Cleaning up malware (System Care Antivirus)

On Tue 21st May 2013, 21:50 Jonathan says:

So it's something I write about reasonably often, because there's a lot of malware out there. I was helping a friend this evening who'd got an infected laptop. She hadn't gone anywhere dodgy, but that doesn't matter, as a compromised legitimate website can still infect your computer. Most importantly, she had a backup of her data!

Each time she logged on, some malware popped up: normal fake-antivirus type stuff which wouldn't let any other application run as it "is infected". The malware had disabled the installed anti-virus, as has been seen before; the whole thing was somewhat familiar.

Fortunately, there was a second administrator-level account on the computer, and logging in with that enabled remote control of the machine. Using Autoruns I could identify a directory in c:\programdata\ which seemed wrong, especially given the files in it were "modified 2002" - impressive given this was a Windows 7 laptop.

Visual inspection of the files showed the icon was that of the fake AV. Renaming those files so they couldn't execute (I'd disabled the entry in Autoruns anyway) and then logging in as my friend showed the fake AV appeared to be disabled. The free Sophos Virus Removal Tool is running a scan on there at the moment.
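The same triage can be scripted for the cases where Autoruns isn't to hand. The PowerShell below is an added example for this post, not something from the original write-up or from the Autoruns tool: it walks the common Run keys and Startup folders, resolves each entry to a file, and flags anything that runs from ProgramData or a user profile, is unsigned, or claims a modification time older than the OS install (the general form of "modified 2002 on a Windows 7 laptop", since Windows 7 wasn't released until 2009). It assumes PowerShell 3 or later, an elevated session on the rescue administrator account, and that the key and folder lists below are the ones you care about; they are a subset of what Autoruns checks, not a replacement for it.

```powershell
# Added example (not from the original post): quick autostart triage on Windows.
# Assumes PowerShell 3+ and an elevated session on the second (rescue) admin account.

$installDate = (Get-CimInstance Win32_OperatingSystem).InstallDate

# Machine-wide Run keys plus the Run keys of every loaded user hive under HKEY_USERS.
# Note: HKCU in the rescue session is the rescue account's hive, not the infected
# user's. Load hers first with:  reg load HKU\Infected C:\Users\<name>\NTUSER.DAT
$runKeys = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($hive in Get-ChildItem Registry::HKEY_USERS) {
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "Registry::$($hive.Name)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}

# All-users Startup folder plus each profile's Startup folder.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += Get-ChildItem "$env:SystemDrive\Users" -Directory |
    ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" }

function Get-CommandPath {
    # Reduce a Run value such as  "C:\ProgramData\abc\def.exe" /silent  to the file path.
    param([string]$Command)
    $c = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"') { return $Matches[1] }
    if ($c -match '^(.+?\.(exe|dll|cmd|bat|scr|vbs|js))(\s|$)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Test-SuspiciousPath {
    # Emit a finding object when the target looks wrong; emit nothing otherwise.
    param([string]$Path, [string]$Source)
    $reasons = @()
    if ($Path -like "$env:ProgramData\*") { $reasons += 'runs from ProgramData' }
    if ($Path -like "$env:SystemDrive\Users\*\AppData\*") { $reasons += 'runs from a user profile' }
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($item) {
        # Files "modified" before the OS was installed are a classic timestomp tell.
        if ($item.LastWriteTime -lt $installDate) {
            $reasons += "modified $($item.LastWriteTime.ToShortDateString()) but OS installed $($installDate.ToShortDateString())"
        }
        if ((Get-AuthenticodeSignature -FilePath $Path).Status -ne 'Valid') { $reasons += 'not validly signed' }
    } else {
        $reasons += 'target file missing'
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Source = $Source; Path = $Path; Reasons = ($reasons -join '; ') }
    }
}

$findings = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc.
            Test-SuspiciousPath -Path (Get-CommandPath $p.Value) -Source "$key\$($p.Name)"
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            Test-SuspiciousPath -Path $f.FullName -Source "Startup folder: $dir"
        }
    }
)
$findings | Format-Table -AutoSize -Wrap

function Disable-AutorunEntry {
    # Neutralise a confirmed entry the way the post describes: rename the file so it
    # can't execute, then remove the Run value. Copy the file off first if you want a sample.
    param([string]$Path, [string]$RegistryKey, [string]$ValueName)
    if (Test-Path -LiteralPath $Path) {
        Rename-Item -LiteralPath $Path -NewName ((Split-Path $Path -Leaf) + '.malware')
    }
    if ($RegistryKey -and $ValueName) { Remove-ItemProperty -Path $RegistryKey -Name $ValueName }
}
```

Two practical notes. First, because you are logged in as the rescue account, the infected user's hive is not loaded unless she is also logged in; `reg load` it as shown in the comment (and `reg unload HKU\Infected` when done) so her Run key is actually inspected. Second, this covers only Run keys and Startup folders; services, scheduled tasks, Winlogon entries and browser helper objects are other places Autoruns looks, so an empty result here means only that the quick check found nothing.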

Transferring the malware back to my lab environment (isolated from the home network), I can confirm I'd found at least some of the malware (I infected the lab computer to prove it).

So, the "take home" from this post:
* Always have current backups (and at least one copy off site)
* You can be infected from any website on the Internet, not just "dodgy" sites
* Have at least two administrator accounts on your computer. Keep the second account password-protected and unused until you have a problem (and then create a third before you start work!)