We already knew this one; one of us has had to deal with it personally!
Purported Spyware Removal Tool Takes Users For A Ride
"SPYWARE INFECTION! Your system is infected with spyware. Windows recommends that you use a spyware removal tool to prevent loss of data. Using this PC before having it cleaned of spyware threats is highly discouraged."
If you wake up to see this panic message taking center stage on your computer screen, you could be infected with a rogue spyware removal tool named SpySheriff. Instead of keeping your system guarded against spyware, the program itself behaves as spyware and adware, triggering pop-up ads and tampering with system components, seriously compromising the security of your computer in the process.
SpySheriff is distributed using Trojans, Trojan Droppers and Trojan-Downloaders that show fake warning messages about spyware and riskware infections. These Trojans find their way onto victims' computers by exploiting browser vulnerabilities, through spam mail, or by being bundled with other computer utilities.
Ronak Desai, a Security Analyst at MicroWorld Technologies, says the SpySheriff program also prevents infected users from performing a System Restore, by blocking the system calendar and restore points. This robs users of the option to revert their computers to an earlier state.
Ronak suggests that infected users with no protection can work around this issue by undoing their last restore operation and then performing a system restore, which seems to work in some cases.
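One defender-side check that follows from the System Restore blocking described above, as an added example that is not part of the original article or of MicroWorld's software: a Windows PowerShell audit that reports whether System Restore has been switched off through the standard SystemRestore policy registry values and whether any restore points remain. It assumes Windows PowerShell 5.1 run as Administrator; the values DisableSR and DisableConfig are the ordinary Group Policy ones, and whether SpySheriff uses that mechanism is not stated in the article.

```powershell
# Added example (not from the original article): report signs that System Restore
# has been disabled, as rogue tools like the one described above do.
# Assumes Windows PowerShell 5.1 run as Administrator (Get-ComputerRestorePoint
# is not available in PowerShell 7).
function Test-SystemRestoreTampering {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
    $findings  = @()

    # Group Policy values that switch System Restore off entirely (DisableSR)
    # or lock its configuration (DisableConfig). Value 1 means "disabled".
    if (Test-Path $policyKey) {
        $props = Get-ItemProperty -Path $policyKey
        foreach ($name in 'DisableSR', 'DisableConfig') {
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $findings += "$name = 1 under $policyKey"
            }
        }
    }

    # Enumerate existing restore points; an empty list, or an error, on a
    # machine that normally has them is a warning sign.
    $points = @()
    try {
        $points = @(Get-ComputerRestorePoint -ErrorAction Stop)
    } catch {
        $findings += "Could not enumerate restore points: $($_.Exception.Message)"
    }
    if ($points.Count -eq 0) {
        $findings += 'No restore points present'
    }

    [pscustomobject]@{
        Tampered      = ($findings.Count -gt 0)
        Findings      = $findings
        RestorePoints = $points | Select-Object SequenceNumber, Description,
                            @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } }
    }
}

$result = Test-SystemRestoreTampering
if ($result.Tampered) {
    Write-Output 'Possible System Restore tampering:'
    $result.Findings | ForEach-Object { Write-Output "  - $_" }
} else {
    Write-Output "System Restore policy intact; $($result.RestorePoints.Count) restore point(s):"
    $result.RestorePoints | Format-Table -AutoSize
}
```

A "Tampered" result on a machine where nobody intentionally disabled System Restore is a cue to inspect further before attempting the undo-and-restore workaround mentioned above.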
SpyAxe, SpywareStrike, SpywareNO, Spyware Cleaner and Winantivirus are a few other dubious applications of the same breed exposed by MicroWorld Technologies in the past. Most of them follow more or less similar spreading routines to infect large numbers of victims quickly.
MicroWorld solutions eScan and MailScan safeguard user computers with the fastest updating database of protections against Viruses, Worms, Trojans, Trojan Downloaders, Adware, Spyware and suspected Riskware. eScan and MailScan work on a unique technology called MWL (MicroWorld Winsock Layer) in conjunction with a sophisticated Behavior and Intention analysis of potential security threats.
"I have even seen some people with reasonable computer acquaintance falling prey to the sly marketing techniques of these dubious programs and downloading them willfully," reveals Sunil Kripalani, Vice President, Global Sales and Marketing, MicroWorld Technologies. "While it's vital to protect your computer against the growing danger of Adware and Spyware, it's doubly important to guard yourself against wolves in sheep's clothing. Because with these programs, you are neither aware that you are infected, nor do you have any idea what more malicious stuff they will bring to your computer tomorrow."
Source: Backbones Sec.News. Addendum:
Log file excerpt:
Problem:
Icon in the system tray after visiting a particular site. Keeps reporting that the computer is infected. Ran Norton and had it remove the spyware. Adware removed with Spybot.
Searched by date; the customer had already uninstalled the program themselves; a number of suspicious files. Searched at Symantec for spywarequake, spyguard, and bingo. The customer had also run a scan, but it could not delete them.
A scan run in safe mode detects nothing; afterwards, in normal mode, the various files and keys are "visible" again.
Solution:
Advice via Symantec (KB link = http://www.symantec.com/security_response/). Site: safe mode and then redo the scan; if that does not help, then remove the keys manually via regedit, see also the Symantec site. Also found a worm among the suspicious files, w32 yanzi, cleaned up as well.
Let Prevx1 loose on it, problem solved. Prevx found the culprits and jailed them in System Volume Information, see:
http://www.hijackthis.nl/forum/
Successor log:
Problem: 1 PC dead! Hangs after the logon screen. Customer runs Norton Disk Doctor.
2 Modem no longer works.
Solution:
1 Advised to restart in safe mode and uninstall ruthlessly, because in our own tests of Prevx1 we had roughly the same problem up to 3 times. It hung after the logon screen; left it for 40 minutes once. The uninstall led to immediately normal functioning again. After the 2nd install, the problem, and an uninstall in safe mode, had no further problems. Prevx1 was therefore probably the cause.
Still to figure out how to remove jailed viruses from System Volume Information.
After the uninstall the PC works like a charm again.
2 Repair performed. Modem works again.
End of log excerpt.
Comment:
We already ran into these about 2 months ago. Same problem. Time needed to resolve and clean everything, including our own tests: 4:34 hours!!!
theHelpdesk.nl, onDemandSupport.nl, theHelpdesk.eu and onDemandSupport.eu are trademarks of I.S.P. International B.V. and/or Robert A. van Donkelaar. Nieuws.theHelpdesk.nl (the NieuwsDesk) is a sub-domain of theHelpdesk.nl. All other products mentioned are registered trademarks or trademarks of their respective companies; World Community Grid, the name and the logo, are trademarks of International Business Machines Corporation in the U.S., other countries, or both, and are used under license.