|
Hyrule19026 Posts
For the past 2 hours I've been fixing the receptionist's computer. The problem? Scamware. Clever, annoying scamware. The kind I hate most.
Plenty of people run into spyware. Ads popping up at random, tracking cookies (they count) for certain sites, and things like that. Scamware takes it to the next level: it tries to extort you at the same time.
This one was pretty sophisticated. It posed as an AntiVirus software. It intercepted all DNS requests to anywhere but its site (antivirmore.com). It reported fake "infected files" (real files, just not really infected). It also blocked all programs except browsers. That meant I couldn't go into notepad and block/redirect the site in hosts.
So I tried to boot into safe mode, but no....it's a corporate computer, so obviously nobody trusts anyone: there was a password lock on BIOS and the boot menu. While in theory this is a good idea, it's pretty bad practice when nobody (including the CEO) knows the damn password.
After about 2 minutes of trying to guess it, I said "screw you software, I have direct access to the hardware." And so I grabbed a screwdriver and opened up the computer. For the next 10 minutes I looked for the CMOS reset jumper. It was hidden under a bunch of cables and under the lip of the case..arg. I reset CMOS, rebooted, got into safe mode, system restored to last week, and installed a real antivirus.
Back to the scamware: it blocked everything and said you had to activate the product to remove the infection. This would cost $189.00, and I'm quite sure all that would accomplish would be to disable the blocks temporarily (odds are it was a yearly subscription) and not activate any kind of real AV.
All in all, screw scamware. And everyone stop downloading things.
|
I've had to deal with that kind of problem too, about 2 months ago. Same deal with a fake AV program... Usually I handle it in safe mode and get rid of it from there.
That time, it wouldn't let me start any programs at all, and the first thing I tried was to close it in task manager but it wouldn't come up...... So I spammed task manager and somehow one DID pop up. I tried to shut down the infected process and it didn't work - so I spammed again and it actually CRASHED the scamware =D
So I just installed some spyware removal software and it did the trick. Took about 15 minutes and I didn't even have to reboot. It was kind of funny to me seeing how I've had to handle *VERY* annoying viruses in the past.
|
I just have only the OS on a really small hard drive....whenever I catch something I just unplug my data drive and reformat. Very convenient.
Although I haven't got anything for almost a year...and I don't run ANY antivirus.
I guess I just know how to avoid sketch stuff...I wouldn't say I'm a "low risk user" with all the torrenting and cracking I do...
|
that's cool, never knew you could reset stuff like that. and i bet it felt great when you finally fixed the problem. i've gone through a ton of different computer software and hardware problems that when i finally found a solution and got something to work, i felt damn accomplished. one of those 'fuck yeah' moments.
also, im going to continue downloading things.
|
On July 08 2010 01:08 tofucake wrote:
For the past 2 hours I've been fixing the receptionist's computer. The problem? Scamware. Clever, annoying scamware. The kind I hate most.
Plenty of people run into spyware. Ads popping up at random, tracking cookies (they count) for certain sites, and things like that. Scamware takes it to the next level: it tries to extort you at the same time.
This one was pretty sophisticated. It posed as an AntiVirus software. It intercepted all DNS requests to anywhere but its site (antivirmore.com). It reported fake "infected files" (real files, just not really infected). It also blocked all programs except browsers. That meant I couldn't go into notepad and block/redirect the site in hosts.
So I tried to boot into safe mode, but no....it's a corporate computer, so obviously nobody trusts anyone: there was a password lock on BIOS and the boot menu. While in theory this is a good idea, it's pretty bad practice when nobody (including the CEO) knows the damn password.
After about 2 minutes of trying to guess it, I said "screw you software, I have direct access to the hardware." And so I grabbed a screwdriver and opened up the computer. For the next 10 minutes I looked for the CMOS reset jumper. It was hidden under a bunch of cables and under the lip of the case..arg. I reset CMOS, rebooted, got into safe mode, system restored to last week, and installed a real antivirus.
Back to the scamware: it blocked everything and said you had to activate the product to remove the infection. This would cost $189.00, and I'm quite sure all that would accomplish would be to disable the blocks temporarily (odds are it was a yearly subscription) and not activate any kind of real AV.
All in all, screw scamware. And everyone stop downloading things.
This is hardly clever...by the time it pretends to be anti-virus, you're already too late. Your receptionist was just browsing sites that they shouldn't have been.
