On 6/1/2011 3:40 PM, Al Puzzuoli wrote:
> Over the past few months, I have seen a number of instances of machines
> getting infected with variants of this Fake Alert bug. It has happened
> to several users in the office; but I have also seen it on friends’
> machines as well. Some users were running XP, others were on Windows
> 7. Some had admin rights, others didn’t. It’s gotten past Nod32, VIPRE,
> and Security Essentials. Bottom line is, I have no idea what to do to
> keep this bloody thing out! Are others having similar problems? If so,
> why hasn’t there been more of a general outcry to the AV companies? They
> all seem to be virtually useless when it comes to this sort of attack.
> If AV isn’t the answer, then what is?
>

I've seen a definite uptick in the number of cases I've had in the last 
couple of weeks.  The only good news is that I've gotten pretty good at 
removing it these days :).

I haven't been able to stop it, or figure out any way to do so.  My 
understanding is the code is changing enough to make it tough for virus 
software to catch.

Generally to remove it, I've used a combination of Malwarebytes, 
ComboFix, TDSSKiller, and going through fixing the file associations in 
the registry by hand (since these inevitably will change exe, Internet 
Explorer, and Firefox to all run through their executable).  The 
registry part is a little annoying, since if I'm not logged in as the 
user in question, I generally have to go back and fix their profile too 
(even things in HKEY_CLASSES_ROOT seem to be different for different 
users).  ComboFix seems to like to wipe out a particular piece of 
software that some of my users use (Eprime), so I've gotten away from 
that recently.

Last couple I've cleaned up after have also disabled the Windows 
firewall and screwed up automatic updates, so it's worth looking at that 
too.

I'll have to try that Standalone Sweeper thing that Matt brought up and 
see how well it does.  Somehow I'm pretty sure I'm going to get the 
chance to do that.

Gary

> Totally frustrated,

I've moved beyond being frustrated and have reached the more resigned state.
>
> Al
>
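The checks Gary walks through by hand (hijacked exe / browser associations in both the machine and per-user class hives, plus the firewall and Automatic Updates services) as a read-only PowerShell audit. This is an added example, not code from either poster; it assumes Windows 7 with PowerShell 2.0 or later run elevated, and the service names MpsSvc and wuauserv are the Windows 7 names (XP uses SharedAccess).

```powershell
# Added example (not from the thread): audit the registry associations a FakeAlert-style
# infection rewrites and the services the cleanups found disabled. Read-only; it reports,
# it does not change anything.

# Association classes the thread says get pointed at the malware executable.
$assocKeys = @('exefile', 'FirefoxHTML', 'FirefoxURL', 'htmlfile', 'http', 'https')

# HKCR is a merged view: per-user overrides in HKCU\Software\Classes win over HKLM,
# which is why fixing one hive still leaves other users' profiles "different".
$hives = @('HKLM:\Software\Classes', 'HKCU:\Software\Classes')

function Test-OpenCommand {
    param([string]$Class, [string]$Command)
    if ($Class -eq 'exefile') {
        # Stock Windows value: run the file itself with its own arguments.
        return ($Command -eq '"%1" %*')
    }
    # Browser / URL handlers should launch a binary under Program Files or the Windows
    # directory; a path in a profile or temp folder is the hijack pattern. Commands using
    # environment-variable forms (e.g. %ProgramFiles%) are flagged for manual review.
    return ($Command -match '^"?([A-Za-z]:\\(Program Files( \(x86\))?|Windows)\\)')
}

foreach ($hive in $hives) {
    foreach ($class in $assocKeys) {
        $path = Join-Path $hive "$class\shell\open\command"
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }   # key absent in this hive: nothing to check
        $cmd = $item.'(default)'
        $status = if (Test-OpenCommand $class $cmd) { 'OK      ' } else { 'SUSPECT ' }
        Write-Output "$status $path = $cmd"
    }
}

# Services the last few cleanups found disabled or broken (Windows 7 names, assumed).
foreach ($svc in 'MpsSvc', 'wuauserv') {
    $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    if ($null -eq $s) { Write-Output "MISSING  service $svc"; continue }
    $ok = ($s.State -eq 'Running' -and $s.StartMode -ne 'Disabled')
    $flag = if ($ok) { 'OK      ' } else { 'SUSPECT ' }
    Write-Output "$flag service $svc State=$($s.State) StartMode=$($s.StartMode)"
}
```

Run it once logged in as the affected user so the HKCU hive reflects that profile; a SUSPECT line on exefile in either hive is the association Gary describes having to repair by hand.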