Had an interesting job this week: a customer got in touch with a story about her ‘Cyber Security’ system not letting her browse to any web pages. Nothing she did would get rid of the messages it kept throwing up. It all sounded a bit doubtful to me, so I went to have a look.
When I saw the machine I could see that her PC was infected with some sort of ‘spyware’ product. The screens and messages it was showing were very close (if a bit crudely drawn) copies of the real Windows screens, including its own version of the Windows Security screen, which showed the antivirus software as out of date and the firewall as switched off. Accessing the web was impossible, as she had described, so I disconnected the machine and took it back to my workshop.
I did a bit of a search on the web for ‘Cyber Security’ and found a few descriptions of it and how to get rid of it, mostly on pages promoting the purchase of some anti-spyware product.
I spent some time on the machine trying various things.
I tried to uninstall it, but it cleverly says that you can’t uninstall it until you register it.
I tried running the two anti-spyware programs already on the machine, Spybot and Ad-Aware, both of which were woefully out of date. It seemed to spot that I was running these, and started throwing up its own messages about having detected spyware on the machine. When I ignored the messages, it went into an imitation blue screen, with messages recommending downloading the latest version of Cyber Security etc. After a few minutes, it then went on to an imitation Windows boot screen, again a bit crude, and again with messages telling me to register the Cyber Security software. Eventually, it dropped me back into the system, where I could see Spybot continuing to process the rest of the system, having ignored the Cyber Security product.
Next I tried updating to the latest versions of Spybot and Ad-Aware, which both started fine, then both stopped downloading, and all internet access from the machine became impossible.
So, I took the hard drive out of the machine and put it into my workshop machine as a secondary drive. I went looking for the Cyber Security files and, by looking at the shortcuts etc., found that most of the files concerned were called CS.xxx and all were put on the machine between 6:59 and 7:00 on the day of infection. I did a couple of searches over the affected hard drive, and deleted all obvious CS files, and any obviously unneeded files loaded at the same time. I left one .dll file just in case it was a system file. I ran the latest versions of Spybot and Ad-Aware while the drive was in this machine, and found nothing.
I put the hard drive back into the machine and booted up, and CS did not start. So I loaded a decent antivirus, and updated Spybot to the latest version. I didn’t put Ad-Aware back, as it was seriously slowing the machine down.
Tested the machine, and was still getting issues with accessing some websites when it tried to load the blank.htm page. I removed IE8, and Spybot detected a change to the registry regarding the location of blank.htm, which I allowed. I then allowed Windows Update to reload IE8, this time denying the registry change back to what was possibly an invalid setting. Everything now looked good.
Just for good measure, I ran the new Spybot version, and picked up the .dll I mentioned earlier, and two registry entries both connected with this infection. In the end I had to run Spybot 5 more times until I got two consecutive runs when it did not pick up any entries about this product!
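The offline sweep described above (drive mounted as a secondary volume, files flagged by the one-minute infection window or by the CS.* name) as a small script. This is added here and is not code from the original post; it assumes the drive is mounted at the path you pass as `root`, uses the file modification time because creation time cannot be read or set portably, and moves hits to a quarantine folder rather than deleting them, so a wrongly flagged DLL like the one mentioned can simply be put back.

```python
import os
import re
import shutil
from collections import namedtuple
from datetime import datetime
from pathlib import Path

# One flagged file; in_window / by_name record why it was picked up.
Hit = namedtuple("Hit", "path mtime in_window by_name")


def collect_candidates(root, window_start, window_end, name_pattern=r"^CS\..+$"):
    """Walk `root` (the infected drive mounted as a secondary volume) and return
    files modified inside [window_start, window_end] or whose name matches
    `name_pattern` (case-insensitive). This only reports; nothing is removed."""
    start_ts, end_ts = window_start.timestamp(), window_end.timestamp()
    pat = re.compile(name_pattern, re.IGNORECASE)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                st = path.stat()
            except OSError:
                continue  # unreadable entry: skip it rather than abort the sweep
            in_window = start_ts <= st.st_mtime <= end_ts
            by_name = pat.match(name) is not None
            if in_window or by_name:
                hits.append(Hit(str(path), datetime.fromtimestamp(st.st_mtime),
                                in_window, by_name))
    return sorted(hits, key=lambda h: h.mtime)


def quarantine(hits, root, dest):
    """Move flagged files under `dest`, keeping their path relative to `root`,
    so a false positive (e.g. a genuine system DLL) can be restored later."""
    moved = []
    for h in hits:
        target = Path(dest) / Path(h.path).relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(h.path, target)
        moved.append(str(target))
    return moved


if __name__ == "__main__":
    # Example invocation: adjust the mount point and the infection window.
    window = (datetime(2009, 10, 1, 6, 59), datetime(2009, 10, 1, 7, 0))
    for hit in collect_candidates("E:\\", *window):
        print(hit.mtime, "window" if hit.in_window else "name  ", hit.path)
```

Review the printed list before calling `quarantine`; files flagged only by the time window are the ones most likely to include something legitimate.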
Next time I see this problem, fixing it will take a lot less time!