Fake AntiVirus At Epidemic Proportions
Download AV 2009 now.
Each week I see computers hog tied by Trojans masquerading as AntiVirus and Protection software. Sometimes it's a neighbor and sometimes it's a friend, but the story is always the same. "A pop-up said I was infected, so I downloaded a program to remove it."
The warnings look real, mimicking Microsoft or well known AntiVirus products. The names sound legitimate.
Once you click the link, you've been scammed. The link will direct you to buy a product, bilking you of your hard earned cash. Then it scans your computer looking to find more credit and banking information, and you know it will find it.
Can it get any worse? Why sure it can. After you've been scammed by false pop-ups, after you've paid good money to the very people who gave you the crapware, and after they receive and sell your personal information, they can then connect your system to a botnet, which leaves your computer open to a whole world of scammers and thieves: an automated thief that never tires of passing along your personal information for a profit.
When I tell people what has happened they immediately ask, "How am I supposed to know what's real and what's not?"
1. Check questionable files. There are several places that offer lists of known malware. Not as many have libraries of thousands of files, malicious or not. PC Pitstop has one of the best. It gives you complete information on malware and safe files. Search the file in our PC Pitstop Processes Library. Use it to identify files that you suspect are malicious. The legend helps determine whether the file is safe, spyware, or virus. There are thousands of files in this list and all have been identified and labeled.

2. Use Google search. This is the quickest and easiest way to check whether a program or process is legitimate. It also requires that you make a judgment on the results you find. You'll quickly learn to spot key words and phrases like Remove, How To Uninstall, Free Removal Tool. It's always best to NOT INSTALL a program you can't identify.
3. Use a good AntiVirus software to protect your system against infections. Be aware that not all antivirus software is created equal. I have compiled a list of reputable and effective software companies that I use and that we suggest through our help desk. Be sure to update the definitions regularly and use real-time protection. These programs work when others don't. When every minute counts you can't waste time with products that don't find and remove the threat.
- Avast from ALWIL **
- AVG
- Comodo
- F-Secure
- Kaspersky
- Malwarebytes **
- Norman
- Superantispyware **
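A triage script in the spirit of step 1 (an added example, not code from the article or from PC Pitstop): it lists the Run-key auto-start entries and the running processes, records for each executable whether it carries a valid Authenticode signature and its SHA-256 so the file can be looked up in a process library, and flags unsigned binaries or ones running from temp and profile folders, where fake AV installers typically drop themselves. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the list of suspect folders is a constructed heuristic, not a rule.

```powershell
# Added example (not from the article): triage auto-start entries and running processes
# so unfamiliar files can be looked up before anything is removed.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) and read access to the registry.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a legitimate security product rarely runs from (constructed heuristic, not exhaustive).
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

function Get-ImagePath {
    # Extract the executable from a Run-key command line such as
    #   "C:\Users\x\AppData\Local\abc\tool.exe" /autorun
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-SuspectPath {
    param([string]$Path)
    foreach ($root in $suspectRoots) {
        if ($root -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ImageReport {
    param([string]$Source, [string]$Path)
    if (-not ($Path -and (Test-Path -LiteralPath $Path))) {
        return [pscustomobject]@{ Source=$Source; Path=$Path; Signed='missing'; SHA256=''; Suspect=$true }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Source  = $Source
        Path    = $Path
        Signed  = $sig.Status          # 'Valid' only for a properly signed binary
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Suspect = ($sig.Status -ne 'Valid') -or (Test-SuspectPath $Path)
    }
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSParentPath/... bookkeeping properties; the rest are start-up entries.
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }).Name) {
        $report += Get-ImageReport -Source "Run:$name" -Path (Get-ImagePath $props.$name)
    }
}
foreach ($p in Get-Process | Where-Object Path) {
    $report += Get-ImageReport -Source "Proc:$($p.Name)[$($p.Id)]" -Path $p.Path
}

# Unsigned or oddly located entries sort first; search the SHA256 column in a process
# library or multi-engine scanner before deciding whether a file is safe to remove.
$report | Sort-Object Suspect -Descending | Format-Table Source, Signed, Suspect, Path -AutoSize
```

Processes owned by other users or by the system report no Path unless the shell is elevated, so run it from an administrator prompt to see everything.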
Knowing that you're infected can initially be tough to figure out, but once it takes hold this crapware prevents you from accessing sites on the Internet, particularly sites that could help remove it. Then, as if that weren't enough, you'll find you're unable to download anything. You especially can't download antivirus software, and if you can download it, you won't be able to open or run it. CAN'T ACCESS INTERNET, CAN'T DOWNLOAD PROGRAMS, CAN'T INSTALL PROGRAMS, just perfect. Now what do I do?
Take action immediately to remove the already introduced malware. Know that once you see these pop-ups, you are already infected and that taking the wrong steps can only let the infection strengthen. If you wait too long, your system will literally come to a halt. No downloads, no internet access. Yes, these beasts prevent you from accessing the very sites that could offer you assistance with legitimate antivirus removal tools. Eventually there is no escape without spending big bucks to erase your drives and reinstall Windows.
We of course recommend Exterminate but be aware that no single software can cover all threats. Use a minimum of two programs to search out threats. If you would rather take advantage of the free programs available, choose one from those suggested in our Safe Software list above.
If you are experiencing these symptoms please take the following action immediately.
1. Boot into SafeMode With Networking. To do this, reboot your system while continuously tapping the F8 key.
2. At the Options screen choose SafeMode With Networking.
3. Download each of the following free software programs.
a. Malwarebytes
b. Superantispyware
c. Avast Home
d. Exterminate scan
4. Be sure to update the definitions for each program before running. These threats are changing by the hour and updating definitions is a must. Without updating, you are wasting your time.
5. Once you have downloaded and installed at least two of these (I suggest Avast Home as the second), turn off System Restore and run the antivirus. It's necessary to turn off System Restore because this is a favorite hiding place of fake anti-malware. Turning it off allows access to your complete drive. The restore function is usually disabled by the virus anyway, so you're not losing anything. Running System Restore when infected only strengthens the Trojan's hold.
6. If given the option, allow the programs to check memory and boot sector on reboot.
7. I would run each program at least once in SafeMode With Networking and again in regular Windows Mode.
8. When clear, be sure to turn on System Restore and create a new clean restore point.
If fortunate, you'll successfully remove these threats, but be aware that these nasty thieves are getting better and better at disguising themselves. If ignored for too long, their stranglehold is impossible to break.
____________________________________________________
PITSTOP MALICIOUS PROCESS LIBRARY
LINKS TO FREE AV
PREVIOUS ARTICLE ON CONFICKER WORM REMOVAL
August 3rd, 2009 at 8:28 pm
I believe I must be in "advanced meltdown". I got my laptop to save Superantispyware after several attempts. Now it says "The system administrator has set policies to prevent this installation".
If only they used their powers for good! Wish me luck!
August 4th, 2009 at 6:51 am
Howdy Felicia, be sure you're installing and running from SafeMode With Networking.
August 5th, 2009 at 3:04 pm
Great article, good advice. I got one of these "you are infected messages" but was fortunate enough to doubt the validity and checked with Shogan before acting on it. Thanks, Shogun, for keeping us on top of things.
August 5th, 2009 at 6:58 pm
Can you advise if PC Pitstop have a solution to removal of
lbcore1.metacafe.com
Everything I try will not remove the issue.
I'm using Trend Internet Security and have done a complete scan using Windows Mal., all with no success.
Regards Laurie Garsden
August 5th, 2009 at 7:08 pm
I've had that fake antivirus pop up on me before and when it did I killed the Internet Explorer process using the Task Manager without touching anything else on the screen and avoided all the problems. My girlfriend wasn't as lucky with her laptop and got it. She couldn't go online to get help, but fortunately I put Norton Antivirus on it before it happened. It didn't stop it from getting on her computer but it did monitor the registry changes the fake program made, so after deleting the browser helper object it installed I was able to go online and research the problem and remove it. It was a hassle but at least it failed in its attempts to steal info!
August 5th, 2009 at 7:41 pm
I hear a lot of people are getting this. It happened to a couple of my friends this week.
August 6th, 2009 at 12:20 am
I was called to help an elderly friend repair her computer already infected with this malware (virus). I was able to work around the malware (virus) before this article was released, lol, which would not have mattered as PC Pitstop is blocked by the malware (virus) as well, I know I tried. With virtually no internet access on her computer I was able to download Firefox to replace the affected IE7. The malware (virus) did not try to stop this installation. Using Firefox I was able to download and install Avast and Malwarebytes. All attempts to download or search anything that would remove the malware (virus) with IE7 were blocked.
August 6th, 2009 at 7:30 am
Great information Tim. I use Firefox and IE but have not checked to see if Firefox was better at getting through the blockade that is put up.
Will give that a go next time.
August 6th, 2009 at 11:26 am
I believe I have succeeded in my battle with this beast. I'm going to give it a few days before I celebrate.
I have to share with you something I got a laugh from with the first version that appeared.
I was in a battle of wits with the popup screen. I would click to close it. It would switch up the position of the close button. I assume they were trying to get you to the edge of sanity and when you couldn't take any more you would give your first born to make it stop! I don't know how long our "battle" had gone on, but after one of my clicks no screen appeared. But I heard a small male voice say "you win!" I looked around to make sure I was still alone and waited for the next assault. But nothing! I just think that is funnier than heck.
Unfortunately, my joy was short lived. A week or so later a new screen showed up. I almost cried when I saw it. But found your instructions and informative article. You saved my already fragile sanity and several others I'm sure. Thank You, Thank You, Thank You!
August 6th, 2009 at 8:44 pm
Twice I was infected by fake anti-virus. Both times I removed it with Spybot Search and Destroy. I'm surprised that's not on your list.
August 6th, 2009 at 10:17 pm
That article is great! I sat here and laughed because my sister reports to me about every few months how her computer is no longer functioning because her tweenage kids keep clicking on things that then bring it to a screeching halt.
August 7th, 2009 at 5:35 am
Hi to all at Pitstop
I had enormous problems with malware that in the end resulted in a complete system restore. I managed to burn some files and photos which were saved by e-mailing them to my brother as attachments.
I had several 'attacks' including Zango, Blue Streak, Double Click and others. I had AdAware and AVG but these became inaccessible as I was told that I was not the 'administrator' of my own PC. Comodo constantly errored also. On investigation by a colleague who (lucky for me) runs an IT bureau it was discovered that even the PC address and ID had been hacked and changed to the extent that my PC wasn't mine anymore. Luckily I NEVER buy online so no banking details are used or publicised. I had to crash everything and start again.
I got rid of Norton and d'loaded Malwarebytes, Spybot Search and Destroy, Comodo Firewall and AV and BOClean. Ever since nothing has got onto the PC and if stuff does, one sweep with Spybot or MWBytes usually cleans everything. This and the usual getting rid of temporary stuff and regular disc cleaning and I've been safe ever since. I regularly receive and read Pitstop bulletins and they're priceless for the depth of info and the different sites one can access through them. Great to know you.
Cheers
Sim
August 7th, 2009 at 8:14 am
I have a husband that clicks on anything that looks real.
We got one.
I ran our McAfee and Spybot and then downloaded AVG. It got it out.
Thank you for telling everyone.
August 7th, 2009 at 8:41 am
For people who don't have a network set up and so can't use the Safe Mode with Networking method, remember that you can put removal tools on external media from a different, functioning computer and use them in safe mode.
(If it wouldn't be easy for you to get to another computer, not a bad idea to create such emergency media in advance to have on hand. Even a somewhat outdated app may be enough to at least get your foot in the door of the battle.)
August 7th, 2009 at 8:46 am
Have seen this AVG "Lookalike" a while ago. Stubborn to remove. Best way is to move it to a cheap thumb drive and then throw it away. Only thorough solution I have really used that is predictable.
There are a lot of "so called" Anti-Virus solutions out there. There is one on the top of the heap. Kaspersky! It is superior for two main reasons. First, hourly virus database updates. Second, most viruses are written in the Ukraine. They are a twelve year old company based in Moscow, Russia. Have NEVER been compromised using Kaspersky. I highly recommend it.
August 7th, 2009 at 9:04 am
Oh and I would add: As soon as you get your computer functional and seemingly-clean via a small number of established tools as mentioned in this article, generate some additional reports with a greater variety of recommended tools (e.g. online scans, HijackThis, etc.). Often each finds different things, and once a computer is infected it is especially vulnerable, and additional opportunistic infections may have piggybacked on the original one. If you need help with interpreting any reports/logs you generate, get thee to a reputable security forum where you can post your results.
It's worth the time — this be some serious stuff!
August 7th, 2009 at 12:44 pm
I was quite surprised that your list of safe antivirus software did not include either McAfee or Norton.
These fake antivirus are becoming even worse. I've had some that you cannot navigate away from their site without closing the tab. Sometimes you even have to close the entire session (all tabs). I also had one time when the only way to kill it was by using Task Manager.
Any suggestions for dealing with those?
August 7th, 2009 at 12:46 pm
Very helpful, thanks.
August 7th, 2009 at 2:54 pm
Have you heard of "Antivirus System PRO"?
This one is a real bear. I was invaded last weekend. Luckily I have two hard drives and can only use one at a time. I was still able to access the NET with my uninfected drive. The aforementioned malware takes control of your system very quickly. I Googled the subject and tried "geekpolice.net" as well as "bleepingcomputer.com". The only answers I got from them was to purchase software after running a "FREE" scam…scan. The only way I was able to get rid of it was to run a total format-reinstall of the operating system. Do you have any suggestions?
August 7th, 2009 at 10:12 pm
I'm a computer repair tech, and I found out the best way to avoid getting this fake antivirus is to install Netcraft. It would stop the site from loading up. It installs on your browser and it monitors fake web sites.
August 7th, 2009 at 10:30 pm
I got it. It was called System Security. I got on to Bigpond Security by phone and was put on to GIZMO. $99 and 2 hours later they got rid of it using Safe Mode etc. and Malware.
August 7th, 2009 at 11:15 pm
B R DULLITH, a few of my friends had Antivirus System Pro also. I shut it down with Killbox. Then removed it with Superantispy. I added these programs with a thumbdrive. Hope this helps!
August 7th, 2009 at 11:43 pm
I got one when I clicked a link in the latest Pcpitstop newsletter. I killed it with End Task. Then I wasn't able to get on to Pcpitstop after that. I'm using another computer and was able to get on to Pcpitstop but got the same kind of redirect when I clicked the link for newsletter archives.
I have some of the suggested software but I have a problem. I can not run my computer in safe mode because I am blind and screen readers do not run in safe mode. So, I have to find someone to help me clean both computers.
August 8th, 2009 at 11:30 am
David A, Spybot S&D is an excellent program that I use occasionally. What I recommend is what I've found most effective. Spybot would certainly be a good additional program to use. I also use HJT or HiJack This, but because it can ruin your installation I don't recommend it to the average user without getting some trained help.
We also have a help forum completely devoted to the removal of Virus, spyware, and HiJackers. Excellent help there. http://forums.pcpitstop.com/index.php?s=1958cd855e408f4106a65318eece5b49&showforum=9
August 10th, 2009 at 7:42 pm
Steve, great article and very informative. My Mom's in Boynton Beach with problems on her computer…know anyone on that side who will help a senior (81) as a good Samaritan volunteer?
August 10th, 2009 at 7:50 pm
Just thought of something I need help with… I get spam and one of the ones I get has "me" in the "from" line. I tried to set up a filter to delete any emails that are from "me". It made a mess trying to delete all the emails I've ever sent because gmail shows all of my own emails as coming from "me" too. How can I filter this spam out?
August 10th, 2009 at 9:02 pm
Great information! I know a girl named Joy that just had her computer corrupted and then she spent $300 to get it fixed. I'll pass this information on to her because she needs it.
Thanks for the great article
August 11th, 2009 at 8:30 am
In regard to the fake AV programs. A few weeks back my brother-in-law asked me to come help him. He had no AV installed and his PC was a mess! In the taskbar on the desktop was this realistic looking icon with a message that "Your PC has 3,126 viruses". I worked on that thing for over 3 hours and was about to give up when I remembered one last thing I had not tried. I opened up msconfig\startup and there it was! I unchecked everything in there, restarted, went to Programs on the HD and deleted the hateful thing! My brother-in-law installed AVG and it has so far not showed its ugly face again.
Albert
August 11th, 2009 at 8:33 am
I just recently had a call from one of my friends that got hit with this while using Facebook. Good thing I just read your article. It saved us from a lot of useless work. Thanks.
August 13th, 2009 at 2:32 pm
It happened to me too and killed internet explorer. It's a huge hassle!
August 13th, 2009 at 4:07 pm
The more people I talk to the more I find out how bad this was. Most of my friends found that it invaded Facebook and Twitter. Thanks for your advice, I'll pass it along the next time I get one of those panic calls (hey dude, what do I do to fix this?).
September 15th, 2009 at 11:50 am
The fake scan we encountered downloaded automatically and there was no way to stop it. (on Mangafox.com) So, you don't HAVE to click the thing at all. It just pops up like a pop-up ad. It did it to my laptop, too, but fortunately Vista always asks for confirmation, so I got to say no.
September 17th, 2009 at 2:55 pm
My granddaughter bought an Acer mini-laptop. In less than 1 week she had the AV 2009 malware on it. Spybot, AVG & McAfee will not remove it. I turned on Windows Defender that came preloaded on the computer and did a scan. This removed it. I think she picked it up off of MySpace or Facebook. This was the 3rd time I helped somebody remove it. Previously on other computers, I was able to turn it off and it didn't run until a reboot was performed. I did finally find software that completely removed the malware.
September 17th, 2009 at 4:49 pm
My daughter was doing her maths homework on a website, mymaths.co.uk, recommended by her school. The school had a few hits which they dealt with as they are filtered to the hilt, but they still gave it out for children to use on their PC. My daughter clicked on an answer box in the subject section she was on, and the scamming thing popped up by itself, fake AV. We phoned dad up and he researched for us and got us to load the Malwarebytes site, and it killed it, but not before we had tried Norton, Windows Defender and Tune-up, but the malware tools recommended by PC Pitstop did it! Thanks for info, no thanks to school!
September 18th, 2009 at 7:34 am
In my running processes, I have svchost.exe listed 8 times, all with different PID #'s. Are any of these legit, or how to tell??
February 3rd, 2010 at 3:48 pm
Here's a quick fix. In safe mode, go to:
Start\Run, type in msconfig. Click the startup tab and look at your items. Note anything that looks weird like "goronc" or "bhqrzt". If in doubt about the file google it if you're able to. Look at the location of the file then go to this location and manually delete this file. Then, go to: Start\Control Panel\Internet Options\Advanced then click the reset button to reset your browser. Restart your PC and you should be good to go.