Thursday, March 11, 2010

Effing typical

So, it's three am, I'm just about to get into bed when I decide to just check to see if there's any new podcast episodes available.

I'm pressing the stumble button as I'm waiting for the download to page takes longer than it should to download and then...Bam! Freaking browser hijack.

Now I've got a fake 'windows defender' box popping up every thirty seconds telling me to buy and download something to clear a billion viruses.

So, in other words, someone has infected my PC so they can charge me for a 'cure' that'll make things worse.

Kinda like me throwing shit at your car's windshield, then charging you to let me clean it off with diareah.

Oh, did I mention it effed up my registry and won't let me start up any of my anti-malware stuff.

So, yeah. I get to spend the next hour or so trying to fix this crap.

Now I feel bad for bitching about the iPod Touch. That's what I'm writing this on while my fecking PC scans away in safe mode.

...too bad I was watching the Nostalgia Critic, you need flash to watch his videos.


Evan 08 said...

I've been running across this a lot lately. Try booting in to safe mode, and see if it's under c:\docs and settings\username\temp

Evan 08 said...

BTW, were you using IE or Firefox?

Paulius said...

I got it fixed in about an hour. It would have been MUCH worse if I didn't know to close the pop-up through task manager instead of clicking the 'close' button in the window.

Basically, it installed 'av.exe' to my windows directory and altered my registry so windows firewall and windows defender pointed to it. It also put an entry in my prefetch file, so it loaded as soon as the PC started. I even got the bogus windows defender window when I started in safe mode.

So, I took the entry out of the prefetch folder and used 'hijack this' to stop it auto-starting... used 'malware bytes' to fix the registry and got rid of the file itself with 'file asssassin'.

It appears to be fixed.

Oh, and I'm using the latest version of Firefox.

Evan 08 said...

You're actually lucky... many instances of av.exe (and their cousins) would automatically kill task manager, msconfig, regedit and command prompt any time I'd try to run them.

Malware Bytes is a great product. Unfortunately, it's kind of slow for my customers who are in a hurry.

My quickest, dirtiest answer is to use Hijack This, but the executable has to be in a different folder, with a different name, otherwise it won't run. And, of course, it has to be used under the infected profile.

I had considered mentioning Hijack This to you, but figured that either you already knew about it, or that it may do more harm than good.