I’ve not been blogging for a while as I’ve broken my collarbone following a “BSOD” biking incident.
Like many others, I expect, I act as the unofficial (and often un-volunteered) technical support. I got the call on Sunday from the in-law:
“My computer’s telling me the virus software needs updating and it won’t let me do anything”
After ascertaining it wasn’t McAfee playing up, I thought, no problem, I’ll jump onto the machine using the excellent TeamViewer remote support tool I’ve got installed. Only I can’t. In fact, after a bit of shouting down the phone (he’s a bit deaf), I gather it’s not installed at all.
Now the in law is 500 miles away so a site visit would be extremely time consuming!
I connected to another laptop in their home, then RDP’d to his machine, which worked.
Turned out it was a fake anti-virus program called “Total Security”. It’s the “best” implementation I’ve seen – graphics look good, spelling correct. If it hadn’t stopped me doing anything, my first thought would have been that it was genuine.
It didn’t allow me to get to a command prompt, run procmon or any of my usual tools. Curiously, removal guides on the net didn’t help; this appeared to be a new variant.
I was scratching my head at how to get at it, then had an idea – it did let Internet Explorer run. I copied cmd.exe, renamed it iexplore.exe and tentatively double clicked – it worked! I thanked my lucky stars they didn’t use a hash to determine which applications were allowed to run.
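The weakness that let me in is worth spelling out from the defender’s side: an allowlist keyed on the file name says nothing about which program is actually on disk. The following is an added example (my own illustration, not code from the post or from any product) that contrasts a name-only policy with a hash-based one and reports files where the two disagree. The executable images and paths are constructed stand-ins; the hashes are computed from those stand-ins, not from real binaries.

```python
import hashlib
from pathlib import PureWindowsPath

def sha256_hex(data: bytes) -> str:
    """Hash of the image bytes actually on disk."""
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for executable images (real ones are far larger).
GENUINE_IEXPLORE = b"MZ\x90\x00 constructed browser image"
GENUINE_CMD      = b"MZ\x90\x00 constructed shell image"

# Policy 1: allow by file name only. This is what the fake AV effectively did,
# so any file called iexplore.exe passes, whatever it really is.
ALLOWED_NAMES = {"iexplore.exe"}

# Policy 2: allow by hash of the known-good image (constructed here).
# A renamed copy of cmd.exe has a different hash and is refused.
ALLOWED_HASHES = {sha256_hex(GENUINE_IEXPLORE)}

def allowed_by_name(path: str) -> bool:
    # Case-insensitive, like the Windows file system.
    return PureWindowsPath(path).name.lower() in ALLOWED_NAMES

def allowed_by_hash(image: bytes) -> bool:
    return sha256_hex(image) in ALLOWED_HASHES

def audit(files: dict) -> list:
    """Given {path: image bytes}, return the paths a name-only policy would
    launch but a hash policy would refuse: files that borrow an allowed name."""
    return [path for path, image in files.items()
            if allowed_by_name(path) and not allowed_by_hash(image)]

if __name__ == "__main__":
    # Constructed snapshot: the genuine browser, a renamed shell, and the real shell.
    snapshot = {
        r"C:\Program Files\Internet Explorer\iexplore.exe": GENUINE_IEXPLORE,
        r"C:\Users\Bob\Desktop\iexplore.exe": GENUINE_CMD,
        r"C:\Windows\System32\cmd.exe": GENUINE_CMD,
    }
    for suspicious in audit(snapshot):
        print("name/hash mismatch:", suspicious)
```

Only the copy on the desktop is reported: it carries an allowed name but not the allowed image. The same mismatch check is what a real application-control product does when it keys its rules on hashes or publisher signatures rather than on what a file happens to be called.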
From there, I knew the bad guys’ days were numbered. I downloaded Process Explorer from the Sysinternals guys and found an odd-looking numbered process hanging off explorer.exe. I killed this and normal service was resumed.
Updated Malwarebytes, ran a scan which duly found the nasty, rebooted, all clean!
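What stood out in Process Explorer was a process with a purely numeric name sitting under explorer.exe. That eyeball check can be written down as a small triage rule over a process snapshot. This is an added example of my own, not code from the post or from Sysinternals; the process list below is constructed (the numeric name and paths are invented stand-ins, not the real malware’s), and the two heuristics are assumptions about what looks odd, not a signature for this particular fake AV.

```python
import re
from collections import defaultdict

# Constructed process snapshot: (pid, ppid, name, image path). Not real data.
SNAPSHOT = [
    (4,    0,    "System",       ""),
    (612,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    (1320, 612,  "winlogon.exe", r"C:\Windows\System32\winlogon.exe"),
    (2040, 1320, "explorer.exe", r"C:\Windows\explorer.exe"),
    (2480, 2040, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (2712, 2040, "1843759.exe",  r"C:\Users\Bob\AppData\Local\Temp\1843759.exe"),
    (2900, 2040, "procexp.exe",  r"C:\Users\Bob\Downloads\procexp.exe"),
]

# Heuristic 1: a name made only of digits (with or without .exe).
NUMERIC_NAME = re.compile(r"^\d+(\.exe)?$", re.IGNORECASE)
# Heuristic 2: image lives in a directory an ordinary user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

def build_tree(snapshot):
    """Index the snapshot by pid and collect children per parent."""
    by_pid, children = {}, defaultdict(list)
    for pid, ppid, name, path in snapshot:
        by_pid[pid] = (ppid, name, path)
        children[ppid].append(pid)
    return by_pid, children

def triage(snapshot):
    """Return a finding per process that trips at least one heuristic."""
    by_pid, _ = build_tree(snapshot)
    findings = []
    for pid, (ppid, name, path) in by_pid.items():
        parent_name = by_pid.get(ppid, (None, "?", ""))[1]
        reasons = []
        if NUMERIC_NAME.match(name):
            reasons.append("numeric-only process name")
        if parent_name.lower() == "explorer.exe" and USER_WRITABLE.search(path):
            reasons.append("child of explorer.exe running from a user-writable directory")
        if reasons:
            findings.append({"pid": pid, "name": name,
                             "parent": parent_name, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SNAPSHOT):
        print(f"pid {f['pid']} {f['name']} (parent {f['parent']}): " + "; ".join(f["reasons"]))
```

On this snapshot the numeric process in Temp trips both rules, while procexp.exe, which I had just downloaded and run, trips only the user-writable one. That second hit is the expected false positive of the path heuristic: tools launched from Downloads look the same as malware launched from Downloads, which is why a hash or publisher check on the image is the natural next step before killing anything.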
The in-law was left with another warning about net hygiene. I can’t complain too much; he’s come far – at one point he was determined to enter his bank details into a phishing scam despite not having an account at that bank!