDTG@".

My first action is to completely isolate the infected system from the network/internet and do anti-malware updates via sneakernet. Obtain the aforementioned updates from a clean system. Do the anti-malware scans and then search for traces of the malware in the registry/HDD and remove it manually. If this all fails, you have little choice but to nuke everything from orbit. ;)
Gigabyte X670 AORUS-ELITE AX, Raphael 7950X, 2x16GiB of G.Skill TRIDENT DDR5-5600, Sapphire RX 6900XT, Seasonic GX-850 and Fractal Define 7 (W)
Ivy Bridge 3570K, 2x4GiB of G.Skill RIPSAW DDR3-1600, Gigabyte Z77X-UD3H, Corsair CX-750M V2, and PC-7B
 
SuperSpy
Minister of Gerbil Affairs
Posts: 2403
Joined: Thu Sep 12, 2002 9:34 pm
Location: TR Forums

Re: First virus in about a decade

Thu Dec 15, 2011 10:03 am

One of my biggest praises of Windows 7 is that most of this type of malware has been forced to become simple user-level annoyance apps, which makes it extremely easy to remove by simply logging in as a different user with admin access, and picking apart the infected user's user directory while the malware is inactive.

Much, much better than the days of Windows XP letting everything into the system with either an admin account, or a privilege-escalation attack, then having to clean it out of a hundred different possible hiding places.
Desktop: i7-4790K @4.8 GHz | 32 GB | EVGA GeForce 1060 | Windows 10 x64
Laptop: MacBook Pro 2017 2.9GHz | 16 GB | Radeon Pro 560
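The procedure SuperSpy describes (log on as a different admin, pick apart the infected profile while its malware is not running) and Krogoth's "search for traces in the registry/HDD" step, scripted as an added example. This is not code from the thread or from any of the posters. It assumes the infected profile is C:\Users\Infected (a placeholder name), that that user is logged off, and that you run it from an elevated Windows PowerShell prompt under the clean admin account. It loads the logged-off user's NTUSER.DAT so the per-user autostart keys can be read without that user ever logging in, then lists recently written executables under the user's AppData, the area a non-admin dropper can write to.

```powershell
# Added example, not from the thread. Inspect a logged-off user's profile
# from a second admin account while the user-level malware is inactive.
# 'Infected' is a placeholder profile name.

function Mount-UserHive {
    param([string]$ProfileName, [string]$MountName = 'Suspect')
    # Load the other user's NTUSER.DAT under HKU\<MountName>. Fails if the
    # user is still logged on, because the hive is then already in use.
    $hive = Join-Path "C:\Users\$ProfileName" 'NTUSER.DAT'
    & reg.exe load "HKU\$MountName" $hive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed; is $ProfileName still logged on?" }
    return "Registry::HKEY_USERS\$MountName"
}

function Get-UserPersistence {
    param([string]$Root)
    # Per-user autostart locations writable without elevation; these are the
    # HKCU keys a user-level fake AV uses to survive a reboot.
    $keys = 'Software\Microsoft\Windows\CurrentVersion\Run',
            'Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path "$Root\$k" -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        $p.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' -and $_.Value -is [string] } |
            ForEach-Object {
                New-Object PSObject -Property @{ Key = $k; Name = $_.Name; Command = $_.Value }
            }
    }
}

function Get-RecentUserExecutables {
    param([string]$ProfileName, [int]$Days = 7)
    # Executables created or modified recently under AppData (Local, Roaming,
    # and Local\Temp), where the thread reports the random-named copies land.
    $base  = "C:\Users\$ProfileName\AppData"
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $base -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Sort-Object CreationTime -Descending
}

function Dismount-UserHive {
    param([string]$MountName = 'Suspect')
    # PowerShell keeps handles to keys it has read; release them or reg unload
    # reports the hive as still in use.
    [gc]::Collect()
    & reg.exe unload "HKU\$MountName" | Out-Null
}

$root = Mount-UserHive -ProfileName 'Infected'
try {
    Get-UserPersistence -Root $root | Format-Table Key, Name, Command -AutoSize
    Get-RecentUserExecutables -ProfileName 'Infected' | Format-Table -AutoSize
} finally {
    Dismount-UserHive
}
```

Anything in the Run keys that points into AppData or Temp, and any fresh executable in those folders with a random-looking name, is what the other posters are removing by hand. Note the Run entry before deleting the file it points at, so the registry can be cleaned in the same pass.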
 
PeregrineFalcon
Gerbil
Posts: 14
Joined: Mon Oct 03, 2011 8:54 am

Re: First virus in about a decade

Thu Dec 15, 2011 10:52 am

Krogoth wrote:
This form of malware is known as smutware.


PeregrineFalcon is not impressed with Krogoth's incorrect terminology. Scamware or scareware.

Smutware would be porn pop-ups. ;)
 
SpotTheCat
Gerbilus Supremus
Topic Author
Posts: 12292
Joined: Wed Jan 29, 2003 12:47 am
Location: Minnesota

Re: First virus in about a decade

Thu Dec 15, 2011 7:43 pm

The culprit is many things. Mostly, I've assumed she has the same computer decision making skills as I do.
1. I always update my software.
2. I never even open emails from my relatives. It's 99% chain/spam anyways. (I also don't listen to voice mail, who wouldn't just text if I don't pick up?)
3. I avoid ad-plagued websites like... well... the plague.
4. Other habits I have that pretty much eliminate problems.
5. I do virus scans about quarterly, I don't like running real-time software because they make everything so slow and interrupt so many common actions.

I found a guide to uninstall the virus, it seems to have worked. I'll run a gauntlet of AV software suites to make sure.

Changes to her policy
1. I will enforce her use of google docs for her work. She works from home (she is a writer!) and I've been insisting that google docs will provide safer storage for her work for months. Nothing I can do will be as robust and safe as the cloud.
2. I have made a separate work account for her in windows. If something asks for the admin password she will not have it!
3. I will either find a way to safely update all of the weaker software (Java etc.) automatically, or will make a point of checking it often.
4. I will (reluctantly) have avast or AVG (or another?) running constantly "in the background." I hate them, they slow everything down and befuddle you with constant questions that you eventually just ignore. Does anybody have a better idea?

Is there anything else I need to do or something I should do differently? I'm not a corporate IT policy guy, but I feel like I need one considering the mission-critical nature of this computer.
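The three controls that came up above (evilpaul's UAC-at-maximum plus a non-admin daily account, bthylafh's keep-Java/Flash/Acrobat/QuickTime-current, and items 2 and 3 of the policy list just posted) can be checked from one script. This is an added example, not code from the thread or any poster. It assumes Windows 7 with Windows PowerShell, an elevated prompt, and that the new standard-user account is named 'WorkAccount' (a placeholder). It does not patch anything; it reports the current state so you can see whether the policy actually took effect.

```powershell
# Added example, not from the thread. Audit UAC level, local-admin membership
# of the daily account, and installed versions of the usual plug-in targets.
# 'WorkAccount' is a placeholder for the standard-user account.

function Get-UacLevel {
    # EnableLUA=1, ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1 is
    # the "Always notify" (top) slider position. Windows 7's default is 1/5/1.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key
    New-Object PSObject -Property @{
        EnableLUA       = $p.EnableLUA
        ConsentBehavior = $p.ConsentPromptBehaviorAdmin
        SecureDesktop   = $p.PromptOnSecureDesktop
        AlwaysNotify    = ($p.EnableLUA -eq 1 -and
                           $p.ConsentPromptBehaviorAdmin -eq 2 -and
                           $p.PromptOnSecureDesktop -eq 1)
    }
}

function Test-LocalAdminMember {
    param([string]$UserName)
    # Membership of the local Administrators group via ADSI, which works on
    # Windows 7 (no LocalAccounts module there).
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    return ($members -contains $UserName)
}

function Get-PluginVersions {
    # Installed versions of the four products bthylafh names, read from both
    # the 64-bit and 32-bit Uninstall views. Compare against each vendor's
    # current release; the script does not know what "current" is.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'Java|Flash Player|Adobe Reader|Acrobat|QuickTime' } |
        Select-Object DisplayName, DisplayVersion, InstallDate |
        Sort-Object DisplayName
}

Get-UacLevel | Format-List
"WorkAccount is a local admin: $(Test-LocalAdminMember -UserName 'WorkAccount')"
Get-PluginVersions | Format-Table -AutoSize
```

If AlwaysNotify comes back False after moving the slider, check that no Group Policy or earlier "tweak" is writing ConsentPromptBehaviorAdmin back; if the account shows as a local admin, the separate-account step has not actually separated anything, since a user-level fake AV running as an admin is no longer user-level.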
 
Palek
Gerbil
Posts: 35
Joined: Thu Oct 28, 2004 4:26 am

Re: First virus in about a decade

Thu Dec 15, 2011 8:14 pm

3. I will either find a way to safely update all of the weaker software (Java etc.) automatically, or will make a point of checking it often.

I would recommend Secunia PSI. It scans all installed applications and checks them against Secunia's vulnerability database. It will notify you if any of your software has known vulnerabilities and if there are patches for it. It will also automatically patch weak links like Flash, Adobe Reader and QuickTime (I think). It's another thing to run in the background, but a newish computer should be able to handle it without slowing down too much. It does a start-up scan and then mostly stays out of the way.
4. I will (reluctantly) have avast or AVG (or another?) running constantly "in the background." I hate them, they slow everything down and befuddle you with constant questions that you eventually just ignore. Does anybody have a better idea?

Yes, just use Microsoft Security Essentials. It's free, fairly light and non-intrusive.

Also, I would recommend installing Opera as the default browser. You can disable JS and plug-ins by default and then only enable them for individual websites via custom website settings. (I'm sure you can do this with other alternative browsers as well, but I'm only familiar with Opera.) This will stop compromised ad servers from infecting your machine (unless you enable JS and plug-ins for the ad servers, that is).
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: First virus in about a decade

Thu Dec 15, 2011 8:32 pm

SpotTheCat wrote:
1. I will enforce her use of google docs for her work. She works from home (she is a writer!) and I've been insisting that google docs will provide safer storage for her work for months. Nothing I can do will be as robust and safe as the cloud.


What if Docs lacks a feature she uses often enough for its omission to be annoying? It's a bit light on features compared to Word. John Scalzi (sf writer) tried writing a book in Docs on his Cr-48 for a time early this year and gave up because it didn't do what he wanted.
 
Neutronbeam
Gerbil XP
Posts: 460
Joined: Mon Mar 20, 2006 10:07 am
Location: Dunwoody, Georgia USA

Re: First virus in about a decade

Thu Dec 15, 2011 10:02 pm

A few very minor suggestions--

AVG Free just got a very positive review from Maximum PC and it does NOT pop up with annoying messages much--I am using it on two machines.

Consider ZoneAlarm Free Firewall as an addition.

Have her do WEEKLY scans.

Use Ninite--free or paid service at $10/year--to update a group of apps at once, including QuickTime, Adobe Flash, etc. Highly recommended. For the free version you run the downloaded file periodically and it updates all the apps. The paid service scans and does it daily. http://ninite.com/

Have her use the Chrome browser since it is sandboxed. Alternatively, buy her Sandboxie--http://www.sandboxie.com/--and set it up so her browser (and other programs if desired) are automatically sandboxed.
"the work goes on, the cause endures, the hope still lives, and the dream shall never die." -- Senator Ted Kennedy, 1980 Democratic National Convention speech
 
pedro
Gerbil First Class
Posts: 176
Joined: Fri May 11, 2007 6:13 am

Re: First virus in about a decade

Thu Dec 15, 2011 11:03 pm

SpotTheCat wrote:
The culprit is many things. Mostly, I've assumed she has the same computer decision making skills as I
1. I will enforce her use of google docs for her work. She works from home (she is a writer!) and I've been insisting that google docs will provide safer storage for her work for months. Nothing I can do will be as robust and safe as the cloud.


I love Google Docs but I recently lost a diary I'd been keeping on there for ages. Moral of the story: It seems easier to nuke a document in the cloud than it does locally.
Ubuntu 12.04 AMD64: E8200 // P35 // HD 4850 // 4GB
OS X 10.8.x: iMac12,2, MacBook 5,2
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: First virus in about a decade

Fri Dec 16, 2011 9:07 am

axeman wrote:
I'm not sure what support Google gives for Docs if you aren't paying for the service, but doubtless it could be recovered from a backup somewhere.


Your naivete is cute. Google doesn't provide /any/ support, basically, so if you want a backup that's your lookout.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: First virus in about a decade

Fri Dec 16, 2011 9:35 am

axeman wrote:
...
3) why the hate towards a FREE service? Same people that bitch about Facebook I guess.

IMO much (though not all) of the ire directed at Facebook is deserved. It is a malware cesspool, and a major contributor to the "dumbing down" of the Internet.
Nostalgia isn't what it used to be.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: First virus in about a decade

Fri Dec 16, 2011 9:36 am

I'm not hating on Docs, it's good for what it is, but the point is that you can't trust them to never lose your data, and you can't expect a free service to be assiduous about restoring your backup.

You want a backup, you keep your own damn backups and take responsibility for them. You might never have a problem with THE CLOUD, but then again you might and your data could disappear forever if you don't have an offline copy, same as for anything else.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: First virus in about a decade

Fri Dec 16, 2011 9:51 am

bthylafh wrote:
You want a backup, you keep your own damn backups and take responsibility for them. You might never have a problem with THE CLOUD, but then again you might and your data could disappear forever if you don't have an offline copy, same as for anything else.

"The Cloud" is really just a euphemism for migrating back to the datacenter/mainframe/terminal model of computing (with web browsers taking the place of the terminals). Letting someone else manage your data for you means you no longer *control* your data.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA

Re: First virus in about a decade

Fri Dec 16, 2011 11:31 am

just brew it! wrote:
Letting someone else manage your data for you means you no longer *control* your data.


Very well put. I'd also note this presents more danger than just losing your data. It also represents a risk of the compromise of your data too.

The cloud should not be the goto solution without some real thought about what you can afford to lose.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
Hance
Darth Gerbil
Posts: 7775
Joined: Mon Sep 29, 2003 1:58 pm
Location: Grace Idaho

Re: First virus in about a decade

Fri Dec 16, 2011 11:18 pm

just brew it! wrote:
axeman wrote:
...
3) why the hate towards a FREE service? Same people that bitch about Facebook I guess.

IMO much (though not all) of the ire directed at Facebook is deserved. It is a malware cesspool, and a major contributor to the "dumbing down" of the Internet.



So did you bitch about the move away from BBS and newsgroups dumbing down the internet back in the day too? :lol:


My parents got hit by this same virus today. I will know more tomorrow when I go to fix the problem. Going from memory they have a fully updated version of windows 7 64 bit, running chrome, and Microsoft Security Essentials.
 
SpotTheCat
Gerbilus Supremus
Topic Author
Posts: 12292
Joined: Wed Jan 29, 2003 12:47 am
Location: Minnesota

Re: First virus in about a decade

Sat Dec 17, 2011 9:07 pm

FWIW, I was able to bring up task manager (I had to ctrl+alt+delete, any other route to the task manager was blocked), find the location of the process, kill the process, delete the file the process was run from, and then I used a spyware removal tool to change the registry back. I hope that's all of it!
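The manual removal SpotTheCat just described (get to the process when Task Manager is blocked, find its image on disk, kill it, remove the file, put the registry back) as an added example script. It is not code from the thread or from any poster. It assumes the fake AV's process is named 'FakeAV.exe' and that C:\Quarantine is a usable folder, both placeholders; the image is moved out of the way and renamed rather than deleted so it can still be inspected or submitted to a vendor. Run it from an elevated Windows PowerShell prompt under the infected account: the HKCU parts need no elevation, the HKLM check does.

```powershell
# Added example, not from the thread. Kill and quarantine a user-level fake
# AV by process name, remove the Run entries that launch it, and undo the two
# common ways such malware blocks Task Manager. 'FakeAV.exe' is a placeholder.

function Get-ProcessImagePath {
    param([string]$Name)
    # Win32_Process exposes the on-disk image for every process, including
    # ones Get-Process cannot open for a path on Windows 7.
    Get-WmiObject Win32_Process -Filter "Name = '$Name'" |
        Select-Object ProcessId, Name, ExecutablePath
}

function Stop-AndQuarantine {
    param([string]$Name, [string]$QuarantineDir = 'C:\Quarantine')
    # Returns the original paths of the images moved into quarantine.
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
    foreach ($p in Get-ProcessImagePath -Name $Name) {
        Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue
        Wait-Process -Id $p.ProcessId -Timeout 10 -ErrorAction SilentlyContinue
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            # Change the extension on the way out so nothing relaunches it.
            $leaf = Split-Path -Path $p.ExecutablePath -Leaf
            $dest = Join-Path $QuarantineDir ($leaf + '.quarantined')
            Move-Item -LiteralPath $p.ExecutablePath -Destination $dest -Force
            $p.ExecutablePath
        }
    }
}

function Remove-RunEntriesPointingAt {
    param([string]$ImagePath)
    # Delete only the per-user autostart values that launch the quarantined
    # image; everything else in Run/RunOnce is left alone.
    foreach ($k in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Value -is [string] -and $prop.Value -like "*$ImagePath*") {
                "removing $k\$($prop.Name) = $($prop.Value)"
                Remove-ItemProperty -Path $k -Name $prop.Name
            }
        }
    }
}

function Restore-TaskManager {
    # Two ways fake-AV families block Task Manager: the per-user policy value,
    # and a Debugger entry under Image File Execution Options that redirects
    # taskmgr.exe (and regedit/msconfig) into the malware itself.
    $policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    if (Test-Path $policy) {
        foreach ($v in 'DisableTaskMgr', 'DisableRegistryTools') {
            Remove-ItemProperty -Path $policy -Name $v -ErrorAction SilentlyContinue
        }
    }
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'taskmgr.exe', 'regedit.exe', 'msconfig.exe') {
        $k = Join-Path $ifeo $exe
        if (-not (Test-Path $k)) { continue }
        $dbg = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            "IFEO hijack on $exe -> $dbg"
            Remove-ItemProperty -Path $k -Name Debugger
        }
    }
}

$images = @(Stop-AndQuarantine -Name 'FakeAV.exe')
foreach ($img in $images) { Remove-RunEntriesPointingAt -ImagePath $img }
Restore-TaskManager
```

Order matters: quarantine first, then the Run keys, then the Task Manager fix. If the process is still alive when you fix the registry, it simply writes the values back. A full scan afterwards, as the thread suggests, is still the right move; this only undoes what was visible.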
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: First virus in about a decade

Sat Dec 17, 2011 9:12 pm

SpotTheCat wrote:
FWIW, I was able to bring up task manager (I had to ctrl+alt+delete, any other route to the task manager was blocked), find the location of the process, kill the process, delete the file the process was run from, and then I used a spyware removal tool to change the registry back. I hope that's all of it!

http://windows.microsoft.com/en-US/wind ... er-offline

MS has a beta version of Windows Defender (looks just like MSE) available as an offline product one can install as bootable to CD/DVD or USB. I gave it a whirl and it seems to work pretty well. You do have to run the wizard as admin, though, if you want the USB stick reformat to work (using XPSP 3 here).
What we have today is way too much pluribus and not enough unum.
 
lonleyppl
Gerbil XP
Posts: 380
Joined: Wed Jan 26, 2011 2:59 pm

Re: First virus in about a decade

Sat Dec 17, 2011 10:03 pm

My mom got hit by this. Not entirely updated version of Vista with FF. Adobe Reader and Java both needed updates, Flash probably does too. I booted into safe mode, cleaned up registry and start-up with CCleaner, ran MBAM several times, then booted into Windows normally and am running AVG and MBAM scans. She was using AVG Free; she just doesn't know what to click on and what not to click on, apparently. It's a good thing this only happened 2 or 3 days ago, as I just got home yesterday and nobody else here would've looked at it.
Lenovo W520
IBM dx340
Nokia Lumia 928
Sony a7 with far too many lenses to list or even count
