A Close Brush With Scareware

OK, I’ve got to say up front: I think that some virus and other malware writers should be stood up against a wall at noon and shot.

I’ve told people for years that they needed to practice safe computing and use antivirus software and keep it updated. I recommend Microsoft Security Essentials for a couple reasons. First, it works pretty well. Second, it’s free, and kept up to date pretty well by Microsoft. Third, given the well-known vulnerabilities in Microsoft software, Microsoft should provide a free AV capability.

I’ve spent literally hundreds of hours clearing up virii infections from various computers. Probably the worst one was my Moms computer. She visited gambling site, free-coupons sites, free-stuff sites, and many other something-for-nothing sites, and her computer picked up so much digital smegma that it was wasting 80%+ of its CPU on the junk. After the third time cleaning off her machine (the second time time by just reinstalling Windows), I ended up putting a version of Ubuntu on her computer, and then I put a skin on it that looked just like Windows XP. No problems after that. I’ve worked on 20+ machines from friends and relatives getting the e-crud out of them.

Yesterday, Raegan called me in. She knows bullcrap when she sees it, and she had had a number of windows pop up proclaiming her computer had a virus. I know from a look that she had a “scareware” app. The scareware is just another malware; if you do the “scan” it requests, it’s permission for the crap to install itself on your computer, and then you have to send the SOB developers money to get it off.

I powered her system down. Then, having worked on four other machines that were similarly infected, I pulled the drive out so I could sanitize it in offline mode.

Of the other four machines that I’ve seen this on, I was able to completely clean two, one I cleaned but it was still severely affected (missing programs, missing files), and one was so fracked up I had to re-install the OS (I switched it from XP to Ubuntu).

So I updated the Microsoft Security Essentials AV definitions, then the AVG, then Ad-Aware, and finally Spybot. Then I hooked her drive to an external USB-to-SATA interface I have, powered the drive up, and started scanning. MSE found and cleaned off the offending virus, which had infected the boot sector as well as tied itself into the machine startup in the registry. It took about five hours to fully scan and clean her 1.5TB drive (that had about 600GB of stuff). I repeated the process with AVG, which false-alerted on some stuff I know to be benign. I decided to not run A-A or Spybot.

After putting the disk back into her machine, XP took a couple passes of CHKDSK, found some files damaged, and finally it all booted up, and looks pretty good. The only damage we have found so far is that the right half of her Start Menu stuff (My Computer, Control Panel, etc.) was missing. I found that that stuff can be restored by clicking Start, then the Properties, then Customize, and finally Advanced.

So after an hour or so of actual work, and about 10 hours of scanning, it seems that her machine will survive the scareware. Raegan is careful, and doesn’t hit any nasty sites. We tried to figure out where the crap came from, and we think it was a site that had a download for a word search puzzle generator, as it was only one of two sites that she had visited immediately prior to the infection. It looks like the crap was put there before her MSE could recognize the signature of the downloaded malware.

I have no problem opening a machine up and pulling the hard drive to scan offline (and I have the stuff to be able to do just about any drive, IDE, SATA, or SCSI), but most people don’t, and have to scan and try to fix the problem in situ, with the malware running also. That just makes it more difficult.

But I would like to see the perpetrators have something nasty happen to them.


4 Responses to “A Close Brush With Scareware”

  1. Clark Cone Says:

    Bill – I share your enthusiasm for rooting out hardware problems/issues on Windoze machines…curious, you said: “I have no problem opening a machine up and pulling the hard drive to scan offline (and I have the stuff to be able to do just about any drive, IDE, SATA, or SCSI),”…can you describe that “stuff”? Clark – clark dot cone at gmail dot com

    • Bill Hensley Says:

      Hi, Clark. I have three USB external drive carriers. One is for 5″ desktop IDE drives, another for 2.5″ IDE laptop drives, and another that fits either size SATA. I also have a computer with a PCI-to-SCSI adapter and a SCSI-2 cable. Any of these mount under Windows as G: or F: and allow the drive to be scanned without being an active drive. I can also do a remote connect to the drives registry to clean out nasty stuff referenced in the Run keys.


      • Clark Cone Says:

        thanks for the reply, Bill…not familiar with a 5″ IDE drive – to -USB carrier…I do have a SATA to IDE converter..can I plug the IDE HD with the converter attached into a SATA slot on another machine? Should work, eh? Clark

      • Bill Hensley Says:

        My bad, Clark, I should have written “3.5 in”. I’ve never used a SATA to IDE converter, but don’t see why it wouldn’t work.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: