Monday, March 26, 2007

Smitfraud Variants including PestCapture, WinAntivirus Pro 2007,


If your computer has become infected with one of these "spyware removal programs", you probably downloaded an infected codec program when you tried to watch a video online, or you may have been hit by a "drive-by" installation of Smitfraud. SmitFraud attacks show fake antispyware program popups on your screen and/or a balloon popup from the Windows system tray displaying a warning message that your computer is infected with spyware and telling you to purchase, download and install their program to remove it. The creator of each popup is an affiliate of the particular antispyware program they are promoting, so each time an unsuspecting user purchases the advertised program in hopes of removing the trojan, the person behind the attack gets paid. Not a very ethical way of selling an antispyware, antivirus, or other computer pest removal product.


In many of the infected computers I've dealt with, programs like "Video Access ActiveX Object" show up in the Control Panel and are the initial infection that starts the whole issue. Most of these programs, when scanned with an up-to-date virus scanner, are shown to be infected with viruses like Troj.Zlob.AN, which was part of the original SpyAxe trojan attack a couple of years ago. These attacks have spawned over 100 different varieties of malware issues. Many times the home page is redirected to a fake "online security center", or a user will receive a popup that looks almost identical to the normal Windows Security Center but isn't. You can see a couple of these fake alerts by clicking on the images below.


The popups and warnings are smokescreens and fake alerts to scare visitors into buying a spyware removal tool that may not even remove the trojan that caused the warnings in the first place. As I stated above, many of these infections were installed by a fake codec like "Video Access ActiveX Object" that installed into the Program Files directory in Windows.

These files, like pmmnt.exe and pmsnrr.exe, install and attach themselves to the Windows Explorer shell, so they are always resident and recreate themselves if you try to delete them in normal Windows mode. They hide in a registry key similar to:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

"rare"="C:\\Program Files\\Video Access ActiveX Object\\pmsnrr.exe"
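As an added example (not code from the original post), the PowerShell function below lists whatever is set under the Policies\Explorer\Run key described above, plus the per-user HKCU equivalent (an assumption; the post only shows the HKLM key), and flags any entry that points at a missing or unsigned file or into the "Video Access ActiveX Object" folder. It is meant to be run from an elevated session on the suspect machine.

```powershell
# Added example, not from the original post: report the Policies\Explorer\Run
# entries that Smitfraud-family droppers use to stay resident.
# Assumption: run in an elevated PowerShell session on the suspect machine.

function Get-PolicyRunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'  # assumed per-user twin
    )
    foreach ($key in $keys) {
        # On a clean machine this key usually does not exist at all, so its
        # mere presence is already worth noting.
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties Get-ItemProperty adds.
            if ($p.Name -like 'PS*') { continue }
            # Strip surrounding quotes and any trailing arguments to get the image path.
            $raw  = [string]$p.Value
            $path = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split ' ')[0] }
            $exists = Test-Path -LiteralPath $path
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name      # e.g. "rare" in the key shown in the post
                Command    = $raw
                Image      = $path
                Signature  = $sig         # 'NotSigned' or 'FileMissing' is the usual sign of trouble
                Suspicious = ($sig -ne 'Valid') -or ($path -match 'Video Access ActiveX Object')
            }
        }
    }
}

Get-PolicyRunEntries | Format-Table -AutoSize
```

Because the post notes the files recreate themselves in normal mode, treat the output as a triage list; confirm and clean up from Safe Mode or offline rather than deleting the listed files live.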
