By now we’ve all seen one of those rogue antivirus programs that look like a real antivirus program telling you that you are infected and unless you buy their software you can’t get rid of it. I even wrote about one once a few years ago, and how to use Malwarebytes to clean it up.
Well, I found one last week that I think is just as nasty, if not more so. Instead of posing as an antivirus program, it looks like some kind of hard drive failure detection software. Right before it pops up, it launches about 50 other pop-up windows saying that there was a write error due to disk failure, then this fake program calling itself S.M.A.R.T. Check pops up and starts doing a bogus scan. I took a picture of it here because the victim’s computer wouldn’t let me take a screenshot:
One of the things this bad boy did that I thought was fairly slick was it went through all of your program and users folders and hid all the folders! Here is a screenshot I took after I went into my folder options and checked the box to show hidden folders:
The user that got hit by this thing was running Microsoft Forefront EP 2010, and the malware was detected by it; however, even though it said it was deleted, it wasn’t. Removal was pretty easy though. I logged in as a different user. This sucker only infected one user account, although the folders were hidden from them all. I browsed to c:\ProgramData and deleted the files in the image below:
After that I also installed Spybot and scheduled a scan at boot up. It found and fixed a few other minor issues, but for the most part this thing was gone.
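For the hidden folders described above, here is an added example (not part of the original post) that lists folders carrying the Hidden attribute that Windows would not normally hide, and optionally clears it. The function name, the default roots, and the `AppData` allowlist are assumptions, as is the premise that the malware set only the Hidden attribute.

```powershell
# Added example: hypothetical helper, not from the original post.
# Assumption: the malware set only the Hidden attribute on ordinary folders.
function Find-UnexpectedHiddenFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Roots to inspect; defaults are assumptions, adjust per machine.
        [string[]]$Root = @($env:USERPROFILE, $env:ProgramFiles),
        # Folders Windows hides by default; extend for your environment.
        [string[]]$ExpectedHidden = @('AppData'),
        [int]$Depth = 1,
        [switch]$Unhide
    )
    $hidden = [IO.FileAttributes]::Hidden

    Get-ChildItem -LiteralPath $Root -Directory -Force -Depth $Depth -ErrorAction SilentlyContinue |
        Where-Object {
            # Hidden, but not a protected system folder or a junction such as
            # "Application Data", which are hidden on a clean install too.
            $_.Attributes.HasFlag($hidden) -and
            -not $_.Attributes.HasFlag([IO.FileAttributes]::System) -and
            -not $_.Attributes.HasFlag([IO.FileAttributes]::ReparsePoint) -and
            ($ExpectedHidden -notcontains $_.Name)
        } |
        ForEach-Object {
            if ($Unhide -and $PSCmdlet.ShouldProcess($_.FullName, 'Clear Hidden attribute')) {
                # Clear only the Hidden bit; leave every other attribute as it was.
                $_.Attributes = $_.Attributes -band (-bnot $hidden)
            }
            [pscustomobject]@{
                Path       = $_.FullName
                Attributes = $_.Attributes
                Modified   = $_.LastWriteTime
            }
        }
}

# Report only:
Find-UnexpectedHiddenFolder | Format-Table -AutoSize
# After reviewing the list, clear the attribute (add -WhatIf for a dry run):
# Find-UnexpectedHiddenFolder -Unhide
```

Run it from the clean account used for the cleanup and pass the affected user's profile path to `-Root`, since `$env:USERPROFILE` points at whoever is logged in.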