So just been asked by my father to take a look at his PC because it is saying it is infected.
Boot it up, and I have balloon windows *appearing* to be from Windows security centre saying it is infected, a new backdrop with links saying click here to update your PC because it is infected and some dumb app called BraveSentry (which it appears is a spyware gateway).
I tried a quick manual clean, but if you choose to Exit BraveSentry the only options it gives are Continue Evalutation or Register your copy. WTF?!?!
This is undoubtedly spyware (the web tells me it came down through IE) but AdAware doesn't know about it yet, Spybot is currently downloading though.
Is this sort of thing legal? How can the BraveSentry people think they're not going to get sued for that?
Also, on a related note, how do I disable IE so that my father can't use it anymore? He has FF installed but sometimes forgets to use it, instead clicking on IE.
Needless to say my father is absolutely f'in furious, seeing as he banks on the Internet.... time to dig out that old Mac I think.
-
Rossj wrote:
Also, on a related note, how do I disable IE so that my father can't use it anymore? He has FF installed but sometimes forgets to use it, instead clicking on IE.
Set Program Access and Defaults allows you to hide all the obvious entry points to IE, that's probably enough to stop him running it.
-
It's another name for SpySheriff
see here
http://en.wikipedia.org/wiki/Spysheriff
there are links about removing it etc
-
Before u disable IE check that he can still bank using FF
-
AdrianJMartin wrote:Before u disable IE check that he can still bank using FF
Yes he can, I made sure that everywhere he went works well in FF (most UK banks work with it) and that there wasn't anything that was going to throw him a curveball. And he does use it most of the time, but occasionally he will use IE (for no apparent reason).
I am more disturbed that BraveSentry can get away with working like that, I know they are in Spain (I checked) but surely the law isn't that forgiving in Europe when software hijacks a PC and pretty much forces non-technies into either paying to have it removed, or paying for the software.
SpyBot looked like it managed to remove it ... but it is still there and I just got System has recovered from a serious error. *(&#*($&*($ PC.
I am taking suggestions now for decent backup software ... so I can start all over again...
Update: Dead machine.
-
Once the machine is back up and running make sure to install SP2 and turn automatic updates on.
-
daSmirnov wrote:Once the machine is back up and running make sure to install SP2 and turn automatic updates on.
If only it was that easy
-
This is exactly why tools like Windows Defender are a must. Anti-spy/malware programs that are constantly running and monitoring usually grab crap like this.
B.t.w, IE was surely only the entry point? I presume your father had to actually allow the application to install by himself?
If people are doing serious banking/business over the internet, simply switching browsers is not secure enough (although it can help). What's to stop him from falling into a phishing scam next? Users themselves have to be educated as well as have protective programs such as antivirus/antispyware/firewalls up and running at all times these days.
-
Stebet wrote:
I assume he must have clicked on something, but when you get a balloon window telling your Windows Security Centre has detected an intrusion, click here to install something to protect yourself - I am guessing a lot of people will install it.
Stebet wrote:
What's to stop him from falling into a phishing scam next? Users themselves have to be educated as well as have protective programs such as antivirus/antispyware/firewalls up and running at all times these days.
He won't fall for a phishing scam, I have educated him in what to look out for - but that balloon window in the taskpane looked *very* convincing, and it wasn't until the backdrop changed to some dodgy active windows thing that he started to get suspicious.
-
Rossj wrote:I assume he must have clicked on something, but when you get a balloon window telling your Windows Security Centre has detected an intrusion, click here to install something to protect yourself - I am guessing a lot of people will install it.
I'd guess the application was already installed at that point and it was the app itself and not Windows Security Center that was showing the pop-up (just a guess though). Some pop-ups have lately been showing how to "click the yellow information bar at the top and allow the active-x to install" in IE
Rossj wrote:He won't fall for a phishing scam, I have educated him in what to look out for - but that balloon window in the taskpane looked *very* convincing, and it wasn't until the backdrop changed to some dodgy active windows thing that he started to get suspicious.
Good man. Yeah, programs, once installed, could easily imitate the Windows Security Center and look very legitimate.
What pisses me off the most is how these companies get away with crap like this
-
rossj wrote:
Also, on a related note, how do I disable IE so that my father can't use it anymore? He has FF installed but sometimes forgets to use it, instead clicking on IE.
Will this work?
REN IEXPLORE.EXE DONTRUN.EXE
-
Stebet wrote:

Rossj wrote:I assume he must have clicked on something, but when you get a balloon window telling your Windows Security Centre has detected an intrusion, click here to install something to protect yourself - I am guessing a lot of people will install it.
I'd guess the application was already installed at that point and it was the app itself and not Windows Security Center that was showing the pop-up (just a guess though). Some pop-ups have lately been showing how to "click the yellow information bar at the top and allow the active-x to install" in IE
Yes, exactly that. There really isn't much you can do once something is installed and looks exceedingly like the related Windows component
That's why I was questioning the legality of BraveSentry which seems to have a company behind it trying to sell it as a product.
I am going to try Minh's suggestion, although I expect Windows to complain on each reboot
-
Minh wrote:
Will this work?
REN IEXPLORE.EXE DONTRUN.EXE
Actually, no. Windows File Protection will detect the iexplore.exe isn't there and replace it.
-
Yeah I would not recommend doing that. It could potentially crash some functions. I believe IE is used for some "pretty" rendering capabilities and functions. If you want to restrict web browsing you can set a system policy. That is the extreme way. But I always count on users finding a way to do something so I go with the previous suggestion of installing anti-spyware and make sure IE is at the IE 7 version.
There are a lot of nice things in there that protect users just like SP2.
So the rule of thumb is to install ALL patches (at least the ones that don't break any applications) and update the browser to the latest version & patch level. That way the risk is minimized..
Windows defender is not bad at all. Also Spybot S&D is good too. When I get people that are infected, I always run those two first. Usually most things are gone after running those.