MS Antivirus, AntiVirus Pro, AntiVirus 2009, AntiVirus 2010, AntiVirus Ad Infinitum...
This entry was posted on 11/5/2009 4:06 PM and is filed under Security Info, Technical, Small Business, Virus and Spyware, Tips and Tricks, High Priority.
I have spent the better part of the last two weeks tracking down and removing this malware from client systems. This fake antivirus program tries to scare end-users into installing it by creating a pop-up that says "You are infected" and scrolls through a list of viruses. If you click on the pop-up, pretty much anywhere in the pop-up, the malware is installed. Once installed, you will receive more pop-ups, sometimes several a minute, telling you that you are infected and directing you to the makers' site, where you can "activate" your software by giving them your credit card. In general it just drives people crazy, and if you don't know how to get rid of it, you may end up spending a lot of time and energy trying to remove it.
Most often this program disables your anti-virus and prevents you from installing some of the most effective tools for removal, such as Malwarebytes and SuperAntiSpyware. It also redirects you to their site if you try to access antivirus/antimalware manufacturers' sites. There are probably at least 20 variants (a good list, as well as a detailed overview of this malware, is available here), but they all do similar things. Some even generate a phony "blue screen of death" using the joke BSOD program I previously mentioned.
When I saw the first variants of this malware a few years ago, they were pretty simple and easy to clean up. It was also not widespread - it was spread mainly through the UPS/FedEx emails and a few bad websites. The latest incarnation is not only much harder to clean up (other techs I have spoken to say they are averaging 2 hours per machine to get rid of this one), it is also spreading through legitimate websites, which makes it even harder for the average user to avoid. And because a click on the pop-up is what installs this malware, it is generally able to avoid detection by your legitimate anti-virus program.
So what can you do to avoid it?
1. Make sure your system is up to date. Install Windows updates, and update Java - old versions of Java may be one of the ways in which this is spreading.
2. I've been telling clients to close the pop-up by right-clicking on it on the toolbar and selecting "Close" so that they don't inadvertently click within the pop-up. Another tech told me that he is recommending that clients ignore the pop-up, close out of all other open programs, and restart the machine with the pop-up still open. This way you don't click anything related to the pop-up. This may not be a bad idea.
At this point, I don't have much other advice on how to avoid this. You can find screenshots of a few of the pop-ups that accompany this infection here, as well as basic removal instructions. However, if you are unable to install the recommended removal tools, or have any questions, please let me know.