The 'AntiVirus PRO' Scam


flybabe

Blue Crack Addict
Joined
Apr 15, 2006
Messages
17,062
Location
Sunglasses, USA
There's this 'program' that will pop up on your computer randomly with a screen showing that there are viruses on your computer, and recommending a download of this software in order to protect your computer. For the love of God, don't download it. It will worm its way through your computer sending tons of annoying pop ups saying that 'Malicious software detected' when in fact it is the virus. It's a bunch of trojan viruses claiming to detect them. If you get this on your computer and you have Windows, turn on Windows Defender and it will kick its ass. It took a while because I made the mistake of deleting the file before I found out how to get rid of it properly.
 
There are dozens of these going around lately. I spend half my days at work removing them (I work in IT and my main responsibility is working on students' computers). They all behave a little differently but by now it takes me about 10 minutes to completely clean them off, manually (not using other programs to scan, fix, or remove them, I clean them myself).

ETA: I've seen the Mac version as well. Yes, that's right, I've seen a Mac infected with a rogue antivirus that also had some proxy or browser redirect that loaded porn regardless of where you tried to browse.
 
A Mac, the god of computers, infected with this crap... :ohmy:

It's out there just to piss you off it seems. It didn't do much to the computer, it would just take over the screens, and it was a real headache. And from what I've read, it's almost everywhere, even on some legitimate virus program websites. I mean, what the hell!? And that is someone stooping really low to make a virus as a program that seems like it's real. You can't trust anything anymore. :tsk:
 
At work we are trying to figure out why the sudden increase. Not really an increase but pandemic more like. I've never become infected, and I'm on the Internet almost every waking hour. The only things I can think of are 1) I use AdBlock Plus on all my systems, so not only do I not get pop-ups but I don't see ads, like the ones on this forum and others. 2) I use Facebook a lot but do not do any FB games or allow apps to access my information. 3) Most of the web sites I visit are ones I visit all the time, so I already know exactly what they are. My mom goes all over to random YouTubes and people's blogs that she doesn't really know and she got a rogue last week. A few weeks ago, I heard about a medical condition in a book so I Googled it and when I clicked on one of the images I got a rogue type pop-up. I immediately rebooted the computer, started in Safe Mode, cleared out my ...AppData\Temp folder (which is where many of them hide), cleared my browsing cache, and was fine. The problem with a lot of these rogues is that it's not just about finding and deleting the files but they also mess with your hosts file and/or put proxies in your browser's LAN settings so you constantly are redirected back or to porn or advertising sites. Some of these things you can't fix by running some freeware scans and deleted files, they have to actually be edited.
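A check for the hosts-file tampering described above, as an added example that is not from the thread (the sample hosts text, the vendor list and the blank-line padding heuristic are constructed for illustration):

```python
"""Audit a Windows hosts file for the kind of edits a rogue antivirus leaves
behind: security-vendor sites pointed at loopback so the real AV cannot
update, and ordinary sites redirected elsewhere. Added example, not from the
forum thread; the vendor list and sample text below are constructed."""
import ipaddress

# Vendor domains a rogue typically overrides (constructed, not exhaustive)
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "symantec.com",
                    "norton.com", "mcafee.com", "avast.com", "kaspersky.com")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
BLANK_RUN_LIMIT = 20  # heuristic: entries pushed off-screen by blank padding


def audit_hosts(text: str) -> list:
    """Return one finding dict per suspicious hosts entry."""
    findings, blank_run = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped:            # truly blank line: count towards padding
            blank_run += 1
            continue
        line = stripped.split("#", 1)[0].strip()
        if not line:                # comment-only line, e.g. the default header
            blank_run = 0
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append({"line": lineno, "entry": raw, "reason": "malformed address"})
        else:
            for name in names:
                n = name.lower()
                if any(n == d or n.endswith("." + d) for d in SECURITY_DOMAINS):
                    findings.append({"line": lineno, "entry": raw,
                                     "reason": f"security vendor {name} overridden"})
                elif ip not in LOOPBACK and n != "localhost":
                    findings.append({"line": lineno, "entry": raw,
                                     "reason": f"{name} redirected to {ip}"})
        if blank_run >= BLANK_RUN_LIMIT:
            findings.append({"line": lineno, "entry": raw,
                             "reason": f"entry hidden after {blank_run} blank lines"})
        blank_run = 0
    return findings


# Constructed sample: a default-looking file with rogue entries appended
SAMPLE_HOSTS = ("# Copyright (c) 1993-2009 Microsoft Corp.\n"
                "127.0.0.1       localhost\n::1             localhost\n"
                + "\n" * 40 +
                "127.0.0.1       update.microsoft.com\n"
                "127.0.0.1       liveupdate.symantec.com\n"
                "203.0.113.5     www.google.com\n")
```

On a real machine, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `audit_hosts`; anything it flags should be reviewed by hand, since a legitimate file normally contains only the localhost lines.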
 
I've had it twice in the last month or so on my work computer. Seriously irritating. The help desk said they'd been dealing with a lot of them as well.

The first time, they were able to fix it relatively quickly. The second time, they had to regen my hard drive. :|
 
It has become a pandemic; when I looked up how to get rid of it, millions of people had been asking how to get rid of it. Like I said, it is around the most innocent of sites.

That was the first time we had had this type of virus, and it came out of nowhere, and thank goodness it wasn't a bad one. The last computer we had, a virus got in it and wiped the entire motherboard out, taking all of our information and essentially making us lose our photos and everything we had, and to this day I still have no idea what it was. Since this 'antivirus PRO' incident, we have two defense systems put up to avoid anything else getting in. We had defenses up before but somehow it still got in, but I don't think we had up what we were supposed to. Windows Defender has cleared out everything, making it safe. After getting rid of it once it did come back, but then one day it was gone from the computer, so I'm not too convinced it is at all easy to get rid of.

All I can say is, turn it on if it isn't already (if you have windows that is) and do a full scan on your computer, and give it a little while.
 
ETA: I've seen the Mac version as well. Yes, that's right, I've seen a Mac infected with a rogue antivirus that also had some proxy or browser redirect that loaded porn regardless of where you tried to browse.
yep, yesterday i had something try to pull this crap. i was looking for a country's map, hardly anything unsavoury, and it redirected me to a page supposedly scanning my hard drive and downloaded a zip file.

i just closed the tab and deleted the zip file, but geez.
 
All I can say is, turn it on if it isn't already (if you have windows that is) and do a full scan on your computer, and give it a little while.


Do it in Safe Mode at the very least. The problem with these types of viruses is that many of them *are* generated by the user. The user makes a choice to click on a harmful link or open a harmful attachment and basically allows the computer to become infected. Once infected, those files are active/running and while some antivirus programs might alert to that, you or the antivirus program/scan cannot delete a file that is in use. Also most of these files have strange permissions or bury themselves. Running a scan is just a waste of time. Most if not all of the computers I work on these days are up to date with the latest service packs and are running a valid antivirus program, but these rogue antiviruses are basically things that the user inadvertently allows to run on their computer, usually because they assume a file or web page is OK when it is not.
 
I whipped up a quick troubleshooting guide for anyone worried about encountering this new threat:

[attached image: n1unv.png]
 
Running a scan is just a waste of time.
Is this also true for Norton AntiVirus scans?

What are the proper steps if we suspect we just stumbled upon one of these harmful sites?

With Norton Internet Security on my PC, sometimes if I click on a Google search result page (that I am not familiar with), and it turns out to be a malicious site, Norton would notify me that they just blocked an intrusion attempt to my PC. I wonder if there's anything else I should do to double check nothing harmful has made its way into my PC...

I've seen the rogue AntiVirus program maybe sometime last year. The popup window looked like it was from an AV program, but when I saw that it wasn't Norton, and I only had Norton AV at that time, I ignored it, and hit the 'X' to close the window. But it looked believable.

Nowadays I'm more concerned with stumbling upon malicious websites from clicking on those results from Google search. I've seen an increase on those faux websites that seem to be a hit on your search keywords but they are actually malicious.
 
There are very few virus or worm threats these days that are not a direct result of the user installing them unwittingly.

Microsoft Security Essentials, Mac anti-virus, Norton et al will not open a random website and open up a download dialog for your browser in order to update themselves.

If something pops up while browsing the web about a security check or security update, close the window, cancel the download, whatever. Just deny it. ALL decent anti-virus or anti-spyware programs update within the program, usually automatically or via a button labeled "Check for updates".

If you're removing a virus or worm under Windows and the default anti-virus program doesn't do the trick, you need to restart in Safe Mode, delete your PC's Restore Points, then run the removal again and restart. Restore Points basically save that virus in them when they are created while the virus is still on the computer.
 
Is this also true for Norton AntiVirus scans?

Yes, it has nothing to do with what software you use. Windows will not allow you to delete, move, rename, quarantine, etc a file that is running/active/in use at the time.

Also some AV programs only do "quick" scans and the rogues I've seen recently like to bury themselves, often creating files that you cannot "see" unless you change the folder options to "display hidden operating system files".
 
So far there hasn't been any sign of that virus on this computer, and I haven't encountered the likes on any more sites. I'd like to think that the computer is being protected from that particular virus, but am I wrong? Is it just that I haven't been unfortunate enough to get infected again? Cause I'm not entirely sure any computer can ever be completely safe from at least one type of virus...
 
So far there hasn't been any sign of that virus on this computer, and I haven't encountered the likes on any more sites. I'd like to think that the computer is being protected from that particular virus, but am I wrong? Is it just that I haven't been unfortunate enough to get infected again? Cause I'm not entirely sure any computer can ever be completely safe from at least one type of virus...

Well, as has been said, this is really the key...

There are very few virus or worm threats these days that are not a direct result of the user installing them unwittingly.

The problem with these types of viruses is that many of them *are* generated by the user. The user makes a choice to click on a harmful link or open a harmful attachment and basically allows the computer to become infected.

It's not really an issue of being protected or not; it's more an issue of browsing habits. If you click on things that you aren't sure are not a virus, then you could very well get infected. The only time I've ever had one of these rogues try to infect my computer was when I did that Google image search and clicked one of the results that had a shady web address, and sure enough it was junk. These things don't just appear on the computer, even though it seems that way. The user has always clicked on an ad, loaded a bad site, opened some scamming Facebook link or e-mail attachment, and that basically gives permission for the rogue virus to run/install. Antivirus programs can sometimes detect and/or clean these up after the fact but cannot block the user from inadvertently installing them.
 
I encountered one of these a while back that was called MacDefender when I went to Hotmail. It popped up and told me I had viruses, but I didn't believe it, because it randomly showed up and I was suspicious. So I googled it and found out that it's a trojan designed to trick people into thinking they have viruses and getting them to buy this fake software and provide a credit card number. It said that it piggybacks on normal sites and that it's mostly designed for stealing credit card numbers. The site I found gave instructions for removal and nothing else has popped up since then.
 
It happened again a few days ago, this time from a Google image search. I read that if you use Safari, you should go to Preferences, and under General, uncheck "Open 'safe' files after downloading." This will stop the trojan from opening automatically after it downloads.
 