Colin’s IT, Security and Working Life blog

September 4, 2009

Back in the loop – as friends and family tech support (total virus security removal)

Filed under: Uncategorized — chaplic @ 8:44 am

I’ve not been blogging for a while as I’ve broken my collarbone following a “BSOD” biking incident.

I, like many others I expect, act as the unofficial (and often un-volunteered) technical support. I got the call on Sunday from the in-law:

“My computer’s telling me the virus software needs updating and it won’t let me do anything”

After ascertaining it wasn’t McAfee playing up, I thought, no problem, I’ll jump onto the machine using the excellent TeamViewer remote support tool I’ve got installed. Only I can’t. In fact, after a bit of shouting down the phone (bit deaf), I gather it’s not installed at all.

Now the in-law is 500 miles away, so a site visit would be extremely time consuming!

I connected to another laptop in their home, then RDP’d to his machine, which worked.

Turned out it was a fake anti-virus program called “Total Security”. It’s the “best” implementation I’ve seen – graphics look good, spelling correct. If it hadn’t stopped me doing anything, my first thought would have been that it was genuine.

It didn’t allow me to get to a command prompt, run procmon or any of my usual tools. Curiously, removal guides on the net didn’t help. This appeared to be a new variant.

I was scratching my head at how to get at it, then had an idea – it did let Internet Explorer run. I copied cmd.exe, renamed it iexplore.exe and tentatively double clicked – it worked! I thanked my lucky stars they didn’t use a hash to determine what application to allow to run.
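The point about hashes is the general lesson here, so as an added example (my own illustration, not code from this post or from the malware it describes) the script below contrasts the two ways a process-control policy can decide whether to allow a program: by its filename, or by a hash of its contents. It builds a throwaway directory with two constructed "executables", copies the shell image over to a second file carrying the browser's name, and shows that a name-based allowlist accepts the renamed copy while a hash-based one does not. The file names, byte contents and directory layout are all constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile

# Constructed stand-ins for two different program images (not real binaries).
BROWSER_BYTES = b"MZ" + b"pretend-browser-image" * 8
SHELL_BYTES = b"MZ" + b"pretend-command-shell" * 8


def sha256_of_file(path: str) -> str:
    """Hash a file's contents in chunks so large images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def allowed_by_name(path: str, allowed_names: set[str]) -> bool:
    """Name-based policy: only the file's basename is consulted."""
    return os.path.basename(path).lower() in allowed_names


def allowed_by_hash(path: str, allowed_hashes: set[str]) -> bool:
    """Hash-based policy: the file's contents are consulted, the name is ignored."""
    return sha256_of_file(path) in allowed_hashes


def demo() -> dict[str, bool]:
    """Build the scenario in a temp dir and return each policy's decisions."""
    root = tempfile.mkdtemp()
    try:
        sys_dir = os.path.join(root, "system")
        user_dir = os.path.join(root, "user")
        os.makedirs(sys_dir)
        os.makedirs(user_dir)

        genuine_browser = os.path.join(sys_dir, "iexplore.exe")
        shell = os.path.join(sys_dir, "cmd.exe")
        with open(genuine_browser, "wb") as f:
            f.write(BROWSER_BYTES)
        with open(shell, "wb") as f:
            f.write(SHELL_BYTES)

        # The shell image copied under the browser's filename (constructed scenario).
        renamed_shell = os.path.join(user_dir, "iexplore.exe")
        shutil.copyfile(shell, renamed_shell)

        # Both policies are meant to allow only the genuine browser.
        name_allowlist = {"iexplore.exe"}
        hash_allowlist = {sha256_of_file(genuine_browser)}

        return {
            "name_allows_genuine": allowed_by_name(genuine_browser, name_allowlist),
            "name_allows_renamed": allowed_by_name(renamed_shell, name_allowlist),
            "hash_allows_genuine": allowed_by_hash(genuine_browser, hash_allowlist),
            "hash_allows_renamed": allowed_by_hash(renamed_shell, hash_allowlist),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'ALLOW' if allowed else 'DENY'}")
```

The same weakness cuts both ways: a legitimate application-control policy that keys on filenames is just as easy to satisfy with a renamed binary, which is why tools such as Windows AppLocker offer file-hash and publisher (signature) rules rather than path rules alone. Hash rules do need updating whenever the allowed program is patched, so signature-based rules are usually the more maintainable choice.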

From there, I knew the bad guys’ days were numbered. I downloaded Process Explorer from the Sysinternals guys and found an odd-looking numbered process hanging off explorer.exe. I killed this and normal service was resumed.

Updated Malwarebytes, ran a scan which duly found the nasty, rebooted, all clean!

The in-law was left with another warning about net hygiene. I cannot complain too much, he’s come far – at one point he was determined to enter his bank details into a phishing scam despite not having an account at that bank!
