There's a bug (one of many) out there that prompts users with a popup, warning them that their computer is infected with all sorts of bad stuff and they can only fix it by going to ProtectionReads.com (don't go there) and paying for their anti-malware solution. Not sure if this is necessarily hostage-ware (infects/locks up your system, only to be unlocked if you pay the bad guys to remove it) or just a typical virus scheme, but whether you click to agree or cancel, it directs you to ProtectionReads.com (don't go there) anyway. It is of the utmost importance that you DO NOT go to that site, under any circumstances, unless you want your computer to be screwed. Further, it hasn't been reviewed or blacklisted by Site Advisor yet, so it'd be easy to get caught with your guard down.
This false warning popped up on a friend's wife's mom's computer (whew), which we found out was already infected with a bevy of other malware and trojans. The owner was completely unaware of it, and blamed her son-in-law for messing up the computer when he was merely uncovering the situation. He promptly called me and asked what to do about it. Among other things, I suggested he download and run SpyBot, MalwareBytes.org's Anti-Malware, Avast! antivirus, and finally RegScrubXP.
Funny thing, though, Internet Explorer (the most virus-prone browser in the universe) wouldn't "allow" him to go to those sites or download any of their programs. The sites were blocked (presumably by the malware already infecting the system) as being flagged for suspicious activity that could harm the computer. Clever self-preservation technique, herr malware. The only way to get these programs was to install Firefox — the downloading of which apparently wasn't on the block list within the infecting bytes — and download the needed tools through FF.
Once FF was installed, Spybot was downloaded, installed, and run, coming up with hundreds of problems, and its real-time monitoring TeaTimer.exe app kept catching malware trying to change registry and system startup entries. The items it flagged were all fixed, but problems remained, particularly a nasty "s.exe" file in the Windows task manager that was using 50% of the CPU time, consistently. The process could be manually terminated, but always reappeared after rebooting.
MalwareBytes.org's Anti-Malware was next up, and while it found hundreds more things wrong with the system, it still hadn't resolved the s.exe problem. Doing a manual file search on the system revealed an "s.exe" in the Windows\Prefetch folder, but deleting that didn't fix it, since the exe started up again on the next boot. This was evidently a dummy file, put there to throw novices off the scent.
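When a process like s.exe keeps coming back after a reboot, the practical question is where it is being launched from. The PowerShell script below is an added example (not from the original post or any of the tools mentioned) that lists the common autorun locations and any running process or Prefetch entry matching a given executable name; it assumes a Windows host with PowerShell 5 or later, and the scheduled-task check needs Windows 8 or newer.

```powershell
# Added example: find where a given executable (default: the post's "s.exe")
# is running from and which autorun locations reference it. Read-only.
param([string]$Name = 's.exe')
$base = [IO.Path]::GetFileNameWithoutExtension($Name)
$pattern = [regex]::Escape($Name)

Write-Host "== Running processes named $Name =="
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -eq $base } |
    Select-Object Id, ProcessName, Path, CPU | Format-Table -AutoSize

Write-Host "== Run/RunOnce registry entries referencing $Name =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip the provider metadata properties (PSPath, PSDrive, ...)
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $pattern) {
            [PSCustomObject]@{ Key = $key; Entry = $p.Name; Command = $p.Value }
        }
    }
}

Write-Host "== Startup folder contents (per-user and all-users) =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

Write-Host "== Prefetch entries for $Name (real entries end in .pf) =="
# A bare .exe sitting in Prefetch, as in the post, is itself suspicious:
# Windows only writes NAME.EXE-<hash>.pf trace files there.
Get-ChildItem -Path "$env:WINDIR\Prefetch" -Filter "*$base*" -ErrorAction SilentlyContinue |
    Select-Object Name, Length, LastWriteTime

Write-Host "== Scheduled tasks whose action references $Name =="
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $pattern } } |
    Select-Object TaskName, TaskPath
```

Run it from an elevated prompt so the HKLM keys and the Prefetch folder are readable; any hit that is not an installed program you recognise is the persistence entry the on-demand scanners missed.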
Finally, Avast! was installed, and virtually right away freaked out with virus warnings. A scan was started, and it found malicious processes running in memory that couldn't be removed except by a boot-time scan, and so it was ordered, set to move all malicious items to the "chest," Avast!'s version of quarantine.
While I was coaching my friend on the phone through all of this, I went to ProtectionReads.com on a whim to see what exactly it was, and right away Avast! alerts flooded my screen and blocked the site from displaying, citing at least three immediate infections one's system would acquire by simply opening the page. I suggested my friend change the passwords to any websites he logged into on that laptop when he next got to a clean machine.
Finally, after the boot-time scan, the system seemed to be back to normal. The last step was to run RegScrubXP to get any remaining potentially bad registry entries out of the system, and to make sure the fat (null entries) was trimmed along with it.
It is still amazing to me that people can accumulate this much malware and have no clue it's even happening. Having reliable, thorough, real-time monitoring security software and learning what to click/not click is growing more important every day. If you opt not to get the programs mentioned in this article (all of which are free), I advise you to get something equivalent, keep it up to date, and use it regularly.