PC Question

zx1
edited February 2011 in Chit chat
This morning I booted up my PC and was checking my emails when a pop-up appeared (which looked like a Windows 7 program) that scanned my PC and said 'Your computer is infected!'. It said I had something like 30 trojan horses on my hard drive and 200 suspicious programs. If I had 30 trojans wouldn't my PC run mega slow/crash? Anyway, when I exited the program a box appeared that said 'Do you wish to run, save, or cancel this program?'. I hadn't selected anything. I thought it strange so I ran a virus scan that picked up 1 harmless trojan, and a spyware scan picked up nothing.
Is this some kind of scam?
The trouble with tribbles is.......

Comments

  • edited February 2011
    Yes, it's a scam: scareware.

    scan with malwarebytes anti malware http://majorgeeks.com/download.php?det=5756
    Professional Mel-the-Bell Simulator................"So realistic, I found myself reaching for the Kleenex King-Size!" - Richard Darling
  • edited February 2011
    Wikipedia:
    Scareware comprises several classes of scam software with malicious payloads, or of limited or no benefit, that are sold to consumers via certain unethical marketing practices. The selling approach uses social engineering to cause shock, anxiety, or the perception of a threat, generally directed at an unsuspecting user. Some forms of spyware and adware also use scareware tactics.
    A tactic frequently used by criminals involves convincing users that a virus has infected their computer, then suggesting that they download (and pay for) fake antivirus software to remove it.[1] Usually the virus is entirely fictional and the software is non-functional or malware itself.[2] According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008.[3] In the first half of 2009, the APWG identified a 585% increase in scareware programs.[4]
  • edited February 2011
    I got a particularly nasty bit of scareware last year. It basically kept telling me every single file on my PC was infected, and no matter what I tried to run or clicked on I had to run it. In the end I pulled the plug.

    It had gone away on the startup, but I still CCleaner'd the mofo afterwards.
    Every night is curry night!
  • edited February 2011
    I got a particularly nasty bit of scareware last year. It basically kept telling me every single file on my PC was infected, and no matter what I tried to run or clicked on I had to run it. In the end I pulled the plug.

    It had gone away on the startup, but I still CCleaner'd the mofo afterwards.

    I got that too a while ago; it didn't even clear on start-up, had to re-install Windows. Luckily it was my lappy, so I don't have any files on there.

    Unfortunately, my PC bolloxed up a few weeks later in a separate incident, and that's when I lost all my files. :-P
  • edited February 2011
    zx1 wrote: »
    This morning I booted up my PC and was checking my emails when a pop-up appeared (which looked like a Windows 7 program) that scanned my PC and said 'Your computer is infected!'. It said I had something like 30 trojan horses on my hard drive and 200 suspicious programs. If I had 30 trojans wouldn't my PC run mega slow/crash? Anyway, when I exited the program a box appeared that said 'Do you wish to run, save, or cancel this program?'. I hadn't selected anything. I thought it strange so I ran a virus scan that picked up 1 harmless trojan, and a spyware scan picked up nothing.
    Is this some kind of scam?

    You're fecked, FORMAT !!!!
    So far, so meh :)
  • edited February 2011
    Don't worry, just delete the file named "System32" in the Windows folder and you won't have any problems on the internet again.
    THE RETRO GAMER IRC CHATROOM. EVERY SUNDAY AT 9PM BST. LOG ON USING THE LINK BELOW:
    https://discordapp.com/invite/cZt59EQ
  • edited February 2011
    Spector wrote: »
    Don't worry, just delete the file named "System32" in the Windows folder and you won't have any problems on the internet again.

    There isn't a file called System32 in the Windows folder :p
    So far, so meh :)
  • fog
    edited February 2011
    zx, just download / install / update Spybot.

    Reboot ya PC in safe mode and scan; it'll prolly pick up a load of malware / fake-warning type software. Get yaself some decent security if you haven't already.

    The worst PC I ever cleared out had 35 trojans on it and 60+ viruses, and it still booted. It was a business computer. The problem with that was, it was being used as a zombie to mass-mail the company's clients links to pr0n sites.

    http://www.filehippo.com/download_spybot_search_destroy/


    http://www.filehippo.com/software/antimalware/antispyware/
  • edited February 2011
    fog wrote: »
    zx, just download / install / update Spybot.

    Reboot ya PC in safe mode and scan; it'll prolly pick up a load of malware / fake-warning type software. Get yaself some decent security if you haven't already.

    The worst PC I ever cleared out had 35 trojans on it and 60+ viruses, and it still booted. It was a business computer. The problem with that was, it was being used as a zombie to mass-mail the company's clients links to pr0n sites.

    http://www.filehippo.com/download_spybot_search_destroy/


    http://www.filehippo.com/software/antimalware/antispyware/
    **** spybot

    I had a bad trojan and Spybot / AVG wouldn't find it when I pointed 'em to it; Avast / Malwarebytes did, cleared it eventually.
    Professional Mel-the-Bell Simulator................"So realistic, I found myself reaching for the Kleenex King-Size!" - Richard Darling
  • edited February 2011
    fog wrote: »
    zx, just download / install / update Spybot.

    Reboot ya PC in safe mode and scan; it'll prolly pick up a load of malware / fake-warning type software. Get yaself some decent security if you haven't already.

    The worst PC I ever cleared out had 35 trojans on it and 60+ viruses, and it still booted. It was a business computer. The problem with that was, it was being used as a zombie to mass-mail the company's clients links to pr0n sites.

    http://www.filehippo.com/download_spybot_search_destroy/


    http://www.filehippo.com/software/antimalware/antispyware/

    And... when that doesn't work, FORMAT....
    So far, so meh :)
  • zx1
    edited February 2011
    Does this mean that a spyware program is already lurking in my system?
    I don't really fancy formatting my hard disk (again!).
    Excuse me, I'm too drunk to answer my own question. I'm off to vomit.........
    The trouble with tribbles is.......
  • edited February 2011
    No, scareware can be fired up by just visiting a site, with nothing wrong with your machine. My missus got something similar the other night while she was browsing women's porn (a kitchen supplier). Nothing on the machine at all, just triggered by the web page.

    Of course if you follow the link then all sorts of nasties can ensue but the machine was clean. (she had the good sense to give me a shout, you could see the false links embedded in the web page and this was a very respectable supplier)

    I would still scan the machine with 3 different anti-virus packages (none are anything like foolproof) to make sure, but if you haven't followed the link then your machine probably isn't infected from just the warning. Recent research does say that your machine is probably infected with something, but that is a different matter.
  • fog
    edited February 2011
    **** spybot

    I had a bad trojan and Spybot / AVG wouldn't find it when I pointed 'em to it; Avast / Malwarebytes did, cleared it eventually.

    And you're saying you scanned in safe mode with sys restore off? Spybot finds more in safe mode.

    That's the only SURE way to make sure that the cack is off the machine. I used to use AVG, but with a newer version I found it to be very bloated.

    Besides, you're chatting about AVG; what about vcleaner? If you're saying you didn't use that, then you didn't use AVG fully...

    Not everything can be shifted with solely a virus killer; that's why there is vcleaner / Stinger and many more things around.

    In an ideal world people would have 2 drives, 1 data, 1 system, or at least 2 partitions. That way the system drive is easy to bring back, and the data drive, well, you could bring back on another clean system.
  • edited February 2011
    fog wrote: »
    And you're saying you scanned in safe mode with sys restore off? Spybot finds more in safe mode.

    That's the only SURE way to make sure that the cack is off the machine.

    No its not. Not at all. That is plain wrong.

    Firstly, there is no sure way. All public AV products (anti-virus, anti-spyware etc.) rely on signatures which are always out of date. Even if you downloaded the latest update 10 seconds ago it is already out of date. Heuristics (and also sandbox emulation) are not 100% reliable either, so the bottom line is quite simple. There is no such thing as a 100% reliable AV product. Snake oil is a term frequently used.

    The best way is to create an AV boot disk (most products will let you do this, AVG's rescue disc for example) and boot the machine from that. Even in safe mode a nasty can already be active. If you allow windows to become active in any way there is already a good chance you have lost the battle.

    The only sure way is a full disc format. Not what you want to do.
  • edited February 2011
    A lot of malicious scareware can be avoided by installing the NoScript add-on for Firefox. It blocks JavaScript on particular sites, thus stopping malicious scripts from doing nasty things to your computer. Been using it for years.

    Another goodie is CCleaner for getting rid of cookies, registry problems, cleaning up temporary files and uninstalling programs. It's free from filehippo.com.

    Finally WOT (Web of Trust) is a good thing to install if your anti virus does not rate the safeness of sites in google search. WOT displays RED for danger, Orange for SUSPECT and GREEN for okay. WOT is a plugin for Firefox web browser.
  • zx1
    edited February 2011
    The weird thing was that it did look like a legitimate Windows program: all the fonts were the same and there was a menu at the left-hand side for 'Documents', 'Pictures', 'Music' etc. etc. But I did think it was something dodgy.
    The trouble with tribbles is.......
  • edited February 2011
    Super anti spyware is another good program to have.
  • fog
    edited February 2011
    ADJB wrote: »
    No its not. Not at all. That is plain wrong.

    Is it? Why? Because stopping the registry from starting in safe mode is basically stopping it from re-spawning and allowing it NOT to be untouchable (i.e. hiding in that or sys restore).

    Apart from anything like that wanting to infect as many files as possible, its other task is to re-spawn; otherwise why would so many AV companies also have separate EXEs and not just solely the AV scanner?

    If you're telling me that certain things can be removed without using safe mode (or a boot disc as you say) then I'll disagree with you.

    For people to say "oh I used an AV scanner and it didn't find something", fair enough... IF they have tried all the extra EXE tools that come with it.
    zx1 wrote: »
    The weird thing was that it did look like a legitimate Windows program: all the fonts were the same and there was a menu at the left-hand side for 'Documents', 'Pictures', 'Music' etc. etc. But I did think it was something dodgy.

    they all try to do that though, to make you think something is up and it's official or to mask that it's doing something.
  • edited February 2011
    Safe Mode does not run the autoexec.bat or config.sys files.
    Most device drivers are not loaded. A device driver is the software that Windows uses to interact with a piece of hardware, such as a printer or scanner.
    Instead of the normal graphics device driver, Safe Mode uses standard VGA graphics mode. This mode is supported by all Windows-compatible video cards.
    Himem.sys, which is normally loaded as part of the config.sys script, is loaded with the /testmem switch. This switch tells the computer to test the extended memory before continuing.
    Safe Mode checks the msdos.sys file for information on where to find the rest of the Windows files. If it finds the files, it proceeds to load Windows in Safe Mode with the command win /d:m. If it does not find the Windows files, it will run command.com to bring up a C: prompt.
    Windows boots using a batch file called system.cb instead of the standard system.ini file. This file loads the Virtual Device Drivers (VxDs) that Windows uses to communicate with the standard parts of the computer.
    Windows now loads the regular system.ini file plus win.ini and Registry settings. It skips the [Boot] (except for the shell and device lines) and [386Enh] sections of system.ini and does not load or run any programs listed in win.ini.
    The Windows desktop loads up in 16 colors and at a resolution of 640 x 480 with the words "Safe Mode" in each corner.
    So any virus that has taken over any of the above running programs already has control of the machine.

    NOTE - The registry runs - although that is totally irrelevant to a number of Trojans and root-kits, they are loaded far before the registry even kicks in.
  • edited February 2011
    ADJB wrote: »
    So any virus that has taken over any of the above running programs already has control of the machine.

    NOTE - The registry runs - although that is totally irrelevant to a number of Trojans and root-kits, they are loaded far before the registry even kicks in.

    I'm not sure where you got that definition of Safe Mode from but it's horribly out of date, it's referring to the 9x line of Windows and almost all of it is utterly irrelevant to NT based versions of Windows regardless of whether they're in safe mode or not.

    That said, the Registry loads in both Safe Mode and a normal boot, it's just that in Safe Mode device drivers and services not marked as suitable for Safe Mode don't load (it's trivial to mark a service as starting in Safe Mode so it's zero protection against viruses).

    Any half decent anti-virus tool can work as effectively from an ordinary boot as it can from Safe Mode, if it can't clean up the machine under normal circumstances then a format and reinstall is really the only option.

    Of course good practice is to run your virus scanner continuously with up to date definitions, so that infected files are removed long before they get to damage your OS.
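    The point AndyC makes above, that Safe Mode only starts the services and drivers listed as safe-boot capable and that any service can be added to that list, can be checked directly. The following PowerShell is an added example, not code from anyone in this thread; it assumes an NT-based Windows with the standard SafeBoot registry keys and the Win32_Service CIM class, and the function names are my own. It enumerates the Minimal and Network safe-boot lists, cross-references the service entries against installed services, and flags any whose binary lives outside the Windows directory so an administrator can review them.

```powershell
# Added example (not from the thread): audit what Windows will start in Safe Mode.
# Safe Mode only starts services/drivers listed under the SafeBoot keys (assumed
# standard paths). Third-party entries there are not necessarily malicious, but
# each one is a service that would survive a Safe Mode boot and is worth a look.
function Get-SafeBootEntry {
    param([ValidateSet('Minimal', 'Network')][string]$Profile = 'Minimal')
    $base = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Profile"
    Get-ChildItem -Path $base | ForEach-Object {
        [pscustomobject]@{
            Profile = $Profile
            Name    = $_.PSChildName
            # The default value is 'Service', 'Driver' or 'Driver Group'
            Kind    = (Get-ItemProperty -Path $_.PSPath).'(default)'
        }
    }
}

# Match SafeBoot service entries to installed services and flag binaries
# outside %SystemRoot%. Driver groups and device-class GUID keys have no
# Win32_Service object and are skipped.
function Find-UnusualSafeBootService {
    $services   = Get-CimInstance -ClassName Win32_Service
    $systemRoot = $env:SystemRoot
    foreach ($profile in 'Minimal', 'Network') {
        foreach ($entry in Get-SafeBootEntry -Profile $profile) {
            $svc = $services | Where-Object { $_.Name -eq $entry.Name }
            if (-not $svc) { continue }
            $outside = $svc.PathName -and ($svc.PathName -notlike "*$systemRoot*")
            [pscustomobject]@{
                Profile           = $profile
                Service           = $svc.Name
                StartMode         = $svc.StartMode
                PathName          = $svc.PathName
                OutsideSystemRoot = [bool]$outside
            }
        }
    }
}

# Show only the entries that point outside the Windows directory.
Find-UnusualSafeBootService | Where-Object OutsideSystemRoot | Format-Table -AutoSize
```

    Run it from an elevated prompt (the SafeBoot keys are readable by standard users, but Win32_Service returns fuller data as an administrator). An empty result simply means every safe-boot service binary sits under the Windows directory; a non-empty one is a list to verify against what you know is installed, not a verdict.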
  • edited February 2011
    AndyC wrote: »
    I'm not sure where you got that definition of Safe Mode from but it's horribly out of date,

    Technet

    AndyC wrote: »
    That said, the Registry loads in both Safe Mode and a normal boot, it's just that in Safe Mode device drivers and services not marked as suitable for Safe Mode don't load (it's trivial to mark a service as starting in Safe Mode so it's zero protection against viruses).

    My point is that the registry is irrelevant to a virus which can easily be written to run without it and can be active long before the registry loads.

    AndyC wrote: »
    Any half decent anti-virus tool can work as effectively from an ordinary boot as it can from Safe Mode, if it can't clean up the machine under normal circumstances then a format and reinstall is really the only option.

    Safe or normal mode, as you say, shouldn't make any difference, but I don't agree that all is lost; otherwise why would all the major AV companies provide a boot disk which can work without launching Windows at all? The fact that Windows starts to boot at all is frequently enough to embed some nasties, and the only option is then to negate the issue by booting into either a PE or, frequently, a mini Linux environment from non-writeable media. See Norton, AVG, Kaspersky and others for examples.

    AndyC wrote: »
    Of course good practice is to run your virus scanner continuously with up to date definitions, so that infected files are removed long before they get to damage your OS.

    I agree this is best practice but maintain that signature based AV products are fundamentally flawed as they are purely reactive. I would also say that a very rarely followed piece of good practice on a Windows box would be to run as a User and not, as almost everybody does, as an Administrator. At least this means that undetected nasties have to do some privilege escalation to embed themselves which is another barrier you can add at no cost.
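    ADJB's last suggestion, running day to day as a standard user rather than an administrator, is easy to check on your own machine. The PowerShell below is an added example, not code from anyone in this thread; it assumes Windows PowerShell 5.1 or later on Windows (for Get-LocalGroupMember) and the function names are my own. It reports whether the current session is elevated, whether the account could elevate at all, and who holds local Administrators membership, which is what you need to know before demoting your daily account.

```powershell
# Added example (not from the thread): find out whether this session and this
# account hold administrative rights, and who else is a local administrator.
function Test-SessionIsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    [pscustomobject]@{
        User         = $identity.Name
        # True only when the token is actually elevated (UAC consent given or UAC off)
        IsElevated   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # S-1-5-32-544 is BUILTIN\Administrators. It is assumed here that a
        # UAC-filtered token still carries the group SID (as deny-only), so this
        # tells you whether the account could elevate even when IsElevated is false.
        InAdminGroup = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })
    }
}

function Get-LocalAdministratorAudit {
    # Requires the Microsoft.PowerShell.LocalAccounts module (assumed present).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

Test-SessionIsAdministrator
Get-LocalAdministratorAudit | Format-Table -AutoSize
```

    If your everyday account shows InAdminGroup as True, the fix ADJB describes is to create a separate administrator account, remove the everyday account from the Administrators group, and supply the admin credentials only when a UAC prompt asks for them.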