Windows Vista Tips

Fake anti-virus infection

 
 
Questor
Guest
Posts: n/a

 
      11-22-2009



My granddaughter, running her laptop on Vista Home Premium SP2, with all
the updates, managed to get infested with a fake A/V scanner. The
"scanner" runs for a bit, then tells you that it has found somewhere
between 5 and 15 "infestations" and tells you that you have to pay to
get rid of them. Every 5 seconds a pop-up appears telling her that
'whatever'.exe is infected and cannot run. All sorts of executables
will fail to run - including AVG. I cannot start Task Manager either -
I'm told I don't have enough privileges and 'not enough permissions' (sic).

I tried all the normal methods to get this pesky thing, but none will
work. I ended up pulling the HD and hooking it up to my desktop and
scanning it with AVG there. Didn't find a thing. Malwarebytes is
scanning now, but it is not finding anything (yet).

I can start the computer in safe mode, but AVG will only run its
command-line interface. Didn't find anything that way either.

I figure it has to be coming out of the registry and kicking off a
couple of hidden executables. Where would be the best place for these
to come from; HKLM\Software\Microsoft\Windows\Current_Version... or
somewhere else?

Questor
 
 
Richard Urban
Guest
Posts: n/a

 
      11-22-2009
I would do these three things.

1. Run the Microsoft Malicious Removal tool as it is already on your
system if you are current in your Windows updates. It is located at
C:\Windows\System32\mrt.exe

2. Download, install, update and run MalwareBytes Anti Malware (FREE)
from
http://www.malwarebytes.org/

3. Download, install, update and run Super Anti Spyware (FREE) from:
http://superantispyware.com/superant...freevspro.html
Make sure to download the free version unless you want to pay for the added
functionality of the paid version. Their removal capabilities are identical.

--

Richard Urban
Microsoft MVP
Windows Desktop Experience & Security




 
 
Questor
Guest
Posts: n/a

 
      11-22-2009


Thanks for the response Richard:

I couldn't do #1 as it would be blocked from running and I'd get a
pop-up telling me that "mrt.exe is infected and cannot be run".

I've already done #2 and #3. Malwarebytes found the culprit:

Trojan.FakeAlert in the users\--granddaughter--\appdata\local\dsqdgk folder

Another file, in the ..\local\temp area held another strange executable.
Every time it ran, the name would change by one number. I caught it
at 2241.exe. Eventually I suppose that the executables would multiply
and fill the HD (160Gb).

The only way I could do any useful work was to dismount the HD from her
laptop and connect it to my desktop and run scans on it. Luckily I had
a SATA to USB dongle to use.

Once I snapped the HD back in the laptop it sprung to life just fine.
All is back to normal with the admonishment to my granddaughter to stay
away from links presented on Facebook. She thinks that is where she got it.

Questor
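
Added example, not part of the thread: a Python script for the offline approach described above, where the laptop's disk is attached to a clean machine and a user profile is reviewed from there. It lists executables sitting directly inside an AppData\Local subfolder or carrying an all-digit name in Temp, the two placements reported in the last post. The extension set, the function names and the two heuristics are assumptions made for illustration; hits are candidates for manual review and a scanner lookup by hash, not verdicts.

```python
import hashlib
import os
import re
import sys
from pathlib import Path

EXEC_EXT = {".exe", ".scr", ".com"}      # assumed set of extensions to review
NUMERIC_STEM = re.compile(r"^\d+$")      # all-digit names such as 2241.exe


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage_profile(profile: Path) -> list[dict]:
    """Return executables worth a manual look under <profile>/AppData/Local."""
    local = profile / "AppData" / "Local"
    findings = []
    if not local.is_dir():
        return findings
    for root, _dirs, files in os.walk(local):
        parts = Path(root).relative_to(local).parts
        in_temp = bool(parts) and parts[0].lower() == "temp"
        for name in files:
            path = Path(root) / name
            if path.suffix.lower() not in EXEC_EXT:
                continue
            if in_temp and NUMERIC_STEM.match(path.stem):
                reason = "numeric-named executable in Temp"
            elif len(parts) == 1 and not in_temp:
                reason = "executable directly inside an AppData\\Local subfolder"
            else:
                continue  # deeper vendor trees and ordinary Temp files are skipped
            findings.append({"path": str(path.relative_to(profile)),
                             "reason": reason,
                             "sha256": sha256_of(path)})
    return sorted(findings, key=lambda f: f["path"])


if __name__ == "__main__" and len(sys.argv) > 1:
    # Argument: the profile folder on the mounted disk (path is the caller's).
    for hit in triage_profile(Path(sys.argv[1])):
        print(f"{hit['reason']}: {hit['path']}  sha256={hit['sha256']}")
```
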
 