Friday, November 17, 2006

When anti-spyware is actually spyware

My laptop got infected with spyware today, the exact same case as my sister's in the post I did here. Fortunately, it did not require me to reinstall Windows! Basically, what was happening was that I had two programs installed in the system tray. The first was a red circle with an exclamation mark which constantly gave me a message saying "Warning: you have spyware on your computer" and telling me to click the balloon to download all necessary software. However, this program is clever, because the average user would click and start downloading other anti-spyware and anti-virus programs like WinAntivirus Pro. The second item in my system tray was a "Critical system error" message prompting me to download their anti-spyware software to clean it. Actually, these programs are spyware, cleverly disguised as anti-spyware. Don't download their anti-spyware! (These are examples of what is called rogue spyware: it seems legit but it isn't, so it may fool you.) If you actually look at the message, there is a misspelling of balloon, it's spelled "baloon", so I could tell that I had spyware installed. But my average anti-virus program (Symantec Antivirus in my case), Windows Defender and Lavasoft Ad-aware could not remove it. Ad-aware did detect malware and removed some of it, but not all.

As I started getting fed up and concerned about this, I did a Google search for "Critical system errors system tray windows", and up came a whole bunch of articles on how to remove it. Some were very complex, saying you have to install this and that, and I was like, what? Others had you post something called a HijackThis log, and I wasn't in a position to do something like that. I finally found out how to get rid of both of my spyware programs, and these are the steps I took.

1. I came to this article, a blog post from PC's Ancestor, which was the top search result in Google. Thanks to this, I was able to download SmitfraudFix.zip and follow the instructions to remove infected items from the registry in Safe Mode. That got rid of the "Critical system error" message in the system tray.

2. Then I rebooted back into Windows XP, and Windows Defender came on and detected a program called Toolbar888, classified as a Browser Modifier; this is what modified the browser so that popups are displayed. Windows Defender removed that.

3. To make sure I had no other infections, I rebooted back into Safe Mode and ran Ad-aware. I found out that I still had some type of spyware called Virtumonde, a program that causes popups. Ad-aware couldn't kill or quarantine it, so it said I needed to go and download a Virtumonde removal tool.

4. I'm currently downloading the Virtumonde removal tool from Symantec.

Now, I don't have the "Critical system error" message or the "Security warning" messages in the system tray anymore.

I also just realized that there were two URLs installed in my Start menu, about online and security troubleshooting, but I've removed them (that's the easy part).
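After a cleanup like the one above, it is worth confirming that nothing was left behind in the places this kind of rogue "anti-spyware" relaunches from: the Run/RunOnce registry keys and the Startup and Start Menu folders (where the stray URL shortcuts mentioned above turned up). The script below is an added example, not part of the original post or of any of the tools it names. It only reads and reports; it does not delete anything. It assumes Windows PowerShell 3.0 or later on a machine you administer, and that Internet shortcuts are stored as .url files.

```powershell
# Added example (not from the original post): read-only inventory of the
# usual autostart locations, so leftover rogue-antispyware entries stand out.
# Assumes Windows PowerShell 3.0+ on a machine you administer.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties that Get-ItemProperty adds about the key itself, not real values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

Write-Host '== Registry autostart entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -notin $metaProps) {
            # Value name and the command it launches; unfamiliar paths in
            # temp or profile folders deserve a closer look.
            '{0}\{1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}

# Startup folders and Start Menu, for both the current user and all users.
# CommonStartup/CommonStartMenu need .NET 4+, hence the PowerShell 3.0+ assumption.
$folders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
) | Where-Object { $_ -and (Test-Path $_) }

Write-Host '== Shortcuts and URL files under Startup / Start Menu =='
# Newest first, so anything added on the day of the infection sits at the top.
Get-ChildItem -Path $folders -Recurse -Include *.url, *.lnk -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize
```

Run it once before and once after the removal steps and compare the two listings; an entry that appeared on the day of the infection and survives the cleanup is the one to investigate next.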

I've never seen software this sophisticated before. It just shows that you have to be careful when you're downloading and on the internet, and that you should install a firewall, anti-spyware (a valid one!) and anti-virus programs. Hope these instructions will help others who have the same problem.


2 comments:

Anonymous said...

Reading through all of the comments I see praises for many free antivirus software downloads but so far I haven’t seen anyone talk about Blink Personal from Eeye. Has anyone out there ever used their antivirus applications or network security programs? I’ve never had any of the problems I used to have before I introduced their software into my network. I would recommend that you guys go take a look at their free downloads. I’d be willing to guarantee that you guys would be happy with their intrusion prevention options as well as how thorough the scans are.

Anonymous said...

While researching free Virtumonde removal tools I came across 3 of them: Symantec, VundoFix (as mentioned above), but also Lavasoft Ad-aware at some point released its Virtumonde Remover 1.0. I think it was available for download at download.com, but on Lavasoft's website they say the tool has been made part of the Ad-aware program and is no longer distributed as separate software.