It appears that yet another software program is out there pretending to be an anti-virus product when it is in fact a virus. I was working at a client’s office when they handed me one of their personal laptops. They told me they were pretty sure the machine was infected, since they kept getting pop-ups telling them the PC was infected. I looked at the laptop and noticed there were in fact multiple alerts on the machine stating that the hard drive was crashing, that the hard drive was running low on space and that the machine had multiple viruses. The program claims it can scan and determine how to fix the problems, but if you want the program to actually fix the issues you must purchase the “PRO” version and pay money for it. Well, don’t do it. It’s a scam, and who knows what these people will do with your credit card information, so don’t pay them to remove their own virus.
Here’s what I did. First off, I installed Malwarebytes onto the laptop and tried to update it, but the virus was preventing me from downloading updates. I went ahead and scanned anyway and was able to delete the virus from the system; Malwarebytes also restored the registry entries that the virus had modified. I then rebooted into Safe Mode and ran another scan just to be safe, but it appeared that the virus had in fact been cleaned off. I checked to see if System Restore had been enabled; if so, I was going to delete the previous restore points, since usually a virus will infect those and end up back on your machine. System Restore was disabled on the laptop, so it wasn’t an issue. I rebooted the machine, updated Malwarebytes and ran my third scan, which again came up clean.
I decided to check a few things on the machine before handing it back to the client and noticed that if I went to the C: drive, its contents appeared empty. I knew the hard drive couldn’t be empty, since the laptop actually booted all the way to the desktop. I determined that the virus had in fact marked all the files as hidden. There are a few ways to un-hide them; I started at the command prompt but ended up finishing the job in the Windows interface. First, in Windows you need to set your folder options to allow you to view hidden files. An easy way to get there is to open the C: drive, then under Organize select “Folder and search options”. From there go to the View tab and select “Show hidden files, folders and drives”. This will now show you all your files. Select them, go to Properties and deselect “Hidden”. This will take a while to un-hide all your files.
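As an added example (not from the original post), here is the same un-hide step as a PowerShell script, which is a lot quicker than clearing the attribute through Properties on thousands of files. It assumes the malware only set the Hidden attribute, so anything that also carries the System attribute (desktop.ini, NTUSER.DAT, the AppData junctions) was hidden by Windows and is left alone, and it does not follow junctions so it can’t loop. The starting path C:\Users and the -DryRun switch are my assumptions, not something from the post.

```powershell
# Added example, not code from the original post. Clears the Hidden attribute
# that the rogue "anti-virus" set on a user's files. Items carrying the System
# attribute are assumed to be legitimately hidden by Windows and are skipped.
# Run from an elevated PowerShell prompt. $Root is an assumed starting path.
param(
    [string]$Root = 'C:\Users',
    [switch]$DryRun    # report what would change without touching anything
)

$script:unhidden = 0
$script:skipped  = 0

function Clear-MalwareHidden {
    param([string]$Path)
    # -Force is required so Get-ChildItem enumerates hidden items at all.
    foreach ($item in Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue) {
        $attrs = $item.Attributes

        # Hidden+System items (desktop.ini, NTUSER.DAT, "Application Data"
        # junctions) were hidden by Windows, not by the malware: leave them.
        if (($attrs -band [IO.FileAttributes]::System) -ne 0) {
            $script:skipped++
            continue
        }

        if (($attrs -band [IO.FileAttributes]::Hidden) -ne 0) {
            if ($DryRun) {
                Write-Host "Would un-hide: $($item.FullName)"
            } else {
                # Setting Attributes writes the new flags back to the file system.
                $item.Attributes = $attrs -bxor [IO.FileAttributes]::Hidden
            }
            $script:unhidden++
        }

        # Recurse into real directories only; junctions and symlinks are
        # reparse points and are skipped so the walk cannot loop.
        if ($item.PSIsContainer -and (($attrs -band [IO.FileAttributes]::ReparsePoint) -eq 0)) {
            Clear-MalwareHidden -Path $item.FullName
        }
    }
}

Clear-MalwareHidden -Path $Root
Write-Host "Un-hidden: $script:unhidden  Skipped (System-attributed): $script:skipped"
```

Run it once with -DryRun and read the list before running it for real; if the output shows files under C:\Windows or Program Files you did not expect, the malware hid more than the user profile and the starting path needs widening.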
The next issue I found was that all of the shortcuts were deleted. Not just from the desktop: if I went into Start, Program Files and checked any folder, all of the shortcuts were missing. At this point I was starting to think a restore of the system might be necessary, since it is difficult to know how each shortcut was set up. After working with it a bit I learned that you can restore shortcuts to previous versions. The fastest way to restore all shortcuts is to go to Start, then right-click on All Programs, then select “Open All Users”. From there, right-click on Programs and in the drop-down menu you should see “Restore previous versions”; if your machine is keeping track of changes to shortcuts, you can restore the previous versions. This machine had multiple different versions and I selected a date before the virus had attacked. Now all the shortcuts were restored and the client could access their programs and files.
I had seen viruses like this before in previous versions of Windows and in fact blogged about it here. It seems the site I suggested for Microsoft’s free online scan is no longer available, but Microsoft now has a free anti-virus product known as Security Essentials that replaced the online scan they previously offered.
I noticed that Malwarebytes is now offering a free trial of the full version of their product. The free version will still scan and remove viruses, but the full version offers real-time protection.
Oh, by the way, the laptop had a registered version of McAfee and for some reason it still let the virus infect the laptop. I don’t know if the way the virus infects PCs bypasses the anti-virus or what, but when I got the Windows Vista version of the virus on one of my machines it was protected by Norton 360 at the time and the virus still got on the machine.
What anti-virus products do you use and how effective are they?