"New" Fake Anti-Virus "windows activity inspector"

7 replies to this topic

#1
seth1066
    Newbie
  • Member
  • 12 posts
  • OS:Windows 7 x64
Anyone hit with this one? This incarnation calls itself "Windows Activity Inspector." Looks very slick and comes complete with Microsoft logo.

Client had me out to fix it, but I'm more hardware than software. A Google of "windows activity inspector" turned up zero hits from any recognizable website, but plenty of ones I never heard of offering a free scanning tool. The tool allegedly finds the threats, but doesn't remove them without a payment. Very slick operation: build the fake anti-virus and have already googled to the top a bunch of sites that are likely authored by the same people.

I guess I'm going to have to wait a few days to get a solution, since this thing is only 48 hours old. The client wanted to just pay until I told him his credit card will be charged in a former eastern bloc country for a much larger amount and then sold.

If anyone has a solution, please post!


#2
Sp0iLedBrAt
    MSFN Addict
  • MSFN Sponsor
  • 1,727 posts
  • OS:XP Pro x86
http://www.bleepingc...ivity-inspector
http://trojan-killer...inspector-scam/
http://www.remove-vi...vity-inspector/

Google search seems to be throwing out plenty of hits. It goes without saying I can't verify if they are true, since I haven't had/seen the infection, but most of these sites are dated 16 May 2011.

#3
seth1066
    Newbie
  • Member
  • 12 posts
  • OS:Windows 7 x64

> http://www.bleepingcomputer.com/virus-removal/remove-windows-activity-inspector
> http://trojan-killer...inspector-scam/
> http://www.remove-vi...vity-inspector/
>
> Google search seems to be throwing out plenty of hits. It goes without saying I can't verify if they are true, since I haven't had/seen the infection, but most of these sites are dated 16 May 2011.

My client got it on 16 May 2011, which leads me to the conclusion that, for now, Google reflects websites created by the authors of the malware. I tried the second one that you listed; it's pay-to-fix.
It's only day 3, so none of the major anti-virus software players have anything on this yet.

Edited by seth1066, 18 May 2011 - 01:24 AM.


#4
allen2
    Not really Newbie
  • Member
  • 1,812 posts
Did you try booting in safe mode?
Most of those fake anti-virus exes are usually stored in the user profile, so booting into safe mode shouldn't allow them to run, and there you should be able to create a new account. Then you'll need to try it in normal mode. If everything is OK, all you have to do is back up only the needed files from the old profile.

#5
seth1066
    Newbie
  • Member
  • 12 posts
  • OS:Windows 7 x64

> Did you try booting in safe mode?
> Most of those fake anti-virus exes are usually stored in the user profile, so booting into safe mode shouldn't allow them to run, and there you should be able to create a new account. Then you'll need to try it in normal mode. If everything is OK, all you have to do is back up only the needed files from the old profile.

I did that, but I don't know what other malware may have been installed. Currently, it has blocked MSSE from being installed from any account, which leads me to believe there is something else on there. Before I deleted the infected user account, I ran the Kaspersky Rescue Disk with fresh updates, which is a CD-loaded O/S that scans the hard disk. It found nothing.

#6
dougdeep
    Newbie
  • MSFN Sponsor
  • 15 posts
  • OS:none specified
It sounds like a variation of the MS Antivirus Security Center malware that's been around for a while. A friend got that one earlier this month (it was calling itself MS Security Essentials) and I thought it looked very slick. It had all the right styles and logo for Windows Vista/Seven and would have been really convincing except it was on an old XP machine. On startup it would go into its routine before the desktop appeared which makes it a real pain to try and stop (CTRL-ALT-DEL will not bring up the task manager). The worst thing this one did was to set the HIDDEN file attribute on everything in the user's Documents and Settings folder – 'bout gave my friend a heart attack thinking everything had been deleted.

I used the methods described over at bleepingcomputer.com, especially the Rkill program, to stop the **** thing from running and then Malwarebytes' Anti-Malware to remove it. After scans by two different antivirus programs it said it was clean, but it just didn't run quite right. A week after I gave the computer back it returned, so this time I backed up all the files and reformatted (and repartitioned). It's time consuming to start over, but that might be the safest thing to do.
Beats a poke in the eye with a sharp stick.
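Added here as an example (not from any poster in this thread): a PowerShell triage script for the two symptoms allen2 and dougdeep describe, a rogue "AV" executable launched from the user profile and the Hidden attribute set across the user's files. It assumes an elevated PowerShell session (Safe Mode is fine) for the affected account; the $UserDir parameter and the "command points into the profile" heuristic are my assumptions, not anything the thread states.

```powershell
# Added example, not from this thread. Without -Fix the script only reports;
# with -Fix it clears the Hidden attribute on ordinary user files.
param(
    [string]$UserDir = $env:USERPROFILE,   # profile to inspect (assumption: current user)
    [switch]$Fix                           # clear Hidden attributes instead of only listing
)

# 1. Per-user autorun entries whose command launches from the profile or a temp folder.
#    Fake AV droppers typically live there; a real product does not start from %TEMP%.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
Write-Output "== Autorun entries launching from the user profile =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata
        $cmd = [string]$p.Value
        if ($cmd -like "*$UserDir*" -or $cmd -like '*\AppData\*' -or $cmd -like '*\Temp\*') {
            Write-Output "$key : $($p.Name) = $cmd"   # review, then remove with Remove-ItemProperty
        }
    }
}

# 2. User files with Hidden set. Skip System-flagged items and the AppData tree,
#    which Windows hides itself, so ntuser.dat, desktop.ini etc. stay untouched.
$hiddenFlag = [int][IO.FileAttributes]::Hidden
$systemFlag = [int][IO.FileAttributes]::System
$hidden = @(Get-ChildItem -Path $UserDir -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        $a = [int]$_.Attributes
        ($a -band $hiddenFlag) -ne 0 -and ($a -band $systemFlag) -eq 0 -and
        $_.FullName -notlike "$UserDir\AppData*" -and $_.Name -notlike 'ntuser*' -and
        $_.Name -ne 'desktop.ini'
    })
Write-Output "== $($hidden.Count) hidden user items under $UserDir =="
foreach ($item in $hidden) {
    Write-Output $item.FullName
    if ($Fix) {
        # Clear only the Hidden bit; keep every other attribute as it was.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenFlag))
    }
}
```

Run it once without -Fix and read the autorun list before removing anything; a legitimate per-user installer can also live under AppData, so the list is a starting point for review, not a verdict.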

#7
seth1066
    Newbie
  • Member
  • 12 posts
  • OS:Windows 7 x64

> It sounds like a variation of the MS Antivirus Security Center malware that's been around for a while. A friend got that one earlier this month (it was calling itself MS Security Essentials) and I thought it looked very slick. It had all the right styles and logo for Windows Vista/Seven and would have been really convincing except it was on an old XP machine. On startup it would go into its routine before the desktop appeared which makes it a real pain to try and stop (CTRL-ALT-DEL will not bring up the task manager). The worst thing this one did was to set the HIDDEN file attribute on everything in the user's Documents and Settings folder – 'bout gave my friend a heart attack thinking everything had been deleted.
>
> I used the methods described over at bleepingcomputer.com, especially the Rkill program, to stop the **** thing from running and then Malwarebytes' Anti-Malware to remove it. After scans by two different antivirus programs it said it was clean, but it just didn't run quite right. A week after I gave the computer back it returned, so this time I backed up all the files and reformatted (and repartitioned). It's time consuming to start over, but that might be the safest thing to do.

Same thing here, locks out the normal desktop, hides the user settings, blocks task mgr. Client bought the machine second hand and didn't want me to reinstall the O/S because it came with some good software (no disks, of course). I'm going to reinstall the O/S from scratch, unless he wants his credit card data to end up in East Beserkistan the next time he buys something online.

#8
dday000
  • Member
  • 1 posts
  • OS:none specified
http://www.bleepingc...ivity-inspector

Removed this by using "Automated Removal Instructions for Windows Activity Inspector using Malwarebytes' Anti-Malware" from the above link.
