Because computers don't fix themselves

Redirect virus

I’ve been struggling with a pretty nasty bit of spyware which has hit a few client computers recently. Tonight, I think I figured out the bugger.

It’s a typical fake “your computer has problems” spyware: it puts dozens of “corrupt hard drive” messages on the screen and is generally very annoying. If left long enough, it will also disable most anti-virus programs, turn your desktop black, and hide not only all the icons on your desktop and your start menu but also all the files on your computer.

However, all of those symptoms are typical. This one goes one step further. It actually creates an extra 1 megabyte partition on your hard drive, flags it as bootable, and places malicious code in that partition. That code makes sure the virus stays alive on your computer, because it re-initiates the infection every time you reboot.

I’ve been able to remove all the above symptoms with either ComboFix or Malwarebytes, and then using Unhide, getting computers back up and running. But, the code in the partition causes a browser redirect which is so far unstoppable with any of my usual tools. Only ESET Online Scanner even recognized it as a rootkit, but still couldn’t fix it. The rest couldn’t even see it.

So, long story short, I was able to use UBCD 5 to boot to Parted Magic. From there, I could delete the rogue partition and flag the main OS partition as bootable again. Reboot, and voilà! We win. I still have to use Malwarebytes and Unhide, but that’s still better than a reformat, which is what I wound up doing before I figured this trick out.
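As an added example (not code from the original post), here is the check a technician could run on a disk image before reaching for Parted Magic: parse the MBR partition table and flag a tiny partition that carries the boot flag, which is the pattern described above. It assumes the “bootable” flag in question is the MBR active flag, and it uses a constructed partition table rather than a real disk.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # MBR partition table starts at this byte offset
ENTRY_SIZE = 16             # four 16-byte primary partition entries
BOOT_FLAG = 0x80            # status byte value meaning "active"/bootable


def parse_mbr(mbr):
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", mbr, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype != 0:  # partition type 0 marks an unused slot
            entries.append({"index": i, "active": status == BOOT_FLAG,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def suspicious_boot_entries(entries, max_suspect_mib=4):
    """Flag tiny bootable partitions and tables with more than one active entry."""
    findings = []
    active = [e for e in entries if e["active"]]
    if len(active) > 1:
        findings.append("more than one partition carries the boot flag")
    for e in active:
        size_mib = e["sectors"] * SECTOR / 2**20
        if size_mib <= max_suspect_mib:
            findings.append(f"partition {e['index']} is bootable but only {size_mib:.1f} MiB")
    return findings


# --- constructed sample data (not taken from a real disk) ---
def _entry(active, ptype, lba_start, sectors):
    return struct.pack("<B3xB3xII", BOOT_FLAG if active else 0, ptype, lba_start, sectors)


def _mbr(*entries):
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\x00")
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"


OS_SECTORS = 100 * 2**30 // SECTOR                            # a 100 GiB NTFS (type 0x07) volume
INFECTED = _mbr(_entry(False, 0x07, 2048, OS_SECTORS),        # boot flag stripped from the OS partition
                _entry(True, 0x07, 2048 + OS_SECTORS, 2048))  # 1 MiB rogue partition, flagged bootable
CLEAN = _mbr(_entry(True, 0x07, 2048, OS_SECTORS))            # only the OS partition is active


def check(mbr):
    return suspicious_boot_entries(parse_mbr(mbr))


if __name__ == "__main__":
    print("infected:", check(INFECTED))   # -> ['partition 1 is bootable but only 1.0 MiB']
    print("clean:", check(CLEAN))         # -> []
```

On a real machine you would feed it the first 512 bytes of the disk (for example, read from /dev/sda under a live environment such as Parted Magic) and confirm the finding against the partition list before deleting anything.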

So, if you’ve had spyware on your computer, thought you removed it, but still have a persistent browser redirect, this trick might work for you.

New Facebook Scam

I actually had to applaud the hacker who thought up this new little scam. It’s rare that someone gets me, but this guy did.

As people who know me know, I’m not a huge Facebook user. I probably should use it much more than I do. But, when I’m notified of something happening on my wall, just like most people, I will spare a moment to go see what’s happening.

But, I got this e-mail in my inbox today. It looks EXACTLY like an official e-mail from Facebook saying that someone posted something crappy on my wall. And, without even thinking about it, I clicked on it. Sure enough, as soon as I saw the web browser trying to resolve a site name in Germany, rather than Facebook.com, I realized my mistake. And, luckily, I was able to click out before it loaded and potentially put any spyware on my computer. But, I was lucky. By all rights, he got me.

Before you click on a link in an e-mail, hover over it. Usually, the tooltip will show the actual hyperlink. If the hyperlink doesn’t match what the link says, don’t risk it. Delete the e-mail.

Even better, I should have read the fake notification from Facebook, closed the e-mail, and gone to Facebook in a browser to see for myself the nasty comment on my wall, rather than clicking on the link at all. If I were following my own advice, anyway.

I hope this post helps other people avoid this very sneaky scam.