Tag Archives: rogue anti-spyware

How to Remove Scareware – Common Issues

Your guide to Scareware, and its common Issues

On 411-Spyware.com and the computer repair shop I work at, I’ve found that a lot of people use manual removal instructions to remove fake security software (AKA rogue anti-spyware software, or scareware) from their computer.

Using a paid antivirus/antispyware program is easier and more reliable, since manually removing infections can be tricky.

But for those of you who like the long road (yep, I’m raising my own hand here), you may run into these common issues while removing fake antispyware.

I’ve got a list of files to delete, but Windows won’t let me delete them.

That’s because you are currently running the scareware, and Windows won’t let you delete files that are in use. Boot into Safe Mode (hold F8 at start up, and when the menu appears select “Safe Mode”).

This will prevent any programs automatically loading other than those that Windows needs to run. Delete your files from there and when you’re done, just reboot normally.

How am I supposed to delete this scareware when it generates popups every 20 seconds?

Once again, if you’re manually removing the files, you can use Safe Mode to make things easier. Some technicians advise using MSCONFIG to stop scareware from running.

I find this unnecessary as you can remove files in Safe Mode, and when you restart your computer you can see if it is still running and if there is anything else you have to remove.

The scareware won’t let me boot into Windows. I can’t do anything.

This is a very nasty tactic that some scareware uses. What makes it worse is that it even launches in Safe Mode, making your computer unusable.

Fortunately, not many scareware programs do this as it defeats the purpose of the scam. How can they get your money when you buy their fake software, if you can’t even get into Windows?

When I get infections like this I use a free program called VistaPE. Basically, VistaPE puts an operating system on CD that your computer can boot off. You can then view your hard drive and delete the scareware files that way. As you’re running off a CD, there is no way the infection can mess with the disk.

Follow this tutorial to make a VistaPE disk. Don’t worry about the advanced stuff. All you want to do is view and edit the contents of your hard drive. Once your disk is made, you may need to edit the boot order in your BIOS to make the CD/DVD drive the first boot device. Your computer manual will show you how to do this.

I’ve deleted all the files, but that damn scareware always comes back.

Scareware does have a habit of reappearing when you think you’ve killed it, just like a horror movie monster.

This is happening because your scareware was put there by a Trojan. Right after you remove all the scareware files, the Trojan sees that you don’t have scareware on your computer, and happily provides you with one.

Even if the scareware you were infected with doesn’t reappear, you most likely have a Trojan running in the background. 90% of computers I see with scareware infections have a Trojan installed, too.

Trojans want to remain hidden, so even if you suspect there is one on there, you won’t know which one it is. The best way to find out is to download and run a legitimate antivirus/antispyware trial, like Spyware Doctor, and see what it finds.

If you really want to, you can see if there are manual removal instructions for your Trojan once you know its name (but I hope that by that stage you purchase software to remove it and any other nasty files it finds).

Please note most security software trial versions don’t allow you to install updates, so you may be infected with a Trojan that’s not in the default database.

That’s all the tips I have at the moment; if I find any more, I’ll update the article.

If you have some tips or questions, please leave a comment.

Guest Writer: This is a guest post by Kristopher Dukes of 411-Spyware.com – an invaluable asset in the battle against malware. Pay a visit to 411-Spyware.com, and I’m convinced you’ll become a regular visitor.

The content of this article is copyright 2009 © by Dukes Media, LLC All rights reserved.

Every Good Story Needs a Villain!

This is a guest post by Paul Eckstrom, a technology wizard and the owner of Aplus Computer Aid in Menlo Park, California.

Paul adds a nice humorous touch to serious computer technology issues. Why not pay a visit to his blog, Tech–for Everyone?

This story opens gently enough. It begins with a friendly and helpful Comment posted on a friendly and helpful blog.

Someone had written to share “the results of their work”, which he said “solved his security problems.” He was talking about viruses and spyware, and other malware, and he said his method “covers 99.8%! of all known threats.” He posted his advice/Comment on an article about How To prevent the dangers posed by spyware (and also warns about “rogue” anti-spyware programs). He signed himself “Spycrasher”.

So far, this all sounds pretty good, doesn’t it? 99.8% effective certainly sounds good.

As you have probably deduced, Dear Reader, the “friendly and helpful blog” in question was this one. Tech–for Everyone, like most blogs, provides readers the opportunity to respond, ask a question, or just “put in their two cents”, simply by clicking on “Comments” at the bottom of the article. And also like most blogs, I have the ability to “moderate” which comments get posted and which don’t– for instance, Comments containing offensive language will not be published. Spycrasher’s 99.8%- effective security solution will NOT be seen here.

But.. maybe you’re a little curious as to what it was. And.. maybe, why I deleted it. (Take another peek at today’s title..) “Spycrasher’s” comment said to use three particular anti-spyware programs– in tandem– and he provided download links. (This, alone, triggers red flags.) He mentioned two tools I was not familiar with, and one rather well-known program.

* Hyperlinks are always suspicious (and blocked as a matter of policy), and the first thing I checked was, did the links point to legitimate websites..? Or would clicking on them take you to a poisoned webpage (which could infect your machine) or a pharming site.

No problem there. The links he provided did indeed point to real websites.

* The next thing was to check out the unknown programs themselves. No self-respecting and legitimate tech writer will advocate something they have not used, and tested, themselves. Period.

In my initial research of the first program (XoftSpy-SE), I found a wide range of reviews and comments.. from “this is rogue” to “this is the best thing since sliced bread”, and I learned that the program was “for pay”.
I don’t promote “for pay” software here (but do provide a daily free download), nor even potentially rogue apps; and so I stopped right there. I would not allow Spycrasher’s Comment.

* Being the gentleman that I am, I decided to write Spycrasher and thank him for his submission, and explain why I had moderated it. But before I did, I wanted to get a feel for where he was coming from.. so I ran a Whois on his IP…

Now, I gotta tell you.. it is very rare for ARIN to come back with a “no match found”. Very, very strange.

So I traced him.

New York >London >Amsterdam >Berlin >Warsaw…

And then he disappears into a virtual private network somewhere in the Ukraine.

Odd.

* So I used a search engine to find instances of the word “Spycrasher”… and he came up a lot. Spycrasher likes to post in various forums. Quite a few of them, actually. Like, practically all of them.
And he posts a lot of Comments there.
* Guess what? They are all identical to the one he posted (I should say “pasted”) on mine.. right down to the ‘wink’ smiley ;-).

Very.. odd.

Tip of the day: Be very leery of hyperlinks, folks.. and please understand: not every innocent looking thing you see on the Internet is in fact “friendly and helpful”. There are people whose full-time job it is to try to trick you, and seduce you into doing something you normally wouldn’t.
I am very sad to say.

[note to bloggers/forum moderators/webmasters: you may want to search your published pages for instances of “Spycrasher”, and delete this guy.]
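
For moderators acting on the note above, here is an added example (not code from the original post) that searches a comment export for a given commenter name and, going one step further, flags link-bearing comments whose text is pasted identically across several pages even when the name changes. The comment tuples, page paths, the `helper99` name and the `.example` URLs are constructed sample data.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample export: (page, author, comment body). Not from any real site.
COMMENTS = [
    ("/spyware-howto", "Spycrasher",
     "I solved my security problems with these three tools ;-) http://tool-a.example/dl http://tool-b.example/dl"),
    ("/firewall-basics", "Spycrasher",
     "I  solved my security problems with these THREE tools ;-)  http://tool-a.example/dl?ref=2 http://tool-b.example/dl"),
    ("/firewall-basics", "alice", "Thanks, the Safe Mode tip worked for me."),
    ("/backup-tips", "helper99",
     "I solved my security problems with these three tools ;-) http://tool-a.example/dl http://tool-b.example/dl"),
    ("/backup-tips", "bob", "Thanks, the Safe Mode tip worked for me!"),
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def fingerprint(body):
    """Hash of the comment with URLs masked, case folded and whitespace collapsed."""
    text = URL_RE.sub("<url>", body).casefold()
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def find_pasted_comments(comments, min_pages=2, min_links=1):
    """Return groups of link-bearing comments whose text repeats on min_pages+ pages."""
    groups = defaultdict(list)
    for page, author, body in comments:
        if len(URL_RE.findall(body)) >= min_links:
            groups[fingerprint(body)].append((page, author))
    flagged = []
    for hits in groups.values():
        pages = sorted({p for p, _ in hits})
        if len(pages) >= min_pages:
            flagged.append({"pages": pages, "authors": sorted({a for _, a in hits})})
    return flagged

def comments_by_author(comments, name):
    """Case-insensitive lookup of every page where a given name commented."""
    return sorted({p for p, a, _ in comments if a.casefold() == name.casefold()})

if __name__ == "__main__":
    for group in find_pasted_comments(COMMENTS):
        print("pasted on", group["pages"], "by", group["authors"])
    print(comments_by_author(COMMENTS, "spycrasher"))
```

Masking the URLs before hashing means a paste still matches when only the tracking parameters in its links differ; ordinary link-free replies are never grouped.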

Today’s free link: I am going to repost a program here today, because I have it on every single one of my (Windows) machines, and I think you should too. ThreatFire (originally named “CyberHawk”) is a free, behavior-based anti-malware application. I use it as a supplement to my antivirus and other anti-spyware tools. Heuristic tools like ThreatFire are your only defense against “zero day” exploits.

Copyright 2007-8 © Tech Paul. All rights reserved.
