Jenleib - Go to www.malwarebytes.org. Download the free version, install and do a complete, not quick, scan. You'll know it if you have a hidden bug, and Malwarebytes will probably be able to deal with it.
After accessing Scott's site but before reading today's posts on this thread I sent an email heads-up. I will send him this link NOW. My virus protector caught 6 trojan attempts, like a machine gun going nuts. Thanks to all who have posted here. He is a great guy and his site is more for being informative than for making money, so it is a venture of love of sorts. OK Steve, I spend most of my time here as this too is a wonderful site that I am in no way disparaging. And if I had sites, they would be about fun, service AND money. Jaja.
Details for technically minded folks.... Cleaned up a computer today that was (presumably) infected from Scott's site... the infection was with a particularly nasty scareware/malware called "Personal Protector". Victim was presented with realistic warning message that she thought was legitimate, clicked to "fix" problems.. malware was installed... program disabled antivirus software, disabled system restore, disabled task manager, hid desktop icons, blocked most attempts to browse the Internet with "website unsafe" messages and denied access to known antivirus or malware removal sites. Essentially rendering the computer unusable unless "full version" is purchased. Malware was removed from XP installation by booting into safe mode and disabling all startup programs via msconfig, resetting the tcp/ip stacks and internet explorer settings to defaults to gain access to malwarebytes.org website, free version of program removed the infection, AVG free antivirus found one additional virus in internet temp files.. computer appears to be working normally now. Have advised victim to change passwords as precaution. Avoid Cancunassit.com until further notice... Personal note: People who write this software should be hunted down and strung up at the nearest light pole! It's very easy to see how someone could fall for it if they are not especially computer savvy... I only hope that the authorities are working to track down those responsible for this and other extortionist malware programs.
Great job. This is exactly the kind of malware I mentioned in my initial explanation. I can save you and others a lot of work if you've managed to get the Malwarebytes anti-malware software onto the infected computer. The majority of these "Protector" scams use a simple ASCII checker to defeat Malwarebytes and several other anti-malware tools. If you can navigate to the C:\Program Files\Malwarebytes' Anti-Malware\ folder and then find the mbam.exe file, simply rename it to anything you like, being careful not to wreck the .exe part of the file name. In other words rename mbam.exe to mixz1.exe. Then double-click on the renamed file to run it as the shortcuts will no longer work. You can avoid all the msconfig and safe mode stuff and get the same result. After the cleanup, rename the exe back to mbam.exe so that menu and shortcuts work again. One last note, noting again that I have nothing to do with Malwarebytes: If you pay for the software, you can enable it to run in the background and never get infected by this garbage. It's going to be about 319 pesos for a lifetime license with free updates and upgrades. It will actually stop you from going to suspicious sites, an action you can override if you so desire.
The reasoning for safe mode and disabling everything was to gain access to the malwarebytes.org website which was otherwise blocked. Once access was made the free version was downloaded, installed and run without issue so altering the program's crc or name was not required. Fortunately this bugger had a startup entry which was relatively easy to block from loading; however, the persistent changes to IE behavior required correction... I'm not certain if rebuilding the stacks or simply restoring the defaults in IE was what allowed access to the malwarebytes.org site, but after completing both of those tasks access was restored and the program was downloaded. It's not the most difficult bug to remove especially with the help of great programs like malwarebytes, but not knowing how to get around the obstructionist measures the malware had implemented would make it difficult for the average user. I am a bit disappointed that AVG free not only didn't detect it as a virus (which is exactly what it is in my opinion) but also allowed itself to be disabled without a fight. Any recommendations on a free antivirus that might do a better job protecting itself?
Yep, Life. You did exactly right. My note concerned a machine that already had mbam on it. By now, I hope everyone reading this has at least the free version installed. As for a free AV solution: there's no such thing as a free lunch. AFAIK, even the pay version of AVG is going to miss this genre of malware. The best approach is a two-tiered approach consisting of a layer of anti-virus and a layer of anti-malware. MBAM has consistently blocked these "protector" malware exploits. Also, all these exploits involve a certain degree of cooperation from the user. When first presented with the false virus warning, simply closing the browser stops the attack. It's only after you cooperate by clicking through that you get infected. Again, hopefully those reading this thread now know better than to fall for the bait.
I am glad that Mix and Life are my buds. If I get in such a jam I sure know who can help, provided they consider me to be their "bud" too. Good luck to Scott and his regular visitors.
Looks like Scott is switching to a phpBB forum. I think that is a wise move and should present fewer problems in future.