Sunday, April 09, 2006

New Fake Windows Security Site

There is a new fake website from the makers of the SpyAxe, SpyFalcon, and SpywareQuake spyware. If your homepage has been changed to this site, or alerts on your computer are directing you to it, then you have been infected by spyware. The warning about the W32.Sinnaka.A@mm virus is false. Usually, this infection comes from installing a codec to view a short video. About 5 to 15 minutes after installing the codec, you will begin getting alerts near the clock on your taskbar. The following is one example of the fake alert from earlier this year.

This is not a real message from Windows or Microsoft. You will also get pop-up windows from time to time alerting you that you are infected with spyware. They will have different looks, but all of them will lead you to a site where you will have to buy something to fix your computer. In a recent post, I have several screenshots of ones that appeared when I had a test computer infected with SpyFalcon.

The solutions offered on the page, Malware Wipe and Pest Trap, are just advertisements to get you to buy something. Neither program will fix anything unless you pay $49. Since these are rogue antispyware programs, there's no guarantee that they will fix anything even then. Last, since these programs come from people with shady backgrounds, your credit card number may be sold to other criminals. Don't buy them!

If you need to fix your computer, you can try my SpyFalcon and SpywareQuake removal instructions. There are some new files that you will need to manually fix that aren't in that post yet, so add these to the removal process:

With HijackThis, check and fix:

O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpAD57.tmp

Note that the file is randomly named. It will have hp***.tmp in it, but the part in the middle with the stars will be random.

Delete the following files:

  • C:\WINDOWS\system32\stickrep.dll
  • C:\WINDOWS\system32\mssearchnet.exe
  • C:\WINDOWS\system32\ncompat.tlb
  • C:\WINDOWS\system32\nvctrl.exe

If there is additional info, I will update.
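
The HijackThis entry and file list above can be checked against a saved HijackThis log with a short script. This is an added example, not part of the original post: the sample log is constructed, and treating the random part of hp***.tmp as 1 to 8 letters or digits is an assumption based on the one name shown.

```python
import re

# Files named in the removal steps above (compared case-insensitively).
KNOWN_FILES = {
    r"c:\windows\system32\stickrep.dll",
    r"c:\windows\system32\mssearchnet.exe",
    r"c:\windows\system32\ncompat.tlb",
    r"c:\windows\system32\nvctrl.exe",
}

# O2 line layout: "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# Assumption: the random middle part is 1-8 letters or digits, as in hpAD57.tmp.
RANDOM_TMP_RE = re.compile(r"\\system32\\hp[0-9a-z]{1,8}\.tmp$", re.IGNORECASE)

# Constructed sample log; only the hpAD57.tmp line is taken from the post.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvctrl.exe
O2 - BHO: Example Toolbar - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\toolbar.dll
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\system32\hpAD57.tmp
O4 - HKLM\..\Run: [mssearchnet] C:\WINDOWS\system32\mssearchnet.exe
"""

def scan_hijackthis_log(text):
    """Return (line_no, reason, line) for each log line matching the post's indicators."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = O2_RE.match(line)
        # The BHO file name changes per infection, so match the pattern, not the name.
        if m and RANDOM_TMP_RE.search(m.group("path")):
            findings.append((no, "BHO loaded from hp*.tmp", line))
            continue
        low = line.lower()
        for known in sorted(KNOWN_FILES):
            if known in low:
                name = known.rsplit("\\", 1)[1]
                findings.append((no, "listed file: " + name, line))
    return findings

if __name__ == "__main__":
    for no, reason, line in scan_hijackthis_log(SAMPLE_LOG):
        print(f"line {no}: {reason}: {line}")
```
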