R1CH's thread says hello by the way 
|
i had vista defender it was so bad that i ran to foxfire for noscript
|
It's been about 4-5 years since I got an issue with viruses on my own computers. I do run an antivirus. At this point it's not worth not having one unless your computer is really old IMO.
|
dude, as an IT person, i totally feel you,
esp when its an important computer that has various important files for research and whatnot (i work for a uni IT dept.), it just makes me wonder how these ppl got these in the first place T.T
The worst one i ever had to deal with, it locked me out of safe mode (i got hanged), so i had to boot through linux in order to copy data to another harddrive, scan it, and then reformat the original hdd. Basically took all day and wasn't fun.
|
Hyrule19026 Posts
It's not a very well known thing, the CMOS reset jumper. The only reason it exists is to flush the BIOS settings completely, and it's not something I like doing.
Also, I feel great when I fix my computers on my own time, but when I fix a company computer during company time, all I can think is "great, now I'm 2 hours behind on my other work...."
|
i encountered something like this before when i was in my OJT. after fixing the problem identical to yours. i made an email( instructionals how to avoid this kind of stuffs and some technical tips) then forward it to all employee in the company(ask permission to your boss before sending it).
It work.after that I had so much free time on work LOL.
|
Hyrule19026 Posts
On July 08 2010 01:17 Judicator wrote:Show nested quote +On July 08 2010 01:08 tofucake wrote:
For the past 2 hours I've been fixing the receptionist's computer. The problem? Scamware. Clever, annoying scamware. The kind I hate most.
Plenty of people run into spyware. Ads popping up at random, tracking cookies (they count) for certain sites, and things like that. Scamware takes it to the next level: it tries to extort you at the same time.
This one was pretty sophisticated. It posed as an AntiVirus software. It intercepted all DNS requests to anywhere but its site (antivirmore.com). It reported fake "infected files" (real files, just not really infected). It also blocked all programs except browsers. That meant I couldn't go into notepad and block/redirect the site in hosts.
So I tried to boot into safe mode, but no....it's a corporate computer, so obviously nobody trusts anyone: there was a password lock on BIOS and the boot menu. While in theory this is a good idea, it's pretty bad practice when nobody (including the CEO) knows the damn password.
After about 2 minutes of trying to guess it, I said "screw you software, I have direct access to the hardware." And so I grabbed a screwdriver and opened up the computer. For the next 10 minutes I looked for the CMOS reset jumper. It was hidden under a bunch of cables and under the lip of the case..arg. I reset CMOS, rebooted, got into safe mode, system restored to last week, and installed a real antivirus.
Back to the scamware: it blocked everything and said you had to activate the product to remove the infection. This would cost $189.00, and I'm quite sure all that would accomplish would be to disable the blocks temporarily (odds are it was a yearly subscription) and not activate any kind of real AV.
All in all, screw scamware. And everyone stop downloading things. This is hardly clever...by the time it pretends to be anti-virus, you're already too late. Your receptionist was just browsing sites that they shouldn't have been. R1CH's thread says hello by the way
I didn't mean clever in the way it presents itself, but rather how it blocks every avenue of attack. Other similar scamwares I've dealt with have had some way to remove it from the computer without a reboot, but this one was very good at not letting me do that. Unfortunately for it, it can't stop me from using a screwdriver.
|
Hyrule19026 Posts
On July 08 2010 01:20 barbsq wrote:
dude, as an IT person, i totally feel you,
esp when its an important computer that has various important files for research and whatnot (i work for a uni IT dept.), it just makes me wonder how these ppl got these in the first place T.T
The worst one i ever had to deal with, it locked me out of safe mode (i got hanged), so i had to boot through linux in order to copy data to another harddrive, scan it, and then reformat the original hdd. Basically took all day and wasn't fun.
Not only that, but that and IIRC every other computer all have a drive mapped from the same source. I'm lucky it (apparently) didn't spread beyond just the one computer.
|
|
|
For like 20 years I've been using computers and the internet and I rarely use AV software. I feel so left out  never had a virus or spyware.
|
I had a vista defender one that worked in safemode, and still made popups even when i was reinstalling fricking windows, blocked all registry editing, browsers, corrups all AV's etc.
that was the most annoying one, i literally had to format and install windows for it, never had one as bad at that before
|
The annoying part is where people do have enough user rights to get it on their computer but you never have enough rights to get rid of it
|
On July 08 2010 01:23 tofucake wrote:Show nested quote +On July 08 2010 01:20 barbsq wrote:
dude, as an IT person, i totally feel you,
esp when its an important computer that has various important files for research and whatnot (i work for a uni IT dept.), it just makes me wonder how these ppl got these in the first place T.T
The worst one i ever had to deal with, it locked me out of safe mode (i got hanged), so i had to boot through linux in order to copy data to another harddrive, scan it, and then reformat the original hdd. Basically took all day and wasn't fun. Not only that, but that and IIRC every other computer all have a drive mapped from the same source. I'm lucky it (apparently) didn't spread beyond just the one computer.
Yes, standard operating procedure states that all virus-related cases require us to scan the network drives that the person had access to so that it doesnt contaminate the network. Networks are so hard to maintain :/
|
Hyrule19026 Posts
On July 08 2010 01:45 StRyKeR wrote:
it's tofucake!
Indeed.
On July 08 2010 03:09 Baksteen wrote:The annoying part is where people do have enough user rights to get it on their computer but you never have enough rights to get rid of it
I'm sort of lucky there, since the account was a limited one.
On July 08 2010 03:11 barbsq wrote:Show nested quote +On July 08 2010 01:23 tofucake wrote:On July 08 2010 01:20 barbsq wrote:
dude, as an IT person, i totally feel you,
esp when its an important computer that has various important files for research and whatnot (i work for a uni IT dept.), it just makes me wonder how these ppl got these in the first place T.T
The worst one i ever had to deal with, it locked me out of safe mode (i got hanged), so i had to boot through linux in order to copy data to another harddrive, scan it, and then reformat the original hdd. Basically took all day and wasn't fun. Not only that, but that and IIRC every other computer all have a drive mapped from the same source. I'm lucky it (apparently) didn't spread beyond just the one computer. Yes, standard operating procedure states that all virus-related cases require us to scan the network drives that the person had access to so that it doesnt contaminate the network. Networks are so hard to maintain :/ That would murder me and waste about 3 days. Too many computers, not enough AV. Unfortunately, it also probably means that I'll have to deal with this crap again soon.
|
get antivirus .. oh no wait.. that cost money .. learn to dodge .. its free :DDDDDD
|
On July 08 2010 03:11 barbsq wrote:Show nested quote +On July 08 2010 01:23 tofucake wrote:On July 08 2010 01:20 barbsq wrote:
dude, as an IT person, i totally feel you,
esp when its an important computer that has various important files for research and whatnot (i work for a uni IT dept.), it just makes me wonder how these ppl got these in the first place T.T
The worst one i ever had to deal with, it locked me out of safe mode (i got hanged), so i had to boot through linux in order to copy data to another harddrive, scan it, and then reformat the original hdd. Basically took all day and wasn't fun. Not only that, but that and IIRC every other computer all have a drive mapped from the same source. I'm lucky it (apparently) didn't spread beyond just the one computer. Yes, standard operating procedure states that all virus-related cases require us to scan the network drives that the person had access to so that it doesnt contaminate the network. Networks are so hard to maintain :/ That would murder me and waste about 3 days. Too many computers, not enough AV. Unfortunately, it also probably means that I'll have to deal with this crap again soon.
[/QUOTE]
I don't envy you
Where i work i'm the only one who knows the basic stuff about IT so we have it out sourced. I am so glad we did that everytime i read a post like this.
Good luck though and hope it won't happen again.
|
On July 08 2010 03:19 tofucake wrote:Indeed. Show nested quote +On July 08 2010 03:09 Baksteen wrote:The annoying part is where people do have enough user rights to get it on their computer but you never have enough rights to get rid of it I'm sort of lucky there, since the account was a limited one. Show nested quote +On July 08 2010 03:11 barbsq wrote:On July 08 2010 01:23 tofucake wrote:On July 08 2010 01:20 barbsq wrote:
dude, as an IT person, i totally feel you,
esp when its an important computer that has various important files for research and whatnot (i work for a uni IT dept.), it just makes me wonder how these ppl got these in the first place T.T
The worst one i ever had to deal with, it locked me out of safe mode (i got hanged), so i had to boot through linux in order to copy data to another harddrive, scan it, and then reformat the original hdd. Basically took all day and wasn't fun. Not only that, but that and IIRC every other computer all have a drive mapped from the same source. I'm lucky it (apparently) didn't spread beyond just the one computer. Yes, standard operating procedure states that all virus-related cases require us to scan the network drives that the person had access to so that it doesnt contaminate the network. Networks are so hard to maintain :/ That would murder me and waste about 3 days. Too many computers, not enough AV. Unfortunately, it also probably means that I'll have to deal with this crap again soon.
Well, fortunately for us, we run a pretty tight ship. Ppl only have access to a very limited amount of space on the network, with really only staff computers having access to the larger network hdds. For lab computers, it typically only increases the workload by ~ 1-2 hrs or so. Still sux tho
|
|
|
|
|
|
EPT